
Windows Analysis Report
RemComSvc.exe

Overview

General Information

Sample name:RemComSvc.exe
Analysis ID:1381255
MD5:8ee1182e45e6a0c9ce8ec5a5e84ec1c2
SHA1:b82361e5bf288b490ff656d0ff412056cabd16f8
SHA256:7c93d1257cd77cc333d6f9f033c19661d559101fb92b1e95de069058f9f273c9

Detection

RemCom RemoteAdmin
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected RemCom RemoteAdmin tool

Classification

Classification label: mal48.winEXE@9/2@0/0

Process Tree
  • System is w10x64
  • cmd.exe (PID: 7480 cmdline: cmd /c sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe" >> C:\servicereg.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7528 cmdline: sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
  • cmd.exe (PID: 7608 cmdline: cmd /c sc start Mfywu >> C:\servicestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7660 cmdline: sc start Mfywu MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
  • RemComSvc.exe (PID: 7672 cmdline: C:\Users\user\Desktop\RemComSvc.exe MD5: 8EE1182E45E6A0C9CE8EC5A5E84EC1C2)
  • cleanup
No configs have been found
Yara Overview

Source | Rule | Description | Author
RemComSvc.exe | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security
00000006.00000000.1682996322.0000000000C59000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security
00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security
Process Memory Space: RemComSvc.exe PID: 7672 | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security
6.2.RemComSvc.exe.c50000.0.unpack | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security
6.0.RemComSvc.exe.c50000.0.unpack | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security
              No Sigma rule has matched
              No Snort rule has matched

Signature Results

AV Detection
Source: RemComSvc.exe | ReversingLabs: Detection: 18%

Further signature results
Source: RemComSvc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RemComSvc.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C51450 OpenSCManagerA,WaitForSingleObject,OpenServiceA,CloseServiceHandle,DeleteService,SetServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,6_2_00C51450
Source: RemComSvc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal48.winEXE@9/2@0/0
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C51800 _wprintf,StartServiceCtrlDispatcherA,6_2_00C51800
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: RemComSvc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\sc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RemComSvc.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe"
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start Mfywu >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start Mfywu
Source: unknown | Process created: C:\Users\user\Desktop\RemComSvc.exe C:\Users\user\Desktop\RemComSvc.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start Mfywu
Source: RemComSvc.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: RemComSvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RemComSvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RemComSvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RemComSvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RemComSvc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C56B94 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,6_2_00C56B94
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C53975 push ecx; ret 6_2_00C53988
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C51800 _wprintf,StartServiceCtrlDispatcherA,6_2_00C51800
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe"
Source: C:\Users\user\Desktop\RemComSvc.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_6-4036)
Source: C:\Users\user\Desktop\RemComSvc.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_6-4848)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\RemComSvc.exe | API call chain: ExitProcess graph end node (graph_6-4037)
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C518DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00C518DA
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C56B94 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,6_2_00C56B94
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C518DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00C518DA
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C53EFF SetUnhandledExceptionFilter,6_2_00C53EFF
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C52BF1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00C52BF1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start Mfywu
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C51380 SetSecurityDescriptorDacl,InitializeSecurityDescriptor,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,ConnectNamedPipe,6_2_00C51380
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C51540 GetCurrentProcessId,OpenProcess,OpenProcessToken,GetLastError,LocalAlloc,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetLastError,GetLastError,LocalFree,LocalAlloc,GetLastError,GetTokenInformation,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,EqualSid,EqualSid,FreeSid,FreeSid,FreeSid,LocalFree,CloseHandle,FindCloseChangeNotification,CloseHandle,6_2_00C51540
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C51380 SetSecurityDescriptorDacl,InitializeSecurityDescriptor,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,ConnectNamedPipe,6_2_00C51380
Source: C:\Users\user\Desktop\RemComSvc.exe | Code function: 6_2_00C54792 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,6_2_00C54792
Source: Yara match | File source: RemComSvc.exe, type: SAMPLE
Source: Yara match | File source: 6.2.RemComSvc.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RemComSvc.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.1682996322.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RemComSvc.exe PID: 7672, type: MEMORYSTR
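The process tree and the "Process created" lines above show the PsExec-style install sequence that RemCom relies on: sc create with a binpath under a user profile, sc start, then the binary running as a service. The hunting routine below is an added example, not part of the Joe Sandbox report or of RemCom itself. It runs over constructed process-creation records whose PIDs, images and command lines are copied from this report's process tree; the record layout (timestamp, pid, image, command line, parent image), the parent images of the two cmd.exe wrappers, the services.exe parent of RemComSvc.exe (the report lists those parents as "unknown"), the benign GoodSvc noise record and the 60 second correlation window are all assumptions. It flags a service created from an untrusted directory as high severity only when it is also started and then observed running under services.exe within the window.

```python
"""Hunt for PsExec/RemCom-style service installs in process-creation telemetry.

Added example, not part of the Joe Sandbox report. The events below are
constructed from the report's process tree; the field layout and the parent
images of the cmd.exe wrappers and of RemComSvc.exe are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Directories a legitimately installed service binary is expected to run from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# sc.exe syntax puts a space after "binpath="; the path may or may not be quoted.
SC_CREATE = re.compile(
    r'\bcreate\s+(?P<name>\S+).*?\bbinpath=\s*(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))', re.I)
SC_START = re.compile(r'\bstart\s+(?P<name>\S+)\s*$', re.I)


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass
class Finding:
    service: str
    binpath: str
    created_ts: datetime
    installer_pid: int
    started: bool = False
    service_pid: Optional[int] = None
    severity: str = "low"


def _t(hhmmss: str) -> datetime:
    return datetime.strptime("2024-01-25 " + hhmmss, "%Y-%m-%d %H:%M:%S")


CMD = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
REMCOM = r"C:\Users\user\Desktop\RemComSvc.exe"

# Constructed sample telemetry. PIDs, images and command lines come from the report;
# the explorer.exe and services.exe parents are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(_t("18:47:05"), 7480, CMD,
              r'cmd /c sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe" >> C:\servicereg.log 2>&1',
              r"C:\Windows\explorer.exe"),
    ProcEvent(_t("18:47:05"), 7528, SC,
              r'sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe"', CMD),
    ProcEvent(_t("18:47:06"), 7608, CMD,
              r"cmd /c sc start Mfywu >> C:\servicestart.log 2>&1", r"C:\Windows\explorer.exe"),
    ProcEvent(_t("18:47:06"), 7660, SC, "sc start Mfywu", CMD),
    ProcEvent(_t("18:47:06"), 7672, REMCOM, REMCOM, r"C:\Windows\System32\services.exe"),
    # Benign noise (constructed): a vendor service installed from Program Files, never started.
    ProcEvent(_t("18:50:00"), 8001, SC,
              r'sc create GoodSvc binpath= "C:\Program Files\Vendor\good.exe"', CMD),
]


def _is(image: str, basename: str) -> bool:
    return image.lower().endswith("\\" + basename)


def hunt_service_installs(events: List[ProcEvent],
                          window: timedelta = timedelta(seconds=60)) -> List[Finding]:
    """One Finding per `sc create`, correlated with `sc start` and with the service
    process itself (parent services.exe) inside `window`."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for ev in events:
        if not _is(ev.image, "sc.exe"):
            continue                      # the cmd.exe wrapper would double-count
        m = SC_CREATE.search(ev.cmdline)
        if not m:
            continue
        binpath = m.group("qpath") or m.group("path")
        f = Finding(m.group("name"), binpath, ev.ts, ev.pid)
        for later in events:
            if not ev.ts <= later.ts <= ev.ts + window:
                continue
            if _is(later.image, "sc.exe"):
                s = SC_START.search(later.cmdline)
                if s and s.group("name").lower() == f.service.lower():
                    f.started = True
            elif (later.image.lower() == binpath.lower()
                  and _is(later.parent_image, "services.exe")):
                f.service_pid = later.pid
        untrusted = not binpath.lower().startswith(TRUSTED_ROOTS)
        if untrusted and f.started and f.service_pid is not None:
            f.severity = "high"           # user-path binary installed, started and running as a service
        elif untrusted:
            f.severity = "medium"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt_service_installs(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.service:8} {f.binpath} started={f.started} pid={f.service_pid}")
```

Run against the constructed events, Mfywu comes out as high (created from C:\Users, started, and PID 7672 observed under services.exe) and GoodSvc as low. In a real deployment the same three-way correlation maps onto Sysmon Event ID 1 (or Security 4688) for the process records and, for the create step, System Event ID 7045 gives the service name and image path directly even when the installer is not sc.exe.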
MITRE ATT&CK Matrix (techniques with matching signatures; the number is the report's match count)

Execution: Service Execution (13), Native API (3)
Persistence: Windows Service (14)
Privilege Escalation: Windows Service (14), Process Injection (12)
Defense Evasion: Process Injection (12), Obfuscated Files or Information (1)
Discovery: System Time Discovery (1), Security Software Discovery (1), System Information Discovery (2)

No technique matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact.
Antivirus / Scanner Results

Source | Detection | Scanner
RemComSvc.exe | 19% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
              Joe Sandbox version:39.0.0 Ruby
              Analysis ID:1381255
              Start date and time:2024-01-25 18:46:14 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 6s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Run name:Run as Windows Service
Number of new started processes analysed:11
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:RemComSvc.exe
              Detection:MAL
              Classification:mal48.winEXE@9/2@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 10
              • Number of non-executed functions: 15
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • VT rate limit hit for: RemComSvc.exe
              No simulations
              No context
Created / Modified File: C:\servicereg.log (the redirect target of the sc create command above; the preview is sc's CreateService result)
Process:C:\Windows\SysWOW64\cmd.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):28
              Entropy (8bit):3.678439190827718
              Encrypted:false
              SSDEEP:3:4A4AnXjzSv:4HAnXjg
              MD5:A8F4D690C5BDE96AD275C7D4ABE0E3D3
              SHA1:7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A
              SHA-256:596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B
              SHA-512:A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:[SC] CreateService SUCCESS..
Created / Modified File: C:\servicestart.log (the redirect target of the sc start command above; the preview is sc's status block for the Mfywu service)
Process:C:\Windows\SysWOW64\cmd.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):409
              Entropy (8bit):3.4748019200398503
              Encrypted:false
              SSDEEP:6:lg3D/8FTgVKBRjrvnsn8qLLFmLaZnsHgm66//Vh//mGSCefq:lgABgV0HvGZLQqOVxmFCcq
              MD5:05FFDC0CAB0DC4CBE91707F2F84B298D
              SHA1:020C3BACF710BB00C015E4821AD6BF5E6FD0E14D
              SHA-256:A01488FF8255EF060EEB6D87E691929B782C61A35CC68B314EEAF1374082F29F
              SHA-512:C8F5BFB9A3015D1564C22EB0CAAA4EB6C53F0548B5CF1CF1511F319AC8365B89A6EFB55DC55628C68EC5F12AEFADA3A29EE50B2578AF1D6305407B29359E3A29
              Malicious:false
              Reputation:low
Preview (CRLF rendered as line breaks):

SERVICE_NAME: Mfywu
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 7672
        FLAGS              :
              File type:PE32 executable (console) Intel 80386, for MS Windows
              Entropy (8bit):6.025854113957422
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:RemComSvc.exe
              File size:49'664 bytes
              MD5:8ee1182e45e6a0c9ce8ec5a5e84ec1c2
              SHA1:b82361e5bf288b490ff656d0ff412056cabd16f8
              SHA256:7c93d1257cd77cc333d6f9f033c19661d559101fb92b1e95de069058f9f273c9
              SHA512:16aa48d1e5d703aad43c82206405bf662082f01bc292b535d1227f009d3bcd0d863edd243e42fd8c15afe6a8c9189b5cece9cfedebcfcfc840b06546fe3567fd
              SSDEEP:768:hzKkposxgsVKb6SPcTq7Oxp6uIcLDrrrH25WhfMG6PkyUED3nX6omNu5vMsC:gkpROsVaDSxpicvrWwfMG6P9X6i5vM
              TLSH:87234A167391C432D056153419B9C2B34BBFB83256B9878B7B94077E9FB02E09E39397
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1P..u1..u1..u1..n.\.{1..n.h.-1..|IQ.p1..u1...1..n.i.l1..n._.t1..Richu1..........................PE..L.....z_.................x.
              Icon Hash:90cececece8e8eb0
              Entrypoint:0x401d50
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Time Stamp:0x5F7AE3CA [Mon Oct 5 09:13:46 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:ba9923d9bf7b1cc87486a23ff9cc2c57
              Instruction
              call 00007F6C28E45F42h
              jmp 00007F6C28E4339Ah
              mov edi, edi
              push ebp
              mov ebp, esp
              push ecx
              push esi
              mov esi, dword ptr [ebp+0Ch]
              push esi
              call 00007F6C28E469A8h
              mov dword ptr [ebp+0Ch], eax
              mov eax, dword ptr [esi+0Ch]
              pop ecx
              test al, 82h
              jne 00007F6C28E43519h
              call 00007F6C28E44549h
              mov dword ptr [eax], 00000009h
              or dword ptr [esi+0Ch], 20h
              or eax, FFFFFFFFh
              jmp 00007F6C28E43634h
              test al, 40h
              je 00007F6C28E4350Fh
              call 00007F6C28E4452Eh
              mov dword ptr [eax], 00000022h
              jmp 00007F6C28E434E5h
              push ebx
              xor ebx, ebx
              test al, 01h
              je 00007F6C28E43518h
              mov dword ptr [esi+04h], ebx
              test al, 10h
              je 00007F6C28E4358Dh
              mov ecx, dword ptr [esi+08h]
              and eax, FFFFFFFEh
              mov dword ptr [esi], ecx
              mov dword ptr [esi+0Ch], eax
              mov eax, dword ptr [esi+0Ch]
              and eax, FFFFFFEFh
              or eax, 02h
              mov dword ptr [esi+0Ch], eax
              mov dword ptr [esi+04h], ebx
              mov dword ptr [ebp-04h], ebx
              test eax, 0000010Ch
              jne 00007F6C28E4352Eh
              call 00007F6C28E45365h
              add eax, 20h
              cmp esi, eax
              je 00007F6C28E4350Eh
              call 00007F6C28E45359h
              add eax, 40h
              cmp esi, eax
              jne 00007F6C28E4350Fh
              push dword ptr [ebp+0Ch]
              call 00007F6C28E468C9h
              pop ecx
              test eax, eax
              jne 00007F6C28E43509h
              push esi
              call 00007F6C28E46875h
              pop ecx
              test dword ptr [esi+0Ch], 00000108h
              push edi
              je 00007F6C28E43586h
              mov eax, dword ptr [esi+08h]
              mov edi, dword ptr [esi]
              lea ecx, dword ptr [eax+01h]
              mov dword ptr [esi], ecx
              Programming Language:
              • [ASM] VS2010 SP1 build 40219
              • [ C ] VS2010 SP1 build 40219
              • [IMP] VS2008 SP1 build 30729
              • [C++] VS2010 SP1 build 40219
              • [LNK] VS2010 SP1 build 40219
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xade4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0x7fc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xaaa8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x178 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x76da | 0x7800 | 228f631d48f7b88cd0f85937bed701c4 | False | 0.6086263020833333 | data | 6.446638651487706 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2666 | 0x2800 | 0713cf11885cda7b2ec25578b5000a50 | False | 0.33603515625 | data | 4.806488509835395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x2ecc | 0xe00 | 86c8e306b23340745dab8ccf4cba412b | False | 0.1953125 | data | 2.245164285527814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf000 | 0x1b4 | 0x200 | 7475142898eff4c64c9c7ace29d4959f | False | 0.490234375 | data | 5.097979088823027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xce2 | 0xe00 | 54d318d2283b3d7597d2e35d8f5dfc08 | False | 0.5061383928571429 | data | 4.644065363411854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
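The Entropy column in the section table above, and the Entropy/Encrypted fields of the two dropped log files, are 8-bit Shannon entropy in bits per byte. The Python below is an added example, not part of the Joe Sandbox report: it recomputes the value the report gives for the 28-byte content of servicereg.log (3.678439190827718, which is exactly the string "[SC] CreateService SUCCESS" plus CRLF) and applies the usual packed-section checks to the five section rows copied from the table. The 7.0 bits/byte threshold is a common rule of thumb and an assumption, not the sandbox's own cut-off.

```python
"""Shannon entropy as reported in the section table and dropped-file records.

Added example, not part of the Joe Sandbox report. The log content and the
section rows are copied from the report; the 7.0 bits/byte packing threshold
is an assumption (a common rule of thumb), not the sandbox's own cut-off.
"""
import math
from collections import Counter
from typing import List

# Constructed input: the exact content of C:\servicereg.log from the report
# ("[SC] CreateService SUCCESS" followed by CRLF), 28 bytes.
SERVICEREG_LOG = b"[SC] CreateService SUCCESS\r\n"

# (name, virtual size, raw size, entropy, characteristics) from the report's section table.
REPORT_SECTIONS = [
    (".text",  0x76da, 0x7800, 6.446638651487706, "CODE|EXECUTE|READ"),
    (".rdata", 0x2666, 0x2800, 4.806488509835395, "INITIALIZED_DATA|READ"),
    (".data",  0x2ecc, 0x0e00, 2.245164285527814, "INITIALIZED_DATA|READ|WRITE"),
    (".rsrc",  0x01b4, 0x0200, 5.097979088823027, "INITIALIZED_DATA|READ"),
    (".reloc", 0x0ce2, 0x0e00, 4.644065363411854, "INITIALIZED_DATA|DISCARDABLE|READ"),
]

PACKED_THRESHOLD = 7.0  # assumption: bits/byte above which a section is treated as packed or encrypted


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_flags(name: str, vsize: int, rawsize: int, entropy: float, chars: str) -> List[str]:
    """Properties that change how a section's entropy should be read."""
    flags = []
    if entropy >= PACKED_THRESHOLD:
        flags.append("high-entropy")            # typical of packed or encrypted code
    if "EXECUTE" in chars and "WRITE" in chars:
        flags.append("writable-executable")      # self-modifying code or an unpacking stub
    if rawsize == 0 and vsize > 0:
        flags.append("no-raw-data")              # filled at runtime, nothing to hash statically
    return flags


def suspicious_sections(sections) -> List[str]:
    """Names of the sections that trip at least one flag."""
    return [s[0] for s in sections if section_flags(*s)]


if __name__ == "__main__":
    print(f"servicereg.log entropy: {shannon_entropy(SERVICEREG_LOG):.15f}")
    print("flagged sections:", suspicious_sections(REPORT_SECTIONS) or "none")
```

None of the five sections trips a flag: .text sits at 6.45 bits/byte with no write permission, which is consistent with the report's "Dynamic/Decrypted Code Coverage: 0%" and with the unpacked dumps matching the same Yara rule as the file on disk. A packed build of the same tool would typically show a small, high-entropy, writable and executable section instead.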
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xf058 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
Imports

KERNEL32.dll: OpenProcess, LocalAlloc, CreateEventA, LocalFree, GetLastError, InterlockedIncrement, ReadFile, WriteFile, DisconnectNamedPipe, InterlockedDecrement, SetEvent, CreateProcessA, WaitForSingleObject, GetExitCodeProcess, CreateNamedPipeA, ConnectNamedPipe, GetCurrentProcessId, CloseHandle, ExitThread, ResumeThread, CreateThread, GetCommandLineA, HeapSetInformation, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, GetCurrentProcess, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, ExitProcess, HeapFree, Sleep, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, HeapCreate, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryW, RtlUnwind, HeapAlloc, HeapReAlloc, SetStdHandle, WriteConsoleW, MultiByteToWideChar, LCMapStringW, GetStringTypeW, HeapSize, FlushFileBuffers, CreateFileW
ADVAPI32.dll: RegisterServiceCtrlHandlerA, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid, OpenSCManagerA, OpenServiceA, CloseServiceHandle, DeleteService, SetServiceStatus, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, StartServiceCtrlDispatcherA

Language of compilation system: English
Country where language is spoken: United States
              No network behavior found
              Target ID:0
              Start time:18:47:05
              Start date:25/01/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd /c sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe" >> C:\servicereg.log 2>&1
              Imagebase:0x240000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:1
              Start time:18:47:05
              Start date:25/01/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:2
              Start time:18:47:05
              Start date:25/01/2024
              Path:C:\Windows\SysWOW64\sc.exe
              Wow64 process (32bit):true
              Commandline:sc create Mfywu binpath= "C:\Users\user\Desktop\RemComSvc.exe"
              Imagebase:0x290000
              File size:61'440 bytes
              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:3
              Start time:18:47:06
              Start date:25/01/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd /c sc start Mfywu >> C:\servicestart.log 2>&1
              Imagebase:0x240000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:18:47:06
              Start date:25/01/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:18:47:06
              Start date:25/01/2024
              Path:C:\Windows\SysWOW64\sc.exe
              Wow64 process (32bit):true
              Commandline:sc start Mfywu
              Imagebase:0x290000
              File size:61'440 bytes
              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:6
              Start time:18:47:06
              Start date:25/01/2024
              Path:C:\Users\user\Desktop\RemComSvc.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\RemComSvc.exe
              Imagebase:0xc50000
              File size:49'664 bytes
              MD5 hash:8EE1182E45E6A0C9CE8EC5A5E84EC1C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000006.00000000.1682996322.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              Reputation:low
              Has exited:false

Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.1%
Total number of Nodes: 1528
Total number of Limit Nodes: 26
4555->4424 4557 c53639 _doexit 66 API calls 4556->4557 4558 c5378a 4557->4558 4558->4449 4560 c53639 _doexit 66 API calls 4559->4560 4561 c537b0 4560->4561 4561->4452 4563 c53064 DecodePointer 4562->4563 4564 c53073 4562->4564 4563->4564 4565 c53084 TlsFree 4564->4565 4566 c53092 4564->4566 4565->4566 4567 c55fd3 DeleteCriticalSection 4566->4567 4568 c55feb 4566->4568 4569 c53b1f _free 66 API calls 4567->4569 4570 c55ffd DeleteCriticalSection 4568->4570 4571 c53394 4568->4571 4569->4566 4570->4568 4571->4425 4581 c52fd7 EncodePointer 4572->4581 4574 c53553 __init_pointers __initp_misc_winsig 4582 c56153 EncodePointer 4574->4582 4576 c53446 EncodePointer EncodePointer EncodePointer EncodePointer 4577 c55f6d 4576->4577 4578 c55f78 4577->4578 4579 c55f82 InitializeCriticalSectionAndSpinCount 4578->4579 4580 c53485 4578->4580 4579->4578 4579->4580 4580->4468 4580->4469 4581->4574 4582->4576 4585 c54216 4583->4585 4587 c54283 4585->4587 4593 c56fb1 4585->4593 4586 c54381 4586->4512 4586->4515 4587->4586 4588 c56fb1 76 API calls _parse_cmdline 4587->4588 4588->4587 4590 c55909 4589->4590 4591 c55902 4589->4591 4590->4507 4654 c5575f 4591->4654 4596 c56f5e 4593->4596 4599 c51ebe 4596->4599 4600 c51f1e 4599->4600 4601 c51ed1 4599->4601 4600->4585 4602 c531c4 __getptd 66 API calls 4601->4602 4603 c51ed6 4602->4603 4604 c51efe 4603->4604 4607 c55bd7 4603->4607 4604->4600 4622 c55456 4604->4622 4608 c55be3 _wprintf 4607->4608 4609 c531c4 __getptd 66 API calls 4608->4609 4610 c55be8 4609->4610 4611 c55c16 4610->4611 4612 c55bfa 4610->4612 4613 c560e7 __lock 66 API calls 4611->4613 4614 c531c4 __getptd 66 API calls 4612->4614 4615 c55c1d 4613->4615 4616 c55bff 4614->4616 4638 c55b8a 4615->4638 4620 c55c0d _wprintf 4616->4620 4621 c537c3 __amsg_exit 66 API calls 4616->4621 4620->4604 4621->4620 4623 c55462 _wprintf 4622->4623 4624 c531c4 __getptd 66 API calls 4623->4624 4625 c55467 4624->4625 4626 c55479 4625->4626 4627 c560e7 __lock 66 API calls 4625->4627 4629 c55487 _wprintf 
4626->4629 4631 c537c3 __amsg_exit 66 API calls 4626->4631 4628 c55497 4627->4628 4630 c554e0 4628->4630 4633 c554ae InterlockedDecrement 4628->4633 4634 c554c8 InterlockedIncrement 4628->4634 4629->4600 4650 c554f1 4630->4650 4631->4629 4633->4634 4635 c554b9 4633->4635 4634->4630 4635->4634 4636 c53b1f _free 66 API calls 4635->4636 4637 c554c7 4636->4637 4637->4634 4639 c55b97 4638->4639 4640 c55bcc 4638->4640 4639->4640 4641 c55917 ___addlocaleref 8 API calls 4639->4641 4646 c55c44 4640->4646 4642 c55bad 4641->4642 4642->4640 4643 c559a6 ___removelocaleref 8 API calls 4642->4643 4644 c55bb8 4643->4644 4644->4640 4645 c55a3f ___freetlocinfo 66 API calls 4644->4645 4645->4640 4649 c5600e LeaveCriticalSection 4646->4649 4648 c55c4b 4648->4616 4649->4648 4653 c5600e LeaveCriticalSection 4650->4653 4652 c554f8 4652->4626 4653->4652 4655 c5576b _wprintf 4654->4655 4656 c531c4 __getptd 66 API calls 4655->4656 4657 c55774 4656->4657 4658 c55456 _LocaleUpdate::_LocaleUpdate 68 API calls 4657->4658 4659 c5577e 4658->4659 4685 c554fa 4659->4685 4662 c53b59 __malloc_crt 66 API calls 4663 c5579f 4662->4663 4664 c558be _wprintf 4663->4664 4692 c55576 4663->4692 4664->4590 4667 c557cf InterlockedDecrement 4669 c557f0 InterlockedIncrement 4667->4669 4670 c557df 4667->4670 4668 c558cb 4668->4664 4672 c558de 4668->4672 4674 c53b1f _free 66 API calls 4668->4674 4669->4664 4671 c55806 4669->4671 4670->4669 4673 c53b1f _free 66 API calls 4670->4673 4671->4664 4677 c560e7 __lock 66 API calls 4671->4677 4675 c52dbe __fclose_nolock 66 API calls 4672->4675 4676 c557ef 4673->4676 4674->4672 4675->4664 4676->4669 4679 c5581a InterlockedDecrement 4677->4679 4680 c55896 4679->4680 4681 c558a9 InterlockedIncrement 4679->4681 4680->4681 4683 c53b1f _free 66 API calls 4680->4683 4702 c558c0 4681->4702 4684 c558a8 4683->4684 4684->4681 4686 c51ebe _LocaleUpdate::_LocaleUpdate 76 API calls 4685->4686 4687 c5550e 4686->4687 4688 c55537 4687->4688 4689 c55519 GetOEMCP 4687->4689 4690 c5553c GetACP 
4688->4690 4691 c55529 4688->4691 4689->4691 4690->4691 4691->4662 4691->4664 4693 c554fa getSystemCP 78 API calls 4692->4693 4694 c55596 4693->4694 4695 c555a1 setSBCS 4694->4695 4697 c555e5 IsValidCodePage 4694->4697 4701 c5560a _memset __setmbcp_nolock 4694->4701 4696 c518da __crtGetStringTypeA_stat 5 API calls 4695->4696 4698 c5575d 4696->4698 4697->4695 4699 c555f7 GetCPInfo 4697->4699 4698->4667 4698->4668 4699->4695 4699->4701 4705 c552c6 GetCPInfo 4701->4705 4766 c5600e LeaveCriticalSection 4702->4766 4704 c558c7 4704->4664 4708 c552fa _memset 4705->4708 4714 c553ae 4705->4714 4715 c57624 4708->4715 4710 c518da __crtGetStringTypeA_stat 5 API calls 4712 c55454 4710->4712 4712->4701 4713 c574f7 ___crtLCMapStringA 82 API calls 4713->4714 4714->4710 4716 c51ebe _LocaleUpdate::_LocaleUpdate 76 API calls 4715->4716 4717 c57637 4716->4717 4725 c5753d 4717->4725 4720 c574f7 4721 c51ebe _LocaleUpdate::_LocaleUpdate 76 API calls 4720->4721 4722 c5750a 4721->4722 4742 c57310 4722->4742 4726 c57566 MultiByteToWideChar 4725->4726 4727 c5755b 4725->4727 4730 c57593 4726->4730 4737 c5758f 4726->4737 4727->4726 4728 c575a8 _memset __crtGetStringTypeA_stat 4732 c575e1 MultiByteToWideChar 4728->4732 4728->4737 4729 c518da __crtGetStringTypeA_stat 5 API calls 4731 c55369 4729->4731 4730->4728 4733 c567a2 _malloc 66 API calls 4730->4733 4731->4720 4734 c575f7 GetStringTypeW 4732->4734 4735 c57608 4732->4735 4733->4728 4734->4735 4738 c572f0 4735->4738 4737->4729 4739 c572fc 4738->4739 4741 c5730d 4738->4741 4740 c53b1f _free 66 API calls 4739->4740 4739->4741 4740->4741 4741->4737 4744 c5732e MultiByteToWideChar 4742->4744 4745 c5738c 4744->4745 4749 c57393 4744->4749 4746 c518da __crtGetStringTypeA_stat 5 API calls 4745->4746 4748 c55389 4746->4748 4747 c573e0 MultiByteToWideChar 4751 c574d8 4747->4751 4752 c573f9 LCMapStringW 4747->4752 4748->4713 4750 c567a2 _malloc 66 API calls 4749->4750 4755 c573ac __crtGetStringTypeA_stat 4749->4755 4750->4755 4753 c572f0 __freea 66 API 
calls 4751->4753 4752->4751 4754 c57418 4752->4754 4753->4745 4756 c57422 4754->4756 4758 c5744b 4754->4758 4755->4745 4755->4747 4756->4751 4757 c57436 LCMapStringW 4756->4757 4757->4751 4760 c57466 __crtGetStringTypeA_stat 4758->4760 4761 c567a2 _malloc 66 API calls 4758->4761 4759 c5749a LCMapStringW 4762 c574b0 WideCharToMultiByte 4759->4762 4763 c574d2 4759->4763 4760->4751 4760->4759 4761->4760 4762->4763 4764 c572f0 __freea 66 API calls 4763->4764 4764->4751 4766->4704 4768 c56f14 4767->4768 4769 c56f0d 4767->4769 4770 c52dbe __fclose_nolock 66 API calls 4768->4770 4769->4768 4772 c56f32 4769->4772 4775 c56f19 4770->4775 4771 c52d6c __fclose_nolock 11 API calls 4773 c56f23 4771->4773 4772->4773 4774 c52dbe __fclose_nolock 66 API calls 4772->4774 4773->4525 4774->4775 4775->4771 4777 c55c56 EncodePointer 4776->4777 4777->4777 4778 c55c70 4777->4778 4778->4539 4782 c564a5 4779->4782 4781 c564ee 4781->4541 4783 c564b1 _wprintf 4782->4783 4790 c53539 4783->4790 4789 c564d2 _wprintf 4789->4781 4791 c560e7 __lock 66 API calls 4790->4791 4792 c53540 4791->4792 4793 c563be DecodePointer DecodePointer 4792->4793 4794 c5646d 4793->4794 4795 c563ec 4793->4795 4804 c564db 4794->4804 4795->4794 4807 c57ee1 4795->4807 4797 c56450 EncodePointer EncodePointer 4797->4794 4798 c563fe 4798->4797 4799 c56422 4798->4799 4814 c53bea 4798->4814 4799->4794 4801 c53bea __realloc_crt 70 API calls 4799->4801 4802 c5643e EncodePointer 4799->4802 4803 c56438 4801->4803 4802->4797 4803->4794 4803->4802 4840 c53542 4804->4840 4808 c57f01 HeapSize 4807->4808 4809 c57eec 4807->4809 4808->4798 4810 c52dbe __fclose_nolock 66 API calls 4809->4810 4811 c57ef1 4810->4811 4812 c52d6c __fclose_nolock 11 API calls 4811->4812 4813 c57efc 4812->4813 4813->4798 4816 c53bf3 4814->4816 4817 c53c32 4816->4817 4818 c53c13 Sleep 4816->4818 4819 c568b8 4816->4819 4817->4799 4818->4816 4820 c568c3 4819->4820 4821 c568ce 4819->4821 4822 c567a2 _malloc 66 API calls 4820->4822 4823 c568d6 4821->4823 4832 c568e3 
4821->4832 4824 c568cb 4822->4824 4825 c53b1f _free 66 API calls 4823->4825 4824->4816 4839 c568de __dosmaperr 4825->4839 4826 c5691b 4827 c56396 _malloc DecodePointer 4826->4827 4829 c56921 4827->4829 4828 c568eb HeapReAlloc 4828->4832 4828->4839 4830 c52dbe __fclose_nolock 66 API calls 4829->4830 4830->4839 4831 c5694b 4833 c52dbe __fclose_nolock 66 API calls 4831->4833 4832->4826 4832->4828 4832->4831 4834 c56396 _malloc DecodePointer 4832->4834 4836 c56933 4832->4836 4835 c56950 GetLastError 4833->4835 4834->4832 4835->4839 4837 c52dbe __fclose_nolock 66 API calls 4836->4837 4838 c56938 GetLastError 4837->4838 4838->4839 4839->4816 4843 c5600e LeaveCriticalSection 4840->4843 4842 c53549 4842->4789 4843->4842 4845 c515b0 LocalAlloc 4844->4845 4846 c515a2 GetLastError 4844->4846 4847 c515c1 GetLastError 4845->4847 4848 c515cf GetTokenInformation 4845->4848 4868 c516d4 4846->4868 4847->4868 4849 c515f0 GetLastError 4848->4849 4850 c51643 AllocateAndInitializeSid 4848->4850 4853 c515f7 GetLastError 4849->4853 4854 c51601 LocalFree LocalAlloc 4849->4854 4857 c51670 AllocateAndInitializeSid 4850->4857 4858 c51669 GetLastError 4850->4858 4851 c516f2 4855 c516fc 4851->4855 4856 c516f9 FreeSid 4851->4856 4852 c516ef FreeSid 4852->4851 4853->4868 4859 c51624 GetTokenInformation 4854->4859 4860 c5161a GetLastError 4854->4860 4861 c51707 4855->4861 4862 c51700 LocalFree 4855->4862 4856->4855 4863 c51697 4857->4863 4864 c51690 GetLastError 4857->4864 4858->4868 4859->4850 4865 c51639 GetLastError 4859->4865 4860->4868 4866 c51714 FindCloseChangeNotification 4861->4866 4867 c51717 4861->4867 4862->4861 4863->4868 4871 c516a0 EqualSid 4863->4871 4864->4868 4865->4868 4866->4867 4869 c51721 4867->4869 4870 c5171e CloseHandle 4867->4870 4868->4851 4868->4852 4872 c518da __crtGetStringTypeA_stat 5 API calls 4869->4872 4870->4869 4871->4868 4873 c516ba EqualSid 4871->4873 4874 c51731 4872->4874 4873->4863 4873->4868 4874->4545 4875 c51b09 4874->4875 4876 c51b15 _wprintf 
4875->4876 4877 c51b23 4876->4877 4878 c51b38 _wprintf 4876->4878 4879 c52dbe __fclose_nolock 66 API calls 4877->4879 4892 c53d50 4878->4892 4880 c51b28 4879->4880 4881 c52d6c __fclose_nolock 11 API calls 4880->4881 4884 c51b33 _wprintf 4881->4884 4883 c51b4a _wprintf 4897 c53ded 4883->4897 4884->4547 4886 c51b5c _wprintf 4904 c51fda 4886->4904 4888 c51b74 _wprintf 4933 c53e89 4888->4933 4893 c53d73 EnterCriticalSection 4892->4893 4894 c53d5d 4892->4894 4893->4883 4895 c560e7 __lock 66 API calls 4894->4895 4896 c53d66 4895->4896 4896->4883 4941 c5520d 4897->4941 4899 c53dfc 4948 c551b7 4899->4948 4901 c53e4f 4901->4886 4902 c53e02 _wprintf 4902->4901 4903 c53b59 __malloc_crt 66 API calls 4902->4903 4903->4901 4905 c51ebe _LocaleUpdate::_LocaleUpdate 76 API calls 4904->4905 4906 c52041 4905->4906 4907 c52dbe __fclose_nolock 66 API calls 4906->4907 4908 c52046 4907->4908 4909 c52050 4908->4909 4912 c5520d __fclose_nolock 66 API calls 4908->4912 4916 c52087 4908->4916 4910 c52dbe __fclose_nolock 66 API calls 4909->4910 4911 c52055 4910->4911 4913 c52d6c __fclose_nolock 11 API calls 4911->4913 4912->4916 4920 c52060 4913->4920 4914 c518da __crtGetStringTypeA_stat 5 API calls 4915 c52bbf 4914->4915 4915->4888 4916->4909 4918 c523b6 DecodePointer 4916->4918 4919 c5235c 4916->4919 4916->4920 4917 c52b86 4917->4888 4928 c52741 4918->4928 4957 c55e7d 4919->4957 4920->4914 4920->4917 4923 c523a0 4925 c51f45 _sprintf 97 API calls 4923->4925 4925->4920 4929 c5276d 4928->4929 4930 c5275b DecodePointer 4928->4930 4931 c5278e 4929->4931 4932 c5277c DecodePointer 4929->4932 4930->4929 4931->4888 4932->4931 4934 c53e94 4933->4934 4936 c51b85 4933->4936 4934->4936 5145 c56a01 4934->5145 4937 c51b9d 4936->4937 4938 c51ba2 _wprintf 4937->4938 5151 c53dbe 4938->5151 4940 c51bad 4940->4884 4942 c5522e 4941->4942 4943 c55219 4941->4943 4942->4899 4944 c52dbe __fclose_nolock 66 API calls 4943->4944 4945 c5521e 4944->4945 4946 c52d6c __fclose_nolock 11 API calls 4945->4946 4947 c55229 
4946->4947 4947->4899 4949 c551c4 4948->4949 4950 c551d3 4948->4950 4951 c52dbe __fclose_nolock 66 API calls 4949->4951 4953 c551f1 4950->4953 4954 c52dbe __fclose_nolock 66 API calls 4950->4954 4952 c551c9 4951->4952 4952->4902 4953->4902 4955 c551e4 4954->4955 4956 c52d6c __fclose_nolock 11 API calls 4955->4956 4956->4952 4958 c51ebe _LocaleUpdate::_LocaleUpdate 76 API calls 4957->4958 4959 c52372 4958->4959 4959->4923 4960 c51f45 4959->4960 4962 c51f4b 4960->4962 4961 c51f56 4961->4909 4961->4923 4962->4961 4964 c51d5a 4962->4964 4965 c5520d __fclose_nolock 66 API calls 4964->4965 4966 c51d6a 4965->4966 4967 c51d75 4966->4967 4968 c51d8c 4966->4968 4970 c52dbe __fclose_nolock 66 API calls 4967->4970 4969 c51d90 4968->4969 4979 c51d9d _wprintf 4968->4979 4971 c52dbe __fclose_nolock 66 API calls 4969->4971 4978 c51d7a 4970->4978 4971->4978 4972 c51e8d 4974 c5509a __write 97 API calls 4972->4974 4973 c51e0d 4975 c51e24 4973->4975 4980 c51e41 4973->4980 4974->4978 4988 c5509a 4975->4988 4977 c551b7 __write_nolock 66 API calls 4981 c51df3 4977->4981 4978->4961 4979->4977 4979->4978 4979->4981 4984 c51dfe 4979->4984 4980->4978 5013 c548b2 4980->5013 4981->4984 4985 c5516e 4981->4985 4984->4972 4984->4973 4986 c53b59 __malloc_crt 66 API calls 4985->4986 4987 c55183 4986->4987 4987->4984 4989 c550a6 _wprintf 4988->4989 4990 c550ae 4989->4990 4991 c550c9 4989->4991 4992 c52dd1 __dosmaperr 66 API calls 4990->4992 4993 c550d5 4991->4993 4996 c5510f 4991->4996 4994 c550b3 4992->4994 4995 c52dd1 __dosmaperr 66 API calls 4993->4995 4997 c52dbe __fclose_nolock 66 API calls 4994->4997 4998 c550da 4995->4998 5038 c570b8 4996->5038 5001 c550bb _wprintf 4997->5001 4999 c52dbe __fclose_nolock 66 API calls 4998->4999 5002 c550e2 4999->5002 5001->4978 5004 c52d6c __fclose_nolock 11 API calls 5002->5004 5003 c55115 5005 c55137 5003->5005 5006 c55123 5003->5006 5004->5001 5008 c52dbe __fclose_nolock 66 API calls 5005->5008 5048 c5499d 5006->5048 5009 c5513c 5008->5009 5011 c52dd1 
__dosmaperr 66 API calls 5009->5011 5010 c5512f 5107 c55166 5010->5107 5011->5010 5014 c548be _wprintf 5013->5014 5015 c548cf 5014->5015 5016 c548eb 5014->5016 5017 c52dd1 __dosmaperr 66 API calls 5015->5017 5018 c548f7 5016->5018 5022 c54931 5016->5022 5019 c548d4 5017->5019 5020 c52dd1 __dosmaperr 66 API calls 5018->5020 5023 c52dbe __fclose_nolock 66 API calls 5019->5023 5021 c548fc 5020->5021 5024 c52dbe __fclose_nolock 66 API calls 5021->5024 5025 c570b8 ___lock_fhandle 68 API calls 5022->5025 5031 c548dc _wprintf 5023->5031 5026 c54904 5024->5026 5027 c54937 5025->5027 5028 c52d6c __fclose_nolock 11 API calls 5026->5028 5029 c54945 5027->5029 5030 c54961 5027->5030 5028->5031 5032 c5482d __lseeki64_nolock 68 API calls 5029->5032 5033 c52dbe __fclose_nolock 66 API calls 5030->5033 5031->4978 5034 c54956 5032->5034 5035 c54966 5033->5035 5141 c54992 5034->5141 5036 c52dd1 __dosmaperr 66 API calls 5035->5036 5036->5034 5039 c570c4 _wprintf 5038->5039 5040 c5711e 5039->5040 5041 c560e7 __lock 66 API calls 5039->5041 5042 c57140 _wprintf 5040->5042 5043 c57123 EnterCriticalSection 5040->5043 5044 c570f0 5041->5044 5042->5003 5043->5042 5045 c5710c 5044->5045 5046 c570f9 InitializeCriticalSectionAndSpinCount 5044->5046 5110 c5714e 5045->5110 5046->5045 5049 c549ac __write_nolock 5048->5049 5050 c54a01 5049->5050 5051 c549e2 5049->5051 5080 c549d7 5049->5080 5056 c54a5d 5050->5056 5057 c54a40 5050->5057 5052 c52dd1 __dosmaperr 66 API calls 5051->5052 5054 c549e7 5052->5054 5053 c518da __crtGetStringTypeA_stat 5 API calls 5055 c55098 5053->5055 5059 c52dbe __fclose_nolock 66 API calls 5054->5059 5055->5010 5058 c54a70 5056->5058 5114 c5482d 5056->5114 5060 c52dd1 __dosmaperr 66 API calls 5057->5060 5063 c551b7 __write_nolock 66 API calls 5058->5063 5062 c549ee 5059->5062 5064 c54a45 5060->5064 5065 c52d6c __fclose_nolock 11 API calls 5062->5065 5066 c54a79 5063->5066 5067 c52dbe __fclose_nolock 66 API calls 5064->5067 5065->5080 5068 c54d1b 5066->5068 5073 c531c4 
__getptd 66 API calls 5066->5073 5069 c54a4d 5067->5069 5071 c54fcb WriteFile 5068->5071 5072 c54d2a 5068->5072 5070 c52d6c __fclose_nolock 11 API calls 5069->5070 5070->5080 5076 c54ffe GetLastError 5071->5076 5077 c54cfd 5071->5077 5074 c54de5 5072->5074 5084 c54d3d 5072->5084 5075 c54a94 GetConsoleMode 5073->5075 5090 c54df2 5074->5090 5097 c54ebf 5074->5097 5075->5068 5079 c54abd 5075->5079 5076->5077 5078 c55049 5077->5078 5077->5080 5082 c5501c 5077->5082 5078->5080 5085 c52dbe __fclose_nolock 66 API calls 5078->5085 5079->5068 5081 c54acd GetConsoleCP 5079->5081 5080->5053 5081->5077 5105 c54af0 5081->5105 5087 c55027 5082->5087 5088 c5503b 5082->5088 5083 c54d87 WriteFile 5083->5076 5083->5084 5084->5077 5084->5078 5084->5083 5091 c5506c 5085->5091 5086 c54f30 WideCharToMultiByte 5086->5076 5094 c54f67 WriteFile 5086->5094 5093 c52dbe __fclose_nolock 66 API calls 5087->5093 5095 c52de4 __dosmaperr 66 API calls 5088->5095 5089 c54e61 WriteFile 5089->5076 5089->5090 5090->5077 5090->5078 5090->5089 5092 c52dd1 __dosmaperr 66 API calls 5091->5092 5092->5080 5096 c5502c 5093->5096 5094->5097 5098 c54f9e GetLastError 5094->5098 5095->5080 5100 c52dd1 __dosmaperr 66 API calls 5096->5100 5097->5077 5097->5078 5097->5086 5097->5094 5098->5097 5100->5080 5101 c5717e WriteConsoleW CreateFileW __write_nolock 5101->5105 5102 c54b9c WideCharToMultiByte 5102->5077 5103 c54bcd WriteFile 5102->5103 5103->5076 5103->5105 5104 c572d6 78 API calls __fassign 5104->5105 5105->5076 5105->5077 5105->5101 5105->5102 5105->5104 5106 c54c21 WriteFile 5105->5106 5124 c55eb5 5105->5124 5106->5076 5106->5105 5140 c57157 LeaveCriticalSection 5107->5140 5109 c5516c 5109->5001 5113 c5600e LeaveCriticalSection 5110->5113 5112 c57155 5112->5040 5113->5112 5127 c5704f 5114->5127 5116 c5484b 5117 c54864 SetFilePointer 5116->5117 5118 c54853 5116->5118 5120 c5487c GetLastError 5117->5120 5121 c54858 5117->5121 5119 c52dbe __fclose_nolock 66 API calls 5118->5119 5119->5121 5120->5121 5122 
c54886 5120->5122 5121->5058 5123 c52de4 __dosmaperr 66 API calls 5122->5123 5123->5121 5125 c55e7d __isleadbyte_l 76 API calls 5124->5125 5126 c55ec4 5125->5126 5126->5105 5128 c57074 5127->5128 5129 c5705c 5127->5129 5132 c52dd1 __dosmaperr 66 API calls 5128->5132 5133 c570b3 5128->5133 5130 c52dd1 __dosmaperr 66 API calls 5129->5130 5131 c57061 5130->5131 5134 c52dbe __fclose_nolock 66 API calls 5131->5134 5135 c57085 5132->5135 5133->5116 5139 c57069 5134->5139 5136 c52dbe __fclose_nolock 66 API calls 5135->5136 5137 c5708d 5136->5137 5138 c52d6c __fclose_nolock 11 API calls 5137->5138 5138->5139 5139->5116 5140->5109 5144 c57157 LeaveCriticalSection 5141->5144 5143 c5499a 5143->5031 5144->5143 5146 c56a1a 5145->5146 5150 c56a3c 5145->5150 5147 c5520d __fclose_nolock 66 API calls 5146->5147 5146->5150 5148 c56a35 5147->5148 5149 c5509a __write 97 API calls 5148->5149 5149->5150 5150->4936 5152 c53de1 LeaveCriticalSection 5151->5152 5153 c53dce 5151->5153 5152->4940 5156 c5600e LeaveCriticalSection 5153->5156 5155 c53dde 5155->4940 5156->5155 5212 c53cef 5219 c56b8b 5212->5219 5215 c53d02 5217 c53b1f _free 66 API calls 5215->5217 5218 c53d0d 5217->5218 5232 c56ab1 5219->5232 5221 c53cf4 5221->5215 5222 c56965 5221->5222 5223 c56971 _wprintf 5222->5223 5224 c560e7 __lock 66 API calls 5223->5224 5227 c5697d 5224->5227 5225 c569e3 5262 c569f8 5225->5262 5227->5225 5230 c569b8 DeleteCriticalSection 5227->5230 5249 c580c4 5227->5249 5228 c569ef _wprintf 5228->5215 5231 c53b1f _free 66 API calls 5230->5231 5231->5227 5233 c56abd _wprintf 5232->5233 5234 c560e7 __lock 66 API calls 5233->5234 5240 c56acc 5234->5240 5235 c56b64 5245 c56b82 5235->5245 5237 c53d50 _wprintf 67 API calls 5237->5240 5238 c56b70 _wprintf 5238->5221 5240->5235 5240->5237 5241 c56a69 101 API calls __fflush_nolock 5240->5241 5242 c56b53 5240->5242 5241->5240 5243 c53dbe _flsall 2 API calls 5242->5243 5244 c56b61 5243->5244 5244->5240 5248 c5600e LeaveCriticalSection 5245->5248 5247 c56b89 
5247->5238 5248->5247 5250 c580d0 _wprintf 5249->5250 5251 c580f7 5250->5251 5252 c580e2 5250->5252 5260 c580f2 _wprintf 5251->5260 5265 c53d0f 5251->5265 5253 c52dbe __fclose_nolock 66 API calls 5252->5253 5254 c580e7 5253->5254 5256 c52d6c __fclose_nolock 11 API calls 5254->5256 5256->5260 5260->5227 5352 c5600e LeaveCriticalSection 5262->5352 5264 c569ff 5264->5228 5266 c53d21 5265->5266 5267 c53d43 EnterCriticalSection 5265->5267 5266->5267 5268 c53d29 5266->5268 5269 c53d39 5267->5269 5270 c560e7 __lock 66 API calls 5268->5270 5271 c58057 5269->5271 5270->5269 5272 c5807c 5271->5272 5273 c58068 5271->5273 5275 c58078 5272->5275 5277 c56a01 __flush 97 API calls 5272->5277 5274 c52dbe __fclose_nolock 66 API calls 5273->5274 5276 c5806d 5274->5276 5287 c58130 5275->5287 5278 c52d6c __fclose_nolock 11 API calls 5276->5278 5279 c58088 5277->5279 5278->5275 5290 c584df 5279->5290 5282 c5520d __fclose_nolock 66 API calls 5283 c58096 5282->5283 5294 c5841b 5283->5294 5285 c5809c 5285->5275 5286 c53b1f _free 66 API calls 5285->5286 5286->5275 5345 c53d82 5287->5345 5289 c58136 5289->5260 5291 c584ef 5290->5291 5293 c58090 5290->5293 5292 c53b1f _free 66 API calls 5291->5292 5291->5293 5292->5293 5293->5282 5295 c58427 _wprintf 5294->5295 5296 c5842f 5295->5296 5297 c5844a 5295->5297 5298 c52dd1 __dosmaperr 66 API calls 5296->5298 5299 c58456 5297->5299 5302 c58490 5297->5302 5300 c58434 5298->5300 5301 c52dd1 __dosmaperr 66 API calls 5299->5301 5303 c52dbe __fclose_nolock 66 API calls 5300->5303 5304 c5845b 5301->5304 5305 c570b8 ___lock_fhandle 68 API calls 5302->5305 5312 c5843c _wprintf 5303->5312 5306 c52dbe __fclose_nolock 66 API calls 5304->5306 5308 c58496 5305->5308 5307 c58463 5306->5307 5309 c52d6c __fclose_nolock 11 API calls 5307->5309 5310 c584a4 5308->5310 5311 c584b0 5308->5311 5309->5312 5317 c5837f 5310->5317 5314 c52dbe __fclose_nolock 66 API calls 5311->5314 5312->5285 5315 c584aa 5314->5315 5332 c584d7 5315->5332 5318 c5704f __close_nolock 66 API 
calls 5317->5318 5321 c5838f 5318->5321 5319 c583e5 5335 c56fc9 5319->5335 5321->5319 5322 c583c3 5321->5322 5323 c5704f __close_nolock 66 API calls 5321->5323 5322->5319 5324 c5704f __close_nolock 66 API calls 5322->5324 5326 c583ba 5323->5326 5327 c583cf CloseHandle 5324->5327 5329 c5704f __close_nolock 66 API calls 5326->5329 5327->5319 5330 c583db GetLastError 5327->5330 5328 c5840f 5328->5315 5329->5322 5330->5319 5331 c52de4 __dosmaperr 66 API calls 5331->5328 5344 c57157 LeaveCriticalSection 5332->5344 5334 c584dd 5334->5312 5336 c57035 5335->5336 5337 c56fda 5335->5337 5338 c52dbe __fclose_nolock 66 API calls 5336->5338 5337->5336 5342 c57005 5337->5342 5339 c5703a 5338->5339 5340 c52dd1 __dosmaperr 66 API calls 5339->5340 5341 c5702b 5340->5341 5341->5328 5341->5331 5342->5341 5343 c57025 SetStdHandle 5342->5343 5343->5341 5344->5334 5346 c53d93 5345->5346 5347 c53db2 LeaveCriticalSection 5345->5347 5346->5347 5348 c53d9a 5346->5348 5347->5289 5351 c5600e LeaveCriticalSection 5348->5351 5350 c53daf 5350->5289 5351->5350 5352->5264 5353 c56474 5354 c53b9e __calloc_crt 66 API calls 5353->5354 5355 c56480 EncodePointer 5354->5355 5356 c56499 5355->5356 3744 c51750 RegisterServiceCtrlHandlerA 3745 c517ed 3744->3745 3746 c517a2 SetServiceStatus 3744->3746 3747 c517d2 CreateEventA 3746->3747 3748 c517c8 GetLastError 3746->3748 3750 c51a62 3747->3750 3751 c51a87 3750->3751 3752 c51a72 3750->3752 3771 c53009 TlsGetValue 3751->3771 3798 c52dbe 3752->3798 3760 c51aeb 3804 c53b1f 3760->3804 3764 c51af1 3766 c51a82 3764->3766 3810 c52de4 3764->3810 3766->3745 3767 c51aaf CreateThread 3769 c51ad7 ResumeThread 3767->3769 3770 c51ae3 GetLastError 3767->3770 4069 c51a09 3767->4069 3769->3766 3769->3770 3770->3760 3772 c5301e DecodePointer TlsSetValue 3771->3772 3773 c51a8d 3771->3773 3772->3773 3774 c53b9e 3773->3774 3775 c53ba7 3774->3775 3777 c51a99 3775->3777 3778 c53bc5 Sleep 3775->3778 3815 c56836 3775->3815 3777->3760 3780 c531c4 3777->3780 3779 c53bda 3778->3779 
3779->3775 3779->3777 3826 c5314b GetLastError 3780->3826 3782 c531cc 3783 c51aa6 3782->3783 3840 c537c3 3782->3840 3785 c53097 3783->3785 4039 c53930 3785->4039 3787 c530a3 GetModuleHandleW 3788 c560e7 __lock 64 API calls 3787->3788 3789 c530e1 InterlockedIncrement 3788->3789 4040 c53139 3789->4040 3792 c560e7 __lock 64 API calls 3793 c53102 3792->3793 4043 c55917 InterlockedIncrement 3793->4043 3795 c53120 4055 c53142 3795->4055 3797 c5312d _wprintf 3797->3767 3799 c5314b __getptd_noexit 66 API calls 3798->3799 3800 c51a77 3799->3800 3801 c52d6c 3800->3801 4060 c52d3f DecodePointer 3801->4060 3805 c53b53 __dosmaperr 3804->3805 3806 c53b2a HeapFree 3804->3806 3805->3764 3806->3805 3807 c53b3f 3806->3807 3808 c52dbe __fclose_nolock 64 API calls 3807->3808 3809 c53b45 GetLastError 3808->3809 3809->3805 4066 c52dd1 3810->4066 3812 c52def __dosmaperr 3813 c52dbe __fclose_nolock 66 API calls 3812->3813 3814 c52e02 3813->3814 3814->3766 3816 c56842 3815->3816 3820 c5685d 3815->3820 3817 c5684e 3816->3817 3816->3820 3818 c52dbe __fclose_nolock 65 API calls 3817->3818 3821 c56853 3818->3821 3819 c56870 RtlAllocateHeap 3819->3820 3823 c56897 3819->3823 3820->3819 3820->3823 3824 c56396 DecodePointer 3820->3824 3821->3775 3823->3775 3825 c563ab 3824->3825 3825->3820 3827 c53009 ___set_flsgetvalue 3 API calls 3826->3827 3828 c53162 3827->3828 3829 c531b8 SetLastError 3828->3829 3830 c53b9e __calloc_crt 62 API calls 3828->3830 3829->3782 3831 c53176 3830->3831 3831->3829 3832 c5317e DecodePointer 3831->3832 3833 c53193 3832->3833 3834 c53197 3833->3834 3835 c531af 3833->3835 3836 c53097 __getptd_noexit 62 API calls 3834->3836 3837 c53b1f _free 62 API calls 3835->3837 3838 c5319f GetCurrentThreadId 3836->3838 3839 c531b5 3837->3839 3838->3829 3839->3829 3847 c540e2 3840->3847 3844 c537d5 3880 c5378f 3844->3880 3883 c56ec0 3847->3883 3849 c540e9 3850 c540f6 3849->3850 3851 c56ec0 __NMSG_WRITE 66 API calls 3849->3851 3852 c53f33 __NMSG_WRITE 66 API calls 3850->3852 3854 c537cd 
[Execution graph rendering dropped: the node/edge list is not reproduced. Call paths recoverable from it, by address in the 00C50000 image:]
• 00C51380: InitializeSecurityDescriptor, SetSecurityDescriptorDacl, CreateNamedPipeA, ConnectNamedPipe; each accepted connection is handed to a new thread via 00C51A62 (CreateThread/ResumeThread, listed below) and the loop returns to CreateNamedPipeA.
• 00C51410-00C5148A: WaitForSingleObject, then either CloseHandle or OpenSCManagerA, OpenServiceA, DeleteService, SetServiceStatus, CloseServiceHandle (the service deletes its own registration once the wait completes).
• 00C512B0 (per-connection handler): InterlockedIncrement, ReadFile on the control pipe; 00C51000: InitializeSecurityDescriptor, SetSecurityDescriptorDacl, three _sprintf calls, CreateNamedPipeA three times, ConnectNamedPipe three times; 00C51201: CreateProcessA, then WaitForSingleObject, GetExitCodeProcess; WriteFile; DisconnectNamedPipe, CloseHandle, InterlockedDecrement, SetEvent.
• 00C51D50 / 00C54792: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter (the API set of the CRT security-cookie initialiser).
• 00C518DA: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess (CRT __call_reportfault/__invoke_watson path); 00C53EFF: SetUnhandledExceptionFilter.
• 00C56B94: EncodePointer, LoadLibraryW, GetProcAddress, DecodePointer (CRT dynamic import resolution).
• All remaining nodes are CRT internals (__lock, _free, __getptd, _malloc, __NMSG_WRITE, __amsg_exit, __freefls@4, __except_handler4).

              Executed Functions

              APIs
              • GetCurrentProcessId.KERNEL32 ref: 00C51559
              • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00C51588
              • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 00C51598
              • GetLastError.KERNEL32 ref: 00C515A2
              • LocalAlloc.KERNEL32(00000000,00000032), ref: 00C515B5
              • GetLastError.KERNEL32 ref: 00C515C1
              • FreeSid.ADVAPI32(?), ref: 00C516F0
              • FreeSid.ADVAPI32(?), ref: 00C516FA
              • LocalFree.KERNEL32(00000000), ref: 00C51701
              • FindCloseChangeNotification.KERNELBASE(?), ref: 00C51715
              • CloseHandle.KERNEL32(?), ref: 00C5171F
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Similarity
              • API ID: FreeProcess$CloseErrorLastLocalOpen$AllocChangeCurrentFindHandleNotificationToken
              • String ID: 2
              • API String ID: 608825413-450215437
              • Opcode ID: c9f13bfaa9071dc33f76b4d8d7ff5838101ac99cdf5a5309533d7bb7f31b0282
              • Instruction ID: 1056260fffc4c00cc4368c7c15f1803dd23f8fbc1a136e63df2a14f1d3ecb611
              • Opcode Fuzzy Hash: c9f13bfaa9071dc33f76b4d8d7ff5838101ac99cdf5a5309533d7bb7f31b0282
              • Instruction Fuzzy Hash: CE61FB78A0031ADFDB10DFA5CC88BAFB7B8FF48342F184559ED11A7250DB7499858B64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00C513AA
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000001), ref: 00C513B6
              • CreateNamedPipeA.KERNEL32(\\.\pipe\RemCom_communicaton,00000003,00000004,000000FF,00000000,00000000,000000FF,00000000), ref: 00C513E4
              • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 00C513F3
              Strings
              • \\.\pipe\RemCom_communicaton, xrefs: 00C513CE
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Similarity
              • API ID: DescriptorNamedPipeSecurity$ConnectCreateDaclInitialize
              • String ID: \\.\pipe\RemCom_communicaton
              • API String ID: 82124186-1156804775
              • Opcode ID: 88a64e1cceaac4c6538ad08711cf62e711d82a4125b25c3db4a7f05684663d9b
              • Instruction ID: 78d79a9dbe2cc78c3045f80005b7baa8a6d5cbb9edf3ddfe84de207d129f90ab
              • Opcode Fuzzy Hash: 88a64e1cceaac4c6538ad08711cf62e711d82a4125b25c3db4a7f05684663d9b
              • Instruction Fuzzy Hash: 2401F574D40314FBEB20CB908C46FDDBBB8EB4CB11F144154FA04BA1C0E3B452848B69
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (rendering dropped): 00C51800 calls 00C51540, then either goes straight to StartServiceCtrlDispatcherA at 00C51848 or first calls 00C51B09 (the _wprintf at 00C51840) and falls through to the same dispatcher call; the executed/not-executed colouring is not recoverable.
              APIs
                • Part of subcall function 00C51540: GetCurrentProcessId.KERNEL32 ref: 00C51559
                • Part of subcall function 00C51540: OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00C51588
                • Part of subcall function 00C51540: OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 00C51598
                • Part of subcall function 00C51540: GetLastError.KERNEL32 ref: 00C515A2
                • Part of subcall function 00C51540: FreeSid.ADVAPI32(?), ref: 00C516F0
                • Part of subcall function 00C51540: FreeSid.ADVAPI32(?), ref: 00C516FA
                • Part of subcall function 00C51540: LocalFree.KERNEL32(00000000), ref: 00C51701
                • Part of subcall function 00C51540: FindCloseChangeNotification.KERNELBASE(?), ref: 00C51715
                • Part of subcall function 00C51540: CloseHandle.KERNEL32(?), ref: 00C5171F
              • _wprintf.LIBCMT ref: 00C51840
              • StartServiceCtrlDispatcherA.ADVAPI32(RemComSvc), ref: 00C5184C
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Similarity
              • API ID: FreeProcess$CloseOpen$ChangeCtrlCurrentDispatcherErrorFindHandleLastLocalNotificationServiceStartToken_wprintf
              • String ID: A service Cannot be started directly.$RemComSvc
              • API String ID: 2955876789-1801173105
              • Opcode ID: 2dbe165187956fe25eda39d6a28424d090a9415cfc05813256f385de02c39496
              • Instruction ID: dbfc9b8fe19d00c333e22f21445ac6acbd44f46f8c814e17258f86995d43f0e9
              • Opcode Fuzzy Hash: 2dbe165187956fe25eda39d6a28424d090a9415cfc05813256f385de02c39496
              • Instruction Fuzzy Hash: 55E030F8C01208EBDF00EFD4D90979EBBB4EB04306F1400A4DC1962241E7B5578CDB96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ___set_flsgetvalue.LIBCMT ref: 00C51A88
              • __calloc_crt.LIBCMT ref: 00C51A94
              • __getptd.LIBCMT ref: 00C51AA1
              • CreateThread.KERNELBASE(00000000,?,00C51A09,00000000,00000004,00000000), ref: 00C51AC8
              • ResumeThread.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00C51AD8
              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00C51AE3
              • _free.LIBCMT ref: 00C51AEC
              • __dosmaperr.LIBCMT ref: 00C51AF7
                • Part of subcall function 00C52DBE: __getptd_noexit.LIBCMT ref: 00C52DBE
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Similarity
              • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
              • String ID:
              • API String ID: 3638380555-0
              • Opcode ID: 5f9e7fa1fbf3091f4d70c2285e902fe0fda82c05c3341f7258cc006227093762
              • Instruction ID: 663d13ca0243991b9e0bb9a4f1f8f57b000941fe37075577513ee5b0671acf05
              • Opcode Fuzzy Hash: 5f9e7fa1fbf3091f4d70c2285e902fe0fda82c05c3341f7258cc006227093762
              • Instruction Fuzzy Hash: F511593E101740AFC7222BB59C09F5B7BA8DFC1773B140216FD24971C0DF708988A2A8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegisterServiceCtrlHandlerA.ADVAPI32(Service,Function_000014E0), ref: 00C51793
              • SetServiceStatus.SECHOST(00000000,00C5D0E0), ref: 00C517BE
              • GetLastError.KERNEL32 ref: 00C517C8
              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C517D6
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Similarity
              • API ID: Service$CreateCtrlErrorEventHandlerLastRegisterStatus
              • String ID: Service
              • API String ID: 2753365956-773890894
              • Opcode ID: 98447a1f80f4ad0d362680be64b7d57360bf5531ca3dbde998d574e5d759396e
              • Instruction ID: 65797d65d3ef3c68a6801e2af28035afcbfdfffb3d743ea25a991fc030263013
              • Opcode Fuzzy Hash: 98447a1f80f4ad0d362680be64b7d57360bf5531ca3dbde998d574e5d759396e
              • Instruction Fuzzy Hash: BC0121BC401322DBC3709F15AD0DB8F3E68E788793F104416F816A61E0E37440CACB9A
              Uniqueness

              Uniqueness Score: -1.00%
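Three of the listings above carry the detection-relevant facts for this sample: the pipe server at 00C51380 creates \\.\pipe\RemCom_communicaton after SetSecurityDescriptorDacl(?, 1, 0, 1), i.e. bDaclPresent=TRUE with a NULL pDacl, which grants everyone full access to the pipe object so the only gate on remote use is the SMB session itself; 00C51800 hands the process to StartServiceCtrlDispatcherA with the table name "RemComSvc" while the handler at 00C51793 registers as "Service", and for a SERVICE_WIN32_OWN_PROCESS service the SCM ignores both names, so the installed service name is whatever the operator chose and is not a stable indicator; and the per-connection handler in the execution graph ends in CreateProcessA. The following is an added example written for this report, not code from RemCom or from Joe Sandbox. It runs a small stateful detector over constructed Sysmon-style lines (a simplified "Key=Value" rendering of event IDs 1, 17 and 18 and of the System log's 7045; the service name Qxtvz, the paths and the PIDs are made up) and keys on the pipe name as spelled in the binary, the service binary path rather than the service name, and the parent/child link between the pipe server and the commands it spawns.

```python
"""RemCom service-side indicators over constructed Sysmon-style events.

Added example for this report; not code from RemCom or Joe Sandbox. The event
format is a constructed 'Key=Value Key="quoted value"' simplification of
Sysmon event IDs 1 (process create), 17 (pipe created), 18 (pipe connected)
and the System log's 7045 (service installed). Service name, paths and PIDs
in SAMPLE_EVENTS are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Pipe name exactly as found in the binary (the misspelling is the tool's own;
# a rule that "corrects" it to communication will never fire).
REMCOM_PIPE = "\\RemCom_communicaton"
# Locations a legitimately installed service binary is expected to live under.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed event line into a field dictionary."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


class RemComDetector:
    """Stateful detector. It remembers which processes served the RemCom
    control pipe so that the processes they later spawn (the CreateProcessA
    path in the execution graph) are attributed to the tool rather than
    judged on their command line alone."""

    def __init__(self) -> None:
        self.pipe_servers: Set[str] = set()
        self.findings: List[Finding] = []

    def feed(self, line: str) -> None:
        ev = parse_event(line)
        eid = int(ev.get("EventID", "0"))
        pid = ev.get("ProcessId", "")
        pipe = ev.get("PipeName", "").lower()
        if eid == 7045:
            # The service name is operator-chosen; the binary path is the
            # stable signal for a PsExec-style push of a service binary.
            path = ev.get("ImagePath", "").lower()
            if not path.startswith(SYSTEM_DIRS):
                self.findings.append(Finding("service_outside_system_dirs", eid,
                                             f"{ev.get('ServiceName')} -> {ev.get('ImagePath')}"))
        elif eid == 17 and pipe == REMCOM_PIPE.lower():
            self.pipe_servers.add(pid)
            self.findings.append(Finding("remcom_pipe_created", eid, f"{ev.get('Image')} pid {pid}"))
        elif eid == 18 and pipe == REMCOM_PIPE.lower():
            # Remote SMB clients of a pipe are logged under the System process (pid 4).
            self.findings.append(Finding("remcom_pipe_client", eid, f"{ev.get('Image')} pid {pid}"))
        elif eid == 1 and ev.get("ParentProcessId") in self.pipe_servers:
            self.findings.append(Finding("remcom_child_process", eid, ev.get("CommandLine", "")))


def scan(lines: List[str]) -> List[Finding]:
    """Run the detector over a list of event lines and return its findings."""
    det = RemComDetector()
    for line in lines:
        det.feed(line)
    return det.findings


# Constructed sample: install, start, control-pipe creation, one remote client,
# one spawned command, and an unrelated pipe that must not match.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=Qxtvz ImagePath="C:\Users\alice\Desktop\RemComSvc.exe" StartType="demand start"',
    r'EventID=1 ProcessId=6120 ParentProcessId=700 Image="C:\Users\alice\Desktop\RemComSvc.exe" ParentImage="C:\Windows\System32\services.exe" CommandLine="C:\Users\alice\Desktop\RemComSvc.exe"',
    r'EventID=17 ProcessId=6120 Image="C:\Users\alice\Desktop\RemComSvc.exe" PipeName="\RemCom_communicaton"',
    r'EventID=18 ProcessId=4 Image="System" PipeName="\RemCom_communicaton"',
    r'EventID=1 ProcessId=8012 ParentProcessId=6120 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Users\alice\Desktop\RemComSvc.exe" CommandLine="cmd.exe /c whoami"',
    r'EventID=17 ProcessId=4100 Image="C:\Windows\System32\lsass.exe" PipeName="\lsass"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} (event {f.event_id}): {f.detail}")
```

On the sample the detector raises four findings in order: the service install outside a system directory, creation of the control pipe by the service process, a remote client of that pipe, and cmd.exe spawned by the pipe server; the lsass pipe and the service's own start by services.exe are not flagged. Because the process-to-child link is tracked by PID, the detector must see events in chronological order, as a log pipeline normally delivers them. On a live host the NULL DACL on the pipe can be confirmed with Sysinternals AccessChk against \pipe\RemCom_communicaton.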

              APIs
              • ___set_flsgetvalue.LIBCMT ref: 00C51A0E
                • Part of subcall function 00C53009: TlsGetValue.KERNEL32(?,00C51A13), ref: 00C53012
                • Part of subcall function 00C53009: DecodePointer.KERNEL32(?,00C51A13), ref: 00C53024
                • Part of subcall function 00C53009: TlsSetValue.KERNEL32(00000000,?,00C51A13), ref: 00C53033
                • Part of subcall function 00C52FE9: TlsGetValue.KERNEL32(?,?,00C51A1E,00000000), ref: 00C52FF7
              • ___fls_setvalue@8.LIBCMT ref: 00C51A2B
                • Part of subcall function 00C5303D: DecodePointer.KERNEL32(?,?,?,00C51A30,00000000,?,00000000), ref: 00C5304E
              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00C51A34
              • ExitThread.KERNEL32 ref: 00C51A3B
              • __freefls@4.LIBCMT ref: 00C51A57
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Similarity
              • API ID: Value$DecodePointer$ErrorExitLastThread___fls_setvalue@8___set_flsgetvalue__freefls@4
              • String ID:
              • API String ID: 1318250341-0
              • Opcode ID: eb662512b3ed2cd2cf6b664ca8be4d2b968a1caf41092070151642bb14181d8e
              • Instruction ID: 6660596d2f2aa8659385ed423477ed0eea7dfe5dc9e86545ec5ceddfcfa32d7f
              • Opcode Fuzzy Hash: eb662512b3ed2cd2cf6b664ca8be4d2b968a1caf41092070151642bb14181d8e
              • Instruction Fuzzy Hash: CAF0127C500780ABDB05FFB1D94990E7FA99FC83467148454FC0997262DA38DACAA668
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (control-flow graph rendered as an image in the original report; legend: Executed / Not Executed)
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: __calloc_crt
              • String ID:
              • API String ID: 3494438863-0
              • Opcode ID: 05941524e91b8b2056ff068258dbfb48ea5ea6e361d0d5c2b50e29eef1113d21
              • Instruction ID: 9d9130f3b0fd3396663354d13ab9324dbe35327ccc087a1e8832b72c9448e3ad
              • Opcode Fuzzy Hash: 05941524e91b8b2056ff068258dbfb48ea5ea6e361d0d5c2b50e29eef1113d21
              • Instruction Fuzzy Hash: 62113A7E3003504BE7298E2DBC457692382E7413A2B14072AFD12EB290E7B0EAC5820C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (control-flow graph rendered as an image in the original report; legend: Executed / Not Executed)
              APIs
              • WaitForSingleObject.KERNEL32(00000144,0000000A), ref: 00C51430
              • CloseHandle.KERNEL32(00000144), ref: 00C51442
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: CloseHandleObjectSingleWait
              • String ID:
              • API String ID: 528846559-0
              • Opcode ID: 62a7543870fef23bfdea14e000dd9233aca91645374bad1667fa878b5441ffa6
              • Instruction ID: e1beaa852046d2856c1988339f02740c9f92c476a8ff0c7e23a91a7b2de1d39e
              • Opcode Fuzzy Hash: 62a7543870fef23bfdea14e000dd9233aca91645374bad1667fa878b5441ffa6
              • Instruction Fuzzy Hash: D3D01239F41312E6D7206764BC4AF4A3614ABC4753F194450FD01A71D1E76094C5867D
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (control-flow graph rendered as an image in the original report; legend: Executed / Not Executed)
              APIs
              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C53BB4,?,?,00000000,00000000,00000000,?,00C53176,00000001,00000214,?,00C53B6A), ref: 00C56879
                • Part of subcall function 00C52DBE: __getptd_noexit.LIBCMT ref: 00C52DBE
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap__getptd_noexit
              • String ID:
              • API String ID: 328603210-0
              • Opcode ID: 61341f1598a78ff14410483d9da5f078b8f4c5b7f9e173af2c6cf5dc0668e256
              • Instruction ID: d394deacecb6e5273ad372b832e45d4f4762f10c1247a1bf004a99748a2df45f
              • Opcode Fuzzy Hash: 61341f1598a78ff14410483d9da5f078b8f4c5b7f9e173af2c6cf5dc0668e256
              • Instruction Fuzzy Hash: D701B5392013119BEF249F35DC14B6A3394EF91763F414529EC269B2E0CB3099C8CB58
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • __getptd.LIBCMT ref: 00C519D4
                • Part of subcall function 00C531C4: __getptd_noexit.LIBCMT ref: 00C531C7
                • Part of subcall function 00C531C4: __amsg_exit.LIBCMT ref: 00C531D4
                • Part of subcall function 00C5199B: __getptd_noexit.LIBCMT ref: 00C5199E
                • Part of subcall function 00C5199B: CloseHandle.KERNEL32(?,?,00C519E9), ref: 00C519B2
                • Part of subcall function 00C5199B: __freeptd.LIBCMT ref: 00C519B9
                • Part of subcall function 00C5199B: ExitThread.KERNEL32 ref: 00C519C1
                • Part of subcall function 00C537E1: __getptd_noexit.LIBCMT ref: 00C537E7
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: __getptd_noexit$CloseExitHandleThread__amsg_exit__freeptd__getptd
              • String ID:
              • API String ID: 4046768623-0
              • Opcode ID: 343c631d1b6ce114c93e15120c235a4f9b29c21f790bad413d0cf59c70314b60
              • Instruction ID: c40fbf0a9f11720e032005e7d028af2f998c1fdfb1e974a43ffab1421a003b15
              • Opcode Fuzzy Hash: 343c631d1b6ce114c93e15120c235a4f9b29c21f790bad413d0cf59c70314b60
              • Instruction Fuzzy Hash: 13E08CB89006409FDB08AB60C886F6E7731EF04352F200048F8022B2E2CE759A88AA18
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              APIs
              • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,00C5143B), ref: 00C5145B
              • OpenServiceA.ADVAPI32(00000000,RemComSvc,000F01FF,74DF30D0,?,?,00C5143B), ref: 00C51473
              • CloseServiceHandle.ADVAPI32(00000000,?,?,00C5143B), ref: 00C51480
              • DeleteService.ADVAPI32(00000000,?,?,00C5143B), ref: 00C5148B
              • SetServiceStatus.ADVAPI32(011F46E0,00C5D0E0,?,?,00C5143B), ref: 00C514BE
              • CloseServiceHandle.ADVAPI32(00000000,?,?,00C5143B), ref: 00C514CB
              • CloseServiceHandle.ADVAPI32(00000000,?,?,00C5143B), ref: 00C514CE
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: Service$CloseHandle$Open$DeleteManagerStatus
              • String ID: RemComSvc
              • API String ID: 3691197935-1342256991
              • Opcode ID: 968e249da4fc8ec61bc7cf9941c1fa02468c541dc0e5fd66e66b6184be5a1bca
              • Instruction ID: fae4eebedbca790416fe9eb8dc349579aa46c63be0b6abc175bd6ada84d2df2e
              • Opcode Fuzzy Hash: 968e249da4fc8ec61bc7cf9941c1fa02468c541dc0e5fd66e66b6184be5a1bca
              • Instruction Fuzzy Hash: 52F062BE600321EBC7206F65EC88B9E3B68E7CC763700446AFA07A2190C77448C69A65
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsDebuggerPresent.KERNEL32 ref: 00C52EC2
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C52ED7
              • UnhandledExceptionFilter.KERNEL32(00C592DC), ref: 00C52EE2
              • GetCurrentProcess.KERNEL32(C0000409), ref: 00C52EFE
              • TerminateProcess.KERNEL32(00000000), ref: 00C52F05
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID:
              • API String ID: 2579439406-0
              • Opcode ID: e2729c7c624e69263af0780fecd997b46060ff4deb271a0c0cae512d1a728d9a
              • Instruction ID: 6d20e3fa2d9ca493874dfe8e918e2790efc9470e3066f6e62c18a99e084c47bc
              • Opcode Fuzzy Hash: e2729c7c624e69263af0780fecd997b46060ff4deb271a0c0cae512d1a728d9a
              • Instruction Fuzzy Hash: A621BBBC801304DFD720DF64ED8574D7BA0FB48327F50815AE80AA76A0E7B099C5CB9A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(Function_00003EBD), ref: 00C53F04
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 0d4e11220ad683a9729fadefb2b992204bd6ebff8879fa708546e107d1e2161b
              • Instruction ID: 38d8e1a3957435ea12b5d9b9464f6e5fcb9a6a64a74cfbe0901222b256fcbc57
              • Opcode Fuzzy Hash: 0d4e11220ad683a9729fadefb2b992204bd6ebff8879fa708546e107d1e2161b
              • Instruction Fuzzy Hash: 519002692512648A46011B705C1E70B76E0EA8D64B7810CA16401D40D4DBB54188D555
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00C51C6F,00C5AB50,00000014), ref: 00C53383
              • __mtterm.LIBCMT ref: 00C5338F
                • Part of subcall function 00C5305A: DecodePointer.KERNEL32(00000002,00C534F1,?,00C51C6F,00C5AB50,00000014), ref: 00C5306B
                • Part of subcall function 00C5305A: TlsFree.KERNEL32(00000001,00C534F1,?,00C51C6F,00C5AB50,00000014), ref: 00C53085
                • Part of subcall function 00C5305A: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,00C534F1,?,00C51C6F,00C5AB50,00000014), ref: 00C55FD4
                • Part of subcall function 00C5305A: _free.LIBCMT ref: 00C55FD7
                • Part of subcall function 00C5305A: DeleteCriticalSection.KERNEL32(00000001,76EF5810,?,00C534F1,?,00C51C6F,00C5AB50,00000014), ref: 00C55FFE
              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C533A5
              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C533B2
              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C533BF
              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C533CC
              • TlsAlloc.KERNEL32(?,00C51C6F,00C5AB50,00000014), ref: 00C5341C
              • TlsSetValue.KERNEL32(00000000,?,00C51C6F,00C5AB50,00000014), ref: 00C53437
              • __init_pointers.LIBCMT ref: 00C53441
              • EncodePointer.KERNEL32(?,00C51C6F,00C5AB50,00000014), ref: 00C53452
              • EncodePointer.KERNEL32(?,00C51C6F,00C5AB50,00000014), ref: 00C5345F
              • EncodePointer.KERNEL32(?,00C51C6F,00C5AB50,00000014), ref: 00C5346C
              • EncodePointer.KERNEL32(?,00C51C6F,00C5AB50,00000014), ref: 00C53479
              • DecodePointer.KERNEL32(Function_000031DE,?,00C51C6F,00C5AB50,00000014), ref: 00C5349A
              • __calloc_crt.LIBCMT ref: 00C534AF
              • DecodePointer.KERNEL32(00000000,?,00C51C6F,00C5AB50,00000014), ref: 00C534C9
              • GetCurrentThreadId.KERNEL32 ref: 00C534DB
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
              • API String ID: 3698121176-3819984048
              • Opcode ID: ee2c876586cf5dc90e795056f59e7c137bc3fbbf959e171644f6563d543ed68d
              • Instruction ID: 83a7bd88d8119b56ec7c78662b5948e4c231f8cd7832760a2bc1690588c8cfb0
              • Opcode Fuzzy Hash: ee2c876586cf5dc90e795056f59e7c137bc3fbbf959e171644f6563d543ed68d
              • Instruction Fuzzy Hash: D931503D900350DBC7326B75AC0971E3EA4EB843A37140966E819E32F1EB74A5C9DF56
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00C5101E
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 00C5102E
              • _sprintf.LIBCMT ref: 00C5107E
              • _sprintf.LIBCMT ref: 00C5109A
              • _sprintf.LIBCMT ref: 00C510B6
                • Part of subcall function 00C51856: __flsbuf.LIBCMT ref: 00C518CC
              • CreateNamedPipeA.KERNEL32(00C5CDC8,00000002,00000004,000000FF,00000000,00000000,000000FF,0000000C), ref: 00C510DC
              • CreateNamedPipeA.KERNEL32(00C5CFD8,00000002,00000004,000000FF,00000000,00000000,000000FF,0000000C), ref: 00C510F9
              • CreateNamedPipeA.KERNEL32(00C5CED0,00000001,00000004,000000FF,00000000,00000000,000000FF,0000000C), ref: 00C51116
              • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00C51137
              • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00C5113F
              • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00C51147
              • CloseHandle.KERNEL32(?), ref: 00C5115C
              • CloseHandle.KERNEL32(?), ref: 00C51162
              • CloseHandle.KERNEL32(?), ref: 00C51168
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: NamedPipe$CloseConnectCreateHandle_sprintf$DescriptorSecurity$DaclInitialize__flsbuf
              • String ID: RemCom_stderr$RemCom_stdin$RemCom_stdout$\\.\pipe\%s%s%d
              • API String ID: 1233488124-627055030
              • Opcode ID: e57a8d1e8768f517d27f3046717bdddaed65a9b3f524bc8f22489ad30acc28f5
              • Instruction ID: 8e988cbb6c71512529034972b36ae10883870105937cfc3b78e049262bc7af4b
              • Opcode Fuzzy Hash: e57a8d1e8768f517d27f3046717bdddaed65a9b3f524bc8f22489ad30acc28f5
              • Instruction Fuzzy Hash: 15418375A80704BFE720DBA48C86FAAB3B4EB88721F104759FB25A75D0D7F0B4848B54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C5203C
                • Part of subcall function 00C51EBE: __getptd.LIBCMT ref: 00C51ED1
                • Part of subcall function 00C52DBE: __getptd_noexit.LIBCMT ref: 00C52DBE
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: Locale$UpdateUpdate::___getptd__getptd_noexit
              • String ID: @$g$$4$Z$i$
              • API String ID: 943650538-3645810406
              • Opcode ID: 096649a8136e5e27ddc3d13175e2513a7f76c45aaad3340507359f99555be709
              • Instruction ID: 7ac732c0e5a10e151af397a991979ddb37bb0674c63955e30cdf0dd78f20fd7a
              • Opcode Fuzzy Hash: 096649a8136e5e27ddc3d13175e2513a7f76c45aaad3340507359f99555be709
              • Instruction Fuzzy Hash: 53B18F79C056298FDF24CF248C887ADBBF4AB56312F1402D6D829A62A1D7745FC9CF48
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C511A6
                • Part of subcall function 00C51000: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00C5101E
                • Part of subcall function 00C51000: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 00C5102E
                • Part of subcall function 00C51000: _sprintf.LIBCMT ref: 00C5107E
                • Part of subcall function 00C51000: _sprintf.LIBCMT ref: 00C5109A
                • Part of subcall function 00C51000: _sprintf.LIBCMT ref: 00C510B6
                • Part of subcall function 00C51000: CreateNamedPipeA.KERNEL32(00C5CDC8,00000002,00000004,000000FF,00000000,00000000,000000FF,0000000C), ref: 00C510DC
                • Part of subcall function 00C51000: CreateNamedPipeA.KERNEL32(00C5CFD8,00000002,00000004,000000FF,00000000,00000000,000000FF,0000000C), ref: 00C510F9
                • Part of subcall function 00C51000: CreateNamedPipeA.KERNEL32(00C5CED0,00000001,00000004,000000FF,00000000,00000000,000000FF,0000000C), ref: 00C51116
                • Part of subcall function 00C51000: ConnectNamedPipe.KERNEL32(?,00000000), ref: 00C51137
              • _sprintf.LIBCMT ref: 00C511FC
              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,?,00000044,?), ref: 00C51243
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C51267
              • GetExitCodeProcess.KERNEL32(?,?), ref: 00C5126F
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: CreateNamedPipe_sprintf$DescriptorProcessSecurity$CodeConnectDaclExitInitializeObjectSingleWait_memset
              • String ID: D$cmd.exe /q /c "%s"
              • API String ID: 3348913544-2994407908
              • Opcode ID: 5a214be4790592f088689c8929359e84e985905c1da91eb3351334de6520169a
              • Instruction ID: 3f29bcb8517832d567392ca6ad088b5686773987e8302e8fba6d9905a26db883
              • Opcode Fuzzy Hash: 5a214be4790592f088689c8929359e84e985905c1da91eb3351334de6520169a
              • Instruction Fuzzy Hash: ED31C475A00218ABDB20DB64DC46BEBB3B8EB48302F0441D9FD09971C0D7B46AC88F94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedIncrement.KERNEL32(00C5CDC0), ref: 00C512D0
              • ReadFile.KERNEL32(?,?,00001214,?,00000000), ref: 00C512F9
              • WriteFile.KERNEL32(?,?,00000008,?,00000000), ref: 00C5133B
              • DisconnectNamedPipe.KERNEL32(?), ref: 00C51342
              • CloseHandle.KERNEL32(?), ref: 00C51349
              • InterlockedDecrement.KERNEL32(00C5CDC0), ref: 00C51354
              • SetEvent.KERNEL32(00000144), ref: 00C5136A
                • Part of subcall function 00C51180: _memset.LIBCMT ref: 00C511A6
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: FileInterlocked$CloseDecrementDisconnectEventHandleIncrementNamedPipeReadWrite_memset
              • String ID:
              • API String ID: 767879101-0
              • Opcode ID: 420dd39bdfbfee2645125b8f89782049bf370b4f3d3d46198d74f702955c0e76
              • Instruction ID: b56fb8a7fccf062a8eb7913ecca1d8b128e0a7ff27260c30efbd551bf025b104
              • Opcode Fuzzy Hash: 420dd39bdfbfee2645125b8f89782049bf370b4f3d3d46198d74f702955c0e76
              • Instruction Fuzzy Hash: A1114A39940318EFCB10DBA4EC49BDE77B8EB58302F044595F909E2090DB706AD8CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00C5AB70,00000008,00C5319F,00000000,00000000,?,00C53B6A,?,00000001,?,?,00C56072,00000018,00C5AC80,0000000C), ref: 00C530A8
              • __lock.LIBCMT ref: 00C530DC
                • Part of subcall function 00C560E7: __mtinitlocknum.LIBCMT ref: 00C560FD
                • Part of subcall function 00C560E7: __amsg_exit.LIBCMT ref: 00C56109
                • Part of subcall function 00C560E7: EnterCriticalSection.KERNEL32(?,?,?,00C5326F,0000000D,00C5AB98,00000008,00C51A5C,?,00000000), ref: 00C56111
              • InterlockedIncrement.KERNEL32(00C5C460), ref: 00C530E9
              • __lock.LIBCMT ref: 00C530FD
              • ___addlocaleref.LIBCMT ref: 00C5311B
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
              • String ID: KERNEL32.DLL
              • API String ID: 637971194-2576044830
              • Opcode ID: ba1cd28d6b082ab62d4789101ba44903141f3b67fea7f22165ebbc2308af6349
              • Instruction ID: 06000ed1bd55cdc8f08e5c10fcfe9c25eeb918b7be0c61d44b0f7d2f3e380693
              • Opcode Fuzzy Hash: ba1cd28d6b082ab62d4789101ba44903141f3b67fea7f22165ebbc2308af6349
              • Instruction Fuzzy Hash: 380161B9400B40EFD7209F65D80675DFBE0AF50322F10894EE896572E1CBB4AAC8DB59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __getptd.LIBCMT ref: 00C55462
                • Part of subcall function 00C531C4: __getptd_noexit.LIBCMT ref: 00C531C7
                • Part of subcall function 00C531C4: __amsg_exit.LIBCMT ref: 00C531D4
              • __amsg_exit.LIBCMT ref: 00C55482
              • __lock.LIBCMT ref: 00C55492
              • InterlockedDecrement.KERNEL32(?), ref: 00C554AF
              • _free.LIBCMT ref: 00C554C2
              • InterlockedIncrement.KERNEL32(014F15B8), ref: 00C554DA
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
              • String ID:
              • API String ID: 3470314060-0
              • Opcode ID: 941c134ad186c8b30d95c09c5275baf3b387a18f7d57986a98bac4624f8f87fd
              • Instruction ID: c3cc054094195028545569d9f5385e6ebed42d30a9b8722d3d848c13371a7d58
              • Opcode Fuzzy Hash: 941c134ad186c8b30d95c09c5275baf3b387a18f7d57986a98bac4624f8f87fd
              • Instruction Fuzzy Hash: BC01AD7E900B21ABCB21AB64989676EB7A0AF54763F004505EC24672C0C734AAC8DBDD
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _malloc.LIBCMT ref: 00C568C6
                • Part of subcall function 00C567A2: __FF_MSGBANNER.LIBCMT ref: 00C567BB
                • Part of subcall function 00C567A2: __NMSG_WRITE.LIBCMT ref: 00C567C2
                • Part of subcall function 00C567A2: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00C53B6A,?,00000001,?,?,00C56072,00000018,00C5AC80,0000000C,00C56102), ref: 00C567E7
              • _free.LIBCMT ref: 00C568D9
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap_free_malloc
              • String ID:
              • API String ID: 1020059152-0
              • Opcode ID: 84fcf779928c255701fa1bdfe68a0470cc0aab1c3ad842c64fddc378d4ca88ae
              • Instruction ID: 39bab87723991c1bcc51316d0df567fddfd0a46962b9e0744e7af5e637004691
              • Opcode Fuzzy Hash: 84fcf779928c255701fa1bdfe68a0470cc0aab1c3ad842c64fddc378d4ca88ae
              • Instruction Fuzzy Hash: C711C43E500715ABCF312B75A80475E3BA4AB453B3B654425FC59AB2A0DB3489C8EB9C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __getptd.LIBCMT ref: 00C55BE3
                • Part of subcall function 00C531C4: __getptd_noexit.LIBCMT ref: 00C531C7
                • Part of subcall function 00C531C4: __amsg_exit.LIBCMT ref: 00C531D4
              • __getptd.LIBCMT ref: 00C55BFA
              • __amsg_exit.LIBCMT ref: 00C55C08
              • __lock.LIBCMT ref: 00C55C18
              • __updatetlocinfoEx_nolock.LIBCMT ref: 00C55C2C
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
              • String ID:
              • API String ID: 938513278-0
              • Opcode ID: 195956efe3a03fd364566e41a86ac373affd981892812d876c24a7441588ddc3
              • Instruction ID: 3f644314e40b3c7942dc6d1d9213e9824b7f6a927f9c13c71ada353ecc40f367
              • Opcode Fuzzy Hash: 195956efe3a03fd364566e41a86ac373affd981892812d876c24a7441588ddc3
              • Instruction Fuzzy Hash: 38F0907A904B549BEB21BB749847B5D72906F04763F104109FC116B1D2CB646AC8EA9E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C571F4
              • __isleadbyte_l.LIBCMT ref: 00C57227
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,?,?,00000000,?,?,?), ref: 00C57258
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000,?,?,?), ref: 00C572C6
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 238c411cabed6036cf84a479d999f767d242dbcca3f998490458c72d6eed65b1
              • Instruction ID: d4b7d5d460848bd2eababc47240668800322d3e86154c219fb7c313f8b219d67
              • Opcode Fuzzy Hash: 238c411cabed6036cf84a479d999f767d242dbcca3f998490458c72d6eed65b1
              • Instruction Fuzzy Hash: E931C235908246EFDB20DF64DC44ABE3BA1AF01312F1546A9FC649B191D730CAC4DB54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C5378F: _doexit.LIBCMT ref: 00C5379B
              • ___set_flsgetvalue.LIBCMT ref: 00C51A0E
                • Part of subcall function 00C53009: TlsGetValue.KERNEL32(?,00C51A13), ref: 00C53012
                • Part of subcall function 00C53009: DecodePointer.KERNEL32(?,00C51A13), ref: 00C53024
                • Part of subcall function 00C53009: TlsSetValue.KERNEL32(00000000,?,00C51A13), ref: 00C53033
                • Part of subcall function 00C52FE9: TlsGetValue.KERNEL32(?,?,00C51A1E,00000000), ref: 00C52FF7
              • ___fls_setvalue@8.LIBCMT ref: 00C51A2B
                • Part of subcall function 00C5303D: DecodePointer.KERNEL32(?,?,?,00C51A30,00000000,?,00000000), ref: 00C5304E
              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00C51A34
              • ExitThread.KERNEL32 ref: 00C51A3B
              • __freefls@4.LIBCMT ref: 00C51A57
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: Value$DecodePointer$ErrorExitLastThread___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
              • String ID:
              • API String ID: 2004460516-0
              • Opcode ID: 6e1bcb581fa5bf3027d9e327ce819333711cc14999ff298780f83963ab74e74f
              • Instruction ID: 45af67ae15d660ae166ec64f7803e2d3d28421b393e11cba2be6f386498175bc
              • Opcode Fuzzy Hash: 6e1bcb581fa5bf3027d9e327ce819333711cc14999ff298780f83963ab74e74f
              • Instruction Fuzzy Hash: 6DE086BC800385A7CF1137F1DC0EA5E3D2C9EC4383B440850BD1592062DE38C6D97568
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __getptd_noexit.LIBCMT ref: 00C5199E
                • Part of subcall function 00C5314B: GetLastError.KERNEL32(00000001,00000000,00C52DC3,00C5682B,00000000,?,00C53B6A,?,00000001,?,?,00C56072,00000018,00C5AC80,0000000C,00C56102), ref: 00C5314F
                • Part of subcall function 00C5314B: ___set_flsgetvalue.LIBCMT ref: 00C5315D
                • Part of subcall function 00C5314B: __calloc_crt.LIBCMT ref: 00C53171
                • Part of subcall function 00C5314B: DecodePointer.KERNEL32(00000000,?,00C53B6A,?,00000001,?,?,00C56072,00000018,00C5AC80,0000000C,00C56102,?,?,?,00C5326F), ref: 00C5318B
                • Part of subcall function 00C5314B: GetCurrentThreadId.KERNEL32 ref: 00C531A1
                • Part of subcall function 00C5314B: SetLastError.KERNEL32(00000000,?,00C53B6A,?,00000001,?,?,00C56072,00000018,00C5AC80,0000000C,00C56102,?,?,?,00C5326F), ref: 00C531B9
              • CloseHandle.KERNEL32(?,?,00C519E9), ref: 00C519B2
              • __freeptd.LIBCMT ref: 00C519B9
              • ExitThread.KERNEL32 ref: 00C519C1
              Memory Dump Source
              • Source File: 00000006.00000002.2945612423.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
              • Associated: 00000006.00000002.2945595181.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945631917.0000000000C59000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945651363.0000000000C5C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000006.00000002.2945670100.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_c50000_RemComSvc.jbxd
              Yara matches
              Similarity
              • API ID: ErrorLastThread$CloseCurrentDecodeExitHandlePointer___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
              • String ID:
              • API String ID: 2242352317-0
              • Opcode ID: ee347fdcb34b49adf3ef7e8b7747b6e4e6eee635a414ccf5c8509942dd65832b
              • Instruction ID: 00d23bc2157fb2202a643f2fe8d4142d26015c8d85b25816b00d2594480ecbb5
              • Opcode Fuzzy Hash: ee347fdcb34b49adf3ef7e8b7747b6e4e6eee635a414ccf5c8509942dd65832b
              • Instruction Fuzzy Hash: 82D0523A505E6097C3212334890DB5E26569F85B23B280B00FC36EA1E0CF288E8A8698
              Uniqueness

              Uniqueness Score: -1.00%