Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
adminpriv.exe

Overview

General Information

Sample name:adminpriv.exe
Analysis ID:1430490
MD5:5cae01aea8ed390ce9bec17b6c1237e4
SHA1:3a80a49efaac5d839400e4fb8f803243fb39a513
SHA256:19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
Infos:

Detection

Score:36
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

  • System is w10x64native
  • adminpriv.exe (PID: 2008 cmdline: "C:\Users\user\Desktop\adminpriv.exe" MD5: 5CAE01AEA8ED390CE9BEC17B6C1237E4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: adminpriv.exeReversingLabs: Detection: 54%
Source: adminpriv.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdbSS source: adminpriv.exe
Source: Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdb source: adminpriv.exe
Source: adminpriv.exeString found in binary or memory: https://forums.mydigitallife.net/threads/59268/
Source: adminpriv.exeString found in binary or memory: https://github.com/M2Team/NSudo
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C204AC memset,GetCurrentProcess,OpenProcessToken,CreateProcessAsUserW,SetPriorityClass,ResumeThread,WaitForSingleObjectEx,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,5_2_00007FF746C204AC
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C1F0D85_2_00007FF746C1F0D8
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C21DCC5_2_00007FF746C21DCC
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C20B885_2_00007FF746C20B88
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C19A085_2_00007FF746C19A08
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C201045_2_00007FF746C20104
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C260885_2_00007FF746C26088
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C15E0C5_2_00007FF746C15E0C
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2CE915_2_00007FF746C2CE91
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C1F6805_2_00007FF746C1F680
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C135085_2_00007FF746C13508
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2C2945_2_00007FF746C2C294
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C162245_2_00007FF746C16224
Source: adminpriv.exeBinary or memory string: OriginalFilename vs adminpriv.exe
Source: adminpriv.exe, 00000005.00000000.52386766550.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameNSudo.exe, vs adminpriv.exe
Source: adminpriv.exeBinary or memory string: OriginalFilenameNSudo.exe, vs adminpriv.exe
Source: classification engineClassification label: sus36.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C21348 AdjustTokenPrivileges,GetLastError,5_2_00007FF746C21348
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C21168 GetTokenInformation,GetLastError,malloc,GetTokenInformation,AdjustTokenPrivileges,GetLastError,SetLastError,free,5_2_00007FF746C21168
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C13450 SetLastError,FindResourceExW,SizeofResource,LoadResource,LockResource,GetLastError,GetLastError,GetLastError,5_2_00007FF746C13450
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C13508 OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,StartServiceW,GetTickCount64,SleepEx,CloseServiceHandle,CloseServiceHandle,5_2_00007FF746C13508
Source: adminpriv.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\adminpriv.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: adminpriv.exeReversingLabs: Detection: 54%
Source: adminpriv.exeString found in binary or memory: t console window. PS: If you want to create a process with the new console window, please do not include the "-UseCurrentConsole" parameter. -Version Show version information of NSudo. -? Show this content. -H Show this content. -Help Show this cont
Source: adminpriv.exeString found in binary or memory: nt. Context Menu: -Install Copy NSudo to the Windows directory and add the context menu. -Uninstall Remove NSudo in the Windows directory and the context menu. PS: 1. All NSudo command arguments is case-insensitive. 2. You can use the
Source: adminpriv.exeString found in binary or memory: -? -H -Help -Install NSudoWindows
Source: adminpriv.exeString found in binary or memory: -? -H -Help -Install NSudoWindows
Source: adminpriv.exeString found in binary or memory: -Help
Source: adminpriv.exeString found in binary or memory: -Install
Source: adminpriv.exeString found in binary or memory: -Help Show this content.
Source: adminpriv.exeString found in binary or memory: -Install Copy NSudo to the Windows directory and add the context menu.
Source: adminpriv.exeString found in binary or memory: -Help Affiche l'aide.
Source: adminpriv.exeString found in binary or memory: -Install Copie NSudo dans le r
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: msvcp60.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: iconcodecservice.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: Run
Source: C:\Users\user\Desktop\adminpriv.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: adminpriv.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: adminpriv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: adminpriv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: adminpriv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: adminpriv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: adminpriv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: adminpriv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: adminpriv.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: adminpriv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdbSS source: adminpriv.exe
Source: Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdb source: adminpriv.exe
Source: adminpriv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: adminpriv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: adminpriv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: adminpriv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: adminpriv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C1E1E0 LoadLibraryW,GetProcAddress,FreeLibrary,5_2_00007FF746C1E1E0
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C13508 OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,StartServiceW,GetTickCount64,SleepEx,CloseServiceHandle,CloseServiceHandle,5_2_00007FF746C13508
Source: C:\Users\user\Desktop\adminpriv.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_5-9380
Source: C:\Users\user\Desktop\adminpriv.exeAPI coverage: 9.6 %
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2B808 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,5_2_00007FF746C2B808
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2B808 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,5_2_00007FF746C2B808
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C1E1E0 LoadLibraryW,GetProcAddress,FreeLibrary,5_2_00007FF746C1E1E0
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2BB3C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,5_2_00007FF746C2BB3C
Source: C:\Users\user\Desktop\adminpriv.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2C850 IsProcessorFeaturePresent,memset,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF746C2C850
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2C5D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF746C2C5D0
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2B280 SetUnhandledExceptionFilter,5_2_00007FF746C2B280
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2B470 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF746C2B470
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C20104 CreateRestrictedToken,GetTokenInformation,GetLastError,malloc,SetLastError,GetTokenInformation,SetTokenInformation,GetTokenInformation,GetLastError,malloc,GetTokenInformation,AllocateAndInitializeSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,EqualSid,AddAce,GetAce,SetTokenInformation,SetTokenInformation,free,FreeSid,free,free,CloseHandle,5_2_00007FF746C20104
Source: C:\Users\user\Desktop\adminpriv.exeCode function: 5_2_00007FF746C2B6D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,GetTickCount64,GetTickCount64,QueryPerformanceCounter,5_2_00007FF746C2B6D0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Valid Accounts		2
Command and Scripting Interpreter		1
Valid Accounts		1
Valid Accounts		1
Valid Accounts		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Service Execution		1
Windows Service		11
Access Token Manipulation		11
Access Token Manipulation		LSASS Memory3
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts2
Native API		1
DLL Side-Loading		1
Windows Service		1
DLL Side-Loading		Security Account Manager2
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
DLL Side-Loading		Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
adminpriv.exe54%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://github.com/M2Team/NSudoadminpriv.exefalse
    		high
    https://forums.mydigitallife.net/threads/59268/adminpriv.exefalse
      		high

      World Map of Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1430490
      Start date and time:2024-04-23 18:11:58 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 5m 40s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:adminpriv.exe
      Detection:SUS
      Classification:sus36.winEXE@1/0@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 24
      • Number of non-executed functions: 63
      Cookbook Comments:
      • Found application associated with file extension: .exe

      Warnings

      • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): spclient.wg.spotify.com
      • VT rate limit hit for: adminpriv.exe

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:PE32+ executable (GUI) x86-64, for MS Windows
      Entropy (8bit):6.2191709910374895
      TrID:
      • Win64 Executable GUI (202006/5) 92.65%
      • Win64 Executable (generic) (12005/4) 5.51%
      • Generic Win/DOS Executable (2004/3) 0.92%
      • DOS Executable Generic (2002/1) 0.92%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:adminpriv.exe
      File size:252'928 bytes
      MD5:5cae01aea8ed390ce9bec17b6c1237e4
      SHA1:3a80a49efaac5d839400e4fb8f803243fb39a513
      SHA256:19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
      SHA512:c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
      SSDEEP:3072:n3vg+rJrkQVOUPrxLExK08A+MQ20AFHxH32Hdxkq5:n3vg+rOgOyrNEI3AxQUHK
      TLSH:2D342A4A7E58C0B5D0A791F899438A82F7B1FC16073043BF13A972791F772B1BE2A651
      File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......( .<lA.olA.olA.o.(.nhA.olA.o[A.o>).noA.o>).nnA.o.'.nmA.o.'.niA.o>).nkA.o.(.nmA.o.(.n}A.o.(.nBA.o.'.nyA.olA.ox@.o.(.niA.o.(oomA.

      File Icon

      Icon Hash:231cdaf698999906

      Static PE Info

      General

      Entrypoint:0x14001b3e0
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x140000000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Time Stamp:0x5C2A0B8A [Mon Dec 31 12:28:58 2018 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:0
      File Version Major:6
      File Version Minor:0
      Subsystem Version Major:6
      Subsystem Version Minor:0
      Import Hash:55fa9bd502457bea13d3626a68dc1cad

      Entrypoint Preview

      Instruction
      dec eax
      sub esp, 28h
      call 00007FE06C550D4Ch
      dec eax
      add esp, 28h
      jmp 00007FE06C550903h
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      dec eax
      sub esp, 48h
      call 00007FE06C54900Ch
      mov dword ptr [esp+58h], eax
      call 00007FE06C54ACA3h
      inc ebp
      xor ecx, ecx
      dec esp
      lea eax, dword ptr [esp+68h]
      cmp eax, 01h
      dec eax
      lea edx, dword ptr [esp+30h]
      dec eax
      lea eax, dword ptr [esp+58h]
      inc ecx
      sete cl
      dec eax
      mov dword ptr [esp+20h], eax
      dec eax
      lea ecx, dword ptr [esp+60h]
      call dword ptr [00003015h]
      dec eax
      add esp, 48h
      ret
      dec eax
      mov eax, dword ptr [00003011h]
      dec eax
      jmp eax
      int3
      int3
      int3
      int3
      int3
      int3
      xor eax, eax
      cmp dword ptr [0000FC98h], eax
      setne al
      ret
      int3
      int3
      int3
      int3
      mov dword ptr [00010B8Ah], 00000000h
      ret
      int3
      int3
      int3
      int3
      int3
      inc eax
      push ebx
      dec eax
      sub esp, 000005C0h
      mov ebx, ecx
      mov ecx, 00000017h
      call dword ptr [00002E22h]
      test eax, eax
      je 00007FE06C550A66h
      mov ecx, ebx
      int 29h
      mov ecx, 00000003h
      call 00007FE06C550A2Dh
      xor edx, edx
      dec eax
      lea ecx, dword ptr [esp+000000F0h]
      inc ecx
      mov eax, 000004D0h

      Data Directories

      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IMPORT0x293880xf0.rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE0x2f0000x113f8.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x2d0000x1a1c.pdata
      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x410000x2cc.reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG0x234b00x54.rdata
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x236100x28.rdata
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x235100x100.rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IAT0x1e0000x600.rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

      Sections

      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x10000x1cf480x1d0002bb6014f49dd048ba2659ec6fa8408e9False0.4616615032327586data6.274460021502248IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata0x1e0000xc7060xc80018ecc7a2e5e307442685c841745b7954False0.34921875OpenPGP Public Key4.5347891656060115IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data0x2b0000x17400xc00b0dcf4ba030cb5d2f42927ebe7055487False0.22330729166666666data3.947592449508497IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .pdata0x2d0000x1a1c0x1c00c08072fef804c27fc3e537a6a8794a5aFalse0.4716796875data5.053135403745446IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rsrc0x2f0000x113f80x114005b58a5b379d54d695d1d07df30e08922False0.23297384510869565data5.425036797515047IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc0x410000x2cc0x400fb1887e4a47a9e6cdfe77e3e02953396False0.5107421875data4.33913742192629IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      NameRVASizeTypeLanguageCountryZLIB Complexity
      CONFIG0x2f5680x33fUnicode text, UTF-8 (with BOM) text, with CRLF line terminators0.26594464500601683
      STRING0x3b4c80x547Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5144337527757217
      STRING0x3d4f00x520Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.40625
      STRING0x3e5680x5dcJSON data0.4266666666666667
      STRING0x3c4880x561Unicode text, UTF-8 (with BOM) text, with CRLF line terminatorsChineseTaiwan0.5134350036310821
      STRING0x3bac80x9bfUnicode text, UTF-8 (with BOM) text, with CRLF line terminators0.4220440881763527
      STRING0x3dab80xaafUnicode text, UTF-8 (with BOM) text, with CRLF line terminators0.34113345521023763
      STRING0x3ec000xcd8Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.3524939172749392
      STRING0x3caa80xa45Unicode text, UTF-8 (with BOM) text, with CRLF line terminatorsChineseTaiwan0.4138455686572841
      STRING0x3ba100xb2Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.9382022471910112
      STRING0x3da100xa7Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.9041916167664671
      STRING0x3eb480xb1ASCII text, with CRLF line terminators0.864406779661017
      STRING0x3c9f00xb2Unicode text, UTF-8 (with BOM) text, with CRLF line terminatorsChineseTaiwan0.9325842696629213
      RT_ICON0x2fa280x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.34308510638297873
      RT_ICON0x2fe900x6b8Device independent bitmap graphic, 20 x 40 x 32, image size 00.261046511627907
      RT_ICON0x305480x988Device independent bitmap graphic, 24 x 48 x 32, image size 00.23934426229508196
      RT_ICON0x30ed00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 00.1550187617260788
      RT_ICON0x31f780x1a68Device independent bitmap graphic, 40 x 80 x 32, image size 00.13062130177514794
      RT_ICON0x339e00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 00.12406639004149378
      RT_ICON0x35f880x4228Device independent bitmap graphic, 64 x 128 x 32, image size 00.06654463863958432
      RT_ICON0x3a1b00x129bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9216880117572959
      RT_DIALOG0x2f4e00x84data0.7424242424242424
      RT_DIALOG0x2f8a80x180data0.5
      RT_GROUP_ICON0x3b4500x76data0.7542372881355932
      RT_VERSION0x3f8d80x2e8data0.4905913978494624
      RT_MANIFEST0x3fbc00x835XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2041), with CRLF line terminatorsEnglishUnited States0.32032365540218943

      Imports

      DLLImport
      KERNEL32.dllDeleteCriticalSection, WaitForSingleObjectEx, GetCurrentProcess, GetCurrentThreadId, ResumeThread, SetPriorityClass, OpenProcess, FreeLibrary, LoadLibraryW, MulDiv, CopyFileW, MoveFileExW, InitializeCriticalSectionEx, TerminateProcess, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, GetProcessHeap, HeapFree, HeapAlloc, OutputDebugStringW, InitializeSListHead, EnterCriticalSection, LeaveCriticalSection, DecodePointer, RaiseException, SetFileAttributesW, GetFileAttributesW, DeleteFileW, ExpandEnvironmentStringsW, GetCommandLineW, SizeofResource, LockResource, LoadResource, FindResourceExW, GetSystemWindowsDirectoryW, SleepEx, SetLastError, CloseHandle, VerifyVersionInfoW, GetModuleHandleW, VerSetConditionMask, MultiByteToWideChar, GetProcAddress, GetModuleFileNameW, GetTickCount64, QueryPerformanceCounter, GetLastError, GetSystemTimeAsFileTime, GetCurrentProcessId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, InitOnceExecuteOnce
      USER32.dllEndPaint, GetWindowTextW, GetClientRect, BeginPaint, LoadImageW, MonitorFromWindow, ChangeWindowMessageFilter, GetDC, SetWindowLongPtrW, UnregisterClassW, DialogBoxParamW, SendMessageW, SetWindowTextW, DrawIconEx, EndDialog, GetDlgItem
      GDI32.dllGetDeviceCaps
      COMDLG32.dllGetOpenFileNameW
      ADVAPI32.dllRegDeleteTreeW, RegSetValueExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, SetTokenInformation, RevertToSelf, InitializeAcl, GetTokenInformation, GetLengthSid, GetAce, FreeSid, EqualSid, DuplicateTokenEx, CreateRestrictedToken, AllocateAndInitializeSid, AdjustTokenPrivileges, AddAce, AddAccessAllowedAce, OpenProcessToken, SetThreadToken, CreateProcessAsUserW, StartServiceW, QueryServiceStatusEx, OpenServiceW, OpenSCManagerW, CloseServiceHandle
      SHELL32.dllDragQueryFileW, DragFinish
      ole32.dllCoInitializeEx
      WTSAPI32.dllWTSQueryUserToken, WTSEnumerateProcessesW, WTSFreeMemory
      USERENV.dllDestroyEnvironmentBlock, CreateEnvironmentBlock
      msvcrt.dllabort, fseek, __C_specific_handler, _cexit, ??0exception@@QEAA@AEBQEBD@Z, __setusermatherr, _initterm, _initterm_e, exit, _exit, _c_exit, __wgetmainargs, atexit, _wcmdln, _lock, _unlock, _fseeki64, ?terminate@@YAXXZ, _strtoi64, _strtoui64, ??0exception@@QEAA@XZ, ??0exception@@QEAA@AEBV0@@Z, ??1exception@@UEAA@XZ, ?what@exception@@UEBAPEBDXZ, _XcptFilter, fsetpos, fwrite, memmove, memcpy, ??2@YAPEAX_K@Z, memset, setlocale, ??3@YAXPEAX@Z, memcmp, localeconv, ungetc, setvbuf, fread, fputc, fgetpos, fgetc, fflush, fclose, strtod, _set_fmode, malloc, free, _wcsicmp, wcsrchr, _errno, ??_V@YAXPEAX@Z, __CxxFrameHandler3, _CxxThrowException, _wcsnicmp, _iob, _vsnprintf, __set_app_type, _commode, wcslen, __dllonexit, wcsstr, _wfsopen
      msvcp60.dll_Toupper, _Tolower, _Getctype

      Possible Origin

      Language of compilation systemCountry where language is spokenMap
      ChineseTaiwan
      EnglishUnited States

      Network Behavior

      No network behavior found

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      System Behavior

      General

      Target ID:5
      Start time:18:13:59
      Start date:23/04/2024
      Path:C:\Users\user\Desktop\adminpriv.exe
      Wow64 process (32bit):false
      Commandline:"C:\Users\user\Desktop\adminpriv.exe"
      Imagebase:0x7ff746c10000
      File size:252'928 bytes
      MD5 hash:5CAE01AEA8ED390CE9BEC17B6C1237E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:false

      Disassembly

      Reset < >

        Execution Graph

        Execution Coverage:8.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:22.2%
        Total number of Nodes:2000
        Total number of Limit Nodes:17
        execution_graph 11981 7ff746c1def4 11988 7ff746c2260c 11981->11988 11982 7ff746c1dfbd SetWindowLongPtrW 11983 7ff746c1dfb1 11982->11983 11984 7ff746c2c270 8 API calls 11983->11984 11986 7ff746c1e010 11984->11986 11989 7ff746c2261e 11988->11989 11998 7ff746c1df79 11988->11998 11990 7ff746c22624 EndDialog 11989->11990 11991 7ff746c22643 11989->11991 11990->11998 11992 7ff746c2266e 11991->11992 11993 7ff746c2264d 11991->11993 11994 7ff746c22678 11992->11994 11995 7ff746c22691 11992->11995 12011 7ff746c21828 GetDlgItem GetDlgItem GetDlgItem 11993->12011 12154 7ff746c21cb4 BeginPaint 11994->12154 11995->11998 11999 7ff746c22727 11995->11999 12000 7ff746c226b7 11995->12000 11998->11982 11998->11983 11999->11998 12001 7ff746c22731 11999->12001 12002 7ff746c226e1 12000->12002 12003 7ff746c226c3 12000->12003 12176 7ff746c216dc 12001->12176 12006 7ff746c226fa 12002->12006 12007 7ff746c226ec 12002->12007 12044 7ff746c21dcc 12003->12044 12006->11998 12163 7ff746c2155c 12006->12163 12009 7ff746c213b0 73 API calls 12007->12009 12009->11998 12012 7ff746c16e64 26 API calls 12011->12012 12013 7ff746c218c6 12012->12013 12014 7ff746c1e2f4 43 API calls 12013->12014 12015 7ff746c218db SetWindowTextW 12014->12015 12017 7ff746c12da0 20 API calls 12015->12017 12018 7ff746c218fb 7 API calls 12017->12018 12019 7ff746c219ed 12018->12019 12020 7ff746c245ac 27 API calls 12019->12020 12021 7ff746c1e2f4 43 API calls 12019->12021 12024 7ff746c21a4d MonitorFromWindow 12019->12024 12020->12019 12022 7ff746c21a20 SetWindowTextW 12021->12022 12023 7ff746c12da0 20 API calls 12022->12023 12023->12019 12189 7ff746c1e1e0 LoadLibraryW 12024->12189 12027 7ff746c21a70 GetDC GetDeviceCaps GetDC GetDeviceCaps 12028 7ff746c21aa4 LoadImageW SendMessageW SendMessageW LoadImageW 12027->12028 12029 7ff746c21b51 12028->12029 12030 7ff746c245ac 27 API calls 12029->12030 12031 7ff746c1e2f4 43 API calls 12029->12031 12034 7ff746c21bb6 SendMessageW 12029->12034 12030->12029 12032 7ff746c21b84 SendMessageW 12031->12032 12033 7ff746c12da0 20 API calls 12032->12033 12033->12029 12043 7ff746c21bde 12034->12043 12035 7ff746c21c88 12037 7ff746c2c270 8 API calls 12035->12037 12036 7ff746c12b9c 22 API calls 12036->12043 12038 7ff746c21c97 12037->12038 12038->11998 12039 7ff746c12b9c 22 API calls 12040 7ff746c21c09 SendMessageW 12039->12040 12041 7ff746c12da0 20 API calls 12040->12041 12041->12043 12042 7ff746c12da0 20 API calls 12042->12043 12043->12035 12043->12036 12043->12039 12043->12042 12045 7ff746c11b8c 25 API calls 12044->12045 12046 7ff746c21e35 GetWindowTextW 12045->12046 12047 7ff746c21e5b 12046->12047 12048 7ff746c21e74 12046->12048 12049 7ff746c21e84 SendMessageW 12047->12049 12050 7ff746c12f04 27 API calls 12048->12050 12051 7ff746c11b8c 25 API calls 12049->12051 12050->12049 12052 7ff746c21ed4 GetWindowTextW 12051->12052 12053 7ff746c21f09 12052->12053 12054 7ff746c21f2e 12052->12054 12055 7ff746c21f44 _wcsicmp 12053->12055 12056 7ff746c12f04 27 API calls 12054->12056 12057 7ff746c21fdc 12055->12057 12058 7ff746c21f6b 12055->12058 12056->12055 12059 7ff746c12f78 27 API calls 12057->12059 12060 7ff746c245ac 27 API calls 12058->12060 12061 7ff746c2200d memmove 12059->12061 12062 7ff746c21f96 12060->12062 12063 7ff746c1e2f4 43 API calls 12061->12063 12064 7ff746c1e2f4 43 API calls 12062->12064 12066 7ff746c2205b _wcsicmp 12063->12066 12065 7ff746c21fad 12064->12065 12067 7ff746c21020 70 API calls 12065->12067 12070 7ff746c12da0 20 API calls 12066->12070 12069 7ff746c21fd2 12067->12069 12072 7ff746c12da0 20 API calls 12069->12072 12071 7ff746c2207b 12070->12071 12073 7ff746c2208b memmove 12071->12073 12111 7ff746c2207f 12071->12111 12074 7ff746c225c5 12072->12074 12075 7ff746c1e2f4 43 API calls 12073->12075 12077 7ff746c12da0 20 API calls 12074->12077 12078 7ff746c220d3 _wcsicmp 12075->12078 12076 7ff746c24530 30 API calls 12080 7ff746c221fd 12076->12080 12081 7ff746c225d2 12077->12081 12083 7ff746c12da0 20 API calls 12078->12083 12084 7ff746c2221b 12080->12084 12087 7ff746c24530 30 API calls 12080->12087 12082 7ff746c12da0 20 API calls 12081->12082 12085 7ff746c225dc 12082->12085 12086 7ff746c220f3 12083->12086 12088 7ff746c24530 30 API calls 12084->12088 12089 7ff746c2c270 8 API calls 12085->12089 12090 7ff746c22103 memmove 12086->12090 12086->12111 12087->12084 12091 7ff746c22237 12088->12091 12092 7ff746c225ed 12089->12092 12093 7ff746c1e2f4 43 API calls 12090->12093 12094 7ff746c24530 30 API calls 12091->12094 12092->11998 12095 7ff746c2214b _wcsicmp 12093->12095 12096 7ff746c22261 12094->12096 12098 7ff746c12da0 20 API calls 12095->12098 12099 7ff746c12f78 27 API calls 12096->12099 12100 7ff746c2216b 12098->12100 12101 7ff746c222cf 12099->12101 12102 7ff746c22178 memmove 12100->12102 12100->12111 12103 7ff746c12f78 27 API calls 12101->12103 12104 7ff746c1e2f4 43 API calls 12102->12104 12105 7ff746c222f5 12103->12105 12106 7ff746c221c0 _wcsicmp 12104->12106 12108 7ff746c16da0 27 API calls 12105->12108 12109 7ff746c12da0 20 API calls 12106->12109 12110 7ff746c22319 12108->12110 12109->12111 12112 7ff746c12f78 27 API calls 12110->12112 12111->12076 12111->12080 12113 7ff746c2233f 12112->12113 12114 7ff746c12f78 27 API calls 12113->12114 12115 7ff746c22365 12114->12115 12116 7ff746c12f78 27 API calls 12115->12116 12117 7ff746c2238f 12116->12117 12118 7ff746c16da0 27 API calls 12117->12118 12119 7ff746c223b5 12118->12119 12120 7ff746c127c0 52 API calls 12119->12120 12121 7ff746c223ea 12120->12121 12122 7ff746c12d10 21 API calls 12121->12122 12123 7ff746c223f5 12122->12123 12124 7ff746c12d10 21 API calls 12123->12124 12125 7ff746c22417 12124->12125 12126 7ff746c12b9c 22 API calls 12125->12126 12127 7ff746c22478 12126->12127 12196 7ff746c1407c 12127->12196 12129 7ff746c2248d 12130 7ff746c2249c 12129->12130 12131 7ff746c224cd 12129->12131 12132 7ff746c12da0 20 API calls 12130->12132 12133 7ff746c12da0 20 API calls 12131->12133 12134 7ff746c224a8 memmove 12132->12134 12135 7ff746c224d6 12133->12135 12134->12131 12136 7ff746c12da0 20 API calls 12135->12136 12137 7ff746c224e0 12136->12137 12138 7ff746c1f680 490 API calls 12137->12138 12139 7ff746c22505 12138->12139 12140 7ff746c22571 12139->12140 12142 7ff746c245ac 27 API calls 12139->12142 12141 7ff746c12da0 20 API calls 12140->12141 12143 7ff746c2257e 12141->12143 12144 7ff746c22531 12142->12144 12145 7ff746c25df0 23 API calls 12143->12145 12146 7ff746c1e2f4 43 API calls 12144->12146 12147 7ff746c2259a ??3@YAXPEAX 12145->12147 12148 7ff746c22545 12146->12148 12150 7ff746c12da0 20 API calls 12147->12150 12149 7ff746c21020 70 API calls 12148->12149 12151 7ff746c22567 12149->12151 12152 7ff746c225b8 12150->12152 12153 7ff746c12da0 20 API calls 12151->12153 12152->12069 12153->12140 12200 7ff746c1e26c GetClientRect MulDiv MulDiv MulDiv MulDiv 12154->12200 12156 7ff746c21d03 12201 7ff746c1e0fc MulDiv MulDiv MulDiv MulDiv DrawIconEx 12156->12201 12158 7ff746c21d4b 12202 7ff746c1e0fc MulDiv MulDiv MulDiv MulDiv DrawIconEx 12158->12202 12160 7ff746c21d98 EndPaint 12161 7ff746c2c270 8 API calls 12160->12161 12162 7ff746c21db4 12161->12162 12162->11998 12164 7ff746c11b8c 25 API calls 12163->12164 12165 7ff746c215b7 memset GetOpenFileNameW wcslen 12164->12165 12166 7ff746c2163e 12165->12166 12167 7ff746c21652 12165->12167 12168 7ff746c21661 wcslen 12166->12168 12169 7ff746c12f04 27 API calls 12167->12169 12170 7ff746c216aa 12168->12170 12171 7ff746c21691 SetWindowTextW 12168->12171 12169->12168 12172 7ff746c12da0 20 API calls 12170->12172 12171->12170 12173 7ff746c216b3 12172->12173 12174 7ff746c2c270 8 API calls 12173->12174 12175 7ff746c216c1 12174->12175 12175->11998 12177 7ff746c11b8c 25 API calls 12176->12177 12178 7ff746c21734 DragQueryFileW 12177->12178 12179 7ff746c21779 12178->12179 12180 7ff746c21791 12178->12180 12181 7ff746c217a1 GetFileAttributesW 12179->12181 12182 7ff746c12f04 27 API calls 12180->12182 12183 7ff746c217ec DragFinish 12181->12183 12184 7ff746c217bd SetWindowTextW 12181->12184 12182->12181 12185 7ff746c12da0 20 API calls 12183->12185 12184->12183 12186 7ff746c217ff 12185->12186 12187 7ff746c2c270 8 API calls 12186->12187 12188 7ff746c2180d 12187->12188 12188->11998 12190 7ff746c1e219 12189->12190 12191 7ff746c1e220 GetProcAddress 12189->12191 12192 7ff746c12364 3 API calls 12190->12192 12191->12190 12193 7ff746c1e235 FreeLibrary 12191->12193 12194 7ff746c1e21e 12192->12194 12193->12194 12194->12027 12194->12028 12197 7ff746c14097 12196->12197 12197->12197 12198 7ff746c26c40 26 API calls 12197->12198 12199 7ff746c140ae memmove 12198->12199 12199->12129 12200->12156 12201->12158 12202->12160 11742 7ff746c2b1e0 11754 7ff746c2cb70 __set_app_type 11742->11754 11744 7ff746c2b1f0 11755 7ff746c2af50 11744->11755 11747 7ff746c2b261 11748 7ff746c2b21a 11752 7ff746c2b233 11748->11752 11760 7ff746c2b400 11748->11760 11750 7ff746c2b22a 11750->11752 11763 7ff746c2b7c0 InitializeSListHead 11750->11763 11753 7ff746c2b251 11752->11753 11764 7ff746c2b470 IsProcessorFeaturePresent 11752->11764 11754->11744 11756 7ff746c2af65 11755->11756 11759 7ff746c2af6e 11755->11759 11757 7ff746c2b470 9 API calls 11756->11757 11756->11759 11758 7ff746c2b02e 11757->11758 11759->11748 11761 7ff746c2b409 11760->11761 11762 7ff746c2b412 __wgetmainargs 11761->11762 11762->11750 11765 7ff746c2b48a 11764->11765 11766 7ff746c2b498 memset RtlCaptureContext RtlLookupFunctionEntry 11765->11766 11767 7ff746c2b4dc RtlVirtualUnwind 11766->11767 11768 7ff746c2b522 memset IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 11766->11768 11767->11768 11769 7ff746c2b5af 11768->11769 11769->11747 11638 7ff746c273bc 11639 7ff746c273de 11638->11639 11645 7ff746c2741f 11638->11645 11646 7ff746c2ac40 11639->11646 11641 7ff746c273eb 11641->11645 11651 7ff746c23b6c 11641->11651 11647 7ff746c2aca5 11646->11647 11648 7ff746c2acd4 _wfsopen 11647->11648 11650 7ff746c2acf3 11647->11650 11649 7ff746c2aceb fclose 11648->11649 11648->11650 11649->11650 11650->11641 11652 7ff746c23bfa 11651->11652 11653 7ff746c23c1d 11651->11653 11671 7ff746c2c9d0 11652->11671 11655 7ff746c2c270 8 API calls 11653->11655 11656 7ff746c23c68 11655->11656 11657 7ff746c1b2c8 11656->11657 11675 7ff746c2a530 11657->11675 11659 7ff746c1b301 11680 7ff746c1d3d8 11659->11680 11661 7ff746c1b398 11696 7ff746c2a5e0 11661->11696 11665 7ff746c2c270 8 API calls 11667 7ff746c1b3b2 11665->11667 11667->11645 11669 7ff746c1b3c8 11670 7ff746c1b3d2 _CxxThrowException 11669->11670 11672 7ff746c2c9d9 _errno 11671->11672 11674 7ff746c2c9f3 11671->11674 11673 7ff746c2c9e9 11672->11673 11673->11653 11674->11653 11676 7ff746c2a54d 11675->11676 11677 7ff746c2a53f 11675->11677 11676->11659 11701 7ff746c2cb50 _lock 11677->11701 11681 7ff746c1d3f8 11680->11681 11682 7ff746c1d427 11680->11682 11683 7ff746c2a530 _lock 11681->11683 11684 7ff746c2c270 8 API calls 11682->11684 11685 7ff746c1d404 11683->11685 11686 7ff746c1b31a 11684->11686 11687 7ff746c2a5e0 2 API calls 11685->11687 11686->11661 11688 7ff746c239b8 11686->11688 11687->11682 11689 7ff746c1b370 11688->11689 11690 7ff746c239eb 11688->11690 11689->11661 11689->11669 11690->11689 11691 7ff746c239f0 ??2@YAPEAX_K 11690->11691 11692 7ff746c23a08 11691->11692 11693 7ff746c23a31 11691->11693 11702 7ff746c1bde8 11692->11702 11693->11689 11711 7ff746c1d000 11693->11711 11697 7ff746c2a5eb 11696->11697 11698 7ff746c2cb60 _unlock 11696->11698 11699 7ff746c1b3a2 11697->11699 11700 7ff746c2ad90 LeaveCriticalSection 11697->11700 11699->11665 11700->11698 11703 7ff746c2a530 _lock 11702->11703 11704 7ff746c1be0d 11703->11704 11705 7ff746c1be5b 11704->11705 11706 7ff746c1be41 11704->11706 11730 7ff746c1c580 11705->11730 11725 7ff746c2a8f0 setlocale 11706->11725 11712 7ff746c1d017 11711->11712 11713 7ff746c1d027 11712->11713 11714 7ff746c1d021 free 11712->11714 11715 7ff746c1d03b 11713->11715 11716 7ff746c1d035 free 11713->11716 11714->11713 11717 7ff746c1d049 free 11715->11717 11718 7ff746c1d04f 11715->11718 11716->11715 11717->11718 11719 7ff746c1d05d free 11718->11719 11720 7ff746c1d063 11718->11720 11719->11720 11721 7ff746c1d077 11720->11721 11722 7ff746c1d071 free 11720->11722 11723 7ff746c1d08b 11721->11723 11724 7ff746c1d085 free 11721->11724 11722->11721 11724->11723 11733 7ff746c2a610 11725->11733 11727 7ff746c2a923 11728 7ff746c2a928 setlocale 11727->11728 11729 7ff746c2a935 11727->11729 11728->11729 11741 7ff746c2b190 ??0exception@@QEAA@AEBQEBD 11730->11741 11732 7ff746c1be6c _CxxThrowException 11734 7ff746c2a628 11733->11734 11735 7ff746c2a68e 11733->11735 11736 7ff746c2a62d free 11734->11736 11738 7ff746c2a632 11734->11738 11735->11727 11736->11738 11737 7ff746c2a658 malloc 11739 7ff746c2a67b 11737->11739 11740 7ff746c2a66c memmove 11737->11740 11738->11735 11738->11737 11738->11738 11739->11727 11740->11739 11741->11732 8618 7ff746c20b88 CoInitializeEx 8690 7ff746c1e540 8618->8690 8620 7ff746c20bdc 8705 7ff746c12f78 8620->8705 8623 7ff746c12f78 27 API calls 8624 7ff746c20c61 8623->8624 8711 7ff746c16da0 8624->8711 8627 7ff746c12f78 27 API calls 8628 7ff746c20cab 8627->8628 8629 7ff746c12f78 27 API calls 8628->8629 8630 7ff746c20cd3 8629->8630 8631 7ff746c12f78 27 API calls 8630->8631 8632 7ff746c20d04 8631->8632 8633 7ff746c16da0 27 API calls 8632->8633 8634 7ff746c20d2d GetCommandLineW 8633->8634 8635 7ff746c20d49 8634->8635 8635->8635 8636 7ff746c12f78 27 API calls 8635->8636 8637 7ff746c20d5f 8636->8637 8721 7ff746c127c0 8637->8721 8643 7ff746c20d9e 8644 7ff746c12d10 21 API calls 8643->8644 8645 7ff746c20dc5 8644->8645 8759 7ff746c12b9c 8645->8759 8647 7ff746c20e1d 8648 7ff746c12da0 20 API calls 8647->8648 8649 7ff746c20e26 memmove 8648->8649 8650 7ff746c12da0 20 API calls 8649->8650 8651 7ff746c20e54 8650->8651 8652 7ff746c20eaa 8651->8652 8654 7ff746c20e60 memset 8651->8654 8788 7ff746c1f680 8652->8788 8764 7ff746c1bc9c 8654->8764 8657 7ff746c20edd 8661 7ff746c20f4b 8657->8661 8662 7ff746c20ee2 8657->8662 8658 7ff746c20ed1 8894 7ff746c213b0 8658->8894 8659 7ff746c20e78 8767 7ff746c1e020 8659->8767 8664 7ff746c20ea5 8661->8664 8977 7ff746c245ac 8661->8977 8925 7ff746c16e64 8662->8925 8670 7ff746c12da0 20 API calls 8664->8670 8665 7ff746c20ed8 8665->8664 8671 7ff746c20fc4 8670->8671 8984 7ff746c25df0 8671->8984 8676 7ff746c1e2f4 43 API calls 8679 7ff746c20f8e 8676->8679 8682 7ff746c21020 70 API calls 8679->8682 8681 7ff746c12da0 20 API calls 8684 7ff746c20ff2 8681->8684 8685 7ff746c20fae 8682->8685 8991 7ff746c2c270 8684->8991 8688 7ff746c12da0 20 API calls 8685->8688 8686 7ff746c12da0 20 API calls 8686->8665 8688->8665 8691 7ff746c1e6f8 8690->8691 8692 7ff746c1e579 GetModuleHandleW 8690->8692 8693 7ff746c2c270 8 API calls 8691->8693 9000 7ff746c12288 8692->9000 8695 7ff746c1e705 8693->8695 8695->8620 8697 7ff746c12da0 20 API calls 8698 7ff746c1e5cb wcsrchr 8697->8698 8700 7ff746c1e614 wcslen 8698->8700 8701 7ff746c1e635 8700->8701 9010 7ff746c12f04 8701->9010 8706 7ff746c12fbe 8705->8706 8707 7ff746c12f93 memmove 8705->8707 9081 7ff746c11aa8 8706->9081 8710 7ff746c12fd1 8707->8710 8710->8623 8712 7ff746c16de2 8711->8712 8719 7ff746c16e46 8711->8719 8713 7ff746c16e5b 8712->8713 8714 7ff746c16df1 8712->8714 9103 7ff746c12e18 8713->9103 9094 7ff746c12e2c 8714->9094 8717 7ff746c16df9 8717->8719 8720 7ff746c12b9c 22 API calls 8717->8720 8718 7ff746c16e60 8719->8627 8720->8717 8722 7ff746c12818 8721->8722 9114 7ff746c12fe4 8722->9114 8726 7ff746c12d10 21 API calls 8727 7ff746c12a82 8726->8727 8728 7ff746c2c270 8 API calls 8727->8728 8729 7ff746c12a8e 8728->8729 8741 7ff746c12da0 8729->8741 8730 7ff746c128e1 _wcsnicmp 8739 7ff746c12857 8730->8739 8731 7ff746c12a2e wcsstr 8733 7ff746c12a57 8731->8733 8733->8733 8734 7ff746c12f78 27 API calls 8733->8734 8735 7ff746c12a2c 8734->8735 8735->8726 8736 7ff746c1295b wcsstr 8736->8739 8738 7ff746c12f78 27 API calls 8738->8739 8739->8730 8739->8731 8739->8735 8739->8736 8739->8738 8740 7ff746c12da0 20 API calls 8739->8740 9142 7ff746c12070 8739->9142 8740->8739 8742 7ff746c12db3 8741->8742 8743 7ff746c12de4 8741->8743 8744 7ff746c12ddf ??3@YAXPEAX 8742->8744 8745 7ff746c12dfb 8742->8745 8746 7ff746c12ddc 8742->8746 8749 7ff746c12d10 8743->8749 8744->8743 8747 7ff746c2c810 19 API calls 8745->8747 8746->8744 8748 7ff746c12e00 8747->8748 8750 7ff746c12d89 8749->8750 8751 7ff746c12d2a 8749->8751 8750->8643 8752 7ff746c12d44 8751->8752 8753 7ff746c12da0 20 API calls 8751->8753 8754 7ff746c12d73 ??3@YAXPEAX 8752->8754 8755 7ff746c12d99 8752->8755 8756 7ff746c12d70 8752->8756 8753->8751 8754->8750 8757 7ff746c2c810 19 API calls 8755->8757 8756->8754 8758 7ff746c12d9e 8757->8758 8760 7ff746c12bbd 8759->8760 8762 7ff746c12e98 21 API calls 8760->8762 8763 7ff746c12bd3 memmove 8760->8763 8762->8763 8763->8647 9245 7ff746c131d4 8764->9245 8768 7ff746c1e076 8767->8768 8769 7ff746c1e046 8767->8769 9264 7ff746c2bc6c 8768->9264 9255 7ff746c2bb3c GetProcessHeap HeapAlloc 8769->9255 8774 7ff746c1e0ea 9270 7ff746c22d30 RaiseException 8774->9270 8775 7ff746c1e08c GetCurrentThreadId EnterCriticalSection LeaveCriticalSection DialogBoxParamW 8777 7ff746c1e061 8775->8777 8776 7ff746c1e054 SetLastError 8776->8777 8777->8664 8780 7ff746c2bc0c 8777->8780 8781 7ff746c2bc6a 8780->8781 8782 7ff746c2bc11 8780->8782 8781->8664 8783 7ff746c2bc51 GetProcessHeap HeapFree 8782->8783 8784 7ff746c2bc27 InterlockedPushEntrySList 8782->8784 8785 7ff746c2bc36 8782->8785 8783->8781 8784->8783 8786 7ff746c2b8e4 10 API calls 8785->8786 8787 7ff746c2bc42 8786->8787 8787->8783 8789 7ff746c1f88b 8788->8789 8790 7ff746c1f6db 8788->8790 9379 7ff746c20a68 GetCurrentProcess OpenProcessToken 8789->9379 8790->8789 8792 7ff746c1f6e5 8790->8792 8794 7ff746c12b9c 22 API calls 8792->8794 8796 7ff746c1f700 8794->8796 8795 7ff746c1f884 8800 7ff746c2c270 8 API calls 8795->8800 8797 7ff746c12b9c 22 API calls 8796->8797 8799 7ff746c1f716 _wcsicmp 8797->8799 8802 7ff746c1f73c _wcsicmp 8799->8802 8811 7ff746c1f79b 8799->8811 8803 7ff746c200e1 8800->8803 8804 7ff746c1f75d _wcsicmp 8802->8804 8802->8811 8803->8657 8803->8658 8806 7ff746c1f77e _wcsicmp 8804->8806 8804->8811 8805 7ff746c12b9c 22 API calls 8887 7ff746c1f8fa 8805->8887 8808 7ff746c1f7a3 8806->8808 8806->8811 8807 7ff746c12da0 20 API calls 8809 7ff746c1f87b 8807->8809 8810 7ff746c1f7ac memset 8808->8810 8808->8811 8813 7ff746c12da0 20 API calls 8809->8813 9299 7ff746c1bbe4 8810->9299 8811->8807 8813->8795 8815 7ff746c1f92d _wcsicmp 8815->8887 8816 7ff746c1f7e2 9307 7ff746c1e71c 8816->9307 8817 7ff746c1f7f1 _wcsicmp 8821 7ff746c1f7eb 8817->8821 8822 7ff746c1f83f 8817->8822 8818 7ff746c2008b 8825 7ff746c12da0 20 API calls 8818->8825 8820 7ff746c1fa0c _wcsicmp 8820->8887 8829 7ff746c1f817 8821->8829 9351 7ff746c22bf4 8821->9351 8824 7ff746c240e8 21 API calls 8822->8824 8823 7ff746c1f951 _wcsicmp 8823->8887 8827 7ff746c1f848 8824->8827 8831 7ff746c200a0 8825->8831 8833 7ff746c1f85b 8827->8833 8834 7ff746c1f851 RegCloseKey 8827->8834 8828 7ff746c1f979 _wcsicmp 8828->8887 9369 7ff746c240e8 8829->9369 8830 7ff746c1fa2c _wcsicmp 8830->8887 8835 7ff746c200ab CloseHandle 8831->8835 8836 7ff746c200b6 8831->8836 8832 7ff746c1fa7f _wcsicmp 8832->8887 8840 7ff746c12da0 20 API calls 8833->8840 8834->8833 8835->8836 8836->8795 8843 7ff746c200c5 CloseHandle 8836->8843 8838 7ff746c1fb45 _wcsicmp 8838->8887 8839 7ff746c1faa3 _wcsicmp 8839->8887 8840->8811 8841 7ff746c1f99a _wcsicmp 8841->8887 8842 7ff746c1fa52 _wcsicmp 8842->8818 8842->8887 8843->8795 8845 7ff746c1f82a RegCloseKey 8846 7ff746c1f834 8845->8846 8850 7ff746c12da0 20 API calls 8846->8850 8847 7ff746c1facc _wcsicmp 8847->8887 8848 7ff746c1fb6b _wcsicmp 8848->8887 8849 7ff746c1f9bb _wcsicmp 8849->8887 8850->8811 8851 7ff746c1f9d9 _wcsicmp 8851->8818 8851->8887 8852 7ff746c1fc8e _wcsicmp 8852->8887 8853 7ff746c1fb8f _wcsicmp 8853->8887 8854 7ff746c1faf2 _wcsicmp 8854->8887 8855 7ff746c1fe07 8855->8818 8856 7ff746c1fe1c 8855->8856 8857 7ff746c1febf 8855->8857 9397 7ff746c20778 8856->9397 8862 7ff746c1fec4 8857->8862 8863 7ff746c1fee5 8857->8863 8858 7ff746c1fcd6 _wcsicmp 8858->8887 8859 7ff746c1fbb4 _wcsicmp 8859->8887 8860 7ff746c1fb18 _wcsicmp 8860->8818 8860->8887 9422 7ff746c20880 8862->9422 8867 7ff746c1feea 8863->8867 8868 7ff746c1ff11 8863->8868 8865 7ff746c1fbdd _wcsicmp 8865->8887 9433 7ff746c207f0 8867->9433 8874 7ff746c1ff44 8868->8874 8875 7ff746c1ff16 DuplicateTokenEx 8868->8875 8869 7ff746c12f78 27 API calls 8869->8887 8870 7ff746c1fd90 _wcsicmp 8870->8818 8870->8887 8871 7ff746c1fcfa _wcsicmp 8871->8887 8872 7ff746c1fe49 SetTokenInformation 8880 7ff746c1fe5f 8872->8880 8878 7ff746c1ff4d DuplicateTokenEx 8874->8878 8874->8880 8875->8880 8876 7ff746c1fd23 _wcsicmp 8876->8887 8877 7ff746c1fbff _wcsicmp 8877->8887 8878->8818 8881 7ff746c1ff7d 8878->8881 8879 7ff746c1fe7f 8879->8818 8890 7ff746c1fea4 8879->8890 9415 7ff746c21284 AllocateAndInitializeSid 8879->9415 8880->8818 8880->8879 9404 7ff746c21168 GetTokenInformation GetLastError 8880->9404 9441 7ff746c20104 CreateRestrictedToken 8881->9441 8882 7ff746c1fd46 _wcsicmp 8882->8887 8884 7ff746c1fc25 _wcsicmp 8884->8887 8886 7ff746c1fd69 _wcsicmp 8886->8818 8886->8887 8887->8815 8887->8818 8887->8820 8887->8823 8887->8828 8887->8830 8887->8832 8887->8838 8887->8839 8887->8841 8887->8842 8887->8847 8887->8848 8887->8849 8887->8851 8887->8852 8887->8853 8887->8854 8887->8855 8887->8858 8887->8859 8887->8860 8887->8865 8887->8869 8887->8870 8887->8871 8887->8876 8887->8877 8887->8882 8887->8884 8887->8886 8889 7ff746c1fc53 _wcsicmp 8887->8889 8889->8818 8889->8887 8890->8818 9476 7ff746c204ac memset GetCurrentProcess OpenProcessToken 8890->9476 8893 7ff746c20083 RevertToSelf 8893->8818 8895 7ff746c16e64 26 API calls 8894->8895 8896 7ff746c21411 8895->8896 8897 7ff746c1e2f4 43 API calls 8896->8897 8898 7ff746c21426 8897->8898 8899 7ff746c16e64 26 API calls 8898->8899 8900 7ff746c2144f 8899->8900 8901 7ff746c1e2f4 43 API calls 8900->8901 8902 7ff746c21464 memmove 8901->8902 8903 7ff746c1e2f4 43 API calls 8902->8903 8904 7ff746c214a5 8903->8904 11516 7ff746c13e10 8904->11516 8906 7ff746c214b5 8907 7ff746c13e10 35 API calls 8906->8907 8908 7ff746c214c5 8907->8908 8909 7ff746c12da0 20 API calls 8908->8909 8910 7ff746c214cf 8909->8910 8911 7ff746c12da0 20 API calls 8910->8911 8912 7ff746c214d9 8911->8912 8913 7ff746c12da0 20 API calls 8912->8913 8914 7ff746c214e3 8913->8914 8915 7ff746c12da0 20 API calls 8914->8915 8916 7ff746c214ed SetLastError 8915->8916 11524 7ff746c13220 8916->11524 8919 7ff746c12364 3 API calls 8920 7ff746c2152a 8919->8920 8921 7ff746c12da0 20 API calls 8920->8921 8922 7ff746c21535 8921->8922 8923 7ff746c2c270 8 API calls 8922->8923 8924 7ff746c21543 8923->8924 8924->8665 8926 7ff746c16f79 8925->8926 8927 7ff746c16e90 8925->8927 8928 7ff746c12e04 22 API calls 8926->8928 8930 7ff746c16ed9 ??2@YAPEAX_K 8927->8930 8931 7ff746c16f00 8927->8931 8929 7ff746c16f7e 8928->8929 8934 7ff746c2c810 19 API calls 8929->8934 8930->8929 8932 7ff746c16ef2 8930->8932 8931->8932 8933 7ff746c16f05 ??2@YAPEAX_K 8931->8933 8935 7ff746c16f14 memmove 8932->8935 8933->8935 8938 7ff746c16f84 8934->8938 8936 7ff746c16f62 8935->8936 8937 7ff746c16f35 8935->8937 8941 7ff746c1e2f4 8936->8941 8937->8929 8939 7ff746c16f5d ??3@YAXPEAX 8937->8939 8940 7ff746c16f5a 8937->8940 8939->8936 8940->8939 11543 7ff746c179b8 8941->11543 8944 7ff746c12b9c 22 API calls 8945 7ff746c1e34e 8944->8945 8946 7ff746c1e385 8945->8946 8947 7ff746c1e380 ??3@YAXPEAX 8945->8947 8949 7ff746c1e37d 8945->8949 8950 7ff746c1e3b0 8945->8950 8948 7ff746c2c270 8 API calls 8946->8948 8947->8946 8951 7ff746c1e3a5 8948->8951 8949->8947 8952 7ff746c2c810 19 API calls 8950->8952 8954 7ff746c21020 8951->8954 8953 7ff746c1e3b5 8952->8953 8955 7ff746c16e64 26 API calls 8954->8955 8956 7ff746c2107f 8955->8956 8957 7ff746c1e2f4 43 API calls 8956->8957 8958 7ff746c21094 memmove 8957->8958 8959 7ff746c1e2f4 43 API calls 8958->8959 8960 7ff746c210db 8959->8960 8961 7ff746c13f24 31 API calls 8960->8961 8962 7ff746c210eb 8961->8962 8963 7ff746c13e10 35 API calls 8962->8963 8964 7ff746c210fb 8963->8964 8965 7ff746c12da0 20 API calls 8964->8965 8966 7ff746c21105 8965->8966 8967 7ff746c12da0 20 API calls 8966->8967 8968 7ff746c2110f 8967->8968 8969 7ff746c12da0 20 API calls 8968->8969 8970 7ff746c21119 8969->8970 8971 7ff746c13220 16 API calls 8970->8971 8972 7ff746c21144 8971->8972 8973 7ff746c12da0 20 API calls 8972->8973 8974 7ff746c2114e 8973->8974 8975 7ff746c2c270 8 API calls 8974->8975 8976 7ff746c20f3f 8975->8976 8976->8686 8978 7ff746c245c2 8977->8978 8978->8978 8979 7ff746c245d1 memmove 8978->8979 8980 7ff746c245f3 8978->8980 8983 7ff746c20f79 8979->8983 8982 7ff746c16e64 26 API calls 8980->8982 8982->8983 8983->8676 8985 7ff746c25e11 8984->8985 8990 7ff746c25e26 8984->8990 8987 7ff746c25e16 8985->8987 8985->8990 8986 7ff746c20fda ??3@YAXPEAX 8986->8681 8988 7ff746c12fe4 22 API calls 8987->8988 8988->8986 8990->8986 11624 7ff746c25e94 8990->11624 8992 7ff746c2c27a 8991->8992 8993 7ff746c21003 8992->8993 8994 7ff746c2c610 IsProcessorFeaturePresent 8992->8994 8995 7ff746c2c628 8994->8995 11630 7ff746c2c6f0 RtlCaptureContext 8995->11630 9001 7ff746c122df 9000->9001 9002 7ff746c122c6 GetModuleFileNameW 9000->9002 9013 7ff746c11b8c 9001->9013 9005 7ff746c1231b 9002->9005 9006 7ff746c1231e wcslen 9002->9006 9005->9006 9007 7ff746c12340 9006->9007 9009 7ff746c1232c 9006->9009 9008 7ff746c12f04 27 API calls 9007->9008 9008->9009 9009->8697 9011 7ff746c12f59 9010->9011 9066 7ff746c11eb0 9011->9066 9014 7ff746c11bb9 9013->9014 9015 7ff746c11c74 9013->9015 9025 7ff746c12e98 9014->9025 9033 7ff746c12e04 9015->9033 9018 7ff746c11c79 9046 7ff746c2c810 9018->9046 9021 7ff746c11c5d 9021->9002 9023 7ff746c11c58 ??3@YAXPEAX 9023->9021 9024 7ff746c11c55 9024->9023 9026 7ff746c12ee7 9025->9026 9027 7ff746c12ebe ??2@YAPEAX_K 9025->9027 9028 7ff746c12eee ??2@YAPEAX_K 9026->9028 9029 7ff746c11c02 9026->9029 9027->9026 9030 7ff746c12efb 9027->9030 9028->9029 9029->9018 9029->9021 9029->9023 9029->9024 9031 7ff746c2c810 19 API calls 9030->9031 9032 7ff746c12f00 9031->9032 9050 7ff746c2a470 9033->9050 9047 7ff746c2c82c 9046->9047 9057 7ff746c2c850 IsProcessorFeaturePresent 9047->9057 9053 7ff746c2a420 9050->9053 9052 7ff746c2a481 9056 7ff746c2b190 ??0exception@@QEAA@AEBQEBD 9053->9056 9055 7ff746c2a42e 9055->9052 9056->9055 9058 7ff746c2c87a 9057->9058 9059 7ff746c2c88b memset memset RtlCaptureContext RtlLookupFunctionEntry 9058->9059 9060 7ff746c2c932 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9059->9060 9061 7ff746c2c8f5 RtlVirtualUnwind 9059->9061 9062 7ff746c2c9a1 GetCurrentProcess TerminateProcess 9060->9062 9063 7ff746c2c995 9060->9063 9061->9060 9064 7ff746c2c270 8 API calls 9062->9064 9063->9062 9065 7ff746c2c844 9064->9065 9067 7ff746c11ee2 9066->9067 9080 7ff746c11fe7 9066->9080 9069 7ff746c12e98 21 API calls 9067->9069 9068 7ff746c12e04 22 API calls 9070 7ff746c11fed 9068->9070 9071 7ff746c11f2f 9069->9071 9072 7ff746c11fa7 memmove 9071->9072 9073 7ff746c11f4b memmove 9071->9073 9076 7ff746c11fb6 9072->9076 9074 7ff746c11f5d 9073->9074 9075 7ff746c11f9d ??3@YAXPEAX 9074->9075 9077 7ff746c11f9a 9074->9077 9078 7ff746c11fe2 9074->9078 9075->9076 9077->9075 9079 7ff746c2c810 19 API calls 9078->9079 9079->9080 9080->9068 9082 7ff746c11b80 9081->9082 9083 7ff746c11ad4 9081->9083 9084 7ff746c12e04 22 API calls 9082->9084 9086 7ff746c12e98 21 API calls 9083->9086 9085 7ff746c11b85 9084->9085 9088 7ff746c2c810 19 API calls 9085->9088 9087 7ff746c11b0f memmove 9086->9087 9089 7ff746c11b38 9087->9089 9090 7ff746c11b69 9087->9090 9091 7ff746c11b8b 9088->9091 9089->9085 9092 7ff746c11b64 ??3@YAXPEAX 9089->9092 9093 7ff746c11b61 9089->9093 9090->8710 9092->9090 9093->9092 9095 7ff746c12e7e 9094->9095 9096 7ff746c12e55 ??2@YAPEAX_K 9094->9096 9097 7ff746c12e8d 9095->9097 9098 7ff746c12e85 ??2@YAPEAX_K 9095->9098 9099 7ff746c12e6d 9096->9099 9100 7ff746c12e92 9096->9100 9097->8717 9098->9097 9099->8717 9101 7ff746c2c810 19 API calls 9100->9101 9102 7ff746c12e97 9101->9102 9104 7ff746c2a470 ??0exception@@QEAA@AEBQEBD 9103->9104 9105 7ff746c12e28 9104->9105 9106 7ff746c12e7e 9105->9106 9107 7ff746c12e55 ??2@YAPEAX_K 9105->9107 9108 7ff746c12e8d 9106->9108 9109 7ff746c12e85 ??2@YAPEAX_K 9106->9109 9110 7ff746c12e6d 9107->9110 9111 7ff746c12e92 9107->9111 9108->8718 9109->9108 9110->8718 9112 7ff746c2c810 19 API calls 9111->9112 9113 7ff746c12e97 9112->9113 9117 7ff746c13016 9114->9117 9120 7ff746c1282b 9114->9120 9116 7ff746c12da0 20 API calls 9116->9117 9117->9116 9118 7ff746c12da0 20 API calls 9117->9118 9148 7ff746c12ca0 9117->9148 9119 7ff746c13039 ??3@YAXPEAX 9118->9119 9119->9117 9119->9120 9121 7ff746c12478 9120->9121 9122 7ff746c124f1 9121->9122 9124 7ff746c124fd 9121->9124 9155 7ff746c11c80 9122->9155 9126 7ff746c125a0 9124->9126 9129 7ff746c12597 9124->9129 9170 7ff746c11d84 9124->9170 9127 7ff746c125d7 9126->9127 9128 7ff746c125f1 9126->9128 9130 7ff746c12b9c 22 API calls 9127->9130 9185 7ff746c111a0 9128->9185 9129->9126 9132 7ff746c12f04 27 API calls 9129->9132 9140 7ff746c125eb 9130->9140 9132->9126 9133 7ff746c1278d 9134 7ff746c12da0 20 API calls 9133->9134 9135 7ff746c12796 9134->9135 9136 7ff746c2c270 8 API calls 9135->9136 9137 7ff746c127a5 9136->9137 9137->8739 9138 7ff746c12b9c 22 API calls 9138->9140 9139 7ff746c111a0 30 API calls 9139->9140 9140->9133 9140->9138 9140->9139 9141 7ff746c11d84 27 API calls 9140->9141 9141->9140 9143 7ff746c1208d 9142->9143 9147 7ff746c120c2 9143->9147 9214 7ff746c11120 9143->9214 9145 7ff746c120e9 9217 7ff746c11560 9145->9217 9147->8739 9149 7ff746c12cf2 9148->9149 9151 7ff746c12cbb 9148->9151 9149->9117 9150 7ff746c12ca0 20 API calls 9150->9151 9151->9150 9152 7ff746c12da0 20 API calls 9151->9152 9153 7ff746c12da0 20 API calls 9151->9153 9152->9151 9154 7ff746c12cdc ??3@YAXPEAX 9153->9154 9154->9149 9154->9151 9156 7ff746c11d7b 9155->9156 9158 7ff746c11cb0 9155->9158 9157 7ff746c12e04 22 API calls 9156->9157 9159 7ff746c11d81 9157->9159 9160 7ff746c12e98 21 API calls 9158->9160 9161 7ff746c11cfd 9160->9161 9162 7ff746c11d57 memmove 9161->9162 9163 7ff746c11d19 memmove 9161->9163 9166 7ff746c11d5f 9162->9166 9164 7ff746c11d4d ??3@YAXPEAX 9163->9164 9165 7ff746c11d35 9163->9165 9164->9166 9167 7ff746c11d4a 9165->9167 9168 7ff746c11d76 9165->9168 9166->9124 9167->9164 9169 7ff746c2c810 19 API calls 9168->9169 9169->9156 9171 7ff746c11dbe 9170->9171 9184 7ff746c11ea7 9170->9184 9174 7ff746c12e98 21 API calls 9171->9174 9172 7ff746c12e04 22 API calls 9173 7ff746c11ead 9172->9173 9175 7ff746c11e0b 9174->9175 9176 7ff746c11e70 memmove 9175->9176 9177 7ff746c11e25 memmove 9175->9177 9180 7ff746c11e85 9176->9180 9178 7ff746c11e4e 9177->9178 9179 7ff746c11e66 ??3@YAXPEAX 9177->9179 9181 7ff746c11ea2 9178->9181 9182 7ff746c11e63 9178->9182 9179->9180 9180->9124 9183 7ff746c2c810 19 API calls 9181->9183 9182->9179 9183->9184 9184->9172 9186 7ff746c112cc 9185->9186 9187 7ff746c111ec 9185->9187 9188 7ff746c12e18 22 API calls 9186->9188 9190 7ff746c12e2c 21 API calls 9187->9190 9189 7ff746c112d1 9188->9189 9191 7ff746c1122c 9190->9191 9192 7ff746c12b9c 22 API calls 9191->9192 9193 7ff746c11267 9192->9193 9194 7ff746c11289 9193->9194 9200 7ff746c12120 9193->9200 9196 7ff746c12120 memmove 9194->9196 9197 7ff746c112a4 9196->9197 9204 7ff746c12ae4 9197->9204 9201 7ff746c1218c 9200->9201 9202 7ff746c12143 9200->9202 9201->9194 9203 7ff746c12150 memmove 9202->9203 9203->9201 9203->9203 9205 7ff746c12b10 9204->9205 9206 7ff746c112b6 9204->9206 9207 7ff746c12b2a 9205->9207 9208 7ff746c12da0 20 API calls 9205->9208 9206->9140 9209 7ff746c12b59 ??3@YAXPEAX 9207->9209 9210 7ff746c12b93 9207->9210 9211 7ff746c12b56 9207->9211 9208->9205 9209->9206 9212 7ff746c2c810 19 API calls 9210->9212 9211->9209 9213 7ff746c12b98 9212->9213 9220 7ff746c12aa4 ??2@YAPEAX_K 9214->9220 9216 7ff746c11147 9216->9145 9218 7ff746c115ca 9217->9218 9221 7ff746c11878 9218->9221 9220->9216 9225 7ff746c118c8 9221->9225 9222 7ff746c11966 9234 7ff746c112d4 9222->9234 9224 7ff746c11995 9227 7ff746c119ff 9224->9227 9228 7ff746c119d3 9224->9228 9225->9222 9225->9224 9226 7ff746c11983 9230 7ff746c12da0 20 API calls 9227->9230 9229 7ff746c112d4 21 API calls 9228->9229 9229->9226 9231 7ff746c11a08 9230->9231 9232 7ff746c12da0 20 API calls 9231->9232 9233 7ff746c11a11 ??3@YAXPEAX 9232->9233 9233->9226 9235 7ff746c11544 9234->9235 9240 7ff746c12c68 9235->9240 9241 7ff746c12da0 20 API calls 9240->9241 9242 7ff746c12c7e 9241->9242 9243 7ff746c12da0 20 API calls 9242->9243 9244 7ff746c12c87 9243->9244 9252 7ff746c13108 memset VerSetConditionMask VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 9245->9252 9248 7ff746c131e9 GetModuleHandleW 9249 7ff746c13215 ChangeWindowMessageFilter ChangeWindowMessageFilter 9248->9249 9250 7ff746c131fb GetProcAddress 9248->9250 9249->8659 9250->9249 9251 7ff746c1320e 9250->9251 9251->9249 9253 7ff746c2c270 8 API calls 9252->9253 9254 7ff746c131c6 9253->9254 9254->9248 9254->9249 9256 7ff746c2bb66 9255->9256 9263 7ff746c1e04b 9255->9263 9271 7ff746c2b8e4 9256->9271 9259 7ff746c2bb89 9281 7ff746c2b9e4 9259->9281 9260 7ff746c2bb81 9262 7ff746c2bb97 GetProcessHeap HeapFree 9260->9262 9260->9263 9262->9263 9263->8768 9263->8776 9265 7ff746c1e083 9264->9265 9266 7ff746c2bc75 9264->9266 9265->8774 9265->8775 9266->9265 9267 7ff746c2bcdc 9266->9267 9268 7ff746c2bca0 GetCurrentProcess FlushInstructionCache 9266->9268 9269 7ff746c2b8e4 10 API calls 9267->9269 9268->9265 9269->9265 9272 7ff746c2b8fa 9271->9272 9273 7ff746c2b908 LoadLibraryExA 9271->9273 9274 7ff746c2b8fd DecodePointer 9272->9274 9275 7ff746c2b929 GetProcAddress 9273->9275 9276 7ff746c2b9d5 9273->9276 9274->9276 9275->9276 9277 7ff746c2b942 EncodePointer GetProcAddress 9275->9277 9276->9259 9276->9260 9277->9276 9278 7ff746c2b967 EncodePointer GetProcAddress 9277->9278 9278->9276 9279 7ff746c2b98c EncodePointer GetProcAddress 9278->9279 9279->9276 9280 7ff746c2b9b1 EncodePointer 9279->9280 9280->9274 9282 7ff746c2ba0a InterlockedPopEntrySList 9281->9282 9283 7ff746c2b9fa 9281->9283 9285 7ff746c2ba18 memset 9282->9285 9286 7ff746c2ba2b VirtualAlloc 9282->9286 9294 7ff746c2babc 9283->9294 9289 7ff746c2baad 9285->9289 9287 7ff746c2ba49 RaiseException 9286->9287 9288 7ff746c2ba60 InterlockedPopEntrySList 9286->9288 9287->9289 9291 7ff746c2ba77 VirtualFree 9288->9291 9292 7ff746c2ba8d 9288->9292 9289->9260 9291->9289 9293 7ff746c2ba94 InterlockedPushEntrySList 9292->9293 9293->9289 9293->9293 9295 7ff746c2bad8 GetProcessHeap HeapAlloc 9294->9295 9296 7ff746c2b9ff 9294->9296 9295->9296 9297 7ff746c2baf8 InitializeSListHead 9295->9297 9296->9282 9296->9287 9297->9296 9298 7ff746c2bb0b GetProcessHeap HeapFree 9297->9298 9298->9296 9494 7ff746c13398 GetSystemWindowsDirectoryW 9299->9494 9302 7ff746c1bc82 _wcsicmp 9302->8816 9302->8817 9305 7ff746c1bc79 9508 7ff746c1eb58 GetModuleHandleW 9305->9508 9308 7ff746c1e768 9307->9308 9309 7ff746c1eaf5 9307->9309 9312 7ff746c12288 30 API calls 9308->9312 9310 7ff746c2c270 8 API calls 9309->9310 9311 7ff746c1eb06 9310->9311 9311->8821 9313 7ff746c1e782 CopyFileW 9312->9313 9315 7ff746c12da0 20 API calls 9313->9315 9316 7ff746c1e7a4 9315->9316 9317 7ff746c12f78 27 API calls 9316->9317 9318 7ff746c1e7cc 9317->9318 11454 7ff746c13eb4 9318->11454 9320 7ff746c1e7de 11458 7ff746c13f24 9320->11458 9322 7ff746c1e7f2 9323 7ff746c12da0 20 API calls 9322->9323 9324 7ff746c1e7fd 9323->9324 9325 7ff746c12da0 20 API calls 9324->9325 9350 7ff746c1e807 9325->9350 9326 7ff746c1e9dd RegCreateKeyExW 9328 7ff746c1eacc 9326->9328 9333 7ff746c1ea21 9326->9333 9327 7ff746c1bf34 22 API calls 9327->9350 9329 7ff746c12da0 20 API calls 9328->9329 9332 7ff746c1ead8 9329->9332 9330 7ff746c13f98 35 API calls 9330->9350 9334 7ff746c1eaec 9332->9334 9335 7ff746c1eae2 RegCloseKey 9332->9335 9333->9328 11478 7ff746c1f628 wcslen RegSetValueExW 9333->11478 9337 7ff746c12da0 20 API calls 9334->9337 9335->9334 9336 7ff746c13eb4 31 API calls 9336->9350 9337->9309 9338 7ff746c13f24 31 API calls 9338->9350 9339 7ff746c12da0 20 API calls 9339->9350 9341 7ff746c1eb23 9342 7ff746c12da0 20 API calls 9341->9342 9343 7ff746c1eb2c 9342->9343 9344 7ff746c12da0 20 API calls 9343->9344 9346 7ff746c1eb39 9344->9346 9345 7ff746c24530 30 API calls 9345->9350 9347 7ff746c12da0 20 API calls 9346->9347 9348 7ff746c1eb45 9347->9348 9349 7ff746c12da0 20 API calls 9348->9349 9349->9328 9350->9326 9350->9327 9350->9330 9350->9336 9350->9338 9350->9339 9350->9341 9350->9345 11462 7ff746c1ddc4 RegCreateKeyExW 9350->11462 9352 7ff746c22c2a GetFileAttributesW 9351->9352 9353 7ff746c22cfc 9351->9353 9356 7ff746c22c4b 9352->9356 9357 7ff746c22c4e SetFileAttributesW 9352->9357 9355 7ff746c2c270 8 API calls 9353->9355 9358 7ff746c22d0c 9355->9358 9356->9357 9359 7ff746c22c63 9357->9359 9360 7ff746c22c66 DeleteFileW 9357->9360 9358->8829 9359->9360 9361 7ff746c22c70 MoveFileExW 9360->9361 9368 7ff746c22c89 9360->9368 9361->9368 9363 7ff746c22ce8 RegDeleteTreeW 9363->9353 9364 7ff746c1bf34 22 API calls 9365 7ff746c22ca0 RegDeleteTreeW 9364->9365 9366 7ff746c12da0 20 API calls 9365->9366 9366->9368 9367 7ff746c12da0 20 API calls 9367->9368 9368->9363 9368->9364 9368->9367 9370 7ff746c1f821 9369->9370 9378 7ff746c24106 9369->9378 9370->8845 9370->8846 9371 7ff746c2417c ??3@YAXPEAX 9371->9370 9372 7ff746c24132 9372->9371 9374 7ff746c24179 9372->9374 9375 7ff746c241a2 9372->9375 9373 7ff746c12da0 20 API calls 9373->9378 9374->9371 9376 7ff746c2c810 19 API calls 9375->9376 9377 7ff746c241a7 9376->9377 9378->9372 9378->9373 9380 7ff746c20aae GetTokenInformation 9379->9380 9381 7ff746c20ad2 9379->9381 9380->9381 9382 7ff746c20add CloseHandle 9381->9382 9383 7ff746c20ae3 9381->9383 9382->9383 9384 7ff746c2c270 8 API calls 9383->9384 9385 7ff746c1f89a 9384->9385 9385->8795 9386 7ff746c20b00 9385->9386 9387 7ff746c20880 19 API calls 9386->9387 9388 7ff746c20b3a 9387->9388 9389 7ff746c20b61 9388->9389 9390 7ff746c21168 16 API calls 9388->9390 9391 7ff746c20b6c CloseHandle 9389->9391 9392 7ff746c20b72 9389->9392 9393 7ff746c20b4c 9390->9393 9391->9392 9394 7ff746c2c270 8 API calls 9392->9394 9393->9389 9395 7ff746c20b52 SetThreadToken 9393->9395 9396 7ff746c1f8b5 9394->9396 9395->9389 9396->8795 9396->8805 11482 7ff746c13508 OpenSCManagerW 9397->11482 9400 7ff746c207d6 9402 7ff746c2c270 8 API calls 9400->9402 9403 7ff746c1fe41 9402->9403 9403->8818 9403->8872 9405 7ff746c2125f 9404->9405 9406 7ff746c211c3 malloc 9404->9406 9407 7ff746c2c270 8 API calls 9405->9407 9408 7ff746c21247 SetLastError 9406->9408 9409 7ff746c211d4 GetTokenInformation 9406->9409 9411 7ff746c2126e 9407->9411 9410 7ff746c21252 9408->9410 9409->9410 9414 7ff746c211fa 9409->9414 9410->9405 9412 7ff746c21257 free 9410->9412 9411->8879 9412->9405 9413 7ff746c2121a AdjustTokenPrivileges GetLastError 9413->9410 9414->9413 9414->9414 9416 7ff746c21317 9415->9416 9417 7ff746c212eb SetTokenInformation 9415->9417 9418 7ff746c21327 9416->9418 9419 7ff746c21321 FreeSid 9416->9419 9417->9416 9420 7ff746c2c270 8 API calls 9418->9420 9419->9418 9421 7ff746c21336 9420->9421 9421->8890 9423 7ff746c20a68 12 API calls 9422->9423 9429 7ff746c208d6 9423->9429 9424 7ff746c20951 WTSFreeMemory 9425 7ff746c20956 9424->9425 9426 7ff746c2c270 8 API calls 9425->9426 9427 7ff746c20965 9426->9427 9427->8880 9428 7ff746c2093c SetLastError 9432 7ff746c20947 9428->9432 9429->9428 9430 7ff746c20986 9429->9430 9429->9432 9431 7ff746c206a0 13 API calls 9430->9431 9431->9432 9432->9424 9432->9425 9434 7ff746c2082a 9433->9434 9435 7ff746c20830 DuplicateTokenEx 9434->9435 9436 7ff746c20855 9434->9436 9435->9436 9437 7ff746c20860 CloseHandle 9436->9437 9438 7ff746c20866 9436->9438 9437->9438 9439 7ff746c2c270 8 API calls 9438->9439 9440 7ff746c20875 9439->9440 9440->8880 9442 7ff746c2019d 9441->9442 9443 7ff746c20444 9441->9443 9446 7ff746c21284 11 API calls 9442->9446 9444 7ff746c20457 9443->9444 9445 7ff746c2044d FreeSid 9443->9445 9448 7ff746c2045c free 9444->9448 9449 7ff746c20464 9444->9449 9445->9444 9447 7ff746c201ab 9446->9447 9447->9443 9450 7ff746c201b6 GetTokenInformation GetLastError 9447->9450 9448->9449 9451 7ff746c20469 free 9449->9451 9452 7ff746c20471 9449->9452 9453 7ff746c201e9 malloc 9450->9453 9454 7ff746c20425 9450->9454 9451->9452 9455 7ff746c2047b CloseHandle 9452->9455 9456 7ff746c20481 9452->9456 9458 7ff746c20209 GetTokenInformation 9453->9458 9459 7ff746c201f9 SetLastError 9453->9459 9454->9443 9462 7ff746c2043c free 9454->9462 9455->9456 9457 7ff746c2c270 8 API calls 9456->9457 9460 7ff746c20490 9457->9460 9458->9443 9461 7ff746c20233 SetTokenInformation 9458->9461 9459->9454 9460->8879 9461->9443 9463 7ff746c2025d GetTokenInformation GetLastError 9461->9463 9462->9443 9463->9454 9464 7ff746c20290 malloc 9463->9464 9464->9459 9465 7ff746c202a4 GetTokenInformation 9464->9465 9465->9443 9466 7ff746c202ce AllocateAndInitializeSid 9465->9466 9466->9443 9467 7ff746c2031b GetLengthSid malloc 9466->9467 9467->9459 9468 7ff746c2034c InitializeAcl 9467->9468 9468->9454 9469 7ff746c2036e AddAccessAllowedAce 9468->9469 9469->9454 9470 7ff746c20392 GetAce 9469->9470 9472 7ff746c20399 EqualSid 9470->9472 9473 7ff746c203e6 SetTokenInformation 9470->9473 9472->9470 9475 7ff746c203af AddAce 9472->9475 9473->9454 9474 7ff746c2040a SetTokenInformation 9473->9474 9474->9454 9475->9470 9477 7ff746c20668 9476->9477 9482 7ff746c20567 9476->9482 9478 7ff746c20677 CloseHandle 9477->9478 9479 7ff746c2067d 9477->9479 9478->9479 9480 7ff746c2c270 8 API calls 9479->9480 9481 7ff746c2007f 9480->9481 9481->8818 9481->8893 9482->9477 9483 7ff746c12f78 27 API calls 9482->9483 9484 7ff746c205b3 9483->9484 11509 7ff746c209a8 9484->11509 9486 7ff746c205c2 CreateProcessAsUserW 9488 7ff746c12da0 20 API calls 9486->9488 9489 7ff746c20613 9488->9489 9490 7ff746c12da0 20 API calls 9489->9490 9491 7ff746c2061e 9490->9491 9492 7ff746c2065f DestroyEnvironmentBlock 9491->9492 9493 7ff746c20622 SetPriorityClass ResumeThread WaitForSingleObjectEx CloseHandle CloseHandle 9491->9493 9492->9477 9493->9492 9495 7ff746c1341a 9494->9495 9496 7ff746c133c3 9494->9496 9559 7ff746c12364 GetLastError 9495->9559 9498 7ff746c12f04 27 API calls 9496->9498 9500 7ff746c133cc GetSystemWindowsDirectoryW 9496->9500 9498->9500 9499 7ff746c1340b 9499->9302 9502 7ff746c24530 9499->9502 9500->9495 9500->9499 9503 7ff746c24581 9502->9503 9504 7ff746c24555 memmove 9502->9504 9562 7ff746c16f88 9503->9562 9507 7ff746c1bc51 RegOpenKeyExW 9504->9507 9507->9302 9507->9305 9577 7ff746c13450 9508->9577 9511 7ff746c1f094 9513 7ff746c2c270 8 API calls 9511->9513 9515 7ff746c1f0a3 9513->9515 9515->9302 9560 7ff746c1237d GetLastError 9559->9560 9561 7ff746c12372 GetLastError 9559->9561 9560->9499 9561->9560 9563 7ff746c170c7 9562->9563 9565 7ff746c16fbf 9562->9565 9564 7ff746c12e04 22 API calls 9563->9564 9566 7ff746c170cd 9564->9566 9567 7ff746c12e98 21 API calls 9565->9567 9568 7ff746c1700c 9567->9568 9569 7ff746c17037 memmove memmove 9568->9569 9570 7ff746c1708a memmove memmove 9568->9570 9572 7ff746c17068 9569->9572 9573 7ff746c17080 ??3@YAXPEAX 9569->9573 9571 7ff746c170a7 9570->9571 9571->9507 9574 7ff746c1707d 9572->9574 9575 7ff746c170c2 9572->9575 9573->9571 9574->9573 9576 7ff746c2c810 19 API calls 9575->9576 9576->9563 9578 7ff746c1347c SetLastError FindResourceExW 9577->9578 9579 7ff746c13475 9577->9579 9580 7ff746c134d2 GetLastError 9578->9580 9581 7ff746c134a6 SizeofResource LoadResource 9578->9581 9579->9511 9585 7ff746c1b7f4 9579->9585 9583 7ff746c134dc GetLastError 9580->9583 9584 7ff746c134e4 GetLastError 9580->9584 9581->9580 9582 7ff746c134c5 LockResource 9581->9582 9582->9580 9583->9579 9584->9579 9586 7ff746c1b83e 9585->9586 9587 7ff746c1b81f memmove 9585->9587 9589 7ff746c16e64 26 API calls 9586->9589 9590 7ff746c1b84c 9587->9590 9589->9590 9591 7ff746c1376c 9590->9591 9592 7ff746c137b2 9591->9592 9593 7ff746c13804 9591->9593 9707 7ff746c19904 ??2@YAPEAX_K 9592->9707 9594 7ff746c19904 ??2@YAPEAX_K 9593->9594 9597 7ff746c137c3 9594->9597 9596 7ff746c2c270 8 API calls 9598 7ff746c13865 9596->9598 9597->9596 9599 7ff746c275e4 9598->9599 9709 7ff746c1c36c 9599->9709 9708 7ff746c19933 9707->9708 9708->9597 9710 7ff746c1c388 9709->9710 9716 7ff746c1c3b3 9709->9716 9711 7ff746c1c38d 9710->9711 9712 7ff746c1c3e2 9710->9712 9714 7ff746c1c3c8 ??2@YAPEAX_K 9711->9714 9715 7ff746c1c392 9711->9715 9827 7ff746c17c48 ??2@YAPEAX_K 9712->9827 9714->9716 9717 7ff746c1c3ba 9715->9717 9719 7ff746c1c397 9715->9719 9724 7ff746c1ba18 9716->9724 9822 7ff746c17b58 ??2@YAPEAX_K 9717->9822 9719->9716 9832 7ff746c1b7cc 9719->9832 9725 7ff746c1ba53 9724->9725 9955 7ff746c282a0 9725->9955 9727 7ff746c1ba80 9728 7ff746c27734 9727->9728 9729 7ff746c279e8 memset 9728->9729 9730 7ff746c27789 memset 9728->9730 10414 7ff746c1a6a8 memset 9729->10414 9733 7ff746c277b7 9730->9733 10062 7ff746c1b860 9733->10062 9734 7ff746c27bc6 9736 7ff746c27c39 9734->9736 9737 7ff746c27bcc 9734->9737 9741 7ff746c279e3 9736->9741 9745 7ff746c27c6a ??3@YAXPEAX 9736->9745 9751 7ff746c27c9a 9736->9751 9740 7ff746c1c36c 53 API calls 9737->9740 9738 7ff746c282a0 35 API calls 9742 7ff746c27a3c 9738->9742 9744 7ff746c27bdd 9740->9744 9747 7ff746c2c270 8 API calls 9741->9747 9742->9734 9746 7ff746c27a4c memmove 9742->9746 9750 7ff746c255c0 29 API calls 9744->9750 9745->9741 9752 7ff746c26088 51 API calls 9746->9752 9753 7ff746c2769d 9747->9753 9756 7ff746c27c05 9750->9756 9754 7ff746c2c810 19 API calls 9751->9754 9759 7ff746c27a8a 9752->9759 9810 7ff746c1cb50 9753->9810 9760 7ff746c27c9f 9754->9760 9756->9741 9756->9745 9756->9760 9773 7ff746c27c37 9756->9773 9764 7ff746c24e54 60 API calls 9759->9764 9771 7ff746c2c810 19 API calls 9760->9771 9769 7ff746c27ab3 9764->9769 9770 7ff746c26948 23 API calls 9769->9770 9775 7ff746c27ac4 9770->9775 9776 7ff746c27ca5 9771->9776 9773->9745 9781 7ff746c2c810 19 API calls 9776->9781 9784 7ff746c27cab 9781->9784 9811 7ff746c1cb94 9810->9811 9812 7ff746c1cb63 9810->9812 9814 7ff746c1cc24 9811->9814 9815 7ff746c1cbd6 ??3@YAXPEAX 9811->9815 9817 7ff746c1cbd3 9811->9817 9818 7ff746c1cbea 9811->9818 9813 7ff746c1cb8f ??3@YAXPEAX 9812->9813 9812->9814 9813->9811 9816 7ff746c2c810 19 API calls 9814->9816 9815->9818 9817->9815 9823 7ff746c245ac 27 API calls 9822->9823 9824 7ff746c17bb5 9823->9824 9825 7ff746c2c270 8 API calls 9824->9825 9826 7ff746c17bc6 9825->9826 9826->9716 9858 7ff746c22e1c ??2@YAPEAX_K 9827->9858 9829 7ff746c17c93 9830 7ff746c2c270 8 API calls 9829->9830 9831 7ff746c17ca6 9830->9831 9831->9716 9833 7ff746c245ac 27 API calls 9832->9833 9834 7ff746c1b7ea 9833->9834 9835 7ff746c24a74 memmove 9834->9835 9859 7ff746c270bc 9835->9859 9858->9829 9895 7ff746c16ab4 9859->9895 9864 7ff746c244b8 23 API calls 9865 7ff746c2711b memmove 9864->9865 9915 7ff746c13bc8 9865->9915 9896 7ff746c16ae6 9895->9896 9896->9896 9897 7ff746c16b9f 9896->9897 9898 7ff746c16b91 9896->9898 9901 7ff746c16b6c memmove 9896->9901 9899 7ff746c2c270 8 API calls 9897->9899 9902 7ff746c16e64 26 API calls 9898->9902 9903 7ff746c16baf 9899->9903 9901->9897 9902->9897 9904 7ff746c13d38 9903->9904 9905 7ff746c13d82 9904->9905 9906 7ff746c13dae 9905->9906 9907 7ff746c13da0 9905->9907 9908 7ff746c13db4 9905->9908 9909 7ff746c244b8 23 API calls 9906->9909 9923 7ff746c17394 9907->9923 9908->9906 9927 7ff746c22d40 memmove 9908->9927 9910 7ff746c13dde 9909->9910 9912 7ff746c244b8 23 API calls 9910->9912 9914 7ff746c13df7 9912->9914 9914->9864 9916 7ff746c13bef 9915->9916 9917 7ff746c13c14 9915->9917 9916->9917 9924 7ff746c174be 9923->9924 9925 7ff746c12e04 22 API calls 9924->9925 9926 7ff746c174c3 9925->9926 9928 7ff746c22d87 ??3@YAXPEAX 9927->9928 9929 7ff746c22d6f 9927->9929 9928->9906 9930 7ff746c22da2 9929->9930 9931 7ff746c22d84 9929->9931 9932 7ff746c2c810 19 API calls 9930->9932 9931->9928 9933 7ff746c22da7 9932->9933 9956 7ff746c282b5 9955->9956 9957 7ff746c282b0 9955->9957 9960 7ff746c282ed 9956->9960 9961 7ff746c282b9 9956->9961 10023 7ff746c267e0 9956->10023 10016 7ff746c2948c 9957->10016 9964 7ff746c2835a 9960->9964 9965 7ff746c282f2 9960->9965 9961->9727 9962 7ff746c267e0 27 API calls 9962->9964 9963 7ff746c2833c 9966 7ff746c153f4 27 API calls 9963->9966 10015 7ff746c289ad 9963->10015 9964->9961 9964->9962 9965->9961 9965->9963 9969 7ff746c284c5 9965->9969 10027 7ff746c153f4 9965->10027 9966->10015 9968 7ff746c284f4 9973 7ff746c285fb 9968->9973 9975 7ff746c170d0 22 API calls 9968->9975 9970 7ff746c284e5 9969->9970 10043 7ff746c170d0 9969->10043 9970->9968 9974 7ff746c267e0 27 API calls 9970->9974 9992 7ff746c284f2 9970->9992 9979 7ff746c267e0 27 API calls 9973->9979 9976 7ff746c28543 9974->9976 9975->9973 9976->9968 9976->9992 9977 7ff746c267e0 27 API calls 9977->10015 9978 7ff746c170d0 22 API calls 9978->9992 9982 7ff746c285df 9979->9982 9980 7ff746c285e1 9983 7ff746c2c270 8 API calls 9980->9983 9981 7ff746c267e0 27 API calls 9981->9992 9984 7ff746c2873d 9982->9984 9987 7ff746c2864a 9982->9987 9989 7ff746c170d0 22 API calls 9982->9989 9986 7ff746c286a9 9983->9986 9988 7ff746c28755 9984->9988 9990 7ff746c170d0 22 API calls 9984->9990 9993 7ff746c2870f _errno 9984->9993 9985 7ff746c28a41 9985->9727 9986->9727 9991 7ff746c267e0 27 API calls 9987->9991 9996 7ff746c267e0 27 API calls 9988->9996 9989->9987 9990->9988 9995 7ff746c28684 9991->9995 9992->9978 9992->9980 9992->9981 9992->9982 9992->9984 9992->9993 9997 7ff746c288af _strtoui64 _errno 9993->9997 9998 7ff746c288d7 9993->9998 9995->9980 10008 7ff746c286c2 9995->10008 10000 7ff746c2878f 9996->10000 9997->9998 9999 7ff746c28912 strtod 9997->9999 9998->9999 10002 7ff746c288f6 _strtoi64 _errno 9998->10002 9999->9963 10004 7ff746c287bd 10000->10004 10007 7ff746c170d0 22 API calls 10000->10007 10012 7ff746c287f2 10000->10012 10002->9999 10011 7ff746c267e0 27 API calls 10004->10011 10005 7ff746c170d0 22 API calls 10005->10008 10006 7ff746c268a4 27 API calls 10006->10015 10007->10004 10008->9984 10008->9993 10008->10005 10009 7ff746c267e0 27 API calls 10008->10009 10009->10008 10010 7ff746c170d0 22 API calls 10010->10012 10011->10012 10012->9993 10012->10010 10013 7ff746c267e0 27 API calls 10012->10013 10013->10012 10014 7ff746c170d0 22 API calls 10014->10015 10015->9977 10015->9985 10015->10006 10015->10014 10047 7ff746c272dc 10015->10047 10017 7ff746c267e0 27 API calls 10016->10017 10018 7ff746c2949a 10017->10018 10019 7ff746c267e0 27 API calls 10018->10019 10021 7ff746c294b8 10018->10021 10020 7ff746c294a9 10019->10020 10020->10021 10022 7ff746c267e0 27 API calls 10020->10022 10021->9956 10022->10021 10025 7ff746c267f7 10023->10025 10024 7ff746c26823 10024->9956 10025->10024 10026 7ff746c153f4 27 API calls 10025->10026 10026->10024 10028 7ff746c1556f 10027->10028 10030 7ff746c15447 10027->10030 10029 7ff746c12e18 22 API calls 10028->10029 10031 7ff746c15574 10029->10031 10032 7ff746c154a8 10030->10032 10033 7ff746c1547d ??2@YAPEAX_K 10030->10033 10035 7ff746c2c810 19 API calls 10031->10035 10034 7ff746c154af ??2@YAPEAX_K 10032->10034 10037 7ff746c1549a 10032->10037 10033->10031 10033->10037 10034->10037 10036 7ff746c1557a 10035->10036 10038 7ff746c154fc memmove 10037->10038 10040 7ff746c154d3 10037->10040 10038->10040 10039 7ff746c15535 memmove 10054 7ff746c22ecc 10039->10054 10040->10039 10044 7ff746c1721c 10043->10044 10045 7ff746c12e04 22 API calls 10044->10045 10046 7ff746c17221 10045->10046 10048 7ff746c27326 10047->10048 10052 7ff746c27306 10047->10052 10049 7ff746c170d0 22 API calls 10048->10049 10049->10052 10050 7ff746c27397 10050->10015 10051 7ff746c267e0 27 API calls 10051->10052 10052->10050 10052->10051 10053 7ff746c170d0 22 API calls 10052->10053 10053->10052 10055 7ff746c1554f 10054->10055 10057 7ff746c22ef4 10054->10057 10055->9969 10056 7ff746c22f1c ??3@YAXPEAX 10056->10055 10057->10056 10058 7ff746c22f49 10057->10058 10059 7ff746c22f19 10057->10059 10060 7ff746c2c810 19 API calls 10058->10060 10059->10056 10061 7ff746c22f4e 10060->10061 10063 7ff746c1b8de 10062->10063 10064 7ff746c1c36c 53 API calls 10063->10064 10065 7ff746c1b906 10064->10065 10602 7ff746c23d80 10065->10602 10067 7ff746c1b94f 10068 7ff746c19a08 memset 10067->10068 10090 7ff746c19a80 10068->10090 10070 7ff746c1a1dc 10074 7ff746c1a2a8 10070->10074 10075 7ff746c1a1e5 10070->10075 10082 7ff746c245ac 27 API calls 10074->10082 10083 7ff746c245ac 27 API calls 10075->10083 10077 7ff746c1a363 10081 7ff746c26948 23 API calls 10077->10081 10079 7ff746c2c270 8 API calls 10085 7ff746c1a373 10081->10085 10086 7ff746c1a209 10083->10086 10090->10070 10090->10075 10090->10077 10097 7ff746c1a586 10090->10097 10098 7ff746c1a415 10090->10098 10099 7ff746c282a0 35 API calls 10090->10099 10101 7ff746c25808 47 API calls 10090->10101 10108 7ff746c25948 95 API calls 10090->10108 10111 7ff746c1a045 memmove 10090->10111 10115 7ff746c1a4c6 10090->10115 10119 7ff746c26d40 79 API calls 10090->10119 10156 7ff746c19dca 10090->10156 10160 7ff746c19eb0 10090->10160 10183 7ff746c23d80 24 API calls 10090->10183 10220 7ff746c19bd1 10090->10220 10623 7ff746c18e7c 10090->10623 10643 7ff746c18784 10090->10643 10665 7ff746c1805c 10090->10665 10687 7ff746c191e0 10090->10687 10707 7ff746c18b14 10090->10707 10727 7ff746c297f8 10090->10727 10748 7ff746c29504 10090->10748 10769 7ff746c2823c 10090->10769 10773 7ff746c183f8 10090->10773 10801 7ff746c27fbc 10090->10801 10105 7ff746c245ac 27 API calls 10097->10105 10107 7ff746c245ac 27 API calls 10098->10107 10099->10090 10101->10090 10112 7ff746c1a5aa 10105->10112 10114 7ff746c1a439 10107->10114 10108->10090 10120 7ff746c26088 51 API calls 10111->10120 10121 7ff746c26088 51 API calls 10112->10121 10123 7ff746c26088 51 API calls 10114->10123 10117 7ff746c245ac 27 API calls 10115->10117 10125 7ff746c1a4f0 10117->10125 10119->10090 10127 7ff746c1a095 10120->10127 10134 7ff746c26088 51 API calls 10125->10134 10136 7ff746c24e54 60 API calls 10127->10136 10165 7ff746c245ac 27 API calls 10156->10165 10170 7ff746c16e64 26 API calls 10160->10170 10173 7ff746c19dee 10165->10173 10177 7ff746c19ee2 10170->10177 10180 7ff746c26088 51 API calls 10173->10180 10185 7ff746c26088 51 API calls 10177->10185 10183->10090 10836 7ff746c1cec4 10220->10836 10432 7ff746c1a726 10414->10432 10416 7ff746c1cec4 23 API calls 10417 7ff746c1b270 10416->10417 10420 7ff746c2c270 8 API calls 10417->10420 10418 7ff746c1aec4 10423 7ff746c1af87 10418->10423 10424 7ff746c1aecd 10418->10424 10426 7ff746c1b281 10420->10426 10421 7ff746c1b046 10429 7ff746c26948 23 API calls 10421->10429 10430 7ff746c245ac 27 API calls 10423->10430 10431 7ff746c245ac 27 API calls 10424->10431 10426->9734 10426->9738 10436 7ff746c1b053 10429->10436 10434 7ff746c1afab 10430->10434 10437 7ff746c1aef1 10431->10437 10432->10418 10432->10421 10432->10424 10435 7ff746c282a0 35 API calls 10432->10435 10442 7ff746c1a9b0 10432->10442 10443 7ff746c1b1a7 10432->10443 10447 7ff746c2823c 24 API calls 10432->10447 10450 7ff746c27fbc 4 API calls 10432->10450 10457 7ff746c1b0f0 10432->10457 10459 7ff746c1ad30 memmove 10432->10459 10466 7ff746c178e8 59 API calls 10432->10466 10492 7ff746c1ab9e 10432->10492 10498 7ff746c1aac5 10432->10498 10518 7ff746c23d80 24 API calls 10432->10518 10553 7ff746c1b03e 10432->10553 11003 7ff746c19120 10432->11003 11012 7ff746c18a28 10432->11012 11028 7ff746c182f4 10432->11028 11044 7ff746c19490 10432->11044 11053 7ff746c18dbc 10432->11053 11062 7ff746c299c8 10432->11062 11075 7ff746c296d4 10432->11075 11087 7ff746c186a0 10432->11087 10439 7ff746c26088 51 API calls 10434->10439 10435->10432 10440 7ff746c13cd0 27 API calls 10436->10440 10441 7ff746c26088 51 API calls 10437->10441 10444 7ff746c1afc0 10439->10444 10445 7ff746c1b067 10440->10445 10446 7ff746c1af09 10441->10446 10448 7ff746c245ac 27 API calls 10442->10448 10449 7ff746c245ac 27 API calls 10443->10449 10451 7ff746c24e54 60 API calls 10444->10451 10452 7ff746c13c68 24 API calls 10445->10452 10453 7ff746c24e54 60 API calls 10446->10453 10447->10432 10455 7ff746c1a9d4 10448->10455 10458 7ff746c1b1cb 10449->10458 10450->10432 10456 7ff746c1afeb 10451->10456 10460 7ff746c1b07c 10452->10460 10454 7ff746c1af34 10453->10454 10463 7ff746c26948 23 API calls 10454->10463 10464 7ff746c26088 51 API calls 10455->10464 10461 7ff746c26948 23 API calls 10456->10461 10467 7ff746c245ac 27 API calls 10457->10467 10468 7ff746c26088 51 API calls 10458->10468 10465 7ff746c26088 51 API calls 10459->10465 10462 7ff746c24c64 47 API calls 10460->10462 10474 7ff746c1affc 10461->10474 10469 7ff746c1b08e 10462->10469 10470 7ff746c1af45 10463->10470 10471 7ff746c1a9e9 10464->10471 10472 7ff746c1ad80 10465->10472 10466->10432 10473 7ff746c1b114 10467->10473 10475 7ff746c1b1e3 10468->10475 10477 7ff746c26948 23 API calls 10469->10477 10479 7ff746c27dd4 14 API calls 10470->10479 10480 7ff746c24e54 60 API calls 10471->10480 10481 7ff746c24e54 60 API calls 10472->10481 10482 7ff746c26088 51 API calls 10473->10482 10478 7ff746c27dd4 14 API calls 10474->10478 10476 7ff746c24e54 60 API calls 10475->10476 10483 7ff746c1b20e 10476->10483 10484 7ff746c1b09f 10477->10484 10489 7ff746c1b00f 10478->10489 10485 7ff746c1af58 10479->10485 10486 7ff746c1aa14 10480->10486 10487 7ff746c1adab 10481->10487 10488 7ff746c1b12c 10482->10488 10491 7ff746c26948 23 API calls 10483->10491 10493 7ff746c27dd4 14 API calls 10484->10493 10495 7ff746c121a8 20 API calls 10485->10495 10496 7ff746c26948 23 API calls 10486->10496 10497 7ff746c26948 23 API calls 10487->10497 10490 7ff746c24e54 60 API calls 10488->10490 10494 7ff746c121a8 20 API calls 10489->10494 10505 7ff746c1b157 10490->10505 10499 7ff746c1b21d 10491->10499 10504 7ff746c16e64 26 API calls 10492->10504 10500 7ff746c1b0b2 10493->10500 10501 7ff746c1af64 ??1exception@@UEAA ??1exception@@UEAA 10495->10501 10502 7ff746c1aa23 10496->10502 10503 7ff746c1adbb 10497->10503 10507 7ff746c245ac 27 API calls 10498->10507 10510 7ff746c27dd4 14 API calls 10499->10510 10511 7ff746c121a8 20 API calls 10500->10511 10513 7ff746c121a8 20 API calls 10501->10513 10514 7ff746c27dd4 14 API calls 10502->10514 10515 7ff746c27dd4 14 API calls 10503->10515 10508 7ff746c1abd0 10504->10508 10509 7ff746c26948 23 API calls 10505->10509 10516 7ff746c1aae9 10507->10516 10522 7ff746c26088 51 API calls 10508->10522 10523 7ff746c1b166 10509->10523 10517 7ff746c1b230 10510->10517 10520 7ff746c1aa36 10514->10520 10521 7ff746c1adce 10515->10521 10524 7ff746c26088 51 API calls 10516->10524 10528 7ff746c121a8 20 API calls 10517->10528 10518->10432 10530 7ff746c121a8 20 API calls 10520->10530 10531 7ff746c1ae0e ??1exception@@UEAA ??1exception@@UEAA 10521->10531 10536 7ff746c1ae09 ??3@YAXPEAX 10521->10536 10541 7ff746c1b2be 10521->10541 10526 7ff746c1abeb 10522->10526 10527 7ff746c27dd4 14 API calls 10523->10527 10525 7ff746c1ab01 10524->10525 10532 7ff746c24e54 60 API calls 10525->10532 10539 7ff746c24e54 60 API calls 10526->10539 10540 7ff746c1b179 10527->10540 10533 7ff746c1b23b ??1exception@@UEAA ??1exception@@UEAA 10528->10533 10535 7ff746c1aa41 ??1exception@@UEAA ??1exception@@UEAA 10530->10535 10537 7ff746c1ae6c 10531->10537 10538 7ff746c1ae3e 10531->10538 10542 7ff746c1ab2c 10532->10542 10546 7ff746c121a8 20 API calls 10533->10546 10549 7ff746c121a8 20 API calls 10535->10549 10536->10531 10537->10553 10556 7ff746c1ad26 ??3@YAXPEAX 10537->10556 10562 7ff746c1b2a6 10537->10562 10563 7ff746c1aebf 10537->10563 10543 7ff746c1ae67 ??3@YAXPEAX 10538->10543 10554 7ff746c1b2a1 10538->10554 10544 7ff746c1ac16 10539->10544 10545 7ff746c121a8 20 API calls 10540->10545 10550 7ff746c2c810 19 API calls 10541->10550 10551 7ff746c26948 23 API calls 10542->10551 10543->10537 10555 7ff746c26948 23 API calls 10544->10555 10557 7ff746c1b184 ??1exception@@UEAA ??1exception@@UEAA 10545->10557 10558 7ff746c1b2c4 10550->10558 10559 7ff746c1ab3b 10551->10559 10553->10416 10560 7ff746c2c810 19 API calls 10554->10560 10561 7ff746c1ac26 10555->10561 10556->10553 10564 7ff746c121a8 20 API calls 10557->10564 10565 7ff746c27dd4 14 API calls 10559->10565 10560->10562 10567 7ff746c27dd4 14 API calls 10561->10567 10566 7ff746c2c810 19 API calls 10562->10566 10563->10556 10568 7ff746c1ab4e 10565->10568 10569 7ff746c1b2ac 10566->10569 10570 7ff746c1ac39 10567->10570 10571 7ff746c121a8 20 API calls 10568->10571 10574 7ff746c2c810 19 API calls 10569->10574 10570->10569 10572 7ff746c1ac78 ??1exception@@UEAA ??1exception@@UEAA 10570->10572 10575 7ff746c1ac73 ??3@YAXPEAX 10570->10575 10573 7ff746c1ab59 ??1exception@@UEAA ??1exception@@UEAA 10571->10573 10576 7ff746c1acd7 10572->10576 10577 7ff746c1aca9 10572->10577 10578 7ff746c121a8 20 API calls 10573->10578 10579 7ff746c1b2b2 10574->10579 10575->10572 10576->10553 10576->10556 10581 7ff746c1b2b8 10576->10581 10577->10579 10580 7ff746c1acd2 ??3@YAXPEAX 10577->10580 10580->10576 10605 7ff746c23e50 10602->10605 10604 7ff746c23db5 10604->10067 10606 7ff746c23e89 10605->10606 10612 7ff746c23ed3 10605->10612 10607 7ff746c23f94 10606->10607 10608 7ff746c23ea3 10606->10608 10620 7ff746c242e0 10607->10620 10615 7ff746c177ac 10608->10615 10612->10604 10616 7ff746c177fa 10615->10616 10617 7ff746c1789f 10615->10617 10616->10617 10618 7ff746c12e18 22 API calls 10616->10618 10617->10612 10619 7ff746c178e5 10618->10619 10621 7ff746c2a470 ??0exception@@QEAA@AEBQEBD 10620->10621 10622 7ff746c242f0 10621->10622 10624 7ff746c18eda 10623->10624 10625 7ff746c18efe 10624->10625 10627 7ff746c1911a 10624->10627 10635 7ff746c18f42 10624->10635 10628 7ff746c2c270 8 API calls 10625->10628 10626 7ff746c18f77 10861 7ff746c2a450 10627->10861 10631 7ff746c18fab 10637 7ff746c18f58 10631->10637 10635->10626 10635->10631 10635->10637 10644 7ff746c187e2 10643->10644 10645 7ff746c18806 10644->10645 10898 7ff746c17bd4 ??2@YAPEAX_K 10644->10898 10648 7ff746c2c270 8 API calls 10645->10648 10666 7ff746c180b7 10665->10666 10667 7ff746c180db 10666->10667 10668 7ff746c1c36c 53 API calls 10666->10668 10669 7ff746c2c270 8 API calls 10667->10669 10670 7ff746c180f6 10668->10670 10688 7ff746c1923e 10687->10688 10689 7ff746c19262 10688->10689 10690 7ff746c192ac 10688->10690 10691 7ff746c19488 10688->10691 10692 7ff746c2c270 8 API calls 10689->10692 10693 7ff746c19317 10690->10693 10694 7ff746c192e2 10690->10694 10701 7ff746c192c2 10690->10701 10696 7ff746c2a450 _CxxThrowException 10691->10696 10693->10701 10708 7ff746c18b72 10707->10708 10709 7ff746c18b96 10708->10709 10710 7ff746c18bda 10708->10710 10713 7ff746c18db6 10708->10713 10714 7ff746c2c270 8 API calls 10709->10714 10711 7ff746c18c10 10710->10711 10712 7ff746c18c45 10710->10712 10721 7ff746c18bf0 10710->10721 10712->10721 10728 7ff746c299c0 10727->10728 10731 7ff746c29852 10727->10731 10729 7ff746c2a450 _CxxThrowException 10728->10729 10732 7ff746c23d80 24 API calls 10731->10732 10749 7ff746c296cc 10748->10749 10752 7ff746c2955e 10748->10752 10750 7ff746c2a450 _CxxThrowException 10749->10750 10753 7ff746c23d80 24 API calls 10752->10753 10754 7ff746c295ba 10753->10754 10770 7ff746c2826b 10769->10770 10771 7ff746c23d80 24 API calls 10770->10771 10772 7ff746c28293 10771->10772 10772->10090 10774 7ff746c18456 10773->10774 10775 7ff746c1847a 10774->10775 10779 7ff746c18698 10774->10779 10786 7ff746c184c0 10774->10786 10776 7ff746c2c270 8 API calls 10775->10776 10777 7ff746c18529 10787 7ff746c184d6 10777->10787 10778 7ff746c184f1 10782 7ff746c2a450 _CxxThrowException 10779->10782 10786->10777 10786->10778 10786->10787 10802 7ff746c27fe4 10801->10802 10803 7ff746c25f28 4 API calls 10802->10803 10804 7ff746c28014 10803->10804 10804->10090 10837 7ff746c1a64f 10836->10837 10838 7ff746c1ced5 10836->10838 10837->10079 10899 7ff746c231fc 23 API calls 10898->10899 11004 7ff746c19163 11003->11004 11005 7ff746c19136 11003->11005 11007 7ff746c191af 11004->11007 11010 7ff746c1916c 11004->11010 11006 7ff746c255c0 29 API calls 11005->11006 11009 7ff746c1915e 11006->11009 11008 7ff746c255c0 29 API calls 11007->11008 11008->11009 11009->10432 11010->11009 11096 7ff746c14d80 11010->11096 11013 7ff746c18a79 11012->11013 11014 7ff746c18a44 11012->11014 11016 7ff746c18ad0 11013->11016 11017 7ff746c18a82 11013->11017 11015 7ff746c17bd4 24 API calls 11014->11015 11018 7ff746c18a4c 11015->11018 11021 7ff746c17bd4 24 API calls 11016->11021 11019 7ff746c18aac 11017->11019 11020 7ff746c18a90 11017->11020 11022 7ff746c255c0 29 API calls 11018->11022 11105 7ff746c14a2c 11019->11105 11023 7ff746c17bd4 24 API calls 11020->11023 11025 7ff746c18ad8 11021->11025 11027 7ff746c18a71 11022->11027 11023->11027 11026 7ff746c255c0 29 API calls 11025->11026 11026->11027 11027->10432 11029 7ff746c1835f 11028->11029 11030 7ff746c1831f 11028->11030 11032 7ff746c18368 11029->11032 11033 7ff746c183aa 11029->11033 11031 7ff746c1c36c 53 API calls 11030->11031 11035 7ff746c1832e 11031->11035 11036 7ff746c1838c 11032->11036 11037 7ff746c18376 11032->11037 11034 7ff746c1c36c 53 API calls 11033->11034 11039 7ff746c183b9 11034->11039 11040 7ff746c255c0 29 API calls 11035->11040 11116 7ff746c146dc 11036->11116 11041 7ff746c1c36c 53 API calls 11037->11041 11043 7ff746c255c0 29 API calls 11039->11043 11042 7ff746c18357 11040->11042 11041->11042 11042->10432 11043->11042 11045 7ff746c194ad 11044->11045 11046 7ff746c194e0 11044->11046 11047 7ff746c255c0 29 API calls 11045->11047 11048 7ff746c194e9 11046->11048 11049 7ff746c19533 11046->11049 11051 7ff746c194d8 11047->11051 11048->11051 11127 7ff746c14f28 11048->11127 11050 7ff746c255c0 29 API calls 11049->11050 11050->11051 11051->10432 11054 7ff746c18dff 11053->11054 11055 7ff746c18dd2 11053->11055 11057 7ff746c18e08 11054->11057 11058 7ff746c18e4b 11054->11058 11056 7ff746c255c0 29 API calls 11055->11056 11059 7ff746c18dfa 11056->11059 11057->11059 11136 7ff746c14bd8 11057->11136 11060 7ff746c255c0 29 API calls 11058->11060 11059->10432 11060->11059 11145 7ff746c1980c 11062->11145 11065 7ff746c150d8 27 API calls 11067 7ff746c29a08 11065->11067 11066 7ff746c29a8b 11066->10432 11067->11066 11068 7ff746c29b34 27 API calls 11067->11068 11069 7ff746c29aaf 11068->11069 11070 7ff746c13cd0 27 API calls 11069->11070 11071 7ff746c29ac7 11070->11071 11072 7ff746c24c64 47 API calls 11071->11072 11073 7ff746c29ada _CxxThrowException 11072->11073 11076 7ff746c1980c 68 API calls 11075->11076 11077 7ff746c29705 11076->11077 11078 7ff746c150d8 27 API calls 11077->11078 11080 7ff746c29714 11077->11080 11078->11080 11079 7ff746c29797 11079->10432 11080->11079 11081 7ff746c29b34 27 API calls 11080->11081 11082 7ff746c297bb 11081->11082 11083 7ff746c13cd0 27 API calls 11082->11083 11084 7ff746c297d3 11083->11084 11085 7ff746c24c64 47 API calls 11084->11085 11086 7ff746c297e6 _CxxThrowException 11085->11086 11088 7ff746c186bd 11087->11088 11089 7ff746c186f4 11087->11089 11090 7ff746c255c0 29 API calls 11088->11090 11091 7ff746c186fd 11089->11091 11092 7ff746c18743 11089->11092 11094 7ff746c186ec 11090->11094 11091->11094 11172 7ff746c14884 11091->11172 11093 7ff746c255c0 29 API calls 11092->11093 11093->11094 11094->10432 11097 7ff746c14dcd 11096->11097 11098 7ff746c14f1f 11096->11098 11101 7ff746c2444c 21 API calls 11097->11101 11099 7ff746c12e18 22 API calls 11098->11099 11100 7ff746c14f24 11099->11100 11102 7ff746c14e0a 11101->11102 11103 7ff746c23144 30 API calls 11102->11103 11104 7ff746c14f04 11103->11104 11104->11009 11106 7ff746c14a79 11105->11106 11107 7ff746c14bcf 11105->11107 11110 7ff746c2444c 21 API calls 11106->11110 11108 7ff746c12e18 22 API calls 11107->11108 11109 7ff746c14bd4 11108->11109 11111 7ff746c14ab6 11110->11111 11112 7ff746c17bd4 24 API calls 11111->11112 11113 7ff746c14ae8 11112->11113 11113->11113 11114 7ff746c23144 30 API calls 11113->11114 11115 7ff746c14bb9 11114->11115 11115->11027 11117 7ff746c1472b 11116->11117 11118 7ff746c1487e 11116->11118 11121 7ff746c2444c 21 API calls 11117->11121 11119 7ff746c12e18 22 API calls 11118->11119 11120 7ff746c14883 11119->11120 11122 7ff746c14768 11121->11122 11123 7ff746c1c36c 53 API calls 11122->11123 11124 7ff746c14790 11123->11124 11125 7ff746c23144 30 API calls 11124->11125 11126 7ff746c1485e 11125->11126 11126->11042 11128 7ff746c150d0 11127->11128 11130 7ff746c14f75 11127->11130 11129 7ff746c12e18 22 API calls 11128->11129 11131 7ff746c150d5 11129->11131 11132 7ff746c2444c 21 API calls 11130->11132 11134 7ff746c14fb2 11132->11134 11133 7ff746c23144 30 API calls 11135 7ff746c150b5 11133->11135 11134->11133 11134->11134 11135->11051 11137 7ff746c14d77 11136->11137 11138 7ff746c14c25 11136->11138 11139 7ff746c12e18 22 API calls 11137->11139 11141 7ff746c2444c 21 API calls 11138->11141 11140 7ff746c14d7c 11139->11140 11142 7ff746c14c62 11141->11142 11142->11142 11143 7ff746c23144 30 API calls 11142->11143 11144 7ff746c14d5c 11143->11144 11144->11059 11146 7ff746c19869 11145->11146 11147 7ff746c1982b 11145->11147 11148 7ff746c198b8 11146->11148 11149 7ff746c19872 11146->11149 11150 7ff746c1c36c 53 API calls 11147->11150 11153 7ff746c1c36c 53 API calls 11148->11153 11151 7ff746c19880 11149->11151 11152 7ff746c19894 11149->11152 11154 7ff746c19839 11150->11154 11156 7ff746c1c36c 53 API calls 11151->11156 11161 7ff746c15724 11152->11161 11158 7ff746c198c6 11153->11158 11155 7ff746c255c0 29 API calls 11154->11155 11159 7ff746c19861 11155->11159 11156->11159 11160 7ff746c255c0 29 API calls 11158->11160 11159->11065 11159->11067 11160->11159 11162 7ff746c15778 11161->11162 11163 7ff746c158d3 11161->11163 11166 7ff746c2444c 21 API calls 11162->11166 11164 7ff746c12e18 22 API calls 11163->11164 11165 7ff746c158d8 11164->11165 11165->11159 11167 7ff746c157b5 11166->11167 11168 7ff746c1c36c 53 API calls 11167->11168 11169 7ff746c157e6 11168->11169 11170 7ff746c23144 30 API calls 11169->11170 11171 7ff746c158b3 11170->11171 11171->11159 11173 7ff746c148d1 11172->11173 11174 7ff746c14a25 11172->11174 11177 7ff746c2444c 21 API calls 11173->11177 11175 7ff746c12e18 22 API calls 11174->11175 11176 7ff746c14a2a 11175->11176 11178 7ff746c1490e 11177->11178 11178->11178 11179 7ff746c23144 30 API calls 11178->11179 11180 7ff746c14a0a 11179->11180 11180->11094 11455 7ff746c13ed7 11454->11455 11456 7ff746c24530 30 API calls 11455->11456 11457 7ff746c13ee5 memmove 11456->11457 11457->9320 11459 7ff746c13f42 11458->11459 11460 7ff746c24530 30 API calls 11459->11460 11461 7ff746c13f57 memmove 11460->11461 11461->9322 11463 7ff746c1de22 11462->11463 11464 7ff746c1deb3 11462->11464 11479 7ff746c1f628 wcslen RegSetValueExW 11463->11479 11465 7ff746c1decb 11464->11465 11466 7ff746c1debf RegCloseKey 11464->11466 11468 7ff746c1dedb 11465->11468 11469 7ff746c1ded5 RegCloseKey 11465->11469 11466->11465 11471 7ff746c2c270 8 API calls 11468->11471 11469->11468 11470 7ff746c1de39 11470->11464 11473 7ff746c1de62 RegCreateKeyExW 11470->11473 11480 7ff746c1f628 wcslen RegSetValueExW 11470->11480 11472 7ff746c1deea 11471->11472 11472->9350 11473->11464 11475 7ff746c1dea3 11473->11475 11481 7ff746c1f628 wcslen RegSetValueExW 11475->11481 11476 7ff746c1de5c 11476->11464 11476->11473 11478->9333 11479->11470 11480->11476 11481->11464 11483 7ff746c1356d OpenServiceW 11482->11483 11484 7ff746c13635 11482->11484 11483->11484 11495 7ff746c13591 11483->11495 11485 7ff746c12364 3 API calls 11484->11485 11487 7ff746c13623 11485->11487 11486 7ff746c13599 QueryServiceStatusEx 11486->11487 11486->11495 11488 7ff746c1364b 11487->11488 11489 7ff746c13641 CloseServiceHandle 11487->11489 11491 7ff746c13659 11488->11491 11492 7ff746c13650 CloseServiceHandle 11488->11492 11489->11488 11490 7ff746c135c8 StartServiceW 11490->11484 11490->11495 11494 7ff746c2c270 8 API calls 11491->11494 11492->11491 11493 7ff746c135e7 GetTickCount64 11493->11495 11496 7ff746c135f5 SleepEx 11493->11496 11497 7ff746c13668 11494->11497 11495->11486 11495->11487 11495->11490 11495->11493 11496->11486 11497->9400 11498 7ff746c206a0 OpenProcess 11497->11498 11499 7ff746c206f9 OpenProcessToken 11498->11499 11500 7ff746c206f1 11498->11500 11501 7ff746c20737 11499->11501 11502 7ff746c20712 DuplicateTokenEx 11499->11502 11500->11499 11500->11501 11503 7ff746c2074c 11501->11503 11504 7ff746c20741 CloseHandle 11501->11504 11502->11501 11505 7ff746c2075a 11503->11505 11506 7ff746c20751 CloseHandle 11503->11506 11504->11503 11507 7ff746c2c270 8 API calls 11505->11507 11506->11505 11508 7ff746c20769 11507->11508 11508->9400 11510 7ff746c209ef 11509->11510 11511 7ff746c209f2 ExpandEnvironmentStringsW 11509->11511 11510->11511 11512 7ff746c20a1d 11511->11512 11514 7ff746c20a06 ExpandEnvironmentStringsW 11511->11514 11513 7ff746c12f04 27 API calls 11512->11513 11513->11514 11514->9486 11517 7ff746c13e3c 11516->11517 11518 7ff746c13e61 11516->11518 11517->11518 11519 7ff746c13e48 11517->11519 11520 7ff746c24530 30 API calls 11518->11520 11529 7ff746c26c40 11519->11529 11521 7ff746c13e76 memmove 11520->11521 11521->8906 11525 7ff746c131d4 15 API calls 11524->11525 11526 7ff746c1325b DialogBoxParamW 11525->11526 11527 7ff746c2c270 8 API calls 11526->11527 11528 7ff746c1328a 11527->11528 11528->8919 11530 7ff746c26d3a 11529->11530 11531 7ff746c26c6f 11529->11531 11533 7ff746c242f4 2 API calls 11530->11533 11532 7ff746c26d06 11531->11532 11537 7ff746c26c7f memmove memmove memmove 11531->11537 11539 7ff746c174c4 11532->11539 11535 7ff746c26d3f 11533->11535 11536 7ff746c13e5f 11536->11521 11537->11536 11540 7ff746c17605 11539->11540 11541 7ff746c12e04 22 API calls 11540->11541 11542 7ff746c1760a 11541->11542 11544 7ff746c16c98 memcmp 11543->11544 11546 7ff746c179dc 11544->11546 11547 7ff746c17a03 memcmp 11546->11547 11551 7ff746c17a17 11546->11551 11547->11551 11550 7ff746c17a23 11550->8944 11551->11550 11552 7ff746c142cc 11551->11552 11597 7ff746c12aa4 ??2@YAPEAX_K 11552->11597 11554 7ff746c142f3 11555 7ff746c231fc 23 API calls 11554->11555 11556 7ff746c14317 11555->11556 11557 7ff746c16224 11556->11557 11558 7ff746c16279 11557->11558 11559 7ff746c16296 11557->11559 11598 7ff746c15b80 11558->11598 11561 7ff746c162a2 memcmp 11559->11561 11562 7ff746c16325 11559->11562 11569 7ff746c162db 11561->11569 11563 7ff746c163b5 memcmp 11562->11563 11567 7ff746c1632e memcmp 11562->11567 11581 7ff746c163f3 11563->11581 11566 7ff746c2c270 8 API calls 11572 7ff746c16627 11566->11572 11573 7ff746c1636b 11567->11573 11570 7ff746c162fd 11569->11570 11571 7ff746c165f4 11569->11571 11574 7ff746c15b80 22 API calls 11570->11574 11605 7ff746c16878 11571->11605 11572->11550 11573->11571 11575 7ff746c1638d 11573->11575 11577 7ff746c1628e 11574->11577 11579 7ff746c15b80 22 API calls 11575->11579 11577->11566 11578 7ff746c164c6 memcmp 11588 7ff746c164fb 11578->11588 11579->11577 11581->11578 11582 7ff746c16450 memcmp 11581->11582 11583 7ff746c16463 11582->11583 11583->11578 11584 7ff746c16481 11583->11584 11585 7ff746c164a0 11584->11585 11586 7ff746c164b3 11584->11586 11589 7ff746c15b80 22 API calls 11585->11589 11592 7ff746c15b80 22 API calls 11586->11592 11587 7ff746c165b9 11590 7ff746c165e4 11587->11590 11591 7ff746c165d4 11587->11591 11588->11571 11588->11587 11593 7ff746c1658c memcmp 11588->11593 11589->11577 11595 7ff746c15b80 22 API calls 11590->11595 11594 7ff746c15b80 22 API calls 11591->11594 11592->11577 11596 7ff746c165a1 11593->11596 11594->11577 11595->11577 11596->11571 11596->11587 11597->11554 11599 7ff746c15df0 11598->11599 11604 7ff746c15baf 11598->11604 11621 7ff746c233a8 11599->11621 11604->11577 11613 7ff746c168d6 11605->11613 11620 7ff746c1699d 11605->11620 11606 7ff746c169ea 11610 7ff746c16a18 memcmp 11606->11610 11607 7ff746c169be 11608 7ff746c15b80 22 API calls 11607->11608 11614 7ff746c169d8 11608->11614 11609 7ff746c16955 memcmp 11609->11613 11612 7ff746c16a2d 11610->11612 11611 7ff746c168fd memcmp 11611->11613 11615 7ff746c16a7b 11612->11615 11616 7ff746c16a4d 11612->11616 11613->11609 11613->11611 11613->11620 11614->11577 11618 7ff746c1ccec 21 API calls 11615->11618 11617 7ff746c15b80 22 API calls 11616->11617 11617->11614 11619 7ff746c16a84 ??3@YAXPEAX 11618->11619 11619->11614 11620->11606 11620->11607 11622 7ff746c1ccec 21 API calls 11621->11622 11623 7ff746c233ba 11622->11623 11625 7ff746c25eb4 11624->11625 11626 7ff746c12da0 20 API calls 11625->11626 11627 7ff746c25efb 11626->11627 11628 7ff746c12da0 20 API calls 11627->11628 11629 7ff746c25f04 ??3@YAXPEAX 11628->11629 11629->8990 11631 7ff746c2c710 RtlLookupFunctionEntry 11630->11631 11632 7ff746c2c63b 11631->11632 11633 7ff746c2c726 RtlVirtualUnwind 11631->11633 11634 7ff746c2c5d0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11632->11634 11633->11631 11633->11632 11770 7ff746c2b290 11771 7ff746c2b2a4 11770->11771 11772 7ff746c2b3b8 11771->11772 11773 7ff746c2b2ac 11771->11773 11774 7ff746c2b470 9 API calls 11772->11774 11775 7ff746c2b3c2 11773->11775 11780 7ff746c2b2cb 11773->11780 11774->11775 11776 7ff746c2b470 9 API calls 11775->11776 11778 7ff746c2b3cd 11776->11778 11777 7ff746c2b2f0 11779 7ff746c2b3d5 _exit 11778->11779 11780->11777 11789 7ff746c2b5d0 memset GetStartupInfoW 11780->11789 11782 7ff746c2b356 11783 7ff746c2b372 11782->11783 11791 7ff746c2b620 GetModuleHandleW 11783->11791 11786 7ff746c2b37d 11787 7ff746c2b387 11786->11787 11788 7ff746c2b382 _cexit 11786->11788 11787->11777 11788->11787 11790 7ff746c2b5fe 11789->11790 11790->11782 11792 7ff746c2b379 11791->11792 11792->11778 11792->11786 12203 7ff746c13294 12204 7ff746c1333a 12203->12204 12205 7ff746c132ba LoadImageW 12203->12205 12208 7ff746c13352 EndDialog 12204->12208 12209 7ff746c1335a 12204->12209 12206 7ff746c1330a SetWindowTextW GetDlgItem SetWindowTextW 12205->12206 12207 7ff746c132e6 SendMessageW SendMessageW 12205->12207 12206->12209 12207->12206 12208->12209 11635 7ff746c21348 AdjustTokenPrivileges GetLastError 11636 7ff746c2c270 8 API calls 11635->11636 11637 7ff746c213a9 11636->11637 11793 7ff746c22754 11794 7ff746c12fe4 22 API calls 11793->11794 11795 7ff746c22796 memset 11794->11795 11796 7ff746c227b3 11795->11796 11845 7ff746c1b500 11796->11845 11846 7ff746c1b55a 11845->11846 11848 7ff746c26a90 11846->11848 11861 7ff746c23c74 11848->11861 11853 7ff746c26add 11854 7ff746c26aea 11853->11854 11871 7ff746c2aac0 11853->11871 11855 7ff746c26afa 11876 7ff746c26fc4 11855->11876 11891 7ff746c24814 11861->11891 11864 7ff746c23cd0 11898 7ff746c2a7d0 11864->11898 11865 7ff746c23ce0 11867 7ff746c29fe0 11865->11867 11868 7ff746c2a004 11867->11868 11921 7ff746c1b3e4 11868->11921 11872 7ff746c2a530 _lock 11871->11872 11873 7ff746c2aad8 11872->11873 11874 7ff746c2a5e0 2 API calls 11873->11874 11875 7ff746c2ab33 11874->11875 11875->11854 11944 7ff746c2aa80 InitOnceExecuteOnce 11876->11944 11892 7ff746c23cbe ??2@YAPEAX_K 11891->11892 11893 7ff746c2482d 11891->11893 11892->11864 11892->11865 11894 7ff746c26fc4 29 API calls 11893->11894 11895 7ff746c2485d 11894->11895 11896 7ff746c1c188 37 API calls 11895->11896 11897 7ff746c2486d _CxxThrowException 11896->11897 11899 7ff746c2a530 _lock 11898->11899 11900 7ff746c2a7fd 11899->11900 11901 7ff746c2a894 11900->11901 11912 7ff746c2a980 ??2@YAPEAX_K 11900->11912 11904 7ff746c2a5e0 2 API calls 11901->11904 11903 7ff746c2a815 11907 7ff746c2a834 11903->11907 11918 7ff746c2ada0 11903->11918 11905 7ff746c2a8cb 11904->11905 11905->11865 11907->11901 11908 7ff746c2a857 free 11907->11908 11909 7ff746c2a85c malloc 11907->11909 11908->11909 11909->11901 11911 7ff746c2a886 memmove 11909->11911 11911->11901 11913 7ff746c2aa1e 11912->11913 11914 7ff746c2a9a4 malloc 11912->11914 11913->11903 11916 7ff746c2aa0b 11914->11916 11917 7ff746c2a9fc memmove 11914->11917 11916->11903 11917->11916 11919 7ff746c2adae EncodePointer 11918->11919 11920 7ff746c2add5 11918->11920 11919->11907 11922 7ff746c2a530 _lock 11921->11922 11923 7ff746c1b41d 11922->11923 11924 7ff746c1d3d8 11 API calls 11923->11924 11927 7ff746c1b436 11924->11927 11925 7ff746c1b4b4 11926 7ff746c2a5e0 2 API calls 11925->11926 11928 7ff746c1b4be 11926->11928 11927->11925 11935 7ff746c23a7c 11927->11935 11929 7ff746c2c270 8 API calls 11928->11929 11930 7ff746c1b4ce 11929->11930 11930->11853 11930->11855 11933 7ff746c1b4e4 11934 7ff746c1b4ee _CxxThrowException 11933->11934 11936 7ff746c23ab4 11935->11936 11937 7ff746c1b48c 11935->11937 11936->11937 11938 7ff746c23abd ??2@YAPEAX_K 11936->11938 11937->11925 11937->11933 11939 7ff746c23b2e 11938->11939 11940 7ff746c23ad5 11938->11940 11939->11937 11941 7ff746c1d000 6 API calls 11939->11941 11942 7ff746c1bde8 8 API calls 11940->11942 11941->11937 11943 7ff746c23afe _Getctype 11942->11943 11943->11939

        Executed Functions

        Function 00007FF746C19A08 Relevance: 58.5, APIs: 24, Strings: 9, Instructions: 763COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 49 7ff746c19a08-7ff746c19a7c memset 50 7ff746c19a80-7ff746c19a82 49->50 51 7ff746c19a88-7ff746c19a8e 50->51 52 7ff746c19d19 50->52 53 7ff746c19b82-7ff746c19b85 51->53 54 7ff746c19a94 51->54 55 7ff746c19d1c-7ff746c19d23 52->55 58 7ff746c19b8b-7ff746c19b8e 53->58 59 7ff746c19cd4-7ff746c19cf3 call 7ff746c2c0f8 53->59 56 7ff746c19a9a-7ff746c19a9d 54->56 57 7ff746c19b56-7ff746c19b7d call 7ff746c18b14 54->57 60 7ff746c19d29-7ff746c19d51 call 7ff746c24618 55->60 61 7ff746c1a640 55->61 66 7ff746c19aa3-7ff746c19aa6 56->66 67 7ff746c19b46-7ff746c19b54 56->67 57->55 62 7ff746c19c7e-7ff746c19c8c call 7ff746c29504 58->62 63 7ff746c19b94-7ff746c19b97 58->63 86 7ff746c19cf9-7ff746c19d17 call 7ff746c183f8 59->86 87 7ff746c1a363-7ff746c1a407 call 7ff746c26948 call 7ff746c13cd0 call 7ff746c13c68 call 7ff746c24c64 call 7ff746c26948 call 7ff746c27ccc call 7ff746c121a8 ??1exception@@UEAA@XZ * 2 call 7ff746c121a8 * 2 59->87 81 7ff746c19d7a-7ff746c19d85 call 7ff746c282a0 60->81 82 7ff746c19d53-7ff746c19d5e call 7ff746c282a0 60->82 69 7ff746c1a643-7ff746c1a681 call 7ff746c1cec4 call 7ff746c2c270 61->69 104 7ff746c19c92-7ff746c19ca1 call 7ff746c282a0 62->104 105 7ff746c19bd1 62->105 70 7ff746c1a1dc-7ff746c1a1df 63->70 71 7ff746c19b9d-7ff746c19bab call 7ff746c297f8 63->71 74 7ff746c19aa8-7ff746c19aab 66->74 75 7ff746c19b21-7ff746c19b28 66->75 77 7ff746c19b2f-7ff746c19b41 call 7ff746c191e0 67->77 83 7ff746c1a2a8-7ff746c1a35e call 7ff746c245ac call 7ff746c26088 call 7ff746c24e54 call 7ff746c26948 call 7ff746c27ccc call 7ff746c121a8 ??1exception@@UEAA@XZ * 2 call 7ff746c121a8 70->83 84 7ff746c1a1e5-7ff746c1a29d call 7ff746c245ac call 7ff746c26088 call 7ff746c24e54 call 7ff746c26948 call 7ff746c27ccc call 7ff746c121a8 ??1exception@@UEAA@XZ * 2 call 7ff746c121a8 70->84 71->105 106 7ff746c19bad-7ff746c19bbf call 7ff746c282a0 71->106 88 7ff746c19aad-7ff746c19ab0 74->88 89 7ff746c19aff-7ff746c19b1c call 7ff746c1805c 74->89 75->77 77->55 127 7ff746c19d8b-7ff746c19d99 call 7ff746c282a0 81->127 128 7ff746c19e84-7ff746c19e87 81->128 124 7ff746c19c6e-7ff746c19c79 call 7ff746c282a0 82->124 125 7ff746c19d64-7ff746c19d67 82->125 251 7ff746c1a29e-7ff746c1a2a3 83->251 84->251 86->55 265 7ff746c1a40b-7ff746c1a410 call 7ff746c121a8 87->265 102 7ff746c19ab2-7ff746c19ab5 88->102 103 7ff746c19ae4-7ff746c19afa call 7ff746c18784 88->103 89->55 102->84 111 7ff746c19abb-7ff746c19adf call 7ff746c18e7c 102->111 103->55 130 7ff746c19ca3-7ff746c19cad call 7ff746c25808 104->130 131 7ff746c19cb5-7ff746c19ccf call 7ff746c2823c 104->131 109 7ff746c19bd4-7ff746c19bd7 105->109 145 7ff746c19bdc-7ff746c19bdf 106->145 146 7ff746c19bc1-7ff746c19bcb call 7ff746c25948 106->146 109->69 111->55 124->50 138 7ff746c19d6d-7ff746c19d75 call 7ff746c25808 125->138 139 7ff746c1a415-7ff746c1a4c6 call 7ff746c245ac call 7ff746c26088 call 7ff746c24e54 call 7ff746c26948 call 7ff746c27ccc call 7ff746c121a8 ??1exception@@UEAA@XZ * 2 call 7ff746c121a8 125->139 168 7ff746c1a4cc-7ff746c1a581 call 7ff746c245ac call 7ff746c26088 call 7ff746c24e54 call 7ff746c26948 call 7ff746c27ccc call 7ff746c121a8 ??1exception@@UEAA@XZ * 2 call 7ff746c121a8 127->168 169 7ff746c19d9f-7ff746c19db0 call 7ff746c26d40 127->169 136 7ff746c19e8d-7ff746c19e90 call 7ff746c25948 128->136 137 7ff746c1a586-7ff746c1a63a call 7ff746c245ac call 7ff746c26088 call 7ff746c24e54 call 7ff746c26948 call 7ff746c27ccc call 7ff746c121a8 call 7ff746c2c5b2 ??1exception@@UEAA@XZ call 7ff746c121a8 128->137 130->69 171 7ff746c19cb3 130->171 131->50 163 7ff746c19e95-7ff746c19e97 136->163 137->61 138->163 139->168 161 7ff746c1a045-7ff746c1a0f6 memmove call 7ff746c26088 call 7ff746c24e54 call 7ff746c26948 call 7ff746c27ccc 145->161 162 7ff746c19be5-7ff746c19bf6 call 7ff746c26d40 145->162 146->55 146->105 257 7ff746c1a0f8-7ff746c1a106 161->257 258 7ff746c1a126-7ff746c1a154 ??1exception@@UEAA@XZ * 2 161->258 162->105 197 7ff746c19bf8-7ff746c19c06 call 7ff746c282a0 162->197 163->69 178 7ff746c19e9d-7ff746c19eab call 7ff746c27fbc 163->178 168->251 169->69 193 7ff746c19db6-7ff746c19dc4 call 7ff746c282a0 169->193 171->55 178->50 193->124 223 7ff746c19dca-7ff746c19e7f call 7ff746c245ac call 7ff746c26088 call 7ff746c24e54 call 7ff746c26948 call 7ff746c27ccc call 7ff746c121a8 ??1exception@@UEAA@XZ * 2 call 7ff746c121a8 193->223 227 7ff746c19c0c-7ff746c19c69 call 7ff746c1d5ec call 7ff746c23d80 197->227 228 7ff746c19eb0-7ff746c19f5d call 7ff746c16e64 call 7ff746c26088 call 7ff746c24e54 call 7ff746c26948 call 7ff746c27ccc 197->228 223->251 227->124 313 7ff746c19f8d-7ff746c19fbc ??1exception@@UEAA@XZ * 2 228->313 314 7ff746c19f5f-7ff746c19f6d 228->314 251->265 266 7ff746c1a108-7ff746c1a11b 257->266 267 7ff746c1a121 ??3@YAXPEAX@Z 257->267 268 7ff746c1a184-7ff746c1a1a2 258->268 269 7ff746c1a156-7ff746c1a164 258->269 265->69 266->267 279 7ff746c1a6a0-7ff746c1a6a7 call 7ff746c2c810 266->279 267->258 268->109 272 7ff746c1a1a8-7ff746c1a1b8 268->272 280 7ff746c1a17f ??3@YAXPEAX@Z 269->280 281 7ff746c1a166-7ff746c1a179 269->281 285 7ff746c1a03b-7ff746c1a040 ??3@YAXPEAX@Z 272->285 286 7ff746c1a1be-7ff746c1a1d1 272->286 280->268 281->280 282 7ff746c1a682-7ff746c1a687 call 7ff746c2c810 281->282 295 7ff746c1a688-7ff746c1a68d call 7ff746c2c810 282->295 285->109 286->295 296 7ff746c1a1d7 286->296 312 7ff746c1a68e-7ff746c1a693 call 7ff746c2c810 295->312 296->285 327 7ff746c1a694-7ff746c1a699 call 7ff746c2c810 312->327 319 7ff746c19fec-7ff746c1a00a 313->319 320 7ff746c19fbe-7ff746c19fcc 313->320 317 7ff746c19f88 ??3@YAXPEAX@Z 314->317 318 7ff746c19f6f-7ff746c19f82 314->318 317->313 318->312 318->317 319->109 325 7ff746c1a010-7ff746c1a020 319->325 323 7ff746c19fe7 ??3@YAXPEAX@Z 320->323 324 7ff746c19fce-7ff746c19fe1 320->324 323->319 324->323 324->327 325->285 328 7ff746c1a022-7ff746c1a035 325->328 331 7ff746c1a69a-7ff746c1a69f call 7ff746c2c810 327->331 328->285 328->331 331->279
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??1exception@@??3@$memset
        • String ID: array$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$number overflow parsing '$object$object key$object separator$value
        • API String ID: 1019579160-3398515896
        • Opcode ID: ebec0994a4d53cc75cb360c857baee29df7ff1ec1c876575cd53ad838de68c14
        • Instruction ID: aa7946862f5f16d4b2628703aa4f5d967d9f68dfbccc13aee520cf377f041f51
        • Opcode Fuzzy Hash: ebec0994a4d53cc75cb360c857baee29df7ff1ec1c876575cd53ad838de68c14
        • Instruction Fuzzy Hash: 0D629562E0C682C5EA20FB64DC411FFE721EB85794FD05232EA4D17A9ADE38F584C760
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C21DCC Relevance: 42.5, APIs: 14, Strings: 10, Instructions: 455windowCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 335 7ff746c21dcc-7ff746c21e59 call 7ff746c11b8c GetWindowTextW 338 7ff746c21e5b-7ff746c21e72 335->338 339 7ff746c21e74-7ff746c21e7f call 7ff746c12f04 335->339 340 7ff746c21e84-7ff746c21f07 SendMessageW call 7ff746c11b8c GetWindowTextW 338->340 339->340 344 7ff746c21f09-7ff746c21f2c 340->344 345 7ff746c21f2e-7ff746c21f3f call 7ff746c12f04 340->345 346 7ff746c21f44-7ff746c21f69 _wcsicmp 344->346 345->346 348 7ff746c21fdc-7ff746c22060 call 7ff746c12f78 memmove call 7ff746c1e2f4 346->348 349 7ff746c21f6b-7ff746c21fcd call 7ff746c245ac call 7ff746c1e2f4 call 7ff746c21020 346->349 359 7ff746c22062 348->359 360 7ff746c22065-7ff746c2207d _wcsicmp call 7ff746c12da0 348->360 361 7ff746c21fd2-7ff746c21fd7 349->361 359->360 366 7ff746c2208b-7ff746c220d8 memmove call 7ff746c1e2f4 360->366 367 7ff746c2207f-7ff746c22086 360->367 363 7ff746c225c0-7ff746c22609 call 7ff746c12da0 * 3 call 7ff746c2c270 361->363 374 7ff746c220da 366->374 375 7ff746c220dd-7ff746c220f5 _wcsicmp call 7ff746c12da0 366->375 369 7ff746c221eb-7ff746c221f8 call 7ff746c24530 367->369 376 7ff746c221fd-7ff746c22200 369->376 374->375 387 7ff746c220f7-7ff746c220fe 375->387 388 7ff746c22103-7ff746c22150 memmove call 7ff746c1e2f4 375->388 380 7ff746c2221b-7ff746c2246d call 7ff746c24530 * 2 call 7ff746c22e54 call 7ff746c12f78 * 2 call 7ff746c16da0 call 7ff746c12f78 * 3 call 7ff746c16da0 call 7ff746c127c0 call 7ff746c12d10 call 7ff746c2ade0 call 7ff746c12d10 call 7ff746c2ade0 call 7ff746c26764 376->380 381 7ff746c22202-7ff746c22216 call 7ff746c24530 376->381 436 7ff746c2246f 380->436 437 7ff746c22473-7ff746c2249a call 7ff746c12b9c call 7ff746c1407c 380->437 381->380 387->369 395 7ff746c22152 388->395 396 7ff746c22155-7ff746c2216d _wcsicmp call 7ff746c12da0 388->396 395->396 403 7ff746c22178-7ff746c221c5 memmove call 7ff746c1e2f4 396->403 404 7ff746c2216f-7ff746c22176 396->404 409 7ff746c221c7 403->409 410 7ff746c221ca-7ff746c221e2 _wcsicmp call 7ff746c12da0 403->410 404->369 409->410 410->376 416 7ff746c221e4 410->416 416->369 436->437 442 7ff746c2249c-7ff746c224c9 call 7ff746c12da0 memmove 437->442 443 7ff746c224cd-7ff746c22507 call 7ff746c12da0 * 2 call 7ff746c1f680 437->443 442->443 452 7ff746c22509-7ff746c22571 call 7ff746c245ac call 7ff746c1e2f4 call 7ff746c21020 call 7ff746c12da0 443->452 453 7ff746c22572-7ff746c225b9 call 7ff746c12da0 call 7ff746c25df0 ??3@YAXPEAX@Z call 7ff746c12da0 443->453 452->453 453->363
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memmove$_wcsicmp$??3@$TextWindow$MessageSend
        • String ID: -P:E$ -U:C$ -U:P$ -U:S$ -U:T$CurrentProcess$CurrentUser$NSudo -ShowWindowMode=Hide$System$cmd /c start "NSudo.Launcher"
        • API String ID: 2758173521-1902940230
        • Opcode ID: 80126f262a7c89dc5e66f0b7972f2cc7e22274a6d44ab1b12476c3c6473961c0
        • Instruction ID: bf142225547eb15e883a3cc3b40f852ebe98fdb218929d1541bac2405ba549ba
        • Opcode Fuzzy Hash: 80126f262a7c89dc5e66f0b7972f2cc7e22274a6d44ab1b12476c3c6473961c0
        • Instruction Fuzzy Hash: C4326E62A18BC6D9EB20FF24DC806EAB361FB54748FC05132EA4D47A69DF78E644C750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1F0D8 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 323COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 468 7ff746c1f0d8-7ff746c1f230 call 7ff746c24780 call 7ff746c1433c call 7ff746c16878 call 7ff746c1433c call 7ff746c16878 call 7ff746c1e3b8 memmove call 7ff746c14384 call 7ff746c16878 call 7ff746c12da0 * 2 call 7ff746c1e3b8 490 7ff746c1f235-7ff746c1f2da memmove call 7ff746c14384 call 7ff746c16878 call 7ff746c12da0 * 2 GetModuleHandleW call 7ff746c13450 468->490 501 7ff746c1f5ee-7ff746c1f618 call 7ff746c2c270 490->501 502 7ff746c1f2e0-7ff746c1f314 call 7ff746c1b7f4 490->502 507 7ff746c1f319-7ff746c1f325 502->507 508 7ff746c1f316 502->508 509 7ff746c1f327 507->509 510 7ff746c1f32a-7ff746c1f358 call 7ff746c1376c call 7ff746c275e4 507->510 508->507 509->510 515 7ff746c1f388-7ff746c1f390 510->515 516 7ff746c1f35a-7ff746c1f366 510->516 517 7ff746c1f392-7ff746c1f3a3 515->517 518 7ff746c1f3c3-7ff746c1f44f call 7ff746c13aa4 memset call 7ff746c2466c call 7ff746c1c294 memset call 7ff746c25794 call 7ff746c1c294 515->518 519 7ff746c1f368-7ff746c1f379 516->519 520 7ff746c1f384 516->520 521 7ff746c1f3be ??3@YAXPEAX@Z 517->521 522 7ff746c1f3a5-7ff746c1f3b8 517->522 538 7ff746c1f450-7ff746c1f465 call 7ff746c1d350 518->538 519->520 528 7ff746c1f37b-7ff746c1f37e 519->528 520->515 521->518 522->521 525 7ff746c1f61f-7ff746c1f627 call 7ff746c2c810 522->525 528->520 541 7ff746c1f46b-7ff746c1f545 call 7ff746c1d4bc call 7ff746c17f28 call 7ff746c12390 call 7ff746c26eb8 call 7ff746c231fc memmove call 7ff746c143cc call 7ff746c16878 call 7ff746c1ccec call 7ff746c12da0 538->541 542 7ff746c1f5c2-7ff746c1f5e9 call 7ff746c1d170 * 2 call 7ff746c255c0 538->542 566 7ff746c1f547-7ff746c1f559 541->566 567 7ff746c1f579-7ff746c1f586 541->567 542->501 568 7ff746c1f55b-7ff746c1f56e 566->568 569 7ff746c1f574 ??3@YAXPEAX@Z 566->569 570 7ff746c1f588-7ff746c1f58b 567->570 571 7ff746c1f5a0-7ff746c1f5b1 call 7ff746c140ec 567->571 568->569 573 7ff746c1f619-7ff746c1f61e call 7ff746c2c810 568->573 569->567 574 7ff746c1f58d-7ff746c1f594 570->574 575 7ff746c1f596-7ff746c1f59e 570->575 576 7ff746c1f5b6-7ff746c1f5bd 571->576 573->525 574->576 575->576 576->538
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@$memmove$memcmp$HandleModulememset
        • String ID: M2-Team NSudo 6.2.1812.31$NSudo.LogoText$NSudo.String.CommandLineHelp$NSudo.String.Links$NSudo.VersionText$String$Translations
        • API String ID: 1404258559-3225136250
        • Opcode ID: 017ca73e58f7b7aca0cd80383286cdd0af77b0d5128dc214527e628d925dd940
        • Instruction ID: cc7c9de4fcfe12182b931fb8213aaf9b58ca1020c76659fad3adb1d3c08a1109
        • Opcode Fuzzy Hash: 017ca73e58f7b7aca0cd80383286cdd0af77b0d5128dc214527e628d925dd940
        • Instruction Fuzzy Hash: 1BE16DA2A18B81D6EB20FF25DC502EEA3A1FB85784FC05132DA5D07B99DF38E645C750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C20B88 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 272COMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: _wcsicmp$memmove$??3@CommandErrorHandleInitializeLastLineModulememset
        • String ID: NSudo.VersionText
        • API String ID: 878118592-1812561106
        • Opcode ID: f64465616599493093d375288e5940f066d81354b9ce0eef607261b7791b0ce4
        • Instruction ID: f0344f5736359ee9c49b703dcce7236d7d0d70b7461b6ea7dea7efabfd256fde
        • Opcode Fuzzy Hash: f64465616599493093d375288e5940f066d81354b9ce0eef607261b7791b0ce4
        • Instruction Fuzzy Hash: A1D19E62A1CB82D5E700FB64DC401EEF361FB94384F905232EA8D53AA9EF78E584C750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1E1E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Library$AddressErrorFreeLastLoadProc
        • String ID: GetDpiForMonitor$SHCore.dll
        • API String ID: 2540614322-828058174
        • Opcode ID: 6372a0797fb2544606bad6f2d34e402083f6cb804e7aaab77512487d5fe7a0c8
        • Instruction ID: 59f4a6e3f69495c56d21c7174bff3e7303372d5bf8b0e6130eb74890b51d0808
        • Opcode Fuzzy Hash: 6372a0797fb2544606bad6f2d34e402083f6cb804e7aaab77512487d5fe7a0c8
        • Instruction Fuzzy Hash: 2C017821B0CB42C2EA04FB52AC8406AE7A5FB8CFC0B884436DE0D53755DE3CF9828710
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2BB3C Relevance: 5.0, APIs: 4, Instructions: 36memoryCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        • GetProcessHeap.KERNEL32(?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BB42
        • HeapAlloc.KERNEL32(?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BB54
        • GetProcessHeap.KERNEL32(?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BB97
        • HeapFree.KERNEL32(?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BBA5
          • Part of subcall function 00007FF746C2B9E4: InterlockedPopEntrySList.KERNEL32(?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BA0A
          • Part of subcall function 00007FF746C2B9E4: memset.MSVCRT ref: 00007FF746C2BA21
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Heap$Process$AllocEntryFreeInterlockedListmemset
        • String ID:
        • API String ID: 1083521011-0
        • Opcode ID: 44705644a9a6d9caa7f118bc2ba3262713434baf58b6779d1a2f7b8dffb4c54d
        • Instruction ID: fead0343975b19d479faf0335242bd04fbcf3aee3f148c06f0d78009898edc95
        • Opcode Fuzzy Hash: 44705644a9a6d9caa7f118bc2ba3262713434baf58b6779d1a2f7b8dffb4c54d
        • Instruction Fuzzy Hash: 5101FB65E0E643C1FA19FB619C9417AD292AF09B44F884439CD0E11395EE3CB894C230
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C21348 Relevance: 3.0, APIs: 2, Instructions: 27COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: AdjustErrorLastPrivilegesToken
        • String ID:
        • API String ID: 3328184475-0
        • Opcode ID: ebab14946b6cac057ca819fe5918efe5a8bf7a7b88e42b1ee95b78e788313be4
        • Instruction ID: af6544afd5d35be505b841df49f2ad80ff9b0c585ea981c0383032a8c48bb961
        • Opcode Fuzzy Hash: ebab14946b6cac057ca819fe5918efe5a8bf7a7b88e42b1ee95b78e788313be4
        • Instruction Fuzzy Hash: 0FF03072A28681C7E750EF25BC45657F7A1FB88704F841135EA8D86614DF3CE0158B10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C21828 Relevance: 63.3, APIs: 24, Strings: 12, Instructions: 270windowCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Item$MessageSend$??3@Windowmemmove$CapsDeviceImageLoadText$??2@FromMonitor
        • String ID: Button.About$Button.Browse$Button.Run$CurrentProcess$CurrentUser$EnableAllPrivileges$NSudo.VersionText$SettingsGroupText$Static.Open$Static.User$System$WarningText
        • API String ID: 998516796-3282129803
        • Opcode ID: bcc79bd24985b4f6598b33f8e6c334623336ae4526ef51abf1443623a1ae6294
        • Instruction ID: b9669adc8b65fdfe51bd21c31a3fd2d39c72adae7b59e85ebf1cd184323e33c1
        • Opcode Fuzzy Hash: bcc79bd24985b4f6598b33f8e6c334623336ae4526ef51abf1443623a1ae6294
        • Instruction Fuzzy Hash: CBD14932A08B82C6EB00FB61EC845AEB7B5FB88B44B914036DE4D57B68DF38E555C750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2B8E4 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 57libraryloaderCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        • DecodePointer.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B8FD
        • LoadLibraryExA.KERNELBASE(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B917
        • GetProcAddress.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B933
        • EncodePointer.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B945
        • GetProcAddress.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B95C
        • EncodePointer.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B96A
        • GetProcAddress.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B981
        • EncodePointer.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B98F
        • GetProcAddress.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B9A6
        • EncodePointer.KERNEL32(?,?,?,00007FF746C2BCE8,?,?,00000000,00007FF746C22BA4), ref: 00007FF746C2B9B4
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Pointer$AddressEncodeProc$DecodeLibraryLoad
        • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
        • API String ID: 4088972757-1745123996
        • Opcode ID: 35ed21221e81ae4485eae767c7885d561e245a8616469926a25ead201318a7e8
        • Instruction ID: 3991293ade3035fa3e8f979a25c086c38974b8d0d2ee93a944ddd301a24b54c7
        • Opcode Fuzzy Hash: 35ed21221e81ae4485eae767c7885d561e245a8616469926a25ead201318a7e8
        • Instruction Fuzzy Hash: D621A7A5E0DB47C2FE54FB22BC58236E3A2AF49B55F884535CD4E46360DE3CB0988320
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C22754 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 272COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 681 7ff746c22754-7ff746c227b1 call 7ff746c12fe4 memset 684 7ff746c227b3 681->684 685 7ff746c227b6-7ff746c227d3 call 7ff746c1b500 681->685 684->685 687 7ff746c227d8-7ff746c22815 685->687 688 7ff746c2281b-7ff746c2286a call 7ff746c1c1bc call 7ff746c275e4 687->688 689 7ff746c22ad6-7ff746c22b25 call 7ff746c1c8f0 call 7ff746c2ab40 call 7ff746c2c270 687->689 699 7ff746c2289a-7ff746c22918 call 7ff746c13aa4 memset call 7ff746c2466c call 7ff746c1c294 memset call 7ff746c25794 call 7ff746c1c294 688->699 700 7ff746c2286c-7ff746c22878 688->700 716 7ff746c22919-7ff746c22930 call 7ff746c1d350 699->716 701 7ff746c2287a-7ff746c2288b 700->701 702 7ff746c22896 700->702 701->702 708 7ff746c2288d-7ff746c22890 701->708 702->699 708->702 719 7ff746c22936-7ff746c22a23 call 7ff746c1d4bc call 7ff746c17f28 call 7ff746c12390 call 7ff746c26eb8 call 7ff746c12390 call 7ff746c139b4 call 7ff746c14414 call 7ff746c11878 call 7ff746c12da0 * 4 716->719 720 7ff746c22aa5-7ff746c22ad5 call 7ff746c1d170 * 2 call 7ff746c255c0 716->720 751 7ff746c22a57-7ff746c22a65 719->751 752 7ff746c22a25-7ff746c22a37 719->752 720->689 753 7ff746c22a67-7ff746c22a6a 751->753 754 7ff746c22a81-7ff746c22a93 call 7ff746c140ec 751->754 755 7ff746c22a39-7ff746c22a4c 752->755 756 7ff746c22a52 ??3@YAXPEAX@Z 752->756 757 7ff746c22a6c-7ff746c22a74 753->757 758 7ff746c22a76-7ff746c22a7f 753->758 761 7ff746c22a98-7ff746c22aa0 754->761 755->756 760 7ff746c22b26-7ff746c22b6d call 7ff746c2c810 call 7ff746c1dc88 755->760 756->751 757->761 758->761 766 7ff746c22b6f-7ff746c22b86 760->766 767 7ff746c22bd2-7ff746c22bf0 760->767 761->716 769 7ff746c22b88-7ff746c22b94 call 7ff746c2bb3c 766->769 770 7ff746c22b96-7ff746c22ba4 call 7ff746c2bc6c 766->770 769->770 775 7ff746c22ba8-7ff746c22bcd call 7ff746c2bbb8 SetWindowLongPtrW 769->775 770->775 775->767
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@memset$ByteCharHeapMultiWidememmove$AllocLongProcessWindow
        • String ID: ShortCutList_V2
        • API String ID: 3400822421-179348997
        • Opcode ID: 990ede159a6cc1b1cc286dfe1366377f8d2a1d1dbe685f4bc3941697f4aa1106
        • Instruction ID: d9eda9cb5b4da8cb936506e689c338466e381da371540ec8f8af44fd0c613c61
        • Opcode Fuzzy Hash: 990ede159a6cc1b1cc286dfe1366377f8d2a1d1dbe685f4bc3941697f4aa1106
        • Instruction Fuzzy Hash: 94C16172A0DA85C1EA20FB15E8503EBE361FBC5B90F844532DA8D47B9ADE3CE545CB10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C13294 Relevance: 10.6, APIs: 7, Instructions: 59windowCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: MessageSendTextWindow$DialogImageItemLoad
        • String ID:
        • API String ID: 1488041840-0
        • Opcode ID: 022caeb323db081ebdc9621ac22fb5f3266a0fde62de18f82aefad138e0b37e6
        • Instruction ID: 45f610c64bac20abf008199cb12138760437b75b752ad321b7295118bad91c59
        • Opcode Fuzzy Hash: 022caeb323db081ebdc9621ac22fb5f3266a0fde62de18f82aefad138e0b37e6
        • Instruction Fuzzy Hash: AA213A75B08611C6FB04EB26D8445AEE361FB88F95F988530CE0D07764CE7CE5578B90
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1E020 Relevance: 7.6, APIs: 5, Instructions: 54threadCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: CriticalHeapSection$AllocCurrentDialogEnterErrorLastLeaveParamProcessThread
        • String ID:
        • API String ID: 3247953248-0
        • Opcode ID: bdbeac2efd27cc801a1421781c5e32a54a46951ca5349cf2276bc194d8fa3123
        • Instruction ID: 96f2ffee55245b4d8bbf0be94752ed1af80a314b2e8b53c8dcd0cf884291b23c
        • Opcode Fuzzy Hash: bdbeac2efd27cc801a1421781c5e32a54a46951ca5349cf2276bc194d8fa3123
        • Instruction Fuzzy Hash: E4210375A0CB42C2EA14FB11AC4016AF361FB48BA4F948635DA6D57BA5DF3CF4918B10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C16E64 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??2@$??3@memmove
        • String ID:
        • API String ID: 3870247476-0
        • Opcode ID: 2fcf686fdfbc0645571af44eabdbe83ca44f7c0c3d88bea96f10e3b4eb53fa3e
        • Instruction ID: 0523e1ce16ed2e52adb989ff09d801aeeed81483a254491a4eaf80ece1a94fcd
        • Opcode Fuzzy Hash: 2fcf686fdfbc0645571af44eabdbe83ca44f7c0c3d88bea96f10e3b4eb53fa3e
        • Instruction Fuzzy Hash: 2A31C4A2B09645C5ED18FA279D443BAD252AF04BE0F844731DE7D0B7D5EE7CF8818254
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C21020 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 80COMMON
        Download Yara Rule

        Control-flow Graph

        APIs
          • Part of subcall function 00007FF746C16E64: ??2@YAPEAX_K@Z.MSVCRT ref: 00007FF746C16EE4
          • Part of subcall function 00007FF746C16E64: memmove.MSVCRT(0000000F,00000000,?,00007FF746C24601,?,?,?,00007FF746C136BF), ref: 00007FF746C16F25
          • Part of subcall function 00007FF746C16E64: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C16F5D
          • Part of subcall function 00007FF746C1E2F4: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C1E380
        • memmove.MSVCRT ref: 00007FF746C210BC
          • Part of subcall function 00007FF746C12DA0: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C12DDF
          • Part of subcall function 00007FF746C13220: DialogBoxParamW.USER32 ref: 00007FF746C13277
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memmove$??3@$??2@DialogParam
        • String ID: NSudo$NSudo.LogoText$NSudo.String.Links
        • API String ID: 3210716343-3978631420
        • Opcode ID: 1341bfdbf9fe3e9c012816d5ead294d0187b53ac1138f76694fe78fcce998ac6
        • Instruction ID: 05f6ae1cb3cc60b2b481fe69d3f70f53ba078ee1c039aa51308fa8cdc780ad22
        • Opcode Fuzzy Hash: 1341bfdbf9fe3e9c012816d5ead294d0187b53ac1138f76694fe78fcce998ac6
        • Instruction Fuzzy Hash: 17319162A1CA85D5EB00FB60DC403EEE760BB85798F800131EA4D57AAADE7CE549CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1E3B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ByteCharMultiWidememmove$??3@HandleModule
        • String ID: String
        • API String ID: 2568442507-2568140703
        • Opcode ID: 8610b6d25f325c5d0b2a8e73a304b3da75818f968461abc7de60dc08a122c115
        • Instruction ID: 5ee5dc3f57bd88f7635cc8b6137f253cad1db44f4ecfbf130b0666a434928ed7
        • Opcode Fuzzy Hash: 8610b6d25f325c5d0b2a8e73a304b3da75818f968461abc7de60dc08a122c115
        • Instruction Fuzzy Hash: D7317E62F18B52C9FB00FBA5DC402ADA772AB497A4F805631DE5D53A95DF38B084C750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1E540 Relevance: 4.6, APIs: 3, Instructions: 58COMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Module$FileHandleNamewcslen
        • String ID:
        • API String ID: 3343338923-0
        • Opcode ID: 7540261ed28a97a18c145b85476910bf07434d3a07c9fe822785ffd2aca3a240
        • Instruction ID: ef3a998a17d1754feb15605cb7e701afb9f6571ae0a35c3a8d74d4f05cedbc30
        • Opcode Fuzzy Hash: 7540261ed28a97a18c145b85476910bf07434d3a07c9fe822785ffd2aca3a240
        • Instruction Fuzzy Hash: 5B21AE76A1CA49C1EA54FB20E8540AEF3A1FB48B90BD40235DA6E43791DF3CF841CB60
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1E2F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@memcmpmemmove
        • String ID: \NSudo.json
        • API String ID: 2437721388-2228655390
        • Opcode ID: fb51a064e8bcd551490c27b0615e22a036a8e28e7409710fd57364450d53c5e0
        • Instruction ID: c10cfacb0e894ef96744d493acbb8fe65c9622424ed06d0e4aefea6f98846da9
        • Opcode Fuzzy Hash: fb51a064e8bcd551490c27b0615e22a036a8e28e7409710fd57364450d53c5e0
        • Instruction Fuzzy Hash: C61184B2718A44C1EB04FB25D85436EA362EB49BD4F904630DB6D0B6D6DF7DE4908750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2B290 Relevance: 3.1, APIs: 2, Instructions: 84COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: _cexit_exit
        • String ID:
        • API String ID: 1388522586-0
        • Opcode ID: 6f0a86c8111b0bc8f74ff95f207e82c9f08e9ca9d45b32e9c99582f9a2e78780
        • Instruction ID: 6e6c663a48e7199c7c70be05e83ad4fd2b6cb3dcc540f7b3fd11c2759e1bed13
        • Opcode Fuzzy Hash: 6f0a86c8111b0bc8f74ff95f207e82c9f08e9ca9d45b32e9c99582f9a2e78780
        • Instruction Fuzzy Hash: E8310664E0C646C6FA54FB659C912BBE293AF45348FC44434EE4E4B2D6DE3CF8448660
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2AC40 Relevance: 3.1, APIs: 2, Instructions: 78COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: _wfsopenfclose
        • String ID:
        • API String ID: 1599020731-0
        • Opcode ID: 5d436e5a73bfcf5040b4e5b8e23e9677646366dbe38ede26eb530e3d6d834cdc
        • Instruction ID: e840ed31742947a6935937a6a1f60f239b1737589fe2c0bbeaeb8cd2c9c3ca86
        • Opcode Fuzzy Hash: 5d436e5a73bfcf5040b4e5b8e23e9677646366dbe38ede26eb530e3d6d834cdc
        • Instruction Fuzzy Hash: 4421B961F2C646C1E769FB56AC01A77E295AF84BC8F885435DD4D83B85CE3DF4428B10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1DEF4 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: LongWindow
        • String ID:
        • API String ID: 1378638983-0
        • Opcode ID: 589e2b073ad1d22d29385fb74e179831e539fd02a4fd943d6b1c3f7f54161266
        • Instruction ID: 879362bc2bbdc6da1b4236c2d1f43e1d472f861fa8d02c9a61e884cce8eb5491
        • Opcode Fuzzy Hash: 589e2b073ad1d22d29385fb74e179831e539fd02a4fd943d6b1c3f7f54161266
        • Instruction Fuzzy Hash: 62318C73A08B04CAEB60EF25D9843ADB3A1FB14BA8F444136DE2D57A94CF38F5658740
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2260C Relevance: 1.6, APIs: 1, Instructions: 81COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Dialog
        • String ID:
        • API String ID: 1120787796-0
        • Opcode ID: 3cde98bfbaa06629b8be22c0ca757dd317cb772e006b99cc97dfe7560814cd6f
        • Instruction ID: f70f7d08e7929efd022ad3f0513fa1b0eef86af57f446f0a2f3edbdc33ca3b8f
        • Opcode Fuzzy Hash: 3cde98bfbaa06629b8be22c0ca757dd317cb772e006b99cc97dfe7560814cd6f
        • Instruction Fuzzy Hash: A2317226E0CA46C6EA30FA55D84057BE292F791B44FA04532EE8C47AA5DE7CF542CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C13220 Relevance: 1.5, APIs: 1, Instructions: 29COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: AddressDialogHandleModuleParamProc
        • String ID:
        • API String ID: 3283960210-0
        • Opcode ID: d18cdef275338889d17b4711eaaeb1ef18840f1f10c982a328f071c452d8049a
        • Instruction ID: fccfa261d89bb2ead684908ace3120a47bea373ad5c6c61d5adc7e575ddbd46d
        • Opcode Fuzzy Hash: d18cdef275338889d17b4711eaaeb1ef18840f1f10c982a328f071c452d8049a
        • Instruction Fuzzy Hash: 3FF03762B1CB84C6EA10EB51E9491AAF3A5BB49B94F800135EE8C07B11DF38E465CB10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2B400 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: __wgetmainargs
        • String ID:
        • API String ID: 1709950718-0
        • Opcode ID: e2b47385088ddd1a97cafd5d86b035d94d4c904399e3aa17c9e18b732ea6c6a5
        • Instruction ID: f1f71025e00701f45a872f638c7bed0ba0cb2ef8acc9dd39f3f53a694a68d479
        • Opcode Fuzzy Hash: e2b47385088ddd1a97cafd5d86b035d94d4c904399e3aa17c9e18b732ea6c6a5
        • Instruction Fuzzy Hash: 13E0B672E1CB81D5D600FBA4E84159BE762FB90354FC01026E68C82A19DF7CE158CB90
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C245AC Relevance: 1.3, APIs: 1, Instructions: 32COMMON
        Download Yara Rule
        APIs
        • memmove.MSVCRT(?,?,?,00007FF746C136BF), ref: 00007FF746C245E8
          • Part of subcall function 00007FF746C16E64: ??2@YAPEAX_K@Z.MSVCRT ref: 00007FF746C16EE4
          • Part of subcall function 00007FF746C16E64: memmove.MSVCRT(0000000F,00000000,?,00007FF746C24601,?,?,?,00007FF746C136BF), ref: 00007FF746C16F25
          • Part of subcall function 00007FF746C16E64: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C16F5D
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memmove$??2@??3@
        • String ID:
        • API String ID: 1832667548-0
        • Opcode ID: 595519b34355bd40c07da770dea8296a1431ad76161c85909e19b83b06943eb8
        • Instruction ID: 23a466df46766e73f1baed7adbead983e1c4655afb3ef24d65e1432005b95a1b
        • Opcode Fuzzy Hash: 595519b34355bd40c07da770dea8296a1431ad76161c85909e19b83b06943eb8
        • Instruction Fuzzy Hash: 35F08161A0D781C2EB10A716E94026BE651EB14FE4F649331DE69077D9CE3CE5928740
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Function 00007FF746C1F680 Relevance: 112.7, APIs: 44, Strings: 20, Instructions: 695registryCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: _wcsicmp$CloseToken$DuplicateHandle$InformationRevertSelfmemmovememset
        • String ID: AboveNormal$BelowNormal$CurrentDirectory$Help$Hide$High$Idle$Install$Maximize$Minimize$Normal$Priority$RealTime$Show$ShowWindowMode$TrustedInstaller$Uninstall$UseCurrentConsole$Version$Wait
        • API String ID: 3441829431-2845053546
        • Opcode ID: f2e26d8defd69027e7378dcf69b0361d903a560ed7a78dc4c58f6f5dedda2378
        • Instruction ID: 8c5601a870464c694f08dad6aa5d0f01d52ef49c4eccb51142e36e58b11a1e78
        • Opcode Fuzzy Hash: f2e26d8defd69027e7378dcf69b0361d903a560ed7a78dc4c58f6f5dedda2378
        • Instruction Fuzzy Hash: C9624CA2A0C642C1FA50FB21DC901BBE3A2FB84744F914036DA6D87695DF3CF545CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C20104 Relevance: 39.2, APIs: 26, Instructions: 240memoryCOMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Token$Information$ErrorInitializeLastfreemalloc$AllocateFree$AccessAllowedCloseCreateHandleLengthRestricted
        • String ID:
        • API String ID: 47877935-0
        • Opcode ID: 5de103c752ef54186bb55798f7547fc115970b22675c765f905922ad001c453e
        • Instruction ID: 673a0489c543df691cd0aaf2c756e39fb9e352856c4b023847f77ce57ab9939d
        • Opcode Fuzzy Hash: 5de103c752ef54186bb55798f7547fc115970b22675c765f905922ad001c453e
        • Instruction Fuzzy Hash: 46B18536B08A82C6E710FF61E85066AB7A1FB44B98F808531DE5D57B94DF3CE515C710
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C26088 Relevance: 37.2, APIs: 16, Strings: 5, Instructions: 432COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@$memmove
        • String ID: ; expected $; last read: '$syntax error $unexpected $while parsing
        • API String ID: 2601545220-4239264347
        • Opcode ID: df081e83d509d4971fedd0929cb561469290575767d6c5f4a0c89956443318bc
        • Instruction ID: 6f87699919d219586614cdfa12d90a566f371f8dbf4b3490e0e504827dcf3832
        • Opcode Fuzzy Hash: df081e83d509d4971fedd0929cb561469290575767d6c5f4a0c89956443318bc
        • Instruction Fuzzy Hash: 0D029762F1C78182EA10FB29D84426FE762EB857E4F905335DE5D17ADADE7CE180C260
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2CE91 Relevance: 30.3, APIs: 24, Instructions: 312COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionThrow$??3@
        • String ID:
        • API String ID: 3542664073-0
        • Opcode ID: 2aca4e85cecc08859ffbd7f03bae566da045d9d71de5088e5aad8cece20c341d
        • Instruction ID: 7dbad3f1d2c34f570ebbdc01010a10254a38797eb508c8dc7696791ef02b7579
        • Opcode Fuzzy Hash: 2aca4e85cecc08859ffbd7f03bae566da045d9d71de5088e5aad8cece20c341d
        • Instruction Fuzzy Hash: 29C10EA6A18A80C9D758FF32DC510FFA362FB88BD4B44A436FE4E5775ACE34E4414690
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C204AC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 129processthreadCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: CloseHandleProcess$BlockClassCreateCurrentDestroyEnvironmentObjectOpenPriorityResumeSingleThreadTokenUserWaitmemset
        • String ID: WinSta0\Default
        • API String ID: 2311671882-3000584429
        • Opcode ID: a0eb20b0d35efa4880bf5211e22bbd2ce7207b5630345cba8e81284858f891b5
        • Instruction ID: b10b954118cfa1a3059a03f1123abfd388f4f60a03b0194baeca3737fe2e2fcf
        • Opcode Fuzzy Hash: a0eb20b0d35efa4880bf5211e22bbd2ce7207b5630345cba8e81284858f891b5
        • Instruction Fuzzy Hash: CC514032A18A91CAE710FBA1EC405AEB771FB84768F900236DE6D57AE4DF38E445C710
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2C850 Relevance: 16.6, APIs: 11, Instructions: 77COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionFilterPresentProcessUnhandledmemset$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtual
        • String ID:
        • API String ID: 2957448560-0
        • Opcode ID: 514932602d295828f64eed44ea2d8d6c28cebce2c2dc000b6af7c7e1e2450842
        • Instruction ID: 0fdfa142b5005547e7f456d9d0f358f41197c647a36528f1c1457b839680fcb2
        • Opcode Fuzzy Hash: 514932602d295828f64eed44ea2d8d6c28cebce2c2dc000b6af7c7e1e2450842
        • Instruction Fuzzy Hash: C431FA76A0CA86C2EB64FB54E8553ABE3A1FB88745F840135DA8E427A5DF3CE1458B10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2B470 Relevance: 13.6, APIs: 9, Instructions: 69COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
        • String ID:
        • API String ID: 313767242-0
        • Opcode ID: 24e3e0efd5f04f2e95d216257f964442f9261d47d0c98f19b10952bb7d314ba7
        • Instruction ID: 451fc2729bccbc6edc6f64ac88db4eb2771b29863a47226af0cfc6bf6e4372b9
        • Opcode Fuzzy Hash: 24e3e0efd5f04f2e95d216257f964442f9261d47d0c98f19b10952bb7d314ba7
        • Instruction Fuzzy Hash: 7631ED76A0DB82C2EB74EB50E8547ABF361EB84745F844035DA8E42B95EF3CE5488B10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C13508 Relevance: 12.1, APIs: 8, Instructions: 114serviceCOMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Service$CloseHandleOpen$Count64ManagerQuerySleepStartStatusTick
        • String ID:
        • API String ID: 3633478049-0
        • Opcode ID: 21a8db7839788179d45d4f13bb949c4bc865f804b4db4337fd375ecb597c2166
        • Instruction ID: 634914d4981e7dd01d3a305d5c1ee45897fb8e8c317aa7af8d09abc4488d0263
        • Opcode Fuzzy Hash: 21a8db7839788179d45d4f13bb949c4bc865f804b4db4337fd375ecb597c2166
        • Instruction Fuzzy Hash: 0B41B372A0CA46C6EA64FB12AD0457BF2A1BF48B94F944134DE8E87794DF3CF4418B60
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C21168 Relevance: 12.1, APIs: 8, Instructions: 78COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ErrorLastToken$Information$AdjustPrivilegesfreemalloc
        • String ID:
        • API String ID: 2330545703-0
        • Opcode ID: be545623fc3500f96c58c343494f42ac54b7cabca1ffe2faa5c77d74d9048f78
        • Instruction ID: 82b19880018136e4b57a0af00685e966fc5fa43bc88b71be8b7fbf9ed7553a2c
        • Opcode Fuzzy Hash: be545623fc3500f96c58c343494f42ac54b7cabca1ffe2faa5c77d74d9048f78
        • Instruction Fuzzy Hash: 08317E72A1CA42C2E750FB51EC48B6AF3A6FB89B84F855130EA4E57B54CF3CE5058710
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C13450 Relevance: 12.1, APIs: 8, Instructions: 51COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Resource$ErrorLast$FindLoadLockSizeof
        • String ID:
        • API String ID: 518650369-0
        • Opcode ID: c0e79dc31f16a900a97837a4f1d1cfa448a392716801088b3835e121dae63792
        • Instruction ID: 50e7e5ff17a3c0dffa24787151e1819658a69450b2555512a20769206afa72cd
        • Opcode Fuzzy Hash: c0e79dc31f16a900a97837a4f1d1cfa448a392716801088b3835e121dae63792
        • Instruction Fuzzy Hash: 6B113AB1A0DA42C1EB05FB22AC0877AE7A1AB08FD4F988434DD8E16754DE3DF4508660
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2B6D0 Relevance: 9.0, APIs: 6, Instructions: 47timethreadCOMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Count64CurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
        • String ID:
        • API String ID: 3559533023-0
        • Opcode ID: 9eb69c6d66b58fed51fc782b81b1a27fa2d3a1d9a0d7d693ba9f96227725966e
        • Instruction ID: 74d390e98ce7c3e16b033a434ccd0c93380cf59c0be3abdcc045f2e81658f877
        • Opcode Fuzzy Hash: 9eb69c6d66b58fed51fc782b81b1a27fa2d3a1d9a0d7d693ba9f96227725966e
        • Instruction Fuzzy Hash: 04113061A1DB42C2EB84EB54F898526B3A5FB49750F802235EE5F427A4EF3CE0948710
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2B808 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON
        Download Yara Rule
        APIs
        Strings
        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF746C2B88B
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: DebugDebuggerErrorLastOutputPresentStringmemset
        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
        • API String ID: 1848478996-631824599
        • Opcode ID: dac43c16fa7cce6df53483dfa5ac629b9b1d8a97182375cfac8941afd73646ec
        • Instruction ID: 30e77d23b31fc46e14a430c948595dde2696129d30683577ffb47d026e72a189
        • Opcode Fuzzy Hash: dac43c16fa7cce6df53483dfa5ac629b9b1d8a97182375cfac8941afd73646ec
        • Instruction Fuzzy Hash: 8011FB32A18B42D7FB54FB26D95437AA3A5FB44745F804135CA5D82A50DF3CF4A48720
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C15E0C Relevance: 7.8, APIs: 6, Instructions: 306COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memcmp
        • String ID:
        • API String ID: 1475443563-0
        • Opcode ID: 279b89bee498623192002327cff3d726463028ec11c7fe078a134f085a140164
        • Instruction ID: 0a4b7472b12c41657928d7abc243b1d0589d1ad93c29b1cc89cf8dbf90cbe4b1
        • Opcode Fuzzy Hash: 279b89bee498623192002327cff3d726463028ec11c7fe078a134f085a140164
        • Instruction Fuzzy Hash: 74C1B0A270CB85C1EA20FB1AA9441AAE361FB45BC4F944431EE9E47795CF3DF981CB14
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C16224 Relevance: 7.8, APIs: 6, Instructions: 306COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memcmp
        • String ID:
        • API String ID: 1475443563-0
        • Opcode ID: c92456e564d9e74101fbecaa44cb5433146da541546483edcc72fe4d58041613
        • Instruction ID: 048a46d66e80a8ecc2c5c9087c68d0b14895ebd4cfc0df547e7727b5c6d4c617
        • Opcode Fuzzy Hash: c92456e564d9e74101fbecaa44cb5433146da541546483edcc72fe4d58041613
        • Instruction Fuzzy Hash: D3C1AEA270CA45C1EA20FF1AA9541AAE761FB45BD4F944431EE9E47796CE3CF881CB10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2C5D0 Relevance: 4.5, APIs: 3, Instructions: 13COMMON
        Download Yara Rule
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(?,?,00000000,00007FF746C2C6DD), ref: 00007FF746C2C5DB
        • UnhandledExceptionFilter.KERNEL32(?,?,00000000,00007FF746C2C6DD), ref: 00007FF746C2C5E4
        • GetCurrentProcess.KERNEL32(?,?,00000000,00007FF746C2C6DD), ref: 00007FF746C2C5EA
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled$CurrentProcess
        • String ID:
        • API String ID: 1249254920-0
        • Opcode ID: 97d32785638ea6be5283c059259af2a3576d58c840aaad5fbc91fc1a579e57ab
        • Instruction ID: 5abcd77a65e7a67b41bec2bad9d3a87075896ec29fa7c49878920ead1f5328af
        • Opcode Fuzzy Hash: 97d32785638ea6be5283c059259af2a3576d58c840aaad5fbc91fc1a579e57ab
        • Instruction Fuzzy Hash: 42D092A1E1CA07C6FB58BB62AC1903AD322AB5CB41B451834CE1B663619D3CA4858620
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2C294 Relevance: .1, Instructions: 111COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2d6502b876b916cc9015c815bac40de726d230ace11b69fb1170f34c0c913670
        • Instruction ID: 62f3741eef020547e881505bd260c1c83a4936e4f1aae4930fb66562b83886c0
        • Opcode Fuzzy Hash: 2d6502b876b916cc9015c815bac40de726d230ace11b69fb1170f34c0c913670
        • Instruction Fuzzy Hash: F341EFF2D0C642C6F7A4FF15A94537BFA91FB54390F908439EA5E83690DA7CB4904B20
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2B280 Relevance: .0, Instructions: 3COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ef4b3766b0249e584b7fa6c9bffe8a5d3541bf68b51e01623fcdc88b84934773
        • Instruction ID: 9ff144cbef72982229691449b1b70fa478554aa9992fdcffe039ad12d28dcea3
        • Opcode Fuzzy Hash: ef4b3766b0249e584b7fa6c9bffe8a5d3541bf68b51e01623fcdc88b84934773
        • Instruction Fuzzy Hash: 03B009A1D1C80BD0E698FB00AC94176F226AB54348BD10635D80E910A09E3CB5489220
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C27734 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 367COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@memmove$??1exception@@$memset
        • String ID: value
        • API String ID: 2908042784-494360628
        • Opcode ID: 52db2005a5413653b8022e21d068b0ef80dd8877791ec75a6ebb3c07e4c3cf84
        • Instruction ID: b37e4dbcd9d09ebdffb053a13632d3d00782f0d4523d47fb836838926f99927f
        • Opcode Fuzzy Hash: 52db2005a5413653b8022e21d068b0ef80dd8877791ec75a6ebb3c07e4c3cf84
        • Instruction Fuzzy Hash: 3FF1A662E1D781C5EA10FB79D8800AEE762EB857A4F905331EE9D17AD5DE3CE141C720
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1EB58 Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 333COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@$memmove$ByteCharMultiWidememset$HandleModule
        • String ID: Config$ContextMenu$HasLUAShield$ItemCommandParameters$ItemDescriptionID$ItemName
        • API String ID: 922496067-2751235215
        • Opcode ID: 1202e03d02c71b794e89c02a9d3be84078448b5abf3499e9c90bf14f28c82bbc
        • Instruction ID: cf674b4d47215a25d4b9f0f4330a478933ccb1ff7e63d73d48faa0b4f614a2df
        • Opcode Fuzzy Hash: 1202e03d02c71b794e89c02a9d3be84078448b5abf3499e9c90bf14f28c82bbc
        • Instruction Fuzzy Hash: 1EE160A2A08A82C5EB20FF25DC502EEE361FB44794FC04136DA5D47B9ADF38E645C750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C24E54 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 256COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@$memmove$??0exception@@
        • String ID: parse error$parse_error
        • API String ID: 248574150-1820534363
        • Opcode ID: 7e562fc8fb2e5160fc5e390c2ce0c81831de70f33ba1acafc5ca44b5110eeedf
        • Instruction ID: 32228710907f95a408b77ea82a7e9907c7755bdaef091cb4ebcc57b4a7ebf7f8
        • Opcode Fuzzy Hash: 7e562fc8fb2e5160fc5e390c2ce0c81831de70f33ba1acafc5ca44b5110eeedf
        • Instruction Fuzzy Hash: 00B180A2E1978285EA00FB69DC441AFE362BB857A4F908731DE6C177D5EF7CE4848350
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C24880 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 266COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@$memmove$??0exception@@$??2@
        • String ID: invalid_iterator$other_error
        • API String ID: 495530496-2116157822
        • Opcode ID: 6cde1239bd8c180db93ccc985035c3f544b8bcd7fefb59cf3ca37b461c13b5af
        • Instruction ID: 1f84d8330b816a689a19f256ebb4d32b3b62421c037d50cf2bece2bbe4db4ee8
        • Opcode Fuzzy Hash: 6cde1239bd8c180db93ccc985035c3f544b8bcd7fefb59cf3ca37b461c13b5af
        • Instruction Fuzzy Hash: 9CB1E362F09B41C6FB10FF69D8441AEE362AB45BA4F808631DE6C17BD5EE78E141C350
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1E71C Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 245registryfileCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: CloseCreate$memmove$??3@CopyFile
        • String ID: "%1"$*\shell\NSudo$-ShowWindowMode=Hide$Icon$MUIVerb$NSudo$Position$SubCommands$cmd /c start "NSudo.ContextMenu.Launcher"
        • API String ID: 3492308963-3052306793
        • Opcode ID: 05eeafbcfe7c099a26f5c602b1b0dc0ab3beb9c21fceef72ceeb38963992b0d8
        • Instruction ID: baaac101030cb38b5cf4fbfd2bd5cf5d4fe90f34db16d14c4415020e29d616c9
        • Opcode Fuzzy Hash: 05eeafbcfe7c099a26f5c602b1b0dc0ab3beb9c21fceef72ceeb38963992b0d8
        • Instruction Fuzzy Hash: 55C15266619A82D6E760FF60DC402EAF760FB84748FC01132DA4D97BA9DF38E685C750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2801C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00007FF746C16BC0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,00007FF746C28052), ref: 00007FF746C16C5E
          • Part of subcall function 00007FF746C26B50: memmove.MSVCRT(?,?,?,?,?,00007FF746C13C12,?,?,?,00007FF746C27159), ref: 00007FF746C26BD4
          • Part of subcall function 00007FF746C26B50: memmove.MSVCRT(?,?,?,?,?,00007FF746C13C12,?,?,?,00007FF746C27159), ref: 00007FF746C26BE2
          • Part of subcall function 00007FF746C26B50: memmove.MSVCRT(?,?,?,?,?,00007FF746C13C12,?,?,?,00007FF746C27159), ref: 00007FF746C26BF8
        • memmove.MSVCRT ref: 00007FF746C28094
          • Part of subcall function 00007FF746C244B8: memmove.MSVCRT(?,?,?,?,?,00007FF746C13DDE), ref: 00007FF746C244F9
        • memmove.MSVCRT ref: 00007FF746C280D7
          • Part of subcall function 00007FF746C13BC8: memmove.MSVCRT(?,?,?,00007FF746C27159), ref: 00007FF746C13C42
        • ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C28134
        • ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C2817C
        • ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C281C0
        • ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C28204
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memmove$??3@
        • String ID: at line $, column
        • API String ID: 2321372689-191570568
        • Opcode ID: 52af89607e38aa4e52f5a45b294d0ddd54920e6e635e83cac661e124fbf37bda
        • Instruction ID: 78edae183c033a43cde5a4b712523ef39385047a9f96dd501fe19fb80ff46b29
        • Opcode Fuzzy Hash: 52af89607e38aa4e52f5a45b294d0ddd54920e6e635e83cac661e124fbf37bda
        • Instruction Fuzzy Hash: CA5185A2F1964185FB00FB79D8443AEE352AB557A8F905731DE2C176C9DE7CE1848390
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C25234 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 132COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@$memmove$??0exception@@
        • String ID: invalid_iterator$type_error
        • API String ID: 248574150-474996131
        • Opcode ID: 2431617fe5ba620c21086bec49dd2f0927aae150257b2fcf81584e8408360043
        • Instruction ID: 7ba6602c3bd70862e040e6d7d5ecf4e753d44388ac8dcf2ebb34dd607ad98871
        • Opcode Fuzzy Hash: 2431617fe5ba620c21086bec49dd2f0927aae150257b2fcf81584e8408360043
        • Instruction Fuzzy Hash: 8A51D162F19B41C9EB10FF69D8441AEE362AB44BA4FC04231DE6D177D6DE78E041C360
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C17D88 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 115COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@ExceptionThrow$memset
        • String ID: cannot use erase() with $iterator does not fit current value$iterator out of range
        • API String ID: 2804994527-3306149458
        • Opcode ID: 3e15eaf211fec891f09a1115576869cd465099c715a7bd871feedc547b56c951
        • Instruction ID: da729176e913452ea92a6f363806b001446c62091105aca56a5ab2f1c09a4421
        • Opcode Fuzzy Hash: 3e15eaf211fec891f09a1115576869cd465099c715a7bd871feedc547b56c951
        • Instruction Fuzzy Hash: 7C416162B4C686D5EB10FB61D8502EEE361AF81758F844132DE1D07AD6DE38F946C7A0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C270BC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memmove$??3@
        • String ID: [json.exception.
        • API String ID: 2321372689-791563284
        • Opcode ID: e843bc7d5a4701ab9560b3273251e0064be092c5bf8e20dd0c41158432e9b82c
        • Instruction ID: d1a7589035982cb9307d4eec309ca131ff3a61b1674c425cf9f9d4b7328a8a2d
        • Opcode Fuzzy Hash: e843bc7d5a4701ab9560b3273251e0064be092c5bf8e20dd0c41158432e9b82c
        • Instruction Fuzzy Hash: 565173A2F18746C5EB10FB69D8453AEE3529B457A4F804735EE2C167C6DE7CE14083A0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C24C64 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@$memmove$??0exception@@
        • String ID: out_of_range
        • API String ID: 248574150-3053435996
        • Opcode ID: fac2152191161a8ab91cbf9402f64892830aeb9535f5bff03c8a2c21e2ba92d5
        • Instruction ID: 07b33e3f9c794a2dd7cc5e850c8431b58153bc5e8e194e15e7a83150cb355bb4
        • Opcode Fuzzy Hash: fac2152191161a8ab91cbf9402f64892830aeb9535f5bff03c8a2c21e2ba92d5
        • Instruction Fuzzy Hash: 1A51C262F18B41C5FB10FF69D8441AEE362AB45BA4F808631DE6D177D6EE78E141C350
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C24A74 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 125COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@$memmove$??0exception@@
        • String ID: other_error
        • API String ID: 248574150-896093151
        • Opcode ID: 6683b7da2eb6950e0f05d2db17d2a2240039d129a0b98d889ca557038e9b5162
        • Instruction ID: 29ef734bd71d44a7afb4496bcf87ee4afd32f0d7bc561562c5dcccfdbf4e6985
        • Opcode Fuzzy Hash: 6683b7da2eb6950e0f05d2db17d2a2240039d129a0b98d889ca557038e9b5162
        • Instruction Fuzzy Hash: 4F51B262F18B41C6EB10FF69D8441AEE362AB45BE8F808231DE6D177D9DE78E145C350
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C22BF4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75registryfileCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: File$Delete$AttributesTree$??3@Move
        • String ID: *\shell\NSudo
        • API String ID: 2897482578-216247581
        • Opcode ID: 07a088cde85d45f59afd8a2976eeb8b357e1e631817abb4b25a6f5974d42ab48
        • Instruction ID: c85b5ed2db48843df4681b869a977708863f2a17b4b593e336a108209d9932cb
        • Opcode Fuzzy Hash: 07a088cde85d45f59afd8a2976eeb8b357e1e631817abb4b25a6f5974d42ab48
        • Instruction Fuzzy Hash: D5314D62A1CA41C2EB20FB25EC5426AE362FB98B84FD44531DE4D43659DF3CF545C750
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1DDC4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78registryCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: CloseCreate$Valuewcslen
        • String ID: HasLUAShield$command
        • API String ID: 1957578438-235200739
        • Opcode ID: a26ed522d47ab1eab44e124a6e89ce6c0647fa1acbef4e2bdfef15dc81abc7bf
        • Instruction ID: b9ff100344c54dfe761bed72c4255e3bf50af04237829c67b02f6fc6b475ce4c
        • Opcode Fuzzy Hash: a26ed522d47ab1eab44e124a6e89ce6c0647fa1acbef4e2bdfef15dc81abc7bf
        • Instruction Fuzzy Hash: 3F318E62B1CB86C2EB10EB61E8943BBE3A1BB89795F800135DE4C4AA55DF7CF5448B10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2B9E4 Relevance: 10.6, APIs: 7, Instructions: 58memoryCOMMON
        Download Yara Rule
        APIs
        • InterlockedPopEntrySList.KERNEL32(?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BA0A
        • memset.MSVCRT ref: 00007FF746C2BA21
          • Part of subcall function 00007FF746C2BABC: GetProcessHeap.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BAD8
          • Part of subcall function 00007FF746C2BABC: HeapAlloc.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BAEA
          • Part of subcall function 00007FF746C2BABC: InitializeSListHead.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BAFB
          • Part of subcall function 00007FF746C2BABC: GetProcessHeap.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BB0B
          • Part of subcall function 00007FF746C2BABC: HeapFree.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BB19
        • VirtualAlloc.KERNEL32(?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BA3B
        • RaiseException.KERNEL32(?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BA56
        • InterlockedPopEntrySList.KERNEL32(?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BA69
        • VirtualFree.KERNEL32(?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BA82
        • InterlockedPushEntrySList.KERNEL32(?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BA9E
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: HeapList$EntryInterlocked$AllocFreeProcessVirtual$ExceptionHeadInitializePushRaisememset
        • String ID:
        • API String ID: 119399185-0
        • Opcode ID: af2f6a93eb85d5ee1e62ec952dc2aa3cfbf9cbd43576bcde13bdde6f9d2231e6
        • Instruction ID: be40c7e751fc03ab3a859c5c3cb248be8cbab4f2053e04478db13ccb866af351
        • Opcode Fuzzy Hash: af2f6a93eb85d5ee1e62ec952dc2aa3cfbf9cbd43576bcde13bdde6f9d2231e6
        • Instruction Fuzzy Hash: D3212C60F1DA46C2FF24FB66AD5067BE652AF88B88F884435CD0E46755EE3CF4918320
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C213B0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 102COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00007FF746C16E64: ??2@YAPEAX_K@Z.MSVCRT ref: 00007FF746C16EE4
          • Part of subcall function 00007FF746C16E64: memmove.MSVCRT(0000000F,00000000,?,00007FF746C24601,?,?,?,00007FF746C136BF), ref: 00007FF746C16F25
          • Part of subcall function 00007FF746C16E64: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C16F5D
          • Part of subcall function 00007FF746C1E2F4: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C1E380
          • Part of subcall function 00007FF746C16E64: ??2@YAPEAX_K@Z.MSVCRT ref: 00007FF746C16F08
        • memmove.MSVCRT ref: 00007FF746C21486
          • Part of subcall function 00007FF746C12DA0: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C12DDF
        • SetLastError.KERNEL32 ref: 00007FF746C214EF
          • Part of subcall function 00007FF746C13220: DialogBoxParamW.USER32 ref: 00007FF746C13277
          • Part of subcall function 00007FF746C12364: GetLastError.KERNEL32 ref: 00007FF746C12368
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@memmove$??2@ErrorLast$DialogParam
        • String ID: NSudo$NSudo.LogoText$NSudo.String.CommandLineHelp$NSudo.String.Links
        • API String ID: 2605573470-1898673966
        • Opcode ID: 1ef683b7cbcf28da0f0d93c04aebe11f56f4715633913dcb9ba1c1edc8a6effb
        • Instruction ID: 51881c28db38c144a0cae4c1e27c86faab560a63f35949ad26d3e2cd0e3d0ca8
        • Opcode Fuzzy Hash: 1ef683b7cbcf28da0f0d93c04aebe11f56f4715633913dcb9ba1c1edc8a6effb
        • Instruction Fuzzy Hash: 6841506261CA86D6EB10FB60DC547EAE760FB84748FC00132EA4D47AA5DF3CE549CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C29C74 Relevance: 7.7, APIs: 5, Instructions: 201COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: fgetc
        • String ID:
        • API String ID: 2807381905-0
        • Opcode ID: 9a60b312f76118d8cd816a1a4a11205584d044c9dbebafe54e24eec035fa3e1b
        • Instruction ID: 95adb106f37b3f8f0a471b12b31b43722865d3dffe5c2f98d82398d0d84686e4
        • Opcode Fuzzy Hash: 9a60b312f76118d8cd816a1a4a11205584d044c9dbebafe54e24eec035fa3e1b
        • Instruction Fuzzy Hash: D4916172A09A41C8DB50EF26D8903ADB3A6FB44B98F954232EE5D47B99DF39E444C310
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C16F88 Relevance: 7.6, APIs: 5, Instructions: 98COMMON
        Download Yara Rule
        APIs
        • memmove.MSVCRT(?,0000000F,?,?,0000000F,00000000,?,00007FF746C24601,?,?,?,00007FF746C136BF), ref: 00007FF746C1703D
        • memmove.MSVCRT(?,0000000F,?,?,0000000F,00000000,?,00007FF746C24601,?,?,?,00007FF746C136BF), ref: 00007FF746C1704B
        • ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C17083
        • memmove.MSVCRT(?,0000000F,?,?,0000000F,00000000,?,00007FF746C24601,?,?,?,00007FF746C136BF), ref: 00007FF746C1708D
        • memmove.MSVCRT(?,0000000F,?,?,0000000F,00000000,?,00007FF746C24601,?,?,?,00007FF746C136BF), ref: 00007FF746C1709B
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memmove$??3@
        • String ID:
        • API String ID: 2321372689-0
        • Opcode ID: 648d95c8768f1c198ed66d0d780e6a4948cde1295dd9e0167cf436a41a78e7c7
        • Instruction ID: 3bec48e2114b829d40dc2f70c8ad0d51eb0f525951ad90028e3056ca98c240a3
        • Opcode Fuzzy Hash: 648d95c8768f1c198ed66d0d780e6a4948cde1295dd9e0167cf436a41a78e7c7
        • Instruction Fuzzy Hash: 4731E1A6B0868195DE54FB26AD042FBE352FB04BE4F844631DF6D4BB81DE3CE0928354
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2155C Relevance: 7.6, APIs: 5, Instructions: 91COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: wcslen$??3@FileNameOpenTextWindowmemset
        • String ID:
        • API String ID: 4150219074-0
        • Opcode ID: 1ac89aa1f044eb0e74c82c7f90cabd8c9ee570b4f552b0a0ccd67c1530cffe10
        • Instruction ID: f4f2372cc1a0fcd9730ef6d81b4d6d01c6db1e8ee5242500f0d093bbe36f2c02
        • Opcode Fuzzy Hash: 1ac89aa1f044eb0e74c82c7f90cabd8c9ee570b4f552b0a0ccd67c1530cffe10
        • Instruction Fuzzy Hash: 9F415873A05A40C9DB50EF34D8902EDB3A1FB58748B811636EB4E93B98DF39D469C710
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C206A0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: CloseHandleOpenProcessToken$Duplicate
        • String ID:
        • API String ID: 3520293429-0
        • Opcode ID: 6b0578e874e3aa85afb371ccc1805fcbb59dcd0c25f1d5589de596491d331caa
        • Instruction ID: c8907c7f163d48c5e896dc14761aa01649ce4766da3d3a954912c3379cccedcf
        • Opcode Fuzzy Hash: 6b0578e874e3aa85afb371ccc1805fcbb59dcd0c25f1d5589de596491d331caa
        • Instruction Fuzzy Hash: 2821A162B1C781C2F650FB16BC50967E392BB88BA0F881235ED5E57794CE3CE481C610
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C13108 Relevance: 7.6, APIs: 5, Instructions: 56COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ConditionMask$InfoVerifyVersionmemset
        • String ID:
        • API String ID: 375572348-0
        • Opcode ID: aa6da5fe0678fdf6d97ab75461c8f2d9a2550bcc5cfad8a5b2030603fb3eabce
        • Instruction ID: 2645ec70e29d059d75a23ae534f7c0221d4a4cab84d7b618e250eb7c73a7fdff
        • Opcode Fuzzy Hash: aa6da5fe0678fdf6d97ab75461c8f2d9a2550bcc5cfad8a5b2030603fb3eabce
        • Instruction Fuzzy Hash: A2118C77A08601CAE720EF21E844BAAB7A1FB8C758F415235EE4E57754EB38E149CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1E0FC Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: DrawIcon
        • String ID:
        • API String ID: 3753536421-0
        • Opcode ID: b75dd67cbd8986ecfbb5c76384b4ede3d0c90750b9153ba5845a9f1b7205ad1f
        • Instruction ID: e6e914fc071bd251c6d7be1ec7632814eab0c38d2da64b297947b65689da2995
        • Opcode Fuzzy Hash: b75dd67cbd8986ecfbb5c76384b4ede3d0c90750b9153ba5845a9f1b7205ad1f
        • Instruction Fuzzy Hash: 0421F936718690CBD324DF22E844A5AB7A2F78CF94F148129EE4953B18CF39E845CB40
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1D000 Relevance: 7.5, APIs: 6, Instructions: 46COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: free
        • String ID:
        • API String ID: 1294909896-0
        • Opcode ID: e9b519f86c9e4c74f939f3a014f080592d6e562bac41cff582214ad22bf88cb4
        • Instruction ID: 4f6bde3702f83d3df08962b04b5559ba6196a6e34ab26c87b1ea61e4cbab1c78
        • Opcode Fuzzy Hash: e9b519f86c9e4c74f939f3a014f080592d6e562bac41cff582214ad22bf88cb4
        • Instruction Fuzzy Hash: 3E115A57A0E682C0EB54FE60C4A137BE362DF85B68F581235D91E095C6CF3CF88293A0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1E26C Relevance: 7.5, APIs: 5, Instructions: 35COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ClientRect
        • String ID:
        • API String ID: 846599473-0
        • Opcode ID: edb129873137f0ef47d75c3e35584650bc46503bfbcf9ac00efb918c0930a863
        • Instruction ID: 70f3206aa743bec58888ea21e53f0d3458201f21573cfa55bdb572f28c5917b7
        • Opcode Fuzzy Hash: edb129873137f0ef47d75c3e35584650bc46503bfbcf9ac00efb918c0930a863
        • Instruction Fuzzy Hash: CC019536A18681CBE314EF26E85061BB762E78CB90F548035DF9A53B64CE3DE895CB10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2BABC Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON
        Download Yara Rule
        APIs
        • GetProcessHeap.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BAD8
        • HeapAlloc.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BAEA
        • InitializeSListHead.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BAFB
        • GetProcessHeap.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BB0B
        • HeapFree.KERNEL32(?,?,00000000,00007FF746C2B9FF,?,?,00000000,00007FF746C2BB8E,?,?,00000000,00007FF746C22B8D), ref: 00007FF746C2BB19
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: Heap$Process$AllocFreeHeadInitializeList
        • String ID:
        • API String ID: 927271182-0
        • Opcode ID: c5f17a7a957280a77a01a540216e03dccd3f140f3ae22e3bbe91e5ed3e9e52a3
        • Instruction ID: 2002be2e60fd021b9a293237c2dd94b6d31e6bda59f451757c0a1db02d82bc66
        • Opcode Fuzzy Hash: c5f17a7a957280a77a01a540216e03dccd3f140f3ae22e3bbe91e5ed3e9e52a3
        • Instruction Fuzzy Hash: F401F631E09A42C6FB44FB26E94423AE3A2BF4CB88F844438CD0D12765EF3DE495C220
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C21284 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46memoryCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: AllocateFreeInformationInitializeToken
        • String ID:
        • API String ID: 2127330248-3916222277
        • Opcode ID: 52d6ffd63ef4dc1904d3bd7227fd23bf5070f9a19c151ec77f9c2b86d68be125
        • Instruction ID: 774e8e652f695cfab1e385f87333351b2310aea47797838390ea534c362d805f
        • Opcode Fuzzy Hash: 52d6ffd63ef4dc1904d3bd7227fd23bf5070f9a19c151ec77f9c2b86d68be125
        • Instruction Fuzzy Hash: 6F115C32A18781C7F750EB15E89436AB3A1FB88795F500134DA8C47A54CF3DE448CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C27DD4 Relevance: 6.4, APIs: 5, Instructions: 142COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionThrow
        • String ID:
        • API String ID: 432778473-0
        • Opcode ID: c5bd581909aa49c6d013a811113362d8e85978c7023e0de04676e6effc5c1048
        • Instruction ID: a479644ff00170a6f3175574c12a1521ec8ae03aaf1e3dbc4631b867d43b74cb
        • Opcode Fuzzy Hash: c5bd581909aa49c6d013a811113362d8e85978c7023e0de04676e6effc5c1048
        • Instruction Fuzzy Hash: FF51C372E1C942C1DB24FB28C89407AE362FB84B84FD45132EA5D47AA8DE3DF945C760
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C27CCC Relevance: 6.3, APIs: 5, Instructions: 68COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionThrow
        • String ID:
        • API String ID: 432778473-0
        • Opcode ID: d39db556d8453bea1a6c4059d2d61e6df346d120cd730aa342402e39c7d8374d
        • Instruction ID: e178cff3c5966e762526cc4812e559e94cc02e454dad077bbf866be5ef272e30
        • Opcode Fuzzy Hash: d39db556d8453bea1a6c4059d2d61e6df346d120cd730aa342402e39c7d8374d
        • Instruction Fuzzy Hash: C821B1A2E6C482C2DA24F724CC694B7D322BB94744FD45032E58E46DBADE7DF604CB60
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C16878 Relevance: 6.2, APIs: 4, Instructions: 163COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memcmp$??3@
        • String ID:
        • API String ID: 3834356630-0
        • Opcode ID: d9cd7e06791bb6cbd55d13bcca279f6ebc60465a29bb1784dde8bcc81cd6981d
        • Instruction ID: 221a9163d643c9019115647ad49e97a2f0e0c1626849ef4305484ff9be029196
        • Opcode Fuzzy Hash: d9cd7e06791bb6cbd55d13bcca279f6ebc60465a29bb1784dde8bcc81cd6981d
        • Instruction Fuzzy Hash: 4461ACA270CA91C2EB10FB16E8541AAF7A0F744BD4F908535EE9D43B95CF38E8918B10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1663C Relevance: 6.2, APIs: 4, Instructions: 163COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: memcmp$??3@
        • String ID:
        • API String ID: 3834356630-0
        • Opcode ID: 06b41a543ea792a87a720ee07ed76468a19b9074804891164bd48fe6edb7de86
        • Instruction ID: d29e70607d14ac4bf146fc93728dfb981885a125403854c7df01506e408560fb
        • Opcode Fuzzy Hash: 06b41a543ea792a87a720ee07ed76468a19b9074804891164bd48fe6edb7de86
        • Instruction Fuzzy Hash: 5061B1A271CA81C1EB10FB1AE8441AAF760F744BD4F914936DE9D87B95CF38E891CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C153F4 Relevance: 6.1, APIs: 4, Instructions: 111COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??2@memmove
        • String ID:
        • API String ID: 2100761966-0
        • Opcode ID: ba75c73015c2242ca02630a1227ebf392c1910618a86e2b7c65ab1b8f1dd71d1
        • Instruction ID: aa79ac4073af679da01f875a7716ebba29c971d723eab423f72912ed2733afbd
        • Opcode Fuzzy Hash: ba75c73015c2242ca02630a1227ebf392c1910618a86e2b7c65ab1b8f1dd71d1
        • Instruction Fuzzy Hash: DC41B1A2718A86D0DA10FA66D8444AEE721EB44BE4BD58732EE7D137D5DE3CE542C700
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1C9C8 Relevance: 6.1, APIs: 4, Instructions: 111COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@
        • String ID:
        • API String ID: 613200358-0
        • Opcode ID: 1efd99ae2a1f6f83cd32b3c0ad539fc3babb16f85c85d18d875b272a7239db87
        • Instruction ID: 6b020f0c75be36cd0c48917dc9b50be21fceaa3fc155003dadd2a313db2cf5c2
        • Opcode Fuzzy Hash: 1efd99ae2a1f6f83cd32b3c0ad539fc3babb16f85c85d18d875b272a7239db87
        • Instruction Fuzzy Hash: BD417FE3B19A8486EF15EE69C4583BDE352EB04FA8F944735DA2C0A5C9CF6CE4848340
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C216DC Relevance: 6.1, APIs: 4, Instructions: 85fileCOMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: DragFile$??3@AttributesFinishQueryTextWindow
        • String ID:
        • API String ID: 4104282394-0
        • Opcode ID: 2e6ec1531e7b2b134043bcd7f6964987e66fc1a7ab54dd98b67d4543b5d7bda6
        • Instruction ID: f3c0ccfed04f92f5d6ca31c860f00677fc885c571a25523a24cea71aa2da04ec
        • Opcode Fuzzy Hash: 2e6ec1531e7b2b134043bcd7f6964987e66fc1a7ab54dd98b67d4543b5d7bda6
        • Instruction Fuzzy Hash: 61417873F14A01C9FB00EFA5D8401EDABB1FB48B68B842621CE1D63A58DF38E495C760
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C231FC Relevance: 6.1, APIs: 4, Instructions: 63COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??2@memmove
        • String ID:
        • API String ID: 2100761966-0
        • Opcode ID: 278f3bdfa1897d4b16f7251da220594d6b082aaf129ef4f8b602eaf1309a1cbd
        • Instruction ID: 11c6bb8ad9e8e7f6a803085b686dfe3d5fc6d6861a44df8633b2c6f950935c37
        • Opcode Fuzzy Hash: 278f3bdfa1897d4b16f7251da220594d6b082aaf129ef4f8b602eaf1309a1cbd
        • Instruction Fuzzy Hash: 8C2153B2B09742C5EA54FA5599883BAE392AB047B0F948735DE7D0B7C5DF38E4908390
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C26A90 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 53COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??2@ExceptionThrow
        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
        • API String ID: 1774377356-1866435925
        • Opcode ID: 954ab00c0872f958f6b94581a2c82dc17374a96b0a4089f7698a07c097330970
        • Instruction ID: fdb65823526c1b3045fd552e93ad1f3a65f071839f5410d028ce00c98bbcfbca
        • Opcode Fuzzy Hash: 954ab00c0872f958f6b94581a2c82dc17374a96b0a4089f7698a07c097330970
        • Instruction Fuzzy Hash: F9114A22E0C64AD6EA14FB11E9513ABE3A2EB50784F944431EB4D47A96DF3CF0A5C760
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2DA7F Relevance: 6.0, APIs: 4, Instructions: 45COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionThrow$??3@
        • String ID:
        • API String ID: 3542664073-0
        • Opcode ID: a05a22f7801d06489e72fa6e6593defd15cded4c0c66acd8f80039aee3f1b07c
        • Instruction ID: 27da6611125da253b2c16dfc55a2d0a1dd0468931dc73b3f27df4b513c376f77
        • Opcode Fuzzy Hash: a05a22f7801d06489e72fa6e6593defd15cded4c0c66acd8f80039aee3f1b07c
        • Instruction Fuzzy Hash: F4019EA5B18A40C9E72CFA33EC522FB9212ABC87C4F549035ED4D4B74ACE3AE4514740
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C20A68 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ProcessToken$CloseCurrentHandleInformationOpen
        • String ID:
        • API String ID: 215268677-0
        • Opcode ID: 2e33c89952cf7888bce86606bd6e7b2846efb0896bc79ddb04d7444bba4bb13a
        • Instruction ID: 4ddc3e60fe6430de3b2c29272cb67049dc9a25713ca0ee10a14ac0b494f99454
        • Opcode Fuzzy Hash: 2e33c89952cf7888bce86606bd6e7b2846efb0896bc79ddb04d7444bba4bb13a
        • Instruction Fuzzy Hash: 60010031A1CA82C2E650EB55E85416BF361FB88BB4F800335EA7E567E4DF7CE4458710
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C24814 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionThrow
        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
        • API String ID: 432778473-1866435925
        • Opcode ID: 334f3284b288845d52a8fe73c20ed30447054c4d4cdc3af7eea5f9e2e1648425
        • Instruction ID: ea4e64583af3455fa3262c1cc3d234f13df23881f3f431e30222e06af57032e9
        • Opcode Fuzzy Hash: 334f3284b288845d52a8fe73c20ed30447054c4d4cdc3af7eea5f9e2e1648425
        • Instruction Fuzzy Hash: 89F08C62E6C68AD2EE14FB00DC415FBE362AB50748FD84032D95D869A5EE3CF546C760
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C20880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ProcessToken$CloseCurrentErrorFreeHandleInformationLastMemoryOpen
        • String ID: winlogon.exe
        • API String ID: 976019093-961692650
        • Opcode ID: b698fafb74598fe6b3ed2514eb24a8b1a26def01634973643b80a3724e5eecfe
        • Instruction ID: 155bb02d726b987cf38de1e402907dd28362b48b35e37c165776bedc044ca750
        • Opcode Fuzzy Hash: b698fafb74598fe6b3ed2514eb24a8b1a26def01634973643b80a3724e5eecfe
        • Instruction Fuzzy Hash: 42315E62A1CA42C6E764FB11A85067BF3A2FB84794F940135EE9E46694DF3CE451CB10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C13AA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@memmove$??0exception@@ExceptionThrow
        • String ID: cannot use operator[] with a string argument with
        • API String ID: 1968904278-2766135566
        • Opcode ID: cf340ddeb24b485392c000a638af18312fb7162d76051f6f57214fde3e2fddb2
        • Instruction ID: 62f5242f07dc3f9f26d7595b1bd7208cfe6c8d382d8e1a015011d69a3fbccc57
        • Opcode Fuzzy Hash: cf340ddeb24b485392c000a638af18312fb7162d76051f6f57214fde3e2fddb2
        • Instruction Fuzzy Hash: 5931CA72B08A85D5EB10FB75C8402EDE361EB45B98F844231DE5C177C5EE38E541C3A0
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C26EB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??3@ExceptionThrow
        • String ID: cannot use key() for non-object iterators
        • API String ID: 3349825565-3527383725
        • Opcode ID: d7c6d8a945acaadae2ee18e8a3bfcac72812e31f571dba0d89b2c93f6ee73e57
        • Instruction ID: 7d1d723efcc890ffc0137af849871e36b3e72ca7974b0328908565d232a6f00a
        • Opcode Fuzzy Hash: d7c6d8a945acaadae2ee18e8a3bfcac72812e31f571dba0d89b2c93f6ee73e57
        • Instruction Fuzzy Hash: B9215062B0C646C2EE24FB29D84036EE362EB457A4F904232DA6D037E9DE3CF545C760
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1C36C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??2@ExceptionThrow
        • String ID: 961c151d2e87f2686a955a9be24d316f1362bf21 3.4.0
        • API String ID: 1774377356-857451449
        • Opcode ID: ad690f9cb74648ad21d05dba1eb70fb8d94e523119ccbf6031cac0145c20050c
        • Instruction ID: 92d847ca3182e817266ddb017dbe1417e2a19d93f837698ac9e37c6e4e6d8c6f
        • Opcode Fuzzy Hash: ad690f9cb74648ad21d05dba1eb70fb8d94e523119ccbf6031cac0145c20050c
        • Instruction Fuzzy Hash: 6E2179E284C502C1E265FA28D8A43FBD690AB45314FC44232E65E066E5CE2DF50ACB21
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1BBE4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00007FF746C13398: GetSystemWindowsDirectoryW.KERNEL32 ref: 00007FF746C133B7
          • Part of subcall function 00007FF746C13398: GetSystemWindowsDirectoryW.KERNEL32 ref: 00007FF746C13401
          • Part of subcall function 00007FF746C24530: memmove.MSVCRT(?,?,?,?,?,00007FF746C13E76), ref: 00007FF746C24571
        • RegOpenKeyExW.ADVAPI32 ref: 00007FF746C1BC6D
          • Part of subcall function 00007FF746C1EB58: GetModuleHandleW.KERNEL32 ref: 00007FF746C1EBA1
          • Part of subcall function 00007FF746C1EB58: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF746C1EC9F
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: DirectorySystemWindows$??3@HandleModuleOpenmemmove
        • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell$\NSudo.exe
        • API String ID: 2334327573-2634088638
        • Opcode ID: 7ed9c4ccc027b6bbaa15cddf4ad82d2703c7bd7ad0feff38c48f61fce12b10ce
        • Instruction ID: 1212f8e207c02d103d951450254318a18d7f2216406fb4d41ad4cd0bab005a11
        • Opcode Fuzzy Hash: 7ed9c4ccc027b6bbaa15cddf4ad82d2703c7bd7ad0feff38c48f61fce12b10ce
        • Instruction Fuzzy Hash: 61116A72608B01C6E710EF29E84025AB7A0FB44FA8F944224DBAD477A4DF38F553CB18
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C1D0D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??1exception@@ExceptionThrow
        • String ID: ios_base::badbit set
        • API String ID: 3741338126-3882152299
        • Opcode ID: 17ea093403f27721348a23bea168791ac41c1f5f1177cbb3fc7494a94feae6c9
        • Instruction ID: c5e169108d77ab877101847a3e1b342c37a4c1a2b1eb358ee643d029f22df11c
        • Opcode Fuzzy Hash: 17ea093403f27721348a23bea168791ac41c1f5f1177cbb3fc7494a94feae6c9
        • Instruction Fuzzy Hash: 2901C0B2E4DA06C1EE14FB15D8511BAE321EB41764F805232EA5E433E4DE3CE196C710
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C12E04 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ??2@
        • String ID: string too long$vector<T> too long
        • API String ID: 1033339047-107800493
        • Opcode ID: 3d0eab5613b6e88787e7f88d81f7c72ca03f3a52ff67aca2dca831e5e4794e44
        • Instruction ID: 1bde5fb2ee020a6a018b238201a1992b2a7f2c94bae7b23d2cd4c090aa55f1ad
        • Opcode Fuzzy Hash: 3d0eab5613b6e88787e7f88d81f7c72ca03f3a52ff67aca2dca831e5e4794e44
        • Instruction Fuzzy Hash: C7F09699E0A685D1ED1CF7A1DC552B593518F643B0ED00B31D67E0B7D1DE3CB1818751
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C131D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ConditionMask$AddressHandleInfoModuleProcVerifyVersionmemset
        • String ID: user32.dll
        • API String ID: 3562192782-38312619
        • Opcode ID: d6c7061fb1625124ed92fa2aba4897b6f033d7c7d22c5b428d74ca7285767f04
        • Instruction ID: 25d24189ceb5f9af156d8f2fc1e144f1f58542ae89dc8863efe44f5c5a9082e5
        • Opcode Fuzzy Hash: d6c7061fb1625124ed92fa2aba4897b6f033d7c7d22c5b428d74ca7285767f04
        • Instruction Fuzzy Hash: 99E092A1F0E202C1FD08FB218C542B2D3416F4A700FE84534CC4D123D1DE3CB545CA60
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FF746C2CC30 Relevance: 5.1, APIs: 4, Instructions: 62COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000005.00000002.53632899503.00007FF746C11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF746C10000, based on PE: true
        • Associated: 00000005.00000002.53632871986.00007FF746C10000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632942024.00007FF746C2E000.00000002.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632970037.00007FF746C3B000.00000004.00000001.01000000.00000004.sdmpDownload File
        • Associated: 00000005.00000002.53632995762.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_7ff746c10000_adminpriv.jbxd
        Similarity
        • API ID: ExceptionThrow
        • String ID:
        • API String ID: 432778473-0
        • Opcode ID: 356defb4f08a69ef1f481320a5c8d2d03bb7cf45a386bd29fa33be675b2da2aa
        • Instruction ID: 84e42715d6c091baf1837181a77d4d160113419c0697a16874998bd32a334107
        • Opcode Fuzzy Hash: 356defb4f08a69ef1f481320a5c8d2d03bb7cf45a386bd29fa33be675b2da2aa
        • Instruction Fuzzy Hash: 7A2165A6A18A80C9E768FE32DC511FBA311FB847D4F449535FE5D4B75ACE38E4418740
        Uniqueness

        Uniqueness Score: -1.00%