
Windows Analysis Report
remcmdstub.exe

Overview

General Information

Sample name: remcmdstub.exe
Analysis ID: 1428654
MD5: 6fca49b85aa38ee016e39e14b9f9d6d9
SHA1: b0d689c70e91d5600ccc2a4e533ff89bf4ca388b
SHA256: fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • remcmdstub.exe (PID: 6972, cmdline: "C:\Users\user\Desktop\remcmdstub.exe", MD5: 6FCA49B85AA38EE016E39E14B9F9D6D9)
    • conhost.exe (PID: 6992, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: remcmdstub.exe | Virustotal: Detection: 23%
Source: remcmdstub.exe | ReversingLabs: Detection: 23%
Source: remcmdstub.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: remcmdstub.exe | Static PE information: certificate valid
Source: remcmdstub.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: remcmdstub.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: remcmdstub.exe | String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: remcmdstub.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: remcmdstub.exe | String found in binary or memory: http://sv.symcd.com0&
Source: remcmdstub.exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: remcmdstub.exe | String found in binary or memory: http://www.symauth.com/rpa00
Source: remcmdstub.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: remcmdstub.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: remcmdstub.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal48.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: remcmdstub.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\remcmdstub.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: remcmdstub.exe | Virustotal: Detection: 23%
Source: remcmdstub.exe | ReversingLabs: Detection: 23%
Source: unknown | Process created: C:\Users\user\Desktop\remcmdstub.exe "C:\Users\user\Desktop\remcmdstub.exe"
Source: C:\Users\user\Desktop\remcmdstub.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\remcmdstub.exe | Section loaded: apphelp.dll
Source: remcmdstub.exe | Static PE information: certificate valid
Source: remcmdstub.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: remcmdstub.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: remcmdstub.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: remcmdstub.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: remcmdstub.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: remcmdstub.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_003412E0 ExpandEnvironmentStringsA, _memset, GetStdHandle, GetStdHandle, GetStdHandle, GetStdHandle, GetConsoleMode, SetConsoleMode, GetLastError, SetConsoleCtrlHandler, LoadLibraryA, GetProcAddress, SetLastError, CreateProcessA, CloseHandle, CloseHandle, WaitForMultipleObjects, GenerateConsoleCtrlEvent, WaitForMultipleObjects, GetLastError, GetExitCodeProcess, GetLastError, GetLastError, WriteFile, Sleep, GetLastError, GetLastError, GetLastError, WaitForSingleObject, CloseHandle, GetProcAddress, CloseHandle, CloseHandle, CloseHandle, CloseHandle, FreeLibrary (0_2_003412E0)
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_003449F5 push ecx; ret (0_2_00344A08)
Source: C:\Users\user\Desktop\remcmdstub.exe | Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\remcmdstub.exe | API coverage: 9.9 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_00341EB5 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess (0_2_00341EB5)
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_003412E0 ExpandEnvironmentStringsA, _memset, GetStdHandle, GetStdHandle, GetStdHandle, GetStdHandle, GetConsoleMode, SetConsoleMode, GetLastError, SetConsoleCtrlHandler, LoadLibraryA, GetProcAddress, SetLastError, CreateProcessA, CloseHandle, CloseHandle, WaitForMultipleObjects, GenerateConsoleCtrlEvent, WaitForMultipleObjects, GetLastError, GetExitCodeProcess, GetLastError, GetLastError, WriteFile, Sleep, GetLastError, GetLastError, GetLastError, WaitForSingleObject, CloseHandle, GetProcAddress, CloseHandle, CloseHandle, CloseHandle, CloseHandle, FreeLibrary (0_2_003412E0)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_00341EB5 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess (0_2_00341EB5)
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_00344CAB SetUnhandledExceptionFilter (0_2_00344CAB)
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_0034308C _memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (0_2_0034308C)
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_00345973 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter (0_2_00345973)
Source: C:\Users\user\Desktop\remcmdstub.exe | Code function: 0_2_00341010 GetVersionExA (0_2_00341010)
MITRE ATT&CK matrix (only tactics with matching signatures are listed; the number in parentheses is the count of matching signatures):

Tactic | Matched techniques
Execution | Native API (2)
Persistence | DLL Side-Loading (1)
Privilege Escalation | Process Injection (1), DLL Side-Loading (1)
Defense Evasion | Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
Discovery | System Time Discovery (1), Security Software Discovery (1), System Information Discovery (3)

No techniques were matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact.
Behavior Graph (ID: 1428654, sample: remcmdstub.exe, start date: 19/04/2024, architecture: WINDOWS, score: 48): remcmdstub.exe is started and in turn starts conhost.exe; the signature "Multi AV Scanner detection for submitted file" is attached to remcmdstub.exe.
Source | Detection | Scanner | Label
remcmdstub.exe | 24% | Virustotal |
remcmdstub.exe | 24% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.symauth.com/cps0( | remcmdstub.exe | false | | high
http://www.symauth.com/rpa00 | remcmdstub.exe | false | | high
      No contacted IP infos
      Joe Sandbox version: 40.0.0 Tourmaline
      Analysis ID: 1428654
      Start date and time: 2024-04-19 11:27:29 +02:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 2m 12s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of new started processes analysed: 2
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: remcmdstub.exe
      Detection: MAL
      Classification: mal48.winEXE@2/1@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 93%
      • Number of executed functions: 4
      • Number of non-executed functions: 16
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Stop behavior analysis, all processes terminated
      • Not all processes were analyzed; the report is missing behavior information
      No simulations
      No context
      Process: C:\Users\user\Desktop\remcmdstub.exe
      File Type: ASCII text, with CRLF line terminators
      Category: dropped
      Size (bytes): 95
      Entropy (8bit): 4.8704668252128
      Encrypted: false
      SSDEEP: 3:jEiDt+WfWXxUSL4IjqFlFBaBpbZBn:fwvhUSkRrFBaDr
      MD5: 5A1A33985923BF090F2D5AC233EBC981
      SHA1: 9FC152EB770CC2D598ED79F0016519E6848EE5B5
      SHA-256: 8A94B3F5AF3D64A966021A24FCCB47203E27C13D1A01FAC332094E1916A08943
      SHA-512: DE8B5B37C9C67700C59FE81DAE0CA9DEFFBFBB03C9A4844F7BB3B1B54ACCEA84A5BA9D474327B6B43E51B6FB7070044BCE661ABDC1FD3BDBDAF50409D9143036
      Malicious: false
      Reputation: low
      Preview: Usage: C:\Users\user\Desktop\remcmdstub.exe (4 InheritableEventHandles) (CommandLineToSpawn)..
      File type: PE32 executable (console) Intel 80386, for MS Windows
      Entropy (8bit): 6.446503462786185
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name: remcmdstub.exe
      File size: 63'864 bytes
      MD5: 6fca49b85aa38ee016e39e14b9f9d6d9
      SHA1: b0d689c70e91d5600ccc2a4e533ff89bf4ca388b
      SHA256: fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814
      SHA512: f9c90029ff3dea84df853db63dace97d1c835a8cf7b6a6227a5b6db4abe25e9912dfed6967a88a128d11ab584663e099bf80c50dd879242432312961c0cfe622
      SSDEEP: 1536:Tf6fvDuNcAjJMBUHYBlXU1wT2JFqy9BQhiK:D6f7cjJ4U4I1jFqy92hiK
      TLSH: CA536B153A55D033D9420D3015B8D3B28E7B796256B9C49F7FA803BA5FE13D06A2837A
      File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$U..`4..`4..`4..{.D.q4..{.p.54..iLI.e4..`4..74..{.q.}4..{.@.a4..{.G.a4..Rich`4..................PE..L......U...................
      Icon Hash: 90cececece8e8eb0
      Entrypoint: 0x4021b4
      Entrypoint Section: .text
      Digitally signed: true
      Imagebase: 0x400000
      Subsystem: windows cui
      Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Time Stamp: 0x55BB88BA [Fri Jul 31 14:39:54 2015 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major: 5
      OS Version Minor: 1
      File Version Major: 5
      File Version Minor: 1
      Subsystem Version Major: 5
      Subsystem Version Minor: 1
      Import Hash: 99c0cd957fc7334714fefa3daa61a6ea
      Signature Valid: true
      Signature Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
      Signature Validation Error: The operation completed successfully
      Error Number: 0
      Not Before: 12/01/2016 00:00:00
      Not After: 22/09/2017 00:59:59
      Subject Chain:
      • CN=NetSupport Ltd, O=NetSupport Ltd, L=Peterborough, S=Cambridgeshire, C=GB
      Version: 3
      Thumbprint MD5: 01BC32D0D5C6F54460D042D1EF48303C
      Thumbprint SHA-1: EF3F9E69461B32D4C3CA123CC040335F1E0D0C75
      Thumbprint SHA-256: 7086610176DBBE170DF29E0EE34BFB970322204D0060BEF070C091415F105E32
      Serial: 2A7C96B4A761A9747606BD1056003D49
      Instructions (disassembly starting at the entrypoint):
      call 00007F92146E55EFh
      jmp 00007F92146E1CCAh
      sub eax, 000003A4h
      je 00007F92146E1E54h
      sub eax, 04h
      je 00007F92146E1E49h
      sub eax, 0Dh
      je 00007F92146E1E3Eh
      dec eax
      je 00007F92146E1E35h
      xor eax, eax
      ret
      mov eax, 00000404h
      ret
      mov eax, 00000412h
      ret
      mov eax, 00000804h
      ret
      mov eax, 00000411h
      ret
      mov edi, edi
      push esi
      push edi
      mov esi, eax
      push 00000101h
      xor edi, edi
      lea eax, dword ptr [esi+1Ch]
      push edi
      push eax
      call 00007F92146E1BE1h
      xor eax, eax
      movzx ecx, ax
      mov eax, ecx
      mov dword ptr [esi+04h], edi
      mov dword ptr [esi+08h], edi
      mov dword ptr [esi+0Ch], edi
      shl ecx, 10h
      or eax, ecx
      lea edi, dword ptr [esi+10h]
      stosd
      stosd
      stosd
      mov ecx, 0040D018h
      add esp, 0Ch
      lea eax, dword ptr [esi+1Ch]
      sub ecx, esi
      mov edi, 00000101h
      mov dl, byte ptr [ecx+eax]
      mov byte ptr [eax], dl
      inc eax
      dec edi
      jne 00007F92146E1E29h
      lea eax, dword ptr [esi+0000011Dh]
      mov esi, 00000100h
      mov dl, byte ptr [eax+ecx]
      mov byte ptr [eax], dl
      inc eax
      dec esi
      jne 00007F92146E1E29h
      pop edi
      pop esi
      ret
      mov edi, edi
      push ebp
      mov ebp, esp
      sub esp, 0000051Ch
      mov eax, dword ptr [0040D000h]
      xor eax, ebp
      mov dword ptr [ebp-04h], eax
      push ebx
      push edi
      lea eax, dword ptr [ebp-00000518h]
      push eax
      push dword ptr [esi+04h]
      call dword ptr [0040A06Ch]
      mov edi, 00000100h
      Programming Language:
      • [ASM] VS2010 SP1 build 40219
      • [ C ] VS2010 SP1 build 40219
      • [IMP] VS2008 SP1 build 30729
      • [C++] VS2010 SP1 build 40219
      • [RES] VS2010 SP1 build 40219
      • [LNK] VS2010 SP1 build 40219
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbdc4 | 0x3c | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x654 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd000 | 0x2978 | .data
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11000 | 0x788 | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xbaa0 | 0x40 | .rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x140 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x812e | 0x8200 | f4a98d39abc40fb03cecd64187312199 | False | 0.6094050480769231 | data | 6.4921288348993595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0xa000 | 0x250c | 0x2600 | 50232bdd36639b3c331c53b69e78bf62 | False | 0.3372738486842105 | data | 4.832534162037543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0xd000 | 0x2d8c | 0xe00 | 4132e810625f1caf17538a533e4d9bc3 | False | 0.19614955357142858 | data | 2.2580975300258888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x10000 | 0x654 | 0x800 | 6dc39d63f0892d73400757507011359d | False | 0.34375 | data | 4.381642653095394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x11000 | 0xc70 | 0xe00 | 417fbf698b053cd26009b1064a88c8ea | False | 0.4765625 | data | 4.410312209275639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_STRING | 0x100e8 | 0x62 | data | | | 0.7142857142857143
      RT_VERSION | 0x1014c | 0x3ac | data | | | 0.44468085106382976
      RT_MANIFEST | 0x104f8 | 0x15a | ASCII text, with CRLF line terminators | English | Great Britain | 0.5491329479768786
      DLL | Imports
      KERNEL32.dll | LoadLibraryA, FreeLibrary, GetProcAddress, SetLastError, GetVersionExA, GetLastError, GetModuleFileNameA, WaitForSingleObject, Sleep, WriteFile, GetExitCodeProcess, GenerateConsoleCtrlEvent, WaitForMultipleObjects, CloseHandle, CreateProcessA, SetConsoleCtrlHandler, SetConsoleMode, GetConsoleMode, GetStdHandle, ExpandEnvironmentStringsA, SetStdHandle, WriteConsoleW, HeapSize, SetFilePointer, FlushFileBuffers, GetCommandLineA, HeapSetInformation, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetModuleHandleW, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, IsProcessorFeaturePresent, ExitProcess, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeW, HeapFree, HeapAlloc, RtlUnwind, LoadLibraryW, HeapReAlloc, GetConsoleCP, CreateFileW
      USER32.dll | EnumWindows, GetClassNameA, SendMessageA, EnumThreadWindows
      Language of compilation system: English
      Country where language is spoken: Great Britain
      No network behavior found


      Target ID: 0
      Start time: 11:28:42
      Start date: 19/04/2024
      Path: C:\Users\user\Desktop\remcmdstub.exe
      Wow64 process (32bit): true
      Commandline: "C:\Users\user\Desktop\remcmdstub.exe"
      Imagebase: 0x340000
      File size: 63'864 bytes
      MD5 hash: 6FCA49B85AA38EE016E39E14B9F9D6D9
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: low
      Has exited: true

      Target ID: 1
      Start time: 11:28:42
      Start date: 19/04/2024
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff7699e0000
      File size: 862'208 bytes
      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high
      Has exited: true


        Execution Graph

        Execution Coverage: 8.4%
        Dynamic/Decrypted Code Coverage: 0%
        Signature Coverage: 7.5%
        Total number of Nodes: 1560
        Total number of Limit Nodes: 26
5008->5009 5010 342d93 5009->5010 5011 344f86 __amsg_exit 66 API calls 5010->5011 5012 3417e0 5010->5012 5011->5012 5012->5004 5013 342b62 5012->5013 5014 342b6e _flsall 5013->5014 5015 342d8b __getptd 66 API calls 5014->5015 5016 342b73 5015->5016 5017 342ba1 5016->5017 5019 342b85 5016->5019 5018 345caf __lock 66 API calls 5017->5018 5020 342ba8 5018->5020 5021 342d8b __getptd 66 API calls 5019->5021 5044 342b15 5020->5044 5022 342b8a 5021->5022 5025 342b98 _flsall 5022->5025 5027 344f86 __amsg_exit 66 API calls 5022->5027 5025->5004 5027->5025 5029 3423ed _flsall 5028->5029 5030 342d8b __getptd 66 API calls 5029->5030 5031 3423f2 5030->5031 5032 345caf __lock 66 API calls 5031->5032 5040 342404 5031->5040 5033 342422 5032->5033 5034 34246b 5033->5034 5035 342453 InterlockedIncrement 5033->5035 5036 342439 InterlockedDecrement 5033->5036 5314 34247c 5034->5314 5035->5034 5036->5035 5041 342444 5036->5041 5038 344f86 __amsg_exit 66 API calls 5039 342412 _flsall 5038->5039 5039->5007 5040->5038 5040->5039 5041->5035 5042 345ce2 _free 66 API calls 5041->5042 5043 342452 5042->5043 5043->5035 5045 342b22 5044->5045 5046 342b57 5044->5046 5045->5046 5047 3428a2 ___addlocaleref 8 API calls 5045->5047 5052 342bcf 5046->5052 5048 342b38 5047->5048 5048->5046 5055 342931 5048->5055 5313 345bd6 LeaveCriticalSection 5052->5313 5054 342bd6 5054->5022 5056 3429c5 5055->5056 5057 342942 InterlockedDecrement 5055->5057 5056->5046 5069 3429ca 5056->5069 5058 342957 InterlockedDecrement 5057->5058 5059 34295a 5057->5059 5058->5059 5060 342964 InterlockedDecrement 5059->5060 5061 342967 5059->5061 5060->5061 5062 342974 5061->5062 5063 342971 InterlockedDecrement 5061->5063 5064 34297e InterlockedDecrement 5062->5064 5065 342981 5062->5065 5063->5062 5064->5065 5066 34299a InterlockedDecrement 5065->5066 5067 3429aa InterlockedDecrement 5065->5067 5068 3429b5 InterlockedDecrement 5065->5068 5066->5065 5067->5065 5068->5056 5070 3429e1 5069->5070 5071 342a4e 5069->5071 5070->5071 
5077 342a15 5070->5077 5083 345ce2 _free 66 API calls 5070->5083 5072 342a9b 5071->5072 5073 345ce2 _free 66 API calls 5071->5073 5080 342ac4 5072->5080 5139 345dfb 5072->5139 5075 342a6f 5073->5075 5079 345ce2 _free 66 API calls 5075->5079 5078 342a36 5077->5078 5086 345ce2 _free 66 API calls 5077->5086 5081 345ce2 _free 66 API calls 5078->5081 5085 342a82 5079->5085 5082 342b09 5080->5082 5087 345ce2 66 API calls _free 5080->5087 5089 342a43 5081->5089 5090 345ce2 _free 66 API calls 5082->5090 5091 342a0a 5083->5091 5084 345ce2 _free 66 API calls 5084->5080 5088 345ce2 _free 66 API calls 5085->5088 5092 342a2b 5086->5092 5087->5080 5093 342a90 5088->5093 5094 345ce2 _free 66 API calls 5089->5094 5095 342b0f 5090->5095 5099 3461db 5091->5099 5127 346172 5092->5127 5098 345ce2 _free 66 API calls 5093->5098 5094->5071 5095->5046 5098->5072 5100 3462d5 5099->5100 5101 3461ec 5099->5101 5100->5077 5102 3461fd 5101->5102 5103 345ce2 _free 66 API calls 5101->5103 5104 34620f 5102->5104 5105 345ce2 _free 66 API calls 5102->5105 5103->5102 5106 346221 5104->5106 5107 345ce2 _free 66 API calls 5104->5107 5105->5104 5108 346233 5106->5108 5109 345ce2 _free 66 API calls 5106->5109 5107->5106 5110 346245 5108->5110 5111 345ce2 _free 66 API calls 5108->5111 5109->5108 5112 346257 5110->5112 5113 345ce2 _free 66 API calls 5110->5113 5111->5110 5114 346269 5112->5114 5115 345ce2 _free 66 API calls 5112->5115 5113->5112 5116 34627b 5114->5116 5117 345ce2 _free 66 API calls 5114->5117 5115->5114 5118 34628d 5116->5118 5119 345ce2 _free 66 API calls 5116->5119 5117->5116 5120 34629f 5118->5120 5121 345ce2 _free 66 API calls 5118->5121 5119->5118 5122 3462b1 5120->5122 5123 345ce2 _free 66 API calls 5120->5123 5121->5120 5124 3462c3 5122->5124 5125 345ce2 _free 66 API calls 5122->5125 5123->5122 5124->5100 5126 345ce2 _free 66 API calls 5124->5126 5125->5124 5126->5100 5128 34617f 5127->5128 5129 3461d7 5127->5129 5130 34618f 5128->5130 5131 345ce2 _free 66 API calls 5128->5131 
5129->5078 5132 3461a1 5130->5132 5133 345ce2 _free 66 API calls 5130->5133 5131->5130 5134 3461b3 5132->5134 5135 345ce2 _free 66 API calls 5132->5135 5133->5132 5136 3461c5 5134->5136 5137 345ce2 _free 66 API calls 5134->5137 5135->5134 5136->5129 5138 345ce2 _free 66 API calls 5136->5138 5137->5136 5138->5129 5140 345e0c 5139->5140 5141 342ab9 5139->5141 5142 345ce2 _free 66 API calls 5140->5142 5141->5084 5143 345e14 5142->5143 5144 345ce2 _free 66 API calls 5143->5144 5145 345e1c 5144->5145 5146 345ce2 _free 66 API calls 5145->5146 5147 345e24 5146->5147 5148 345ce2 _free 66 API calls 5147->5148 5149 345e2c 5148->5149 5150 345ce2 _free 66 API calls 5149->5150 5151 345e34 5150->5151 5152 345ce2 _free 66 API calls 5151->5152 5153 345e3c 5152->5153 5154 345ce2 _free 66 API calls 5153->5154 5155 345e43 5154->5155 5156 345ce2 _free 66 API calls 5155->5156 5157 345e4b 5156->5157 5158 345ce2 _free 66 API calls 5157->5158 5159 345e53 5158->5159 5160 345ce2 _free 66 API calls 5159->5160 5161 345e5b 5160->5161 5162 345ce2 _free 66 API calls 5161->5162 5163 345e63 5162->5163 5164 345ce2 _free 66 API calls 5163->5164 5165 345e6b 5164->5165 5166 345ce2 _free 66 API calls 5165->5166 5167 345e73 5166->5167 5168 345ce2 _free 66 API calls 5167->5168 5169 345e7b 5168->5169 5170 345ce2 _free 66 API calls 5169->5170 5171 345e83 5170->5171 5172 345ce2 _free 66 API calls 5171->5172 5173 345e8b 5172->5173 5174 345ce2 _free 66 API calls 5173->5174 5175 345e96 5174->5175 5176 345ce2 _free 66 API calls 5175->5176 5177 345e9e 5176->5177 5178 345ce2 _free 66 API calls 5177->5178 5179 345ea6 5178->5179 5180 345ce2 _free 66 API calls 5179->5180 5181 345eae 5180->5181 5182 345ce2 _free 66 API calls 5181->5182 5183 345eb6 5182->5183 5184 345ce2 _free 66 API calls 5183->5184 5185 345ebe 5184->5185 5186 345ce2 _free 66 API calls 5185->5186 5187 345ec6 5186->5187 5188 345ce2 _free 66 API calls 5187->5188 5189 345ece 5188->5189 5190 345ce2 _free 66 API calls 5189->5190 5191 345ed6 5190->5191 
5192 345ce2 _free 66 API calls 5191->5192 5193 345ede 5192->5193 5194 345ce2 _free 66 API calls 5193->5194 5195 345ee6 5194->5195 5196 345ce2 _free 66 API calls 5195->5196 5197 345eee 5196->5197 5198 345ce2 _free 66 API calls 5197->5198 5199 345ef6 5198->5199 5200 345ce2 _free 66 API calls 5199->5200 5201 345efe 5200->5201 5202 345ce2 _free 66 API calls 5201->5202 5203 345f06 5202->5203 5204 345ce2 _free 66 API calls 5203->5204 5205 345f0e 5204->5205 5206 345ce2 _free 66 API calls 5205->5206 5207 345f1c 5206->5207 5208 345ce2 _free 66 API calls 5207->5208 5209 345f27 5208->5209 5210 345ce2 _free 66 API calls 5209->5210 5211 345f32 5210->5211 5212 345ce2 _free 66 API calls 5211->5212 5213 345f3d 5212->5213 5214 345ce2 _free 66 API calls 5213->5214 5215 345f48 5214->5215 5216 345ce2 _free 66 API calls 5215->5216 5217 345f53 5216->5217 5218 345ce2 _free 66 API calls 5217->5218 5219 345f5e 5218->5219 5220 345ce2 _free 66 API calls 5219->5220 5221 345f69 5220->5221 5222 345ce2 _free 66 API calls 5221->5222 5223 345f74 5222->5223 5224 345ce2 _free 66 API calls 5223->5224 5225 345f7f 5224->5225 5226 345ce2 _free 66 API calls 5225->5226 5227 345f8a 5226->5227 5228 345ce2 _free 66 API calls 5227->5228 5229 345f95 5228->5229 5230 345ce2 _free 66 API calls 5229->5230 5231 345fa0 5230->5231 5232 345ce2 _free 66 API calls 5231->5232 5233 345fab 5232->5233 5234 345ce2 _free 66 API calls 5233->5234 5235 345fb6 5234->5235 5236 345ce2 _free 66 API calls 5235->5236 5237 345fc1 5236->5237 5238 345ce2 _free 66 API calls 5237->5238 5239 345fcf 5238->5239 5240 345ce2 _free 66 API calls 5239->5240 5241 345fda 5240->5241 5242 345ce2 _free 66 API calls 5241->5242 5243 345fe5 5242->5243 5244 345ce2 _free 66 API calls 5243->5244 5245 345ff0 5244->5245 5246 345ce2 _free 66 API calls 5245->5246 5247 345ffb 5246->5247 5248 345ce2 _free 66 API calls 5247->5248 5249 346006 5248->5249 5250 345ce2 _free 66 API calls 5249->5250 5251 346011 5250->5251 5252 345ce2 _free 66 API calls 5251->5252 5253 
34601c 5252->5253 5254 345ce2 _free 66 API calls 5253->5254 5255 346027 5254->5255 5256 345ce2 _free 66 API calls 5255->5256 5257 346032 5256->5257 5258 345ce2 _free 66 API calls 5257->5258 5259 34603d 5258->5259 5260 345ce2 _free 66 API calls 5259->5260 5261 346048 5260->5261 5262 345ce2 _free 66 API calls 5261->5262 5263 346053 5262->5263 5264 345ce2 _free 66 API calls 5263->5264 5265 34605e 5264->5265 5266 345ce2 _free 66 API calls 5265->5266 5267 346069 5266->5267 5268 345ce2 _free 66 API calls 5267->5268 5269 346074 5268->5269 5270 345ce2 _free 66 API calls 5269->5270 5271 346082 5270->5271 5272 345ce2 _free 66 API calls 5271->5272 5273 34608d 5272->5273 5274 345ce2 _free 66 API calls 5273->5274 5275 346098 5274->5275 5276 345ce2 _free 66 API calls 5275->5276 5277 3460a3 5276->5277 5278 345ce2 _free 66 API calls 5277->5278 5279 3460ae 5278->5279 5280 345ce2 _free 66 API calls 5279->5280 5281 3460b9 5280->5281 5282 345ce2 _free 66 API calls 5281->5282 5283 3460c4 5282->5283 5284 345ce2 _free 66 API calls 5283->5284 5285 3460cf 5284->5285 5286 345ce2 _free 66 API calls 5285->5286 5287 3460da 5286->5287 5288 345ce2 _free 66 API calls 5287->5288 5289 3460e5 5288->5289 5290 345ce2 _free 66 API calls 5289->5290 5291 3460f0 5290->5291 5292 345ce2 _free 66 API calls 5291->5292 5293 3460fb 5292->5293 5294 345ce2 _free 66 API calls 5293->5294 5295 346106 5294->5295 5296 345ce2 _free 66 API calls 5295->5296 5297 346111 5296->5297 5298 345ce2 _free 66 API calls 5297->5298 5299 34611c 5298->5299 5300 345ce2 _free 66 API calls 5299->5300 5301 346127 5300->5301 5302 345ce2 _free 66 API calls 5301->5302 5303 346135 5302->5303 5304 345ce2 _free 66 API calls 5303->5304 5305 346140 5304->5305 5306 345ce2 _free 66 API calls 5305->5306 5307 34614b 5306->5307 5308 345ce2 _free 66 API calls 5307->5308 5309 346156 5308->5309 5310 345ce2 _free 66 API calls 5309->5310 5311 346161 5310->5311 5312 345ce2 _free 66 API calls 5311->5312 5312->5141 5313->5054 5317 345bd6 LeaveCriticalSection 
5314->5317 5316 342483 5316->5040 5317->5316 5319 3426f6 _flsall 5318->5319 5320 342d8b __getptd 66 API calls 5319->5320 5321 3426ff 5320->5321 5322 3423e1 _LocaleUpdate::_LocaleUpdate 68 API calls 5321->5322 5323 342709 5322->5323 5349 342485 5323->5349 5326 345d1c __malloc_crt 66 API calls 5327 34272a 5326->5327 5328 342849 _flsall 5327->5328 5356 342501 5327->5356 5328->4992 5331 342856 5331->5328 5335 345ce2 _free 66 API calls 5331->5335 5340 342869 5331->5340 5332 34275a InterlockedDecrement 5333 34276a 5332->5333 5334 34277b InterlockedIncrement 5332->5334 5333->5334 5337 345ce2 _free 66 API calls 5333->5337 5334->5328 5338 342791 5334->5338 5335->5340 5336 343259 __commit 66 API calls 5336->5328 5341 34277a 5337->5341 5338->5328 5339 345caf __lock 66 API calls 5338->5339 5343 3427a5 InterlockedDecrement 5339->5343 5340->5336 5341->5334 5344 342834 InterlockedIncrement 5343->5344 5345 342821 5343->5345 5366 34284b 5344->5366 5345->5344 5347 345ce2 _free 66 API calls 5345->5347 5348 342833 5347->5348 5348->5344 5350 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 5349->5350 5351 342499 5350->5351 5352 3424a4 GetOEMCP 5351->5352 5353 3424c2 5351->5353 5355 3424b4 5352->5355 5354 3424c7 GetACP 5353->5354 5353->5355 5354->5355 5355->5326 5355->5328 5357 342485 getSystemCP 78 API calls 5356->5357 5358 342521 5357->5358 5359 34252c setSBCS 5358->5359 5362 342570 IsValidCodePage 5358->5362 5365 342595 _memset __setmbcp_nolock 5358->5365 5360 341eb5 __call_reportfault 5 API calls 5359->5360 5361 3426e8 5360->5361 5361->5331 5361->5332 5362->5359 5363 342582 GetCPInfo 5362->5363 5363->5359 5363->5365 5369 342251 GetCPInfo 5365->5369 5430 345bd6 LeaveCriticalSection 5366->5430 5368 342852 5368->5328 5370 342339 5369->5370 5372 342285 _memset 5369->5372 5374 341eb5 __call_reportfault 5 API calls 5370->5374 5379 345af5 5372->5379 5376 3423df 5374->5376 5376->5365 5378 3435cd ___crtLCMapStringA 82 API calls 5378->5370 5380 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 
5379->5380 5381 345b08 5380->5381 5389 345a0e 5381->5389 5384 3435cd 5385 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 5384->5385 5386 3435e0 5385->5386 5406 3433e6 5386->5406 5390 345a37 MultiByteToWideChar 5389->5390 5391 345a2c 5389->5391 5394 345a64 5390->5394 5401 345a60 5390->5401 5391->5390 5392 341eb5 __call_reportfault 5 API calls 5395 3422f4 5392->5395 5393 345a79 _memset __alloca_probe_16 5396 345ab2 MultiByteToWideChar 5393->5396 5393->5401 5394->5393 5397 3463be _malloc 66 API calls 5394->5397 5395->5384 5398 345ac8 GetStringTypeW 5396->5398 5399 345ad9 5396->5399 5397->5393 5398->5399 5402 3433c6 5399->5402 5401->5392 5403 3433d2 5402->5403 5405 3433e3 5402->5405 5404 345ce2 _free 66 API calls 5403->5404 5403->5405 5404->5405 5405->5401 5408 343404 MultiByteToWideChar 5406->5408 5409 343462 5408->5409 5413 343469 5408->5413 5410 341eb5 __call_reportfault 5 API calls 5409->5410 5412 342314 5410->5412 5411 3434b6 MultiByteToWideChar 5415 3435ae 5411->5415 5416 3434cf LCMapStringW 5411->5416 5412->5378 5414 3463be _malloc 66 API calls 5413->5414 5419 343482 __alloca_probe_16 5413->5419 5414->5419 5417 3433c6 __freea 66 API calls 5415->5417 5416->5415 5418 3434ee 5416->5418 5417->5409 5420 3434f8 5418->5420 5422 343521 5418->5422 5419->5409 5419->5411 5420->5415 5421 34350c LCMapStringW 5420->5421 5421->5415 5424 34353c __alloca_probe_16 5422->5424 5425 3463be _malloc 66 API calls 5422->5425 5423 343570 LCMapStringW 5426 343586 WideCharToMultiByte 5423->5426 5427 3435a8 5423->5427 5424->5415 5424->5423 5425->5424 5426->5427 5428 3433c6 __freea 66 API calls 5427->5428 5428->5415 5430->5368 5432 347733 5431->5432 5433 34773a 5431->5433 5432->5433 5436 347758 5432->5436 5434 343259 __commit 66 API calls 5433->5434 5439 34773f 5434->5439 5435 343207 __commit 11 API calls 5437 347749 5435->5437 5436->5437 5438 343259 __commit 66 API calls 5436->5438 5437->4634 5438->5439 5439->5435 5441 346b4a EncodePointer 5440->5441 5441->5441 5442 346b64 5441->5442 
5442->4647 5446 347367 5443->5446 5445 3473b0 5445->4649 5447 347373 _flsall 5446->5447 5454 344cfc 5447->5454 5453 347394 _flsall 5453->5445 5455 345caf __lock 66 API calls 5454->5455 5456 344d03 5455->5456 5457 347280 DecodePointer DecodePointer 5456->5457 5458 3472ae 5457->5458 5459 34732f 5457->5459 5458->5459 5471 348a9a 5458->5471 5468 34739d 5459->5468 5461 347312 EncodePointer EncodePointer 5461->5459 5462 3472c0 5462->5461 5464 3472e4 5462->5464 5478 345dad 5462->5478 5464->5459 5465 345dad __realloc_crt 70 API calls 5464->5465 5466 347300 EncodePointer 5464->5466 5467 3472fa 5465->5467 5466->5461 5467->5459 5467->5466 5504 344d05 5468->5504 5472 348aa5 5471->5472 5473 348aba HeapSize 5471->5473 5474 343259 __commit 66 API calls 5472->5474 5473->5462 5475 348aaa 5474->5475 5476 343207 __commit 11 API calls 5475->5476 5477 348ab5 5476->5477 5477->5462 5482 345db6 5478->5482 5480 345df5 5480->5464 5481 345dd6 Sleep 5481->5482 5482->5480 5482->5481 5483 347871 5482->5483 5484 347887 5483->5484 5485 34787c 5483->5485 5487 34788f 5484->5487 5495 34789c 5484->5495 5486 3463be _malloc 66 API calls 5485->5486 5488 347884 5486->5488 5489 345ce2 _free 66 API calls 5487->5489 5488->5482 5503 347897 __dosmaperr 5489->5503 5490 3478d4 5492 347258 _malloc DecodePointer 5490->5492 5491 3478a4 HeapReAlloc 5491->5495 5491->5503 5493 3478da 5492->5493 5496 343259 __commit 66 API calls 5493->5496 5494 347904 5498 343259 __commit 66 API calls 5494->5498 5495->5490 5495->5491 5495->5494 5497 347258 _malloc DecodePointer 5495->5497 5500 3478ec 5495->5500 5496->5503 5497->5495 5499 347909 GetLastError 5498->5499 5499->5503 5501 343259 __commit 66 API calls 5500->5501 5502 3478f1 GetLastError 5501->5502 5502->5503 5503->5482 5507 345bd6 LeaveCriticalSection 5504->5507 5506 344d0c 5506->5453 5507->5506 5509 341ef1 _flsall 5508->5509 5510 341f14 __flsbuf 5509->5510 5511 341eff 5509->5511 5541 343b9d 5510->5541 5512 343259 __commit 66 API calls 5511->5512 5513 341f04 5512->5513 5515 
343207 __commit 11 API calls 5513->5515 5517 341f0f _flsall 5515->5517 5516 341f26 __flsbuf 5546 343c3a 5516->5546 5517->4654 5519 341f38 __flsbuf 5555 343d9f 5519->5555 5521 341f50 __flsbuf 5579 343cd6 5521->5579 5526 341ec4 5525->5526 5760 343a5a 5526->5760 5783 341d65 5529->5783 5533 3411fb 5534 341225 EnumThreadWindows 5533->5534 5535 341242 GetLastError 5534->5535 5536 34124a 5534->5536 5535->5536 5537 341252 EnumWindows 5536->5537 5538 341262 GetLastError 5537->5538 5539 34126a 5537->5539 5811 3410c0 SendMessageA 5537->5811 5538->5539 5539->4688 5540->4701 5542 343bc0 EnterCriticalSection 5541->5542 5543 343baa 5541->5543 5542->5516 5544 345caf __lock 66 API calls 5543->5544 5545 343bb3 5544->5545 5545->5516 5587 3469ba 5546->5587 5548 343c49 5594 346964 5548->5594 5550 343c4f __flsbuf 5551 343cb6 5550->5551 5552 343c96 5550->5552 5551->5519 5553 345d1c __malloc_crt 66 API calls 5552->5553 5554 343c9c 5553->5554 5554->5551 5556 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 5555->5556 5557 343e06 5556->5557 5558 343259 __commit 66 API calls 5557->5558 5559 343e0b 5558->5559 5560 343e15 5559->5560 5563 3469ba __fclose_nolock 66 API calls 5559->5563 5576 343e4c __aulldvrm _strlen 5559->5576 5561 343259 __commit 66 API calls 5560->5561 5562 343e1a 5561->5562 5564 343207 __commit 11 API calls 5562->5564 5563->5576 5565 343e25 5564->5565 5566 341eb5 __call_reportfault 5 API calls 5565->5566 5567 344984 5566->5567 5567->5521 5569 345ce2 _free 66 API calls 5569->5576 5570 3444b7 DecodePointer 5570->5576 5571 343d3d 97 API calls 5571->5576 5572 345d1c __malloc_crt 66 API calls 5574 34447a 5572->5574 5573 344520 DecodePointer 5573->5576 5574->5570 5574->5572 5575 344541 DecodePointer 5575->5576 5576->5560 5576->5565 5576->5569 5576->5570 5576->5571 5576->5573 5576->5574 5576->5575 5577 346cbc 78 API calls __cftof 5576->5577 5578 343d0a 97 API calls 5576->5578 5603 346cd9 5576->5603 5577->5576 5578->5576 5580 343ce1 5579->5580 5581 341f61 5579->5581 5580->5581 5606 
3467d1 5580->5606 5583 341f79 5581->5583 5584 341f7e __flsbuf 5583->5584 5754 343c0b 5584->5754 5586 341f89 5586->5517 5588 3469c6 5587->5588 5589 3469db 5587->5589 5590 343259 __commit 66 API calls 5588->5590 5589->5548 5591 3469cb 5590->5591 5592 343207 __commit 11 API calls 5591->5592 5593 3469d6 5592->5593 5593->5548 5595 346980 5594->5595 5596 346971 5594->5596 5598 34699e 5595->5598 5599 343259 __commit 66 API calls 5595->5599 5597 343259 __commit 66 API calls 5596->5597 5600 346976 5597->5600 5598->5550 5601 346991 5599->5601 5600->5550 5602 343207 __commit 11 API calls 5601->5602 5602->5600 5604 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 5603->5604 5605 346cec 5604->5605 5605->5576 5607 3467ea 5606->5607 5611 34680c 5606->5611 5608 3469ba __fclose_nolock 66 API calls 5607->5608 5607->5611 5609 346805 5608->5609 5612 3485be 5609->5612 5611->5581 5613 3485ca _flsall 5612->5613 5614 3485d2 5613->5614 5615 3485ed 5613->5615 5712 34326c 5614->5712 5617 3485f9 5615->5617 5620 348633 5615->5620 5619 34326c __commit 66 API calls 5617->5619 5622 3485fe 5619->5622 5637 348fc2 5620->5637 5621 343259 __commit 66 API calls 5630 3485df _flsall 5621->5630 5624 343259 __commit 66 API calls 5622->5624 5626 348606 5624->5626 5625 348639 5628 348647 5625->5628 5629 34865b 5625->5629 5627 343207 __commit 11 API calls 5626->5627 5627->5630 5647 347ec1 5628->5647 5632 343259 __commit 66 API calls 5629->5632 5630->5611 5634 348660 5632->5634 5633 348653 5715 34868a 5633->5715 5635 34326c __commit 66 API calls 5634->5635 5635->5633 5638 348fce _flsall 5637->5638 5639 349028 5638->5639 5640 345caf __lock 66 API calls 5638->5640 5641 34902d EnterCriticalSection 5639->5641 5642 34904a _flsall 5639->5642 5643 348ffa 5640->5643 5641->5642 5642->5625 5644 349003 InitializeCriticalSectionAndSpinCount 5643->5644 5645 349016 5643->5645 5644->5645 5718 349058 5645->5718 5648 347ed0 __write_nolock 5647->5648 5649 347f25 5648->5649 5650 347f06 5648->5650 5683 347efb 5648->5683 5654 
347f81 5649->5654 5655 347f64 5649->5655 5652 34326c __commit 66 API calls 5650->5652 5651 341eb5 __call_reportfault 5 API calls 5653 3485bc 5651->5653 5656 347f0b 5652->5656 5653->5633 5658 347f97 5654->5658 5659 347f88 5654->5659 5657 34326c __commit 66 API calls 5655->5657 5660 343259 __commit 66 API calls 5656->5660 5663 347f69 5657->5663 5662 346964 __write_nolock 66 API calls 5658->5662 5722 34876b 5659->5722 5661 347f12 5660->5661 5666 343207 __commit 11 API calls 5661->5666 5667 347f9d 5662->5667 5668 343259 __commit 66 API calls 5663->5668 5666->5683 5669 34823f 5667->5669 5674 342d8b __getptd 66 API calls 5667->5674 5670 347f71 5668->5670 5672 34824e 5669->5672 5673 3484ef WriteFile 5669->5673 5671 343207 __commit 11 API calls 5670->5671 5671->5683 5675 348309 5672->5675 5684 348261 5672->5684 5677 348522 GetLastError 5673->5677 5678 3483de 5673->5678 5676 347fb8 GetConsoleMode 5674->5676 5689 348316 5675->5689 5692 3483e3 5675->5692 5676->5669 5680 347fe1 5676->5680 5681 348221 5677->5681 5678->5681 5679 34856d 5679->5683 5686 343259 __commit 66 API calls 5679->5686 5680->5669 5682 347ff1 GetConsoleCP 5680->5682 5681->5679 5681->5683 5687 348540 5681->5687 5682->5681 5707 348014 5682->5707 5683->5651 5684->5679 5684->5681 5685 3482ab WriteFile 5684->5685 5685->5677 5685->5684 5690 348590 5686->5690 5693 34855f 5687->5693 5694 34854b 5687->5694 5688 348385 WriteFile 5688->5677 5697 3483b9 5688->5697 5689->5679 5689->5688 5698 34326c __commit 66 API calls 5690->5698 5691 348454 WideCharToMultiByte 5691->5677 5695 34848b WriteFile 5691->5695 5692->5679 5692->5691 5735 34327f 5693->5735 5699 343259 __commit 66 API calls 5694->5699 5701 3484c2 GetLastError 5695->5701 5705 3484b6 5695->5705 5697->5678 5697->5681 5697->5689 5698->5683 5700 348550 5699->5700 5703 34326c __commit 66 API calls 5700->5703 5701->5705 5703->5683 5704 348118 5704->5677 5704->5681 5704->5707 5710 348d61 WriteConsoleW CreateFileW __write_nolock 5704->5710 5711 348145 WriteFile 
5704->5711 5705->5678 5705->5681 5705->5692 5705->5695 5706 348eb9 78 API calls __fassign 5706->5707 5707->5681 5707->5704 5707->5706 5708 3480c0 WideCharToMultiByte 5707->5708 5732 346d11 5707->5732 5708->5681 5709 3480f1 WriteFile 5708->5709 5709->5677 5709->5704 5710->5704 5711->5677 5711->5704 5713 342d12 __getptd_noexit 66 API calls 5712->5713 5714 343271 5713->5714 5714->5621 5753 349061 LeaveCriticalSection 5715->5753 5717 348690 5717->5630 5721 345bd6 LeaveCriticalSection 5718->5721 5720 34905f 5720->5639 5721->5720 5740 348f59 5722->5740 5724 348789 5725 348791 5724->5725 5726 3487a2 SetFilePointer 5724->5726 5727 343259 __commit 66 API calls 5725->5727 5728 3487ba GetLastError 5726->5728 5729 347f94 5726->5729 5727->5729 5728->5729 5730 3487c4 5728->5730 5729->5658 5731 34327f __dosmaperr 66 API calls 5730->5731 5731->5729 5733 346cd9 __isleadbyte_l 76 API calls 5732->5733 5734 346d20 5733->5734 5734->5707 5736 34326c __commit 66 API calls 5735->5736 5737 34328a __dosmaperr 5736->5737 5738 343259 __commit 66 API calls 5737->5738 5739 34329d 5738->5739 5739->5683 5741 348f66 5740->5741 5742 348f7e 5740->5742 5743 34326c __commit 66 API calls 5741->5743 5745 34326c __commit 66 API calls 5742->5745 5746 348fbd 5742->5746 5744 348f6b 5743->5744 5747 343259 __commit 66 API calls 5744->5747 5748 348f8f 5745->5748 5746->5724 5749 348f73 5747->5749 5750 343259 __commit 66 API calls 5748->5750 5749->5724 5751 348f97 5750->5751 5752 343207 __commit 11 API calls 5751->5752 5752->5749 5753->5717 5755 343c2e LeaveCriticalSection 5754->5755 5756 343c1b 5754->5756 5755->5586 5759 345bd6 LeaveCriticalSection 5756->5759 5758 343c2b 5758->5586 5759->5758 5761 343a73 5760->5761 5764 34382f 5761->5764 5765 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 5764->5765 5767 343843 5765->5767 5766 343853 5768 343259 __commit 66 API calls 5766->5768 5767->5766 5772 343889 5767->5772 5769 343858 5768->5769 5770 343207 __commit 11 API calls 5769->5770 5775 3414d7 5770->5775 5773 
3438d0 5772->5773 5776 3465a1 5772->5776 5774 343259 __commit 66 API calls 5773->5774 5773->5775 5774->5775 5775->4667 5777 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 5776->5777 5778 3465b5 5777->5778 5779 346cd9 __isleadbyte_l 76 API calls 5778->5779 5782 3465c2 5778->5782 5780 3465ea 5779->5780 5781 345af5 ___crtGetStringTypeA 79 API calls 5780->5781 5781->5782 5782->5772 5789 341c5f 5783->5789 5786 3418f9 5804 34184f 5786->5804 5788 34190b 5788->5533 5793 341c70 _strnlen 5789->5793 5790 341c87 5791 343259 __commit 66 API calls 5790->5791 5792 341c8c 5791->5792 5794 343207 __commit 11 API calls 5792->5794 5793->5790 5795 341cb2 5793->5795 5803 3411ef 5793->5803 5794->5803 5796 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 5795->5796 5798 341cbe 5796->5798 5797 3435cd ___crtLCMapStringA 82 API calls 5797->5798 5798->5797 5799 341d41 5798->5799 5798->5803 5800 343259 __commit 66 API calls 5799->5800 5801 341d46 5800->5801 5802 343259 __commit 66 API calls 5801->5802 5802->5803 5803->5786 5805 3417c8 _LocaleUpdate::_LocaleUpdate 76 API calls 5804->5805 5806 341868 5805->5806 5807 343259 __commit 66 API calls 5806->5807 5810 34187f _strrchr 5806->5810 5808 341874 5807->5808 5809 343207 __commit 11 API calls 5808->5809 5809->5810 5810->5788 5812 3410fc 5811->5812 5813 341d65 __mbsupr 82 API calls 5812->5813 5814 341104 5813->5814 5815 3411b4 5814->5815 5830 341a3a 5814->5830 5816 341eb5 __call_reportfault 5 API calls 5815->5816 5818 3411c8 5816->5818 5819 341125 5819->5815 5820 341135 GetClassNameA 5819->5820 5833 341c48 5820->5833 5823 34116c 5825 341c48 85 API calls 5823->5825 5828 34118d 5823->5828 5826 341181 5825->5826 5826->5815 5827 341010 GetVersionExA 5826->5827 5827->5828 5828->5815 5829 3411a2 SendMessageA 5828->5829 5829->5815 5839 341910 5830->5839 5832 341a4c 5832->5819 5852 341a51 5833->5852 5835 341160 5835->5823 5836 341010 5835->5836 5837 34102e 5836->5837 5838 341019 GetVersionExA 5836->5838 5837->5823 5838->5837 5840 3417c8 

        Control-flow Graph

        APIs
        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000208), ref: 003413EB
        • _memset.LIBCMT ref: 00341407
        • GetStdHandle.KERNEL32(000000F6), ref: 0034144B
        • GetStdHandle.KERNEL32(000000F5), ref: 00341455
        • GetStdHandle.KERNEL32(000000F4), ref: 0034145F
        • GetConsoleMode.KERNEL32(?,?), ref: 0034147B
        • SetConsoleMode.KERNEL32(?,?), ref: 00341496
        • SetConsoleCtrlHandler.KERNEL32(Function_00001280,00000001), ref: 003414C8
          • Part of subcall function 00341EDA: __wcstoi64.LIBCMT ref: 00341ED0
        • LoadLibraryA.KERNEL32(Kernel32.dll), ref: 00341512
        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00341526
        • SetLastError.KERNEL32(00000078), ref: 0034153D
        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000200,00000000,00000000,00000044,?), ref: 00341564
        • CloseHandle.KERNEL32(?), ref: 0034157F
        • GetLastError.KERNEL32 ref: 003415F0
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00341614
        • GetLastError.KERNEL32 ref: 00341643
        • WriteFile.KERNEL32 ref: 00341674
        • Sleep.KERNEL32(00000064,00000000), ref: 0034168B
        • GetLastError.KERNEL32 ref: 003416A3
        • GetLastError.KERNEL32 ref: 003416C0
        • GetLastError.KERNEL32 ref: 003416DD
        • WaitForSingleObject.KERNEL32(?,00001388), ref: 003416F4
        • CloseHandle.KERNEL32(?), ref: 0034171B
        • WaitForMultipleObjects.KERNEL32(00000004,?,00000000,000000FF), ref: 003415AD
          • Part of subcall function 003411D0: GetModuleFileNameA.KERNEL32(00000000,0034DE00,00000104,?,00341739,?,00000001), ref: 003411DF
          • Part of subcall function 003411D0: __mbsupr.LIBCMT ref: 003411EA
          • Part of subcall function 003411D0: EnumThreadWindows.USER32(00000000,00341040,?), ref: 00341232
          • Part of subcall function 003411D0: GetLastError.KERNEL32 ref: 00341242
          • Part of subcall function 003411D0: EnumWindows.USER32(003410C0,?), ref: 00341258
          • Part of subcall function 003411D0: GetLastError.KERNEL32 ref: 00341262
        • GetProcAddress.KERNEL32(?,Wow64RevertWow64FsRedirection), ref: 0034174E
        • CloseHandle.KERNEL32(?), ref: 0034176C
        • CloseHandle.KERNEL32(?), ref: 00341775
        • CloseHandle.KERNEL32(?), ref: 0034177E
        • CloseHandle.KERNEL32(?), ref: 00341787
        • FreeLibrary.KERNEL32(?), ref: 00341799
        Strings
        • ExitExitExit, xrefs: 00341664
        • Usage: %s (4 InheritableEventHandles) (CommandLineToSpawn), xrefs: 0034132D
        • Wow64RevertWow64FsRedirection, xrefs: 00341748
        • Wow64DisableWow64FsRedirection, xrefs: 0034151A
        • D, xrefs: 00341437
        • Kernel32.dll, xrefs: 00341507
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: Handle$ErrorLast$Close$Console$AddressEnumFileLibraryModeProcProcessWaitWindows$CodeCreateCtrlEnvironmentExitExpandFreeHandlerLoadModuleMultipleNameObjectObjectsSingleSleepStringsThreadWrite__mbsupr__wcstoi64_memset
        • String ID: D$ExitExitExit$Kernel32.dll$Usage: %s (4 InheritableEventHandles) (CommandLineToSpawn)$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection
        • API String ID: 50065477-3522353013
        • Opcode ID: e51c6055bf9f2a61e25a69d104dd227262eb2c3df74245deb7666bf7dea6fa4c
        • Instruction ID: 0549486b281fbb86d922c5518e2340f5d6cfab95c26d863ffbf230f4175ae8ad
        • Opcode Fuzzy Hash: e51c6055bf9f2a61e25a69d104dd227262eb2c3df74245deb7666bf7dea6fa4c
        • Instruction Fuzzy Hash: 31D193F5A00A189BDB21AF64DC85B9E77F8AF84345F004198F609AF241DA35BAC4CF65
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • __stbuf.LIBCMT ref: 00341F33
        • __ftbuf.LIBCMT ref: 00341F5C
          • Part of subcall function 00343259: __getptd_noexit.LIBCMT ref: 00343259
        Similarity
        • API ID: __ftbuf__getptd_noexit__stbuf
        • String ID:
        • API String ID: 825687605-0
        • Opcode ID: 38e5de1503f78adde59bb453dfcba6bd8650dcdf1c812a00e172595bc56bf4b5
        • Instruction ID: 958deb7a71846037e38e8d7483b7185d70de1ffe4356c91f89eebfb3266374ab
        • Opcode Fuzzy Hash: 38e5de1503f78adde59bb453dfcba6bd8650dcdf1c812a00e172595bc56bf4b5
        • Instruction Fuzzy Hash: EA016773940208AAEB077BB0DC47AEE36D8DF00774F104639F4149F1C2DA74AF455A61
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • ___crtCorExitProcess.LIBCMT ref: 00344CEC
          • Part of subcall function 00344CB9: GetModuleHandleW.KERNEL32(mscoree.dll,?,00344CF1,?,?,003463ED,000000FF,0000001E,00000001,00000000,00000000,?,00345D2D,?,00000001,?), ref: 00344CC3
          • Part of subcall function 00344CB9: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00344CD3
        • ExitProcess.KERNEL32 ref: 00344CF5
        Similarity
        • API ID: ExitProcess$AddressHandleModuleProc___crt
        • String ID:
        • API String ID: 2427264223-0
        • Opcode ID: a3664c8b9af57205e57e8f61435e595a1c8663d66554bfae37308cbd9497d216
        • Instruction ID: ec76a59f9413c93bfa9849c3a044698b25ca8d771cacaf62666283fd6b025507
        • Opcode Fuzzy Hash: a3664c8b9af57205e57e8f61435e595a1c8663d66554bfae37308cbd9497d216
        • Instruction Fuzzy Hash: 0CB09232040148BFDB022F12FC0A9493FAAEB813A0F144020F9090D132DF72BD92AA81
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • _doexit.LIBCMT ref: 00344F48
          • Part of subcall function 00344DFC: __lock.LIBCMT ref: 00344E0A
          • Part of subcall function 00344DFC: DecodePointer.KERNEL32(0034BC00,00000020,00344F63,?,00000001,00000000,?,00344FA3,000000FF,?,00345CD6,00000011,?,?,00342CA8,0000000D), ref: 00344E46
          • Part of subcall function 00344DFC: DecodePointer.KERNEL32(?,00344FA3,000000FF,?,00345CD6,00000011,?,?,00342CA8,0000000D), ref: 00344E57
          • Part of subcall function 00344DFC: DecodePointer.KERNEL32(-00000004,?,00344FA3,000000FF,?,00345CD6,00000011,?,?,00342CA8,0000000D), ref: 00344E7D
          • Part of subcall function 00344DFC: DecodePointer.KERNEL32(?,00344FA3,000000FF,?,00345CD6,00000011,?,?,00342CA8,0000000D), ref: 00344E90
          • Part of subcall function 00344DFC: DecodePointer.KERNEL32(?,00344FA3,000000FF,?,00345CD6,00000011,?,?,00342CA8,0000000D), ref: 00344E9A
        Similarity
        • API ID: DecodePointer$__lock_doexit
        • String ID:
        • API String ID: 3343572566-0
        • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
        • Instruction ID: b6e47820be22a881a9ccd3df8211d04c0eaf0df2e6095895b266ca47c4880bce
        • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
        • Instruction Fuzzy Hash: 02B0923298030833DA222582AC03F063A5997C1B60E240020BA0C1D2A2A9A2B9658089
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • IsDebuggerPresent.KERNEL32 ref: 003437E4
        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003437F9
        • UnhandledExceptionFilter.KERNEL32(0034A5F4), ref: 00343804
        • GetCurrentProcess.KERNEL32(C0000409), ref: 00343820
        • TerminateProcess.KERNEL32(00000000), ref: 00343827
        Similarity
        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
        • String ID:
        • API String ID: 2579439406-0
        • Opcode ID: 792e49860a66513633e604ed0bd01ab427071f14169396ca75f8b0759e9d1c1c
        • Instruction ID: 30ccfe426f7018477a3e7e7a9155e063400347708e22834afd4fd2479032a846
        • Opcode Fuzzy Hash: 792e49860a66513633e604ed0bd01ab427071f14169396ca75f8b0759e9d1c1c
        • Instruction Fuzzy Hash: 4421ADBC901214DFD713DF5AFD85A443BA8BB1A305F00446AE9298F261EBF079898B16
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetVersionExA.KERNEL32(0034DF08,0034118D), ref: 00341028
        Similarity
        • API ID: Version
        • String ID:
        • API String ID: 1889659487-0
        • Opcode ID: c1431b15dc83a6dd18649be39cbb0e7743f1612c0200015fbb455ff8666d3064
        • Instruction ID: 693c47311b0b005557293bab18c0c4270ce20e99ff3139715c6dfaf51fabe73c
        • Opcode Fuzzy Hash: c1431b15dc83a6dd18649be39cbb0e7743f1612c0200015fbb455ff8666d3064
        • Instruction Fuzzy Hash: 87C0023D2546149ED7336B20BA4D7497AE8A70A399F914454D0035E0E0CAB425CCCA42
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetUnhandledExceptionFilter.KERNEL32(Function_00004C69), ref: 00344CB0
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: ef4b373efa73aa5a540f32fafd3c7921fcb4b1dea18aed513bf291ae4c69440a
        • Instruction ID: 143668652d5292e2c2a29874e49c32406453513f28e3f26fdd529a643a41e02b
        • Opcode Fuzzy Hash: ef4b373efa73aa5a540f32fafd3c7921fcb4b1dea18aed513bf291ae4c69440a
        • Instruction Fuzzy Hash: AE9002A46925006A461217705C8954535D49A99712B494860A005CC064DE51644C5512
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,003420D3,0034BB30,00000014), ref: 00342EDC
        • __mtterm.LIBCMT ref: 00342EE8
          • Part of subcall function 00342C21: DecodePointer.KERNEL32(00000004,0034304A,?,003420D3,0034BB30,00000014), ref: 00342C32
          • Part of subcall function 00342C21: TlsFree.KERNEL32(00000002,0034304A,?,003420D3,0034BB30,00000014), ref: 00342C4C
          • Part of subcall function 00342C21: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,0034304A,?,003420D3,0034BB30,00000014), ref: 00345B9C
          • Part of subcall function 00342C21: _free.LIBCMT ref: 00345B9F
          • Part of subcall function 00342C21: DeleteCriticalSection.KERNEL32(00000002,76EF5810,?,0034304A,?,003420D3,0034BB30,00000014), ref: 00345BC6
        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00342EFE
        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00342F0B
        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00342F18
        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00342F25
        • TlsAlloc.KERNEL32(?,003420D3,0034BB30,00000014), ref: 00342F75
        • TlsSetValue.KERNEL32(00000000,?,003420D3,0034BB30,00000014), ref: 00342F90
        • __init_pointers.LIBCMT ref: 00342F9A
        • EncodePointer.KERNEL32(?,003420D3,0034BB30,00000014), ref: 00342FAB
        • EncodePointer.KERNEL32(?,003420D3,0034BB30,00000014), ref: 00342FB8
        • EncodePointer.KERNEL32(?,003420D3,0034BB30,00000014), ref: 00342FC5
        • EncodePointer.KERNEL32(?,003420D3,0034BB30,00000014), ref: 00342FD2
        • DecodePointer.KERNEL32(00342DA5,?,003420D3,0034BB30,00000014), ref: 00342FF3
        • __calloc_crt.LIBCMT ref: 00343008
        • DecodePointer.KERNEL32(00000000,?,003420D3,0034BB30,00000014), ref: 00343022
        • GetCurrentThreadId.KERNEL32 ref: 00343034
        Similarity
        • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
        • API String ID: 3698121176-3819984048
        • Opcode ID: fbb711e042e94e13991054a0f87f74682277a707dc20aca100b5315bd0508cf1
        • Instruction ID: 0612f4d8ca804987982afe866050462b6782376673836d41cb1f37a58cf6af85
        • Opcode Fuzzy Hash: fbb711e042e94e13991054a0f87f74682277a707dc20aca100b5315bd0508cf1
        • Instruction Fuzzy Hash: A9314A399406109ED733AF74AC0960A3EECFB46B60F41051AE8069F2B4EF74B559DF51
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9921a50ee439bf5f4897f6b42a3ba535b4af72bae2095ac17eb6785b039ce49e
        • Instruction ID: e6d0f943dbf658ba76bdf47ba0b5ed75c7366a40f655047bfe7a8a99a7718033
        • Opcode Fuzzy Hash: 9921a50ee439bf5f4897f6b42a3ba535b4af72bae2095ac17eb6785b039ce49e
        • Instruction Fuzzy Hash: B65184F1A40A185BDB21BBB0AC45B9E7BAC9F44385F010194F6099F145DE75BEC08FA6
        Uniqueness

        Uniqueness Score: -1.00%

        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ff29201eb1614a884def09cfe5b9941de0b166bc2e59c3d110b753e63c1ff3fa
        • Instruction ID: fe0941b0d8fa575abd6fd86c90fcfeb8dc6d6393dd650e3164d255c72077d879
        • Opcode Fuzzy Hash: ff29201eb1614a884def09cfe5b9941de0b166bc2e59c3d110b753e63c1ff3fa
        • Instruction Fuzzy Hash: 303165F5A40A1857DB21BBB0AC45B9E7BAC9F44785F010098F609AF145DE35FEC08FA6
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 00abaaba33cf18354885ee243fe1c3f5856093a431f4d44b7cb06db179335a18
        • Instruction ID: d900a35149b9c0ff9c1d2eba5733a07d4020b309b67503974ba836479460420a
        • Opcode Fuzzy Hash: 00abaaba33cf18354885ee243fe1c3f5856093a431f4d44b7cb06db179335a18
        • Instruction Fuzzy Hash: C50112B5A0061857CB21BBB09C81BAEB7BCAF84351F0105D9F7096B241CE35BEC49F65
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SendMessageA.USER32(?,0000000D,00000100,?), ref: 003410ED
        • __mbsupr.LIBCMT ref: 003410FF
          • Part of subcall function 00341D65: __mbsupr_s_l.LIBCMT ref: 00341D77
        • GetClassNameA.USER32(?,?,00000080), ref: 00341149
        • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 003411AC
          • Part of subcall function 00341010: GetVersionExA.KERNEL32(0034DF08,0034118D), ref: 00341028
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: MessageSend$ClassNameVersion__mbsupr__mbsupr_s_l
        • String ID: ConsoleWindowClass$remcmdstub$tty
        • API String ID: 1503972978-2677773511
        • Opcode ID: dc1ccf6521f90e3533d838b36d94540a92e18118516e586f575e9cc989de6235
        • Instruction ID: 63dfe6d95e35f2998bd467df41dfb556e5f903b1d059c3408b4e24fc8c51b735
        • Opcode Fuzzy Hash: dc1ccf6521f90e3533d838b36d94540a92e18118516e586f575e9cc989de6235
        • Instruction Fuzzy Hash: 5F219575A40A1966EF23A760AD02BEB73EC9F11345F004065FA049E181EE74BBC48BA2
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetModuleFileNameA.KERNEL32(00000000,0034DE00,00000104,?,00341739,?,00000001), ref: 003411DF
        • __mbsupr.LIBCMT ref: 003411EA
          • Part of subcall function 00341D65: __mbsupr_s_l.LIBCMT ref: 00341D77
          • Part of subcall function 003418F9: __mbsrchr_l.LIBCMT ref: 00341906
        • EnumThreadWindows.USER32(00000000,00341040,?), ref: 00341232
        • GetLastError.KERNEL32 ref: 00341242
        • EnumWindows.USER32(003410C0,?), ref: 00341258
        • GetLastError.KERNEL32 ref: 00341262
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: EnumErrorLastWindows$FileModuleNameThread__mbsrchr_l__mbsupr__mbsupr_s_l
        • String ID: (NULL)
        • API String ID: 1384321584-651416449
        • Opcode ID: 18a675aa3570bbc234b8950bd8e66481c65b03c8e8504ac6fad938bdc82defe3
        • Instruction ID: d0924f727769f0a052ab15789a46b9da6cde9b3058793780d6ce0b13167041f9
        • Opcode Fuzzy Hash: 18a675aa3570bbc234b8950bd8e66481c65b03c8e8504ac6fad938bdc82defe3
        • Instruction Fuzzy Hash: 11014FA5B80E5477D62337B17C0AF9B3ECC9B517DAF050420F609DE192E9A1F5C486A2
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0034BBB0,00000008,00342D66,00000000,00000000,?,?,00342D93,?,003417E0,?,?,00341CBE,?), ref: 00342C6F
        • __lock.LIBCMT ref: 00342CA3
          • Part of subcall function 00345CAF: __mtinitlocknum.LIBCMT ref: 00345CC5
          • Part of subcall function 00345CAF: __amsg_exit.LIBCMT ref: 00345CD1
          • Part of subcall function 00345CAF: EnterCriticalSection.KERNEL32(?,?,?,00342CA8,0000000D), ref: 00345CD9
        • InterlockedIncrement.KERNEL32(0034D018), ref: 00342CB0
        • __lock.LIBCMT ref: 00342CC4
        • ___addlocaleref.LIBCMT ref: 00342CE2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
        • String ID: KERNEL32.DLL
        • API String ID: 637971194-2576044830
        • Opcode ID: 892c623b8487bf7db51c9f49a79278ef1cff8b4df04f9a9e9491fabf2561a60e
        • Instruction ID: 2c09f365af56a456ee1999c1536cf20bad1669b1a5ad27478104ae41bdf77489
        • Opcode Fuzzy Hash: 892c623b8487bf7db51c9f49a79278ef1cff8b4df04f9a9e9491fabf2561a60e
        • Instruction Fuzzy Hash: 3D016D75940B00EFD722AF75D84574AFBE0EF51325F10890EE4969E2A1CBB0BA44CF15
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __getptd.LIBCMT ref: 003423ED
          • Part of subcall function 00342D8B: __getptd_noexit.LIBCMT ref: 00342D8E
          • Part of subcall function 00342D8B: __amsg_exit.LIBCMT ref: 00342D9B
        • __amsg_exit.LIBCMT ref: 0034240D
        • __lock.LIBCMT ref: 0034241D
        • InterlockedDecrement.KERNEL32(?), ref: 0034243A
        • _free.LIBCMT ref: 0034244D
        • InterlockedIncrement.KERNEL32(02791660), ref: 00342465
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
        • String ID:
        • API String ID: 3470314060-0
        • Opcode ID: 3b94cd1ea5fe126b8374194f6088d2a5f50fa96d8192bc40ac2be46dca4c060a
        • Instruction ID: 42a224ba5eb45ad59792bb54392b98f02cb7c3198488d392aeebc5e34fdadbeb
        • Opcode Fuzzy Hash: 3b94cd1ea5fe126b8374194f6088d2a5f50fa96d8192bc40ac2be46dca4c060a
        • Instruction Fuzzy Hash: EF016D35A00A21ABDB23AB66A44575EB7E4FF01714F854115F810BF391CF347D829BD2
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • _malloc.LIBCMT ref: 0034787F
          • Part of subcall function 003463BE: __FF_MSGBANNER.LIBCMT ref: 003463D7
          • Part of subcall function 003463BE: __NMSG_WRITE.LIBCMT ref: 003463DE
          • Part of subcall function 003463BE: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00345D2D,?,00000001,?,?,00345C3A,00000018,0034BC20,0000000C,00345CCA), ref: 00346403
        • _free.LIBCMT ref: 00347892
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: AllocHeap_free_malloc
        • String ID:
        • API String ID: 2734353464-0
        • Opcode ID: 7153d6be14fc0359283068c27148cfc0605ab944fc066cf77c6384e27d68273f
        • Instruction ID: 778640c216785baa9e5c053c6d73452cfd5e4a811ce45300dba53108a4c6ac15
        • Opcode Fuzzy Hash: 7153d6be14fc0359283068c27148cfc0605ab944fc066cf77c6384e27d68273f
        • Instruction Fuzzy Hash: 7F11C132448615ABCB232FB4AC0A6593AD8AF813A0F214926F8189F161DF70BD40D692
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • __getptd.LIBCMT ref: 00342B6E
          • Part of subcall function 00342D8B: __getptd_noexit.LIBCMT ref: 00342D8E
          • Part of subcall function 00342D8B: __amsg_exit.LIBCMT ref: 00342D9B
        • __getptd.LIBCMT ref: 00342B85
        • __amsg_exit.LIBCMT ref: 00342B93
        • __lock.LIBCMT ref: 00342BA3
        • __updatetlocinfoEx_nolock.LIBCMT ref: 00342BB7
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
        • String ID:
        • API String ID: 938513278-0
        • Opcode ID: e9b4170e893ab32a806a28c80003c12d7b172ed40fe59da165f5752aa271208c
        • Instruction ID: ea9328ebfeff4e3172cf2e8b30b54e8835ce648e3a97dba1a87664fabfe3bdea
        • Opcode Fuzzy Hash: e9b4170e893ab32a806a28c80003c12d7b172ed40fe59da165f5752aa271208c
        • Instruction Fuzzy Hash: 9CF09A32A00B109AE663BF74A843B4F3BE0EF01720F924249F815BF2D2CF6479419A95
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00341A5F
          • Part of subcall function 003417C8: __getptd.LIBCMT ref: 003417DB
          • Part of subcall function 00343259: __getptd_noexit.LIBCMT ref: 00343259
        • __stricmp_l.LIBCMT ref: 00341ACC
          • Part of subcall function 0034364C: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0034365B
        • ___crtLCMapStringA.LIBCMT ref: 00341B22
        • ___crtLCMapStringA.LIBCMT ref: 00341BA3
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
        • String ID:
        • API String ID: 2544346105-0
        • Opcode ID: ccde090d462bd0a63e26b6b2f0991c81e836c319332b5865de23fb4cd0f8ae65
        • Instruction ID: 01bb74577743ea4d4b07f3422588ce7f887b63a7ddbc4066164d8de121b6de2f
        • Opcode Fuzzy Hash: ccde090d462bd0a63e26b6b2f0991c81e836c319332b5865de23fb4cd0f8ae65
        • Instruction Fuzzy Hash: 78513A709046599BDF2B8BA4C885BBD7BF4EF01324F294299E0625F1D2D770AEC1D750
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00348DD7
        • __isleadbyte_l.LIBCMT ref: 00348E0A
        • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,?,?,0000000C,00000000,00000000), ref: 00348E3B
        • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,?,?,0000000C,00000000,00000000), ref: 00348EA9
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
        • String ID:
        • API String ID: 3058430110-0
        • Opcode ID: 50a24101ef28299a510e8818e5d62a7b5fcb9ad86e70b5ea96cf1304bdeffdf6
        • Instruction ID: 5bd646fef6b07a73c191e61116f3a94106d33d8cc8d7293b0d39412d28ea0a72
        • Opcode Fuzzy Hash: 50a24101ef28299a510e8818e5d62a7b5fcb9ad86e70b5ea96cf1304bdeffdf6
        • Instruction Fuzzy Hash: 2E31B231A01295EFDB22DF64C8849AE7BE5FF02310F168969E4659F1D1DB30ED80EB51
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SendMessageA.USER32(?,0000000D,00000100,?), ref: 00341066
        • __mbsupr.LIBCMT ref: 0034107C
          • Part of subcall function 00341E90: __mbsupr_s_l.LIBCMT ref: 00341EA2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1890748704.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
        • Associated: 00000000.00000002.1890727843.0000000000340000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890766909.000000000034A000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890783545.000000000034D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1890809054.0000000000350000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_340000_remcmdstub.jbxd
        Similarity
        • API ID: MessageSend__mbsupr__mbsupr_s_l
        • String ID: remcmdstub.exe
        • API String ID: 2906800920-3306276910
        • Opcode ID: 96d8b86799f5028e0cb4f94e83fea72e413e76ef7d58285df2f2310bc7665337
        • Instruction ID: efca496646f136e3c9d97bcefcbb6ac3a254e196d58cf86b714deca950e7cfd3
        • Opcode Fuzzy Hash: 96d8b86799f5028e0cb4f94e83fea72e413e76ef7d58285df2f2310bc7665337
        • Instruction Fuzzy Hash: 2AF090B5A01518ABDB12EBA4ED42FEE77EC9F14744F400095B9449F181EEB0BEC58BA1
        Uniqueness

        Uniqueness Score: -1.00%
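        The three listings above that touch USER32 describe one API chain: a function that reads its own image path with GetModuleFileNameA, uppercases it and takes the basename (__mbsupr, __mbsrchr_l), then walks windows with EnumThreadWindows and EnumWindows; and two callbacks reached through the pointers passed to those calls (00341040 and 003410C0), each reading a window title with SendMessageA(WM_GETTEXT), one of them also calling GetClassNameA and SendMessageA(WM_CLOSE). The script below is an added example written for this page; it is not Joe Sandbox code and not code recovered from the sample. It parses the "APIs" bullet lines, resolves the two callback pointers to the listed functions with a nearest-address heuristic that is my assumption, and reports which window messages each callback sends. The function labels (enumerator, callback_A, callback_B) are mine; the trace lines are copied from this report; WM_GETTEXT (0x000D) and WM_CLOSE (0x0010) are the standard winuser.h values.

```python
"""Parse per-function "APIs" listings from a Joe Sandbox report and flag the
window-enumeration chain. Added example for this page, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Optional

# uMsg values as they appear in SendMessageA's second argument (winuser.h constants)
WM_NAMES = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH", 0x0010: "WM_CLOSE"}

# Three "APIs" sections copied from this report. The labels are mine (assumption);
# the report only identifies each function by the addresses of its calls.
SAMPLE = {
    "enumerator": """
• GetModuleFileNameA.KERNEL32(00000000,0034DE00,00000104,?,00341739,?,00000001), ref: 003411DF
• __mbsupr.LIBCMT ref: 003411EA
  • Part of subcall function 00341D65: __mbsupr_s_l.LIBCMT ref: 00341D77
  • Part of subcall function 003418F9: __mbsrchr_l.LIBCMT ref: 00341906
• EnumThreadWindows.USER32(00000000,00341040,?), ref: 00341232
• GetLastError.KERNEL32 ref: 00341242
• EnumWindows.USER32(003410C0,?), ref: 00341258
• GetLastError.KERNEL32 ref: 00341262
""",
    "callback_A": """
• SendMessageA.USER32(?,0000000D,00000100,?), ref: 003410ED
• __mbsupr.LIBCMT ref: 003410FF
  • Part of subcall function 00341D65: __mbsupr_s_l.LIBCMT ref: 00341D77
• GetClassNameA.USER32(?,?,00000080), ref: 00341149
• SendMessageA.USER32(?,00000010,00000000,00000000), ref: 003411AC
  • Part of subcall function 00341010: GetVersionExA.KERNEL32(0034DF08,0034118D), ref: 00341028
""",
    "callback_B": """
• SendMessageA.USER32(?,0000000D,00000100,?), ref: 00341066
• __mbsupr.LIBCMT ref: 0034107C
  • Part of subcall function 00341E90: __mbsupr_s_l.LIBCMT ref: 00341EA2
""",
}

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # helper the call belongs to; None for top-level calls

def parse_apis(text: str) -> list:
    """Bullet lines of one "APIs" section -> Call records (unparsable lines skipped)."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), caller))
    return calls

def message_name(call: Call) -> Optional[str]:
    """Decode the uMsg argument of SendMessageA; None if the sandbox recorded '?'."""
    if call.api != "SendMessageA" or len(call.args) < 2:
        return None
    try:
        msg = int(call.args[1], 16)
    except ValueError:
        return None
    return WM_NAMES.get(msg, "WM_%04X" % msg)

def resolve_callback(ptr: int, functions: dict) -> Optional[str]:
    """Map a callback pointer to the listed function whose first top-level call sits
    closest above it. Assumption: the entry point is at most 0x100 bytes before it."""
    best = None
    for name, calls in functions.items():
        first = min(c.ref for c in calls if c.subcall_of is None)
        if 0 <= first - ptr <= 0x100 and (best is None or first < best[1]):
            best = (name, first)
    return best[0] if best else None

def find_window_hunt_chain(functions: dict) -> dict:
    """Flag GetModuleFileName* followed by Enum*Windows and report the window
    messages the resolved callback sends (WM_GETTEXT reads a title, WM_CLOSE shuts it)."""
    findings = {}
    for calls in functions.values():
        top = [c for c in calls if c.subcall_of is None]
        if not any(c.api.startswith("GetModuleFileName") for c in top):
            continue
        for c in top:
            if c.api not in ("EnumWindows", "EnumThreadWindows"):
                continue
            ptr_idx = 0 if c.api == "EnumWindows" else 1   # position of lpEnumFunc
            try:
                ptr = int(c.args[ptr_idx], 16)
            except (IndexError, ValueError):
                continue
            target = resolve_callback(ptr, functions)
            msgs = []
            for cb in functions.get(target, []):
                name = message_name(cb)
                if name and cb.subcall_of is None and name not in msgs:
                    msgs.append(name)
            findings[c.api] = {"callback": target, "messages": msgs}
    return findings

def analyze(sample: dict = SAMPLE) -> dict:
    return find_window_hunt_chain({k: parse_apis(v) for k, v in sample.items()})
```

        Running analyze() on the copied listings maps EnumWindows to the callback that sends WM_GETTEXT and WM_CLOSE and EnumThreadWindows to the callback that only sends WM_GETTEXT. The heuristic cannot see the comparison logic between the title and the basename; only the strings in the report (ConsoleWindowClass, remcmdstub, tty) hint at what is compared.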