
Windows Analysis Report
nc.exe

Overview

General Information

Sample Name:nc.exe
Analysis ID:1307249
MD5:c90459986070e38fd8260d4430e23dfd
SHA1:ce3e01c3fce1f4563335cda87df7406c8ad2b6b7
SHA256:109c04127c3168a386744027413d11a84c6b5c91738b05f5c5e40c45e07b72f9
Tags: ChineseAPT, exe, HUN

Detection

Netcat
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Netcat
Creates a DirectInput object (often for capturing keystrokes)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Program does not show much activity (idle)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)

Classification

Classification wheel: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious (this sample: malicious, Spreading).

Process Tree

  • System is w10x64
  • nc.exe (PID: 6828, cmdline: C:\Users\user\Desktop\nc.exe, MD5: C90459986070E38FD8260D4430E23DFD)
    • conhost.exe (PID: 6836, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Yara matches (source | rule | description | author):
  nc.exe | JoeSecurity_Netcat | Yara detected Netcat | Joe Security
  00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Netcat | Yara detected Netcat | Joe Security
  00000000.00000000.377888447.0000000000408000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Netcat | Yara detected Netcat | Joe Security
  Process Memory Space: nc.exe PID: 6828 | JoeSecurity_Netcat | Yara detected Netcat | Joe Security
          No Sigma rule has matched
          No Snort rule has matched


          AV Detection

Source: nc.exe | Avira: detected
Source: nc.exe | ReversingLabs: Detection: 28%
Source: nc.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

          Spreading

Source: Yara match | File source: nc.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.377888447.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nc.exe PID: 6828, type: MEMORYSTR
Source: C:\Users\user\Desktop\nc.exe | Code function: 0_2_0040446D time,_isatty,_setmode,_isatty,_setmode,_close,_sleep,_errno,WSASetLastError,__WSAFDIsSet,memcpy,memcpy,select,WSAGetLastError,WSAGetLastError,shutdown,closesocket,time,shutdown,closesocket,WSASetLastError,__WSAFDIsSet,time,recv,_kbhit,gets,strcat,strlen,_close,_read,_close,_close,_write,_iob,fflush,send,_sleep,_errno,shutdown,closesocket | 0_2_0040446D
Source: nc.exe, 00000000.00000002.650060409.0000000000638000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> | memstr_cafd4fb1-8
Source: nc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal60.spre.winEXE@2/1@0/0
Source: unknown | Process created: C:\Users\user\Desktop\nc.exe C:\Users\user\Desktop\nc.exe
Source: C:\Users\user\Desktop\nc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\nc.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-2359
Source: C:\Users\user\Desktop\nc.exe | API coverage: 3.5 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: nc.exe, 00000000.00000002.650060409.0000000000638000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
Source: C:\Users\user\Desktop\nc.exe | Code function: 0_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,_iob,_setmode,_iob | 0_2_00401150
Source: C:\Users\user\Desktop\nc.exe | Code function: 0_2_00405B80 cpuid | 0_2_00405B80
Source: C:\Users\user\Desktop\nc.exe | Code function: 0_2_00403829 _errno,WSASetLastError,socket,socket,_dup,setsockopt,memcpy,htons,bind,_errno,inet_ntoa,_sleep,_errno,inet_ntoa,memcpy,htons,_setjmp,connect,WSASetLastError,WSAGetLastError,_errno,shutdown,closesocket,_errno,WSASetLastError | 0_2_00403829
Source: C:\Users\user\Desktop\nc.exe | Code function: 0_2_00403BA8 _errno,listen,getsockname,strcpy,inet_ntoa,strcat,strcat,strcat,htons,_setjmp,recvfrom,connect,_setjmp,accept,shutdown,closesocket,memset,getsockname,inet_ntoa,strcpy,htons,inet_ntoa,strcpy,_errno,memcmp,_errno,shutdown,closesocket | 0_2_00403BA8
MITRE ATT&CK matrix, matched techniques (number of contributing signatures in parentheses):
  Privilege Escalation: Process Injection (1)
  Defense Evasion: Process Injection (1)
  Credential Access: Input Capture (1)
  Discovery: Security Software Discovery (1), System Information Discovery (11)
  Collection: Input Capture (1)
  Command and Control: Ingress Tool Transfer (1)
No techniques matched under Initial Access, Execution, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.
Behavior graph (ID 1307249, sample nc.exe, start date 11/09/2023, architecture Windows, score 60), rendered as a figure in the original report: nc.exe is started and spawns conhost.exe; the signatures attached to the sample node are "Antivirus / Scanner detection for submitted sample", "Multi AV Scanner detection for submitted file" and "Yara detected Netcat".

Antivirus results (source | detection | scanner | label):
  nc.exe | 29% | ReversingLabs | Win32.Trojan.Generic
  nc.exe | 100% | Avira | BDS/Backdoor.Gen
No Antivirus matches in the remaining result tables
          No contacted domains info
          No contacted IP infos
          Joe Sandbox Version:38.0.0 Beryl
          Analysis ID:1307249
          Start date and time:2023-09-11 13:11:48 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 5m 19s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:nc.exe
          Detection:MAL
          Classification:mal60.spre.winEXE@2/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 5
          • Number of non-executed functions: 16
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): www.bing.com, tse1.mm.bing.net, g.bing.com, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
          • VT rate limit hit for: nc.exe
          No simulations
No context
          Process:C:\Users\user\Desktop\nc.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):10
          Entropy (8bit):3.121928094887362
          Encrypted:false
          SSDEEP:3:umFn:D
          MD5:552430716D5ECD7EB607728C6AA6D750
          SHA1:343C92A87B4E6887E140DFA476AEBAD03C4ABFD5
          SHA-256:E58FE825DF1CD85145B06292195AA553F11577105BA848731FAF0C774EE56648
          SHA-512:8DC6C13551BFDB196595B1368A5B72A5D85FE22736466C6DD5127A4F62C7D1E73A004C8F86072EAC245BF905A5336F5E8DE913D6B5F5010F98AE03F1DE503C01
          Malicious:false
          Reputation:moderate, very likely benign file
Preview:Cmd line:
These 10 bytes are netcat's "Cmd line: " prompt: started with no arguments, nc.exe writes that string with fprintf and fflush and then blocks in _read waiting for a command line on stdin (all three are in the msvcrt.dll import list below). The sandbox never supplied one, which is why the run is classified as idle, API coverage stays at 3.5 % and no network behavior was recorded. The listening-port and backdoor signatures therefore rest on static code-function analysis (the listen/accept and socket/bind/connect functions listed in the signature section), not on observed behavior; exercising those paths would require a cookbook that passes netcat a command line.
          File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
          Entropy (8bit):5.156999044074612
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.94%
          • Win16/32 Executable Delphi generic (2074/23) 0.02%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • VXD Driver (31/22) 0.00%
          File name:nc.exe
          File size:58'888 bytes
          MD5:c90459986070e38fd8260d4430e23dfd
          SHA1:ce3e01c3fce1f4563335cda87df7406c8ad2b6b7
          SHA256:109c04127c3168a386744027413d11a84c6b5c91738b05f5c5e40c45e07b72f9
          SHA512:6da06ebcf86251d4617f74ac63b07d3c161937961874434774e85edb6f7da2f0166080860066832da790d9a87948bc460f714980819f42aa3f8f6b543fd50f11
          SSDEEP:768:UU9M7HdpLfr1wD+lFn7uqXXlfHbE2mmuL6JZs0L7Yp8O6bpbec2V:UN7m4jlf7XmRsZv/9X2V
          TLSH:C34332E5BACA9DE7EA1452BCCCAAD676203CF4E087134F5396744C325B62E927CD4213
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.L.x..#..........8.T...t...............p....@..................................!........ ............................
          Icon Hash:90cececece8e8eb0
          Entrypoint:0x401280
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows cui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
          DLL Characteristics:
          Time Stamp:0x4CC77990 [Wed Oct 27 01:00:00 2010 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:9284347e8448a2e126e2a8d612a42f54
          Instruction
          push ebp
          mov ebp, esp
          sub esp, 08h
          mov dword ptr [esp], 00000001h
          call dword ptr [0040B2A8h]
          call 00007F37CCEA5C0Dh
          nop
          lea esi, dword ptr [esi+00000000h]
          push ebp
          mov ebp, esp
          sub esp, 08h
          mov dword ptr [esp], 00000002h
          call dword ptr [0040B2A8h]
          call 00007F37CCEA5BEDh
          nop
          lea esi, dword ptr [esi+00000000h]
          push ebp
          mov ecx, dword ptr [0040B2D4h]
          mov ebp, esp
          pop ebp
          jmp ecx
          lea esi, dword ptr [esi+00h]
          push ebp
          mov ecx, dword ptr [0040B2C0h]
          mov ebp, esp
          pop ebp
          jmp ecx
          nop
          nop
          nop
          nop
          push ebp
          mov ebp, esp
          pop ebp
          jmp 00007F37CCEAA7ACh
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          push ebp
          mov ebp, esp
          sub esp, 04h
          mov eax, dword ptr [ebp+08h]
          cmp byte ptr [eax], 00000000h
          je 00007F37CCEA5D6Ah
          mov eax, dword ptr [ebp+08h]
          movsx eax, byte ptr [eax]
          cmp eax, dword ptr [ebp+0Ch]
          jne 00007F37CCEA5D5Ah
          mov eax, dword ptr [ebp+08h]
          mov dword ptr [ebp-04h], eax
          jmp 00007F37CCEA5D5Eh
          inc dword ptr [ebp+08h]
          jmp 00007F37CCEA5D32h
          mov dword ptr [ebp-04h], 00000000h
          mov eax, dword ptr [ebp-04h]
          leave
          ret
          push ebp
          mov ebp, esp
          push ebx
          sub esp, 1Ch
          mov eax, dword ptr [0040A048h]
          mov dword ptr [ebp-08h], eax
          mov eax, dword ptr [0040A058h]
          mov dword ptr [ebp-0Ch], eax
          mov eax, dword ptr [0040A014h]
          mov dword ptr [ebp-10h], eax
          mov eax, dword ptr [ebp-10h]
          cmp eax, dword ptr [ebp-0Ch]
Data directories (name | virtual address | virtual size | section):
  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb000 | 0xa70 | .idata
  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (name | virtual address | virtual size | raw size | xored PE | ZLIB complexity | file type | entropy | characteristics):
  .text | 0x1000 | 0x5304 | 0x5400 | False | 0.44228980654761907 | data | 5.598404569723046 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .data | 0x7000 | 0xb0 | 0x200 | False | 0.189453125 | Matlab v4 mat-file (little endian) (UNKNOWN), text, rows 63, columns 0 | 1.2831406116232933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .rdata | 0x8000 | 0x1010 | 0x1200 | False | 0.4249131944444444 | data | 4.971079818250585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .bss | 0xa000 | 0x280 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .idata | 0xb000 | 0xa70 | 0xc00 | False | 0.3505859375 | data | 4.073144532935977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL: functions):
  KERNEL32.dll: AddAtomA, CloseHandle, CreatePipe, CreateProcessA, CreateThread, DisconnectNamedPipe, DuplicateHandle, ExitProcess, ExitThread, FindAtomA, FreeConsole, GetAtomNameA, GetCurrentProcess, GetLastError, GetStdHandle, PeekNamedPipe, ReadFile, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TerminateThread, WaitForMultipleObjects, WriteFile
  msvcrt.dll: _close, _dup, _itoa, _kbhit, _open, _read, _strcmpi, _strnicmp, _write
  msvcrt.dll: __getmainargs, __p__environ, __p__fmode, __set_app_type, _assert, _cexit, _errno, _iob, _isatty, _onexit, _setjmp, _setmode, _sleep, abort, atexit, atoi, exit, fflush, fprintf, free, getenv, gets, longjmp, malloc, memcmp, memcpy, memset, rand, signal, sprintf, srand, strcat, strchr, strcmp, strcpy, strlen, strncmp, strncpy, time
  WSOCK32.DLL: WSACleanup, WSAGetLastError, WSASetLastError, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, getservbyname, getservbyport, getsockname, htons, inet_addr, inet_ntoa, listen, ntohs, recv, recvfrom, select, send, setsockopt, shutdown, socket
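The import table above, together with the listen/accept and socket/bind/connect code functions cited in the signature section, is what the "open a port and listen ... (possibly a backdoor)" verdict rests on. The following Python script is an added example, not Joe Sandbox's signature logic and not netcat's code: it flattens the three import rows copied from this report into API names and checks for the combinations that implement a bind shell (socket/bind/listen/accept plus CreateProcessA wired to CreatePipe/DuplicateHandle, the plumbing behind netcat's -e option) and a reverse shell (connect plus the same plumbing). The rule names, the API alias groups, and the CONTROL_IMPORTS table used as a negative case are this example's own assumptions.

```python
"""Import-table capability triage for a Windows PE.

Added example, not Joe Sandbox's signature logic and not netcat's code.
REPORT_IMPORTS is copied from the DLL/Import section of the report above;
RULES, COMPOSITES and CONTROL_IMPORTS are this example's own assumptions.
"""
from __future__ import annotations

# Import rows as listed in the report (the two msvcrt.dll rows are merged).
REPORT_IMPORTS: dict[str, str] = {
    "KERNEL32.dll": (
        "AddAtomA, CloseHandle, CreatePipe, CreateProcessA, CreateThread, "
        "DisconnectNamedPipe, DuplicateHandle, ExitProcess, ExitThread, FindAtomA, "
        "FreeConsole, GetAtomNameA, GetCurrentProcess, GetLastError, GetStdHandle, "
        "PeekNamedPipe, ReadFile, SetUnhandledExceptionFilter, Sleep, TerminateProcess, "
        "TerminateThread, WaitForMultipleObjects, WriteFile"
    ),
    "msvcrt.dll": (
        "_close, _dup, _itoa, _kbhit, _open, _read, _strcmpi, _strnicmp, _write, "
        "__getmainargs, __p__environ, __p__fmode, __set_app_type, _assert, _cexit, "
        "_errno, _iob, _isatty, _onexit, _setjmp, _setmode, _sleep, abort, atexit, atoi, "
        "exit, fflush, fprintf, free, getenv, gets, longjmp, malloc, memcmp, memcpy, "
        "memset, rand, signal, sprintf, srand, strcat, strchr, strcmp, strcpy, strlen, "
        "strncmp, strncpy, time"
    ),
    "WSOCK32.DLL": (
        "WSACleanup, WSAGetLastError, WSASetLastError, WSAStartup, __WSAFDIsSet, accept, "
        "bind, closesocket, connect, gethostbyaddr, gethostbyname, getservbyname, "
        "getservbyport, getsockname, htons, inet_addr, inet_ntoa, listen, ntohs, recv, "
        "recvfrom, select, send, setsockopt, shutdown, socket"
    ),
}

# Constructed negative case (not from the report): a plain TCP client that
# imports no process-creation or pipe APIs.
CONTROL_IMPORTS: dict[str, str] = {
    "WS2_32.dll": "WSAStartup, WSACleanup, socket, connect, send, recv, closesocket, gethostbyname",
    "KERNEL32.dll": "GetLastError, ExitProcess, WriteFile, GetStdHandle",
}

# Capability rules (this example's own names). A rule matches when every
# group contributes at least one imported name; groups list A/W and
# WinSock2 aliases so one rule fits both wsock32.dll and ws2_32.dll builds.
RULES: dict[str, list[set[str]]] = {
    "tcp_listener": [{"socket", "wsasocketa", "wsasocketw"}, {"bind"}, {"listen"},
                     {"accept", "wsaaccept"}],
    "tcp_client": [{"socket", "wsasocketa", "wsasocketw"}, {"connect", "wsaconnect"}],
    "child_process_over_pipes": [{"createprocessa", "createprocessw"}, {"createpipe"},
                                 {"duplicatehandle", "peeknamedpipe", "readfile"}],
    "name_resolution": [{"gethostbyname", "getaddrinfo"}],
    "unsafe_line_input": [{"gets"}],
}

# Composite verdicts: every listed rule must match.
COMPOSITES: dict[str, list[str]] = {
    "bind_shell_capable": ["tcp_listener", "child_process_over_pipes"],
    "reverse_shell_capable": ["tcp_client", "child_process_over_pipes"],
}


def parse_imports(table: dict[str, str]) -> set[str]:
    """Flatten {dll: "f1, f2, ..."} into a set of lowercase API names.

    DLL names are deliberately dropped: the rules key on API names, so a
    build linking ws2_32.dll instead of wsock32.dll scores the same.
    """
    names: set[str] = set()
    for funcs in table.values():
        names.update(f.strip().lower() for f in funcs.split(",") if f.strip())
    return names


def assess(table: dict[str, str]) -> dict[str, bool]:
    """Evaluate every rule and composite against an import table."""
    names = parse_imports(table)
    verdict = {rule: all(names & group for group in groups) for rule, groups in RULES.items()}
    for composite, required in COMPOSITES.items():
        verdict[composite] = all(verdict[r] for r in required)
    return verdict


def summarize(table: dict[str, str]) -> str:
    """Comma-separated list of matched rule names, or 'none'."""
    return ", ".join(k for k, hit in assess(table).items() if hit) or "none"


if __name__ == "__main__":
    print("nc.exe (report):", summarize(REPORT_IMPORTS))
    print("control client: ", summarize(CONTROL_IMPORTS))
```

For the report's import list every rule fires, including both composites; the constructed control client matches only tcp_client and name_resolution. Matching on API names rather than on the DLL keeps the rule useful for later netcat builds and for other tools that link ws2_32.dll, at the cost of false positives on legitimate programs that also spawn children with redirected pipes (terminal emulators, build tools), so a hit is a triage prompt, not a verdict on its own.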
          No network behavior found

          Target ID:0
          Start time:13:12:47
          Start date:11/09/2023
          Path:C:\Users\user\Desktop\nc.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\nc.exe
          Imagebase:0x400000
          File size:58'888 bytes
          MD5 hash:C90459986070E38FD8260D4430E23DFD
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Netcat, Description: Yara detected Netcat, Source: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Netcat, Description: Yara detected Netcat, Source: 00000000.00000000.377888447.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
          Reputation:low
          Has exited:false

          Target ID:1
          Start time:13:12:47
          Start date:11/09/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff766460000
          File size:625'664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

Execution Graph

Execution Coverage: 3.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 13.4%
Total number of Nodes: 644
Total number of Limit Nodes: 1

Call graph (rendered as a figure in the original report): the entrypoint at 0x401280 (__set_app_type) runs the CRT start-up at 0x401150 (SetUnhandledExceptionFilter, __getmainargs, _setmode, __p__environ) and enters main at 0x404b3f, which calls WSAStartup (0x4028d0), the "Cmd line:" prompt path at 0x404c90 (fprintf, fflush, _read) and, on branches this run did not take, the socket set-up at 0x403829 (socket, bind, connect), the listener at 0x403ba8 (listen, accept), the send helper at 0x404058 and the transfer loop at 0x40446d (select, recv, send).
2874->2851 2874->2876 2875->2874 2876->2851 2877->2851 2878->2851 2879->2851 2880->2881 2881->2851 2882 4056a8 _sleep 2881->2882 2882->2851 2883 4025bb 2884 4025ca PeekNamedPipe 2883->2884 2885 402735 GetLastError 2884->2885 2886 40260e 2884->2886 2887 402794 ExitThread 2885->2887 2888 40273f GetLastError _itoa 2885->2888 2889 402654 Sleep 2886->2889 2890 40261e ReadFile 2886->2890 2895 402700 send 2886->2895 2892 4027b9 recv 2887->2892 2891 402ecf 6 API calls 2888->2891 2889->2884 2890->2886 2891->2887 2893 4028c0 ExitThread 2892->2893 2898 4027e9 2892->2898 2894 402829 _strnicmp 2896 40284b ExitThread 2894->2896 2894->2898 2895->2884 2895->2885 2897 402874 WriteFile 2897->2898 2899 4028af 2897->2899 2898->2892 2898->2894 2898->2897 2899->2893 2900 404f3c _errno 2944 405750 2900->2944 2903 404f80 2904 402f82 11 API calls 2903->2904 2933 404c5b 2904->2933 2905 401dc3 17 API calls 2905->2933 2906 405109 _errno 2909 402f82 11 API calls 2906->2909 2907 40512f time srand 2910 403097 13 API calls 2907->2910 2908 40515b _close 2908->2933 2909->2933 2910->2933 2911 405184 _open 2911->2933 2912 4031b3 34 API calls 2912->2933 2913 405238 _errno 2913->2933 2914 40351d 15 API calls 2914->2933 2915 403ba8 88 API calls 2915->2933 2916 4053d4 strchr 2916->2933 2917 4056ec _errno 2919 40571f WSACleanup 2917->2919 2917->2933 2918 402f82 11 API calls 2918->2933 2923 40572f 2919->2923 2919->2933 2920 402077 53 API calls 2920->2933 2921 40446d 53 API calls 2921->2933 2922 402ecf 6 API calls 2922->2919 2924 405744 exit 2923->2924 2925 405739 exit 2923->2925 2925->2924 2926 40534d exit 2926->2933 2927 403097 13 API calls 2927->2933 2928 403097 13 API calls 2930 404c90 fprintf fflush _read 2928->2930 2929 4037b0 11 API calls 2929->2933 2930->2933 2931 40550a rand 2931->2933 2932 403829 37 API calls 2932->2933 2933->2905 2933->2906 2933->2907 2933->2908 2933->2911 2933->2912 2933->2913 2933->2914 2933->2915 2933->2916 2933->2917 2933->2918 2933->2920 2933->2921 2933->2922 2933->2926 
2933->2927 2933->2928 2933->2929 2933->2931 2933->2932 2934 404d4a strchr 2933->2934 2935 404d2a memcpy 2933->2935 2936 404d71 strchr 2933->2936 2937 402ecf 6 API calls 2933->2937 2938 405639 WSAGetLastError 2933->2938 2939 404058 46 API calls 2933->2939 2940 402ecf 6 API calls 2933->2940 2941 405677 shutdown closesocket 2933->2941 2943 403716 rand 2933->2943 2934->2933 2934->2936 2935->2934 2936->2933 2937->2933 2938->2933 2939->2933 2940->2941 2941->2933 2942 4056a8 _sleep 2941->2942 2942->2933 2943->2933 2945 402ecf 6 API calls 2944->2945 2946 40576b 2945->2946 2947 402ecf 6 API calls 2946->2947 2948 405777 2947->2948 2949 402ecf 6 API calls 2948->2949 2950 405783 2949->2950 2951 402ecf 6 API calls 2950->2951 2952 40578f 2951->2952 2953 402ecf 6 API calls 2952->2953 2954 40579b 2953->2954 2955 402ecf 6 API calls 2954->2955 2956 4057a7 2955->2956 2957 402f82 11 API calls 2956->2957 2958 404f4c atoi 2957->2958 2958->2903 2958->2933 2709 404fdd 2710 40351d 15 API calls 2709->2710 2711 404ff2 2710->2711 2713 402f82 11 API calls 2711->2713 2742 404c5b 2711->2742 2712 401dc3 17 API calls 2712->2742 2713->2742 2714 405109 _errno 2717 402f82 11 API calls 2714->2717 2715 40512f time srand 2718 403097 13 API calls 2715->2718 2716 40515b _close 2716->2742 2717->2742 2718->2742 2719 405184 _open 2719->2742 2720 4031b3 34 API calls 2720->2742 2721 405238 _errno 2721->2742 2722 40351d 15 API calls 2722->2742 2723 403ba8 88 API calls 2723->2742 2724 4053d4 strchr 2724->2742 2725 4056ec _errno 2727 40571f WSACleanup 2725->2727 2725->2742 2726 402f82 11 API calls 2726->2742 2731 40572f 2727->2731 2727->2742 2728 402077 53 API calls 2728->2742 2729 40446d 53 API calls 2729->2742 2730 402ecf 6 API calls 2730->2727 2732 405744 exit 2731->2732 2733 405739 exit 2731->2733 2733->2732 2734 40534d exit 2734->2742 2735 403097 13 API calls 2735->2742 2736 403097 13 API calls 2738 404c90 fprintf fflush _read 2736->2738 2737 4037b0 11 API calls 2737->2742 2738->2742 2739 403716 rand 
2739->2742 2740 40550a rand 2740->2742 2741 403829 37 API calls 2741->2742 2742->2712 2742->2714 2742->2715 2742->2716 2742->2719 2742->2720 2742->2721 2742->2722 2742->2723 2742->2724 2742->2725 2742->2726 2742->2728 2742->2729 2742->2730 2742->2734 2742->2735 2742->2736 2742->2737 2742->2739 2742->2740 2742->2741 2743 404d4a strchr 2742->2743 2744 404d2a memcpy 2742->2744 2745 404d71 strchr 2742->2745 2746 402ecf 6 API calls 2742->2746 2747 405639 WSAGetLastError 2742->2747 2748 404058 46 API calls 2742->2748 2749 402ecf 6 API calls 2742->2749 2750 405677 shutdown closesocket 2742->2750 2743->2742 2743->2745 2744->2743 2745->2742 2746->2742 2747->2742 2748->2742 2749->2750 2750->2742 2751 4056a8 _sleep 2750->2751 2751->2742 2752 404e5f 2767 404c5b 2752->2767 2753 401dc3 17 API calls 2753->2767 2754 405109 _errno 2757 402f82 11 API calls 2754->2757 2755 40512f time srand 2758 403097 13 API calls 2755->2758 2756 40515b _close 2756->2767 2757->2767 2758->2767 2759 405184 _open 2759->2767 2760 402f82 11 API calls 2760->2767 2761 4031b3 34 API calls 2761->2767 2762 405238 _errno 2762->2767 2763 40351d 15 API calls 2763->2767 2764 403ba8 88 API calls 2764->2767 2765 4053d4 strchr 2765->2767 2766 4056ec _errno 2766->2767 2768 40571f WSACleanup 2766->2768 2767->2753 2767->2754 2767->2755 2767->2756 2767->2759 2767->2760 2767->2761 2767->2762 2767->2763 2767->2764 2767->2765 2767->2766 2769 402077 53 API calls 2767->2769 2770 40446d 53 API calls 2767->2770 2771 402ecf 6 API calls 2767->2771 2775 40534d exit 2767->2775 2776 403097 13 API calls 2767->2776 2777 403097 13 API calls 2767->2777 2778 4037b0 11 API calls 2767->2778 2780 403716 rand 2767->2780 2781 40550a rand 2767->2781 2782 403829 37 API calls 2767->2782 2783 404d4a strchr 2767->2783 2784 404d2a memcpy 2767->2784 2785 404d71 strchr 2767->2785 2786 402ecf 6 API calls 2767->2786 2787 405639 WSAGetLastError 2767->2787 2788 404058 46 API calls 2767->2788 2789 402ecf 6 API calls 2767->2789 2790 405677 shutdown 
closesocket 2767->2790 2768->2767 2772 40572f 2768->2772 2769->2767 2770->2767 2771->2768 2773 405744 exit 2772->2773 2774 405739 exit 2772->2774 2774->2773 2775->2767 2776->2767 2779 404c90 fprintf fflush _read 2777->2779 2778->2767 2779->2767 2780->2767 2781->2767 2782->2767 2783->2767 2783->2785 2784->2783 2785->2767 2786->2767 2787->2767 2788->2767 2789->2790 2790->2767 2791 4056a8 _sleep 2790->2791 2791->2767

          Callgraph


          Executed Functions

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
          • String ID:
          • API String ID: 3695137517-0
          • Opcode ID: 5ccf9f71e1772bdbbf39e5b335e3ec5758c075b78937d724ca577ce6272db996
          • Instruction ID: b2a29bb59dfddbed60e9d4291c6854c0dc59f2d1d3290c6ab55ec4b5ee31e2ac
          • Opcode Fuzzy Hash: 5ccf9f71e1772bdbbf39e5b335e3ec5758c075b78937d724ca577ce6272db996
          • Instruction Fuzzy Hash: 8C31E6749047048FC740EF79D585A1A77F4FB48354F018A7EE485A73A1DB38A850DB9E
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
            • Part of subcall function 004028D0: WSAStartup.WSOCK32 ref: 004028F0
            • Part of subcall function 00403097: malloc.MSVCRT ref: 004030AF
            • Part of subcall function 00403097: memset.MSVCRT ref: 004030D2
          • malloc.MSVCRT ref: 00404C34
          • _errno.MSVCRT ref: 00404C46
          • fprintf.MSVCRT ref: 00404CB1
          • fflush.MSVCRT ref: 00404CC1
          • _read.MSVCRT ref: 00404CDC
          • memcpy.MSVCRT ref: 00404D45
          • strchr.MSVCRT ref: 00404D5D
          • strchr.MSVCRT ref: 00404D84
            • Part of subcall function 00402F82: shutdown.WSOCK32 ref: 00402FD6
            • Part of subcall function 00402F82: closesocket.WSOCK32 ref: 00402FE6
            • Part of subcall function 00402F82: _sleep.MSVCRT ref: 00402FF5
            • Part of subcall function 00402F82: exit.MSVCRT ref: 00403001
            • Part of subcall function 00402F82: _errno.MSVCRT ref: 0040300C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: _errnomallocstrchr$Startup_read_sleepclosesocketexitfflushfprintfmemcpymemsetshutdown
          • String ID: -$3
          • API String ID: 252166648-2179763217
          • Opcode ID: d6f3d651980bc7f2da0cd37318467a5da7418944ce8d8500b5e6a3aae846b490
          • Instruction ID: 1ef7e52fd0711f9fae56f10bd1047bcc78a6a35cab79e0fb5138a11a05c26703
          • Opcode Fuzzy Hash: d6f3d651980bc7f2da0cd37318467a5da7418944ce8d8500b5e6a3aae846b490
          • Instruction Fuzzy Hash: D542C4B4904609DFDB10EF69D6447AEBBF0FB44308F00882EE485AB391D3799994DF5A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: Startup
          • String ID:
          • API String ID: 724789610-0
          • Opcode ID: d4d4897f77f9a831faf0b04030197b9fc0de5fe4051e218cc7902d3bfd0c03eb
          • Instruction ID: 12d7a9241bd70b487e9e8ceb51e60967d66dd23e63bf4637674b5b0b6a08df7f
          • Opcode Fuzzy Hash: d4d4897f77f9a831faf0b04030197b9fc0de5fe4051e218cc7902d3bfd0c03eb
          • Instruction Fuzzy Hash: 74F01274F0522C9DDB20AB6595493EDB7F4AF02305F4005ABD4C5722C0E6BC8989CF5B
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • __set_app_type.MSVCRT ref: 0040128D
            • Part of subcall function 00401150: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,00401298), ref: 0040115E
            • Part of subcall function 00401150: __getmainargs.MSVCRT ref: 0040119E
            • Part of subcall function 00401150: _setmode.MSVCRT ref: 004011D8
            • Part of subcall function 00401150: _setmode.MSVCRT ref: 004011FC
            • Part of subcall function 00401150: __p__fmode.MSVCRT ref: 00401210
            • Part of subcall function 00401150: __p__environ.MSVCRT ref: 0040122A
            • Part of subcall function 00401150: _cexit.MSVCRT ref: 0040124D
            • Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401255
            • Part of subcall function 00401150: _setmode.MSVCRT ref: 0040126F
          • __set_app_type.MSVCRT ref: 004012AD
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: _setmode$__set_app_type$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
          • String ID:
          • API String ID: 2043081007-0
          • Opcode ID: ccdb75c038e21b3412f0778672d55d0ec663c20d7a429cc5ba2fb924a44e5c23
          • Instruction ID: 0fc9b1ea2834b4d55f9e3481def7c8755dcfaf78b5b63eca07436e3d5fb50777
          • Opcode Fuzzy Hash: ccdb75c038e21b3412f0778672d55d0ec663c20d7a429cc5ba2fb924a44e5c23
          • Instruction Fuzzy Hash: 28D06235405214ABC3003BB5DD0A35DBBA8AB05301F41053CE6C577271D778384547DA
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: mallocmemset
          • String ID:
          • API String ID: 2882185209-0
          • Opcode ID: 776f2886ea24ebb40fe1cd321e2564f421eda7a237da9ace3bb0caa819d1d9a2
          • Instruction ID: 610e233dd54368f0e48f107edaa981eaecc20945b78952e42fd8a403bd4c74ca
          • Opcode Fuzzy Hash: 776f2886ea24ebb40fe1cd321e2564f421eda7a237da9ace3bb0caa819d1d9a2
          • Instruction Fuzzy Hash: E9F0A470905208EBCB00EFA9C58565DBBF4AF04308F1184AEE885A7381D778AA80DB46
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: ErrorLast_close$closesocketshutdowntime$_errno_isatty_setmode_sleepmemcpy$_kbhit_read_writefflushgetsrecvselectsendstrcatstrlen
          • String ID:
          • API String ID: 3999812599-0
          • Opcode ID: 39fa05aa31d10d10c0bc0456772fc601b339261855aa14d69fcded914fb68f28
          • Instruction ID: 2c93763f636bf7982f465ebb7d121f96439a7f7c435dab8046fe155020e47178
          • Opcode Fuzzy Hash: 39fa05aa31d10d10c0bc0456772fc601b339261855aa14d69fcded914fb68f28
          • Instruction Fuzzy Hash: E922D5B4904308DFDB10EFA9D58475EBBF0FB48304F10842AE985AB391D7789995CF5A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • _errno.MSVCRT ref: 00403BC3
            • Part of subcall function 00403829: _errno.MSVCRT ref: 0040383E
            • Part of subcall function 00403829: WSASetLastError.WSOCK32 ref: 00403850
            • Part of subcall function 00403829: socket.WSOCK32 ref: 00403879
            • Part of subcall function 00403829: _dup.MSVCRT ref: 004038D2
            • Part of subcall function 00403829: setsockopt.WSOCK32 ref: 00403905
            • Part of subcall function 00403829: memcpy.MSVCRT ref: 00403956
            • Part of subcall function 00403829: htons.WSOCK32 ref: 0040396F
            • Part of subcall function 00403829: inet_ntoa.WSOCK32 ref: 00403A46
          • getsockname.WSOCK32 ref: 00403C7A
          • strcpy.MSVCRT ref: 00403CA7
          • inet_ntoa.WSOCK32 ref: 00403CC2
          • strcat.MSVCRT ref: 00403CD6
          • strcat.MSVCRT ref: 00403D02
          • htons.WSOCK32 ref: 00403D13
          • _setjmp.MSVCRT ref: 00403D65
          • recvfrom.WSOCK32 ref: 00403DA1
          • connect.WSOCK32 ref: 00403DD4
          • shutdown.WSOCK32 ref: 00404036
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: _errnohtonsinet_ntoastrcat$ErrorLast_dup_setjmpconnectgetsocknamememcpyrecvfromsetsockoptshutdownsocketstrcpy
          • String ID: @
          • API String ID: 3180767748-2766056989
          • Opcode ID: 04a7635a6cf578ca84297678b22ca44b553d2c80e9f977fe9165d0359ccfb7aa
          • Instruction ID: 68810559001089906fd8573ee2d96bf6fc2683d2137b0bc9ffbaf30d5933130b
          • Opcode Fuzzy Hash: 04a7635a6cf578ca84297678b22ca44b553d2c80e9f977fe9165d0359ccfb7aa
          • Instruction Fuzzy Hash: 3DD190B4904305DFDB00EFA9C54966EBBF0BF48304F01882EE894A7391E7789994DB5A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 392 403829-403860 _errno WSASetLastError 393 403862-403886 socket 392->393 394 403888-4038a7 socket 392->394 395 4038ac-4038b3 393->395 394->395 396 4038c1-4038c8 395->396 397 4038b5-4038bc call 402f82 395->397 399 4038ca-4038d7 _dup 396->399 400 4038dc-403914 setsockopt 396->400 397->396 399->400 401 403922-40393a 400->401 402 403916-40391d call 402ecf 400->402 403 40395b-403960 401->403 404 40393c-403956 memcpy 401->404 402->401 406 403962-403977 htons 403->406 407 40397b-403986 403->407 404->403 406->407 408 403994-40399b 407->408 409 403988-40398d 407->409 411 4039a2-4039a6 408->411 409->408 410 40398f 409->410 412 403a35-403a39 410->412 411->412 413 4039ac-4039d4 bind 411->413 414 403a68-403a70 412->414 415 403a3b-403a63 inet_ntoa call 402f82 412->415 416 4039d6 413->416 417 4039d8-4039e3 _errno 413->417 419 403a72-403a7a 414->419 420 403a7f-403abe memcpy htons 414->420 415->414 416->412 421 4039e5 417->421 422 4039e7-403a30 inet_ntoa call 402ecf _sleep _errno 417->422 423 403ba0-403ba7 419->423 424 403ac0-403ac7 call 402ecf 420->424 425 403acc-403aef call 40307d _setjmp 420->425 421->412 422->411 424->425 431 403af1-403b15 connect 425->431 432 403b17-403b2a WSASetLastError 425->432 433 403b2d-403b45 call 40307d 431->433 432->433 436 403b51-403b99 WSAGetLastError _errno shutdown closesocket _errno WSASetLastError 433->436 437 403b47-403b4f 433->437 436->423 437->423
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: ErrorLast_errno$htonsmemcpysocket$_dup_setjmpbindclosesocketconnectinet_ntoasetsockoptshutdown
          • String ID:
          • API String ID: 3116141737-0
          • Opcode ID: cebecbf1948128c84a897a449a8a71be53735ef64cd7bb28cff415594c858c9a
          • Instruction ID: cb6bf92ac2ae36df461301d33440b0a49c4f5f323d04458afb416de52c00d575
          • Opcode Fuzzy Hash: cebecbf1948128c84a897a449a8a71be53735ef64cd7bb28cff415594c858c9a
          • Instruction Fuzzy Hash: 78A1F6B0904305DFDB00FF65D68936ABBF4BB04309F11893EE885AB291D3789994DB5B
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d0464e965de918735676d5588757127b1df1ed642007614594c902c391adfb61
          • Instruction ID: bf907c1f4d2a70a300ee28d3a5b8865cbc45d60bac5e03ab3dee2a637f9031e1
          • Opcode Fuzzy Hash: d0464e965de918735676d5588757127b1df1ed642007614594c902c391adfb61
          • Instruction Fuzzy Hash: 3511AB71108B154AF3298618EA497933A65F354314F14853ED906F93F1D3BDDD90CA0D
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
            • Part of subcall function 00401E00: malloc.MSVCRT ref: 00401E23
          • CreateThread.KERNEL32 ref: 004020D3
          • GetLastError.KERNEL32 ref: 004020E7
          • _itoa.MSVCRT ref: 004020FF
            • Part of subcall function 00402ECF: fprintf.MSVCRT ref: 00402F1F
            • Part of subcall function 00402ECF: WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,00402FC6), ref: 00402F24
            • Part of subcall function 00402ECF: WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,00402FC6), ref: 00402F2D
            • Part of subcall function 00402ECF: fprintf.MSVCRT ref: 00402F51
            • Part of subcall function 00402ECF: fflush.MSVCRT ref: 00402F7B
          • CreateThread.KERNEL32 ref: 00402181
          • GetLastError.KERNEL32 ref: 00402199
          • _itoa.MSVCRT ref: 004021B1
          • TerminateThread.KERNEL32 ref: 00402209
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: ErrorLast$Thread$Create_itoafprintf$Terminatefflushmalloc
          • String ID:
          • API String ID: 3697086593-0
          • Opcode ID: 10572a788af219330ef33cc0ec57ca242faa5f6ad944d3b1b4897c30640919eb
          • Instruction ID: 3776174efba38127411f1320ec35b2f68c9a9832294c0841666b97e542e3db12
          • Opcode Fuzzy Hash: 10572a788af219330ef33cc0ec57ca242faa5f6ad944d3b1b4897c30640919eb
          • Instruction Fuzzy Hash: C9B17DB5904704DFDB00EFA9C18974EBBF0EF44308F41896EE894AB391D37899588F96
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 568 4031b3-4031d6 _errno 569 4031e7-4031eb 568->569 570 4031d8-4031e4 call 403097 568->570 572 4031f9-403221 strcpy inet_addr 569->572 573 4031ed-4031f4 call 402f82 569->573 570->569 576 403227-40322c 572->576 577 4033ef-40343d memcpy inet_ntoa strncpy 572->577 573->572 578 403241-403256 gethostbyname 576->578 579 40322e-40323c call 402f82 576->579 580 40344a-403452 577->580 581 40343f-403445 577->581 586 403274-403290 strncpy 578->586 587 403258-40326f WSAGetLastError call 402f82 578->587 579->578 583 403454-40345a 580->583 584 40345f-403484 gethostbyaddr 580->584 582 403518-40351c 581->582 583->582 588 4034a4-4034d5 strncpy gethostbyname 584->588 589 403486-4034a2 WSAGetLastError call 402ecf 584->589 591 403297-4032ab 586->591 587->586 593 4034e2-4034fe WSAGetLastError call 402ecf 588->593 594 4034d7-4034e0 588->594 604 403512-403515 589->604 595 4032b1-4032b5 591->595 596 403333-40333b 591->596 593->604 594->593 601 403500-40350d call 403159 594->601 595->596 597 4032b7-40332e memcpy inet_ntoa strncpy 595->597 598 403348 596->598 599 40333d-403343 596->599 597->591 603 40334f-40335d 598->603 599->582 601->604 603->604 607 403363-403367 603->607 604->582 607->604 608 40336d-40339d gethostbyaddr 607->608 609 4033a7-4033d3 WSAGetLastError call 402ecf 608->609 610 40339f-4033a5 608->610 615 4033e7-4033ea 609->615 610->609 611 4033d5-4033e2 call 403159 610->611 611->615 615->603
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: ErrorLaststrncpy$gethostbyaddrinet_ntoamemcpy$_errnogethostbynameinet_addrmallocmemsetstrcpy
          • String ID:
          • API String ID: 2342530455-0
          • Opcode ID: b9942a84afb539e0eda7b6ed3162e11b2fe907c25a7a57c16b796f68144fe27c
          • Instruction ID: 1b65a61c478efe84f4354dbc273b01f441d4b55b229c26b46f73aa6b5a72dc0f
          • Opcode Fuzzy Hash: b9942a84afb539e0eda7b6ed3162e11b2fe907c25a7a57c16b796f68144fe27c
          • Instruction Fuzzy Hash: 58A1DBB0904209DFDB00EFA8C5856AEBBF0FF44305F10886EE485AB391D7789A84CF56
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 616 401e00-401e2f malloc 617 401e31-401e38 616->617 618 401e3d-401e90 CreatePipe 616->618 619 40206f-402076 617->619 620 401e92-401ee7 GetLastError _itoa call 402ecf 618->620 621 401eec-401f1a CreatePipe 618->621 628 402003-402007 620->628 623 401f76-401fb1 call 402439 CloseHandle * 2 621->623 624 401f1c-401f71 GetLastError _itoa call 402ecf 621->624 631 401ff1-402001 623->631 632 401fb3-401fef call 402ecf 623->632 624->628 633 402017-40201b 628->633 634 402009-402014 CloseHandle 628->634 631->619 632->628 635 40202b-402031 633->635 636 40201d-402028 CloseHandle 633->636 634->633 638 402043-40204a 635->638 639 402033-402040 CloseHandle 635->639 636->635 641 40204c-40205a CloseHandle 638->641 642 40205d-402068 free 638->642 639->638 641->642 642->619
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: CloseHandle$CreateErrorLastPipe_itoafreemalloc
          • String ID:
          • API String ID: 2877767537-0
          • Opcode ID: 6c217010293287cfd7200fa62ad3d828bb5f4129676e82021c0155888544c6fc
          • Instruction ID: d1cc404e7ce06c917d4e96b2f805319fd7073a00040dc44ca341ce4c7169a73c
          • Opcode Fuzzy Hash: 6c217010293287cfd7200fa62ad3d828bb5f4129676e82021c0155888544c6fc
          • Instruction Fuzzy Hash: 456198B0805705DFEB00EFA5C18979EBBF0EF44308F10896EE8956B291D7B99548CF96
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 643 4025bb-4025c7 644 4025ca-402608 PeekNamedPipe 643->644 645 402735-40273d GetLastError 644->645 646 40260e-40261c 644->646 647 402794-4027af ExitThread 645->647 648 40273f-40278f GetLastError _itoa call 402ecf 645->648 649 402654-402663 Sleep 646->649 650 40261e-402672 ReadFile 646->650 652 4027b9-4027e3 recv 647->652 648->647 649->644 656 40267c-402688 650->656 654 4028c0-4028cf ExitThread 652->654 655 4027e9-40280c 652->655 657 402829-402849 _strnicmp 655->657 658 40280e-402827 655->658 659 402700-40272f send 656->659 660 40268a-40269b 656->660 661 402857-40285b 657->661 662 40284b-402852 ExitThread 657->662 658->657 659->644 659->645 663 4026c1-4026fb 660->663 664 40269d-4026a4 660->664 666 402874-4028ad WriteFile 661->666 667 40285d-402861 661->667 663->656 664->663 665 4026a6-4026bf 664->665 665->663 668 4028b1-4028bb 666->668 669 4028af 666->669 667->666 670 402863-40286d 667->670 668->652 669->654 670->666 671 40286f 670->671 671->652
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: ExitThread$ErrorFileLast$NamedPeekPipeReadSleepWrite_itoa_strnicmprecvsend
          • String ID:
          • API String ID: 715083019-0
          • Opcode ID: c529273add3dfaa1fc56797edcac1404f6c1d3707c77490e89bcca9a942f96ff
          • Instruction ID: 812cba63fcffcf901759d42b92c3547cfe5b8ab2797f02535df047f268386e0e
          • Opcode Fuzzy Hash: c529273add3dfaa1fc56797edcac1404f6c1d3707c77490e89bcca9a942f96ff
          • Instruction Fuzzy Hash: F5914E74904319DFDB10EF68C58879EBBF4EF45344F4089AAD488A7381D7B89A88CF56
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 672 40351d-403532 673 403534 672->673 674 40353b-403550 672->674 673->674 675 403613-403617 674->675 676 403556-40355a 674->676 677 40361d-403621 675->677 678 4036ce-4036d5 675->678 679 403568-403577 676->679 680 40355c-403563 676->680 681 403623-40362a 677->681 682 40362f-403643 atoi 677->682 683 403711-403715 678->683 684 403579 679->684 685 40357e-4035ae htons getservbyport 679->685 680->683 681->683 686 403664-40366c 682->686 687 403645-40365f call 40351d 682->687 688 4036d7-40370e sprintf 684->688 685->688 689 4035b4-4035d2 htons 685->689 691 40367a-403696 getservbyname 686->691 692 40366e-403675 686->692 687->683 688->683 693 4035f0-40360e strncpy 689->693 694 4035d4-4035e4 689->694 691->678 697 403698-4036cc strncpy htons 691->697 692->683 693->688 695 4035eb call 402ecf 694->695 695->693 697->688
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: htons$getservbyportsprintfstrncpy
          • String ID: "p@$@
          • API String ID: 3015932977-3786540563
          • Opcode ID: 7b4d9b4591384e893e6d9c61fc36fe7f64902d931136992fe0f6443062b520dc
          • Instruction ID: 744cfc42fd78bbf95e49668f0f7f0cbdb84426594174ba2373b19d373039ff26
          • Opcode Fuzzy Hash: 7b4d9b4591384e893e6d9c61fc36fe7f64902d931136992fe0f6443062b520dc
          • Instruction Fuzzy Hash: 5C51E2B4904318EECB10EFA9C54476DBBF4FF04345F50886AE885AB391E37C9A84DB56
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 698 404058-40408c send 699 4040a5-4040ac 698->699 700 40408e-4040a0 _errno call 402ecf 698->700 702 4040bd-4040fa call 403829 699->702 703 4040ae-4040bb _sleep 699->703 700->699 709 404112-404132 closesocket 702->709 710 4040fc-40410f shutdown 702->710 704 404138-404171 _errno send 703->704 707 404173-404179 704->707 708 40417b-40419f shutdown closesocket 704->708 711 4041a6-4041aa 707->711 708->711 709->704 710->709
          APIs
          • send.WSOCK32 ref: 0040407D
          • _errno.MSVCRT ref: 0040408E
            • Part of subcall function 00402ECF: fprintf.MSVCRT ref: 00402F1F
            • Part of subcall function 00402ECF: WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,00402FC6), ref: 00402F24
            • Part of subcall function 00402ECF: WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,00402FC6), ref: 00402F2D
            • Part of subcall function 00402ECF: fprintf.MSVCRT ref: 00402F51
            • Part of subcall function 00402ECF: fflush.MSVCRT ref: 00402F7B
            • Part of subcall function 00403829: _errno.MSVCRT ref: 0040383E
            • Part of subcall function 00403829: WSASetLastError.WSOCK32 ref: 00403850
            • Part of subcall function 00403829: socket.WSOCK32 ref: 00403879
            • Part of subcall function 00403829: _dup.MSVCRT ref: 004038D2
            • Part of subcall function 00403829: setsockopt.WSOCK32 ref: 00403905
            • Part of subcall function 00403829: memcpy.MSVCRT ref: 00403956
            • Part of subcall function 00403829: htons.WSOCK32 ref: 0040396F
            • Part of subcall function 00403829: inet_ntoa.WSOCK32 ref: 00403A46
          • _sleep.MSVCRT ref: 004040B6
          • shutdown.WSOCK32 ref: 0040410A
          • closesocket.WSOCK32 ref: 00404118
          • _errno.MSVCRT ref: 00404138
          • send.WSOCK32 ref: 00404162
          • shutdown.WSOCK32 ref: 00404189
          • closesocket.WSOCK32 ref: 00404197
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: ErrorLast_errno$closesocketfprintfsendshutdown$_dup_sleepfflushhtonsinet_ntoamemcpysetsockoptsocket
          • String ID: iz
          • API String ID: 912985972-1161189939
          • Opcode ID: 511a912a00d4491d3990e70137e5ded1860bd43f8c7f80d84e3ba8f24e7322b2
          • Instruction ID: 34c7a4c70d11b6233b84278bbde6e1ff19722ab5da9ffacb43e31969e5b7ae55
          • Opcode Fuzzy Hash: 511a912a00d4491d3990e70137e5ded1860bd43f8c7f80d84e3ba8f24e7322b2
          • Instruction Fuzzy Hash: 5C31E7B0814704DFD700FF65D68935EBBF0EB44358F10886EE884AB391D37996989F4A
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: Process$CurrentHandle$CloseCreateDuplicateErrorLast_itoa
          • String ID: D
          • API String ID: 1554987783-2746444292
          • Opcode ID: d5aa1974ed85d349a8d2c4cf5adf57c7c616c5c7661a19cbc9a2feabadb2b9b4
          • Instruction ID: aca483b5e203881d84b43a89d7403c2f3b622e2447578a08dc1a50f0580ba481
          • Opcode Fuzzy Hash: d5aa1974ed85d349a8d2c4cf5adf57c7c616c5c7661a19cbc9a2feabadb2b9b4
          • Instruction Fuzzy Hash: 924145B09053059BEB00EFA5C15934FBBF4AF44348F10891DE898AB281D7B99548CF96
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: signal
          • String ID:
          • API String ID: 1946981877-0
          • Opcode ID: e3d26237c5e129f4b8dc384cc51770ebccf14432f0a058bc797907c54c869385
          • Instruction ID: 012213b2b02f3db4e16211d5a2618c0f0beba23899dbc112933408f09f9a925f
          • Opcode Fuzzy Hash: e3d26237c5e129f4b8dc384cc51770ebccf14432f0a058bc797907c54c869385
          • Instruction Fuzzy Hash: C63123B09042449BEB20AF69C58032EB6E0BF49354F56893FD9C5E77E1C67E8DC0974A
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • fprintf.MSVCRT ref: 00402F1F
          • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,00402FC6), ref: 00402F24
          • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,00402FC6), ref: 00402F2D
          • fprintf.MSVCRT ref: 00402F51
          • fprintf.MSVCRT ref: 00402F6B
          • fflush.MSVCRT ref: 00402F7B
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: fprintf$ErrorLast$fflush
          • String ID:
          • API String ID: 1179342926-0
          • Opcode ID: 1507f440a48880477d309dd62419c95f9a5d188ea55d3f880cd1ddb13ec90a23
          • Instruction ID: aedba044920dac11781e30089c66d1c72976f9705aae3b5046c65b340d9c2235
          • Opcode Fuzzy Hash: 1507f440a48880477d309dd62419c95f9a5d188ea55d3f880cd1ddb13ec90a23
          • Instruction Fuzzy Hash: 6B11B9B05043069FD740EF29DA8954A7BF0EF44388F01892EF889EB391D778D8548F9A
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 00402ECF: fprintf.MSVCRT ref: 00402F1F
            • Part of subcall function 00402ECF: WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,00402FC6), ref: 00402F24
            • Part of subcall function 00402ECF: WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,00402FC6), ref: 00402F2D
            • Part of subcall function 00402ECF: fprintf.MSVCRT ref: 00402F51
            • Part of subcall function 00402ECF: fflush.MSVCRT ref: 00402F7B
          • shutdown.WSOCK32 ref: 00402FD6
          • closesocket.WSOCK32 ref: 00402FE6
          • _sleep.MSVCRT ref: 00402FF5
          • exit.MSVCRT ref: 00403001
          • _errno.MSVCRT ref: 0040300C
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: ErrorLastfprintf$_errno_sleepclosesocketexitfflushshutdown
          • String ID:
          • API String ID: 3984783896-0
          • Opcode ID: 6e9c7c120c1affb8180beccbe2b3cfc04695f91e07880b9eef69a37c199af21d
          • Instruction ID: 3542e69b3411e4e71ba3b63367d5401c8d3bb16ff36ee3f3bbffff72c4001994
          • Opcode Fuzzy Hash: 6e9c7c120c1affb8180beccbe2b3cfc04695f91e07880b9eef69a37c199af21d
          • Instruction Fuzzy Hash: C211CCB49083059FC700FF69D645649BBF4BB44344F01482EF8C4A7391E7B8E8948B9B
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 00402F82: shutdown.WSOCK32 ref: 00402FD6
            • Part of subcall function 00402F82: closesocket.WSOCK32 ref: 00402FE6
            • Part of subcall function 00402F82: _sleep.MSVCRT ref: 00402FF5
            • Part of subcall function 00402F82: exit.MSVCRT ref: 00403001
            • Part of subcall function 00402F82: _errno.MSVCRT ref: 0040300C
          • sprintf.MSVCRT ref: 004042C9
          • _write.MSVCRT ref: 00404388
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: _errno_sleep_writeclosesocketexitshutdownsprintf
          • String ID: N
          • API String ID: 941380402-1130791706
          • Opcode ID: 37b05e5afd40601c5a73a3549bd8d9f3e12d6401dcb359f71d3e62110ca999fc
          • Instruction ID: 68083ad8bac51fe3905405b462c0b6f67bb4a1db247556006c561e3c8f4ebfcf
          • Opcode Fuzzy Hash: 37b05e5afd40601c5a73a3549bd8d9f3e12d6401dcb359f71d3e62110ca999fc
          • Instruction Fuzzy Hash: 4971C4B4E0424ACFCB01DF98C6446AEBBF0BF55304F1481A6D951BB392C3789A52DF66
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _errno.MSVCRT ref: 00404F3C
          • atoi.MSVCRT ref: 00404F54
            • Part of subcall function 00402F82: shutdown.WSOCK32 ref: 00402FD6
            • Part of subcall function 00402F82: closesocket.WSOCK32 ref: 00402FE6
            • Part of subcall function 00402F82: _sleep.MSVCRT ref: 00402FF5
            • Part of subcall function 00402F82: exit.MSVCRT ref: 00403001
            • Part of subcall function 00402F82: _errno.MSVCRT ref: 0040300C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.650029112.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.650019894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650038928.0000000000408000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.650044935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_nc.jbxd
          Yara matches
          Similarity
          • API ID: _errno$_sleepatoiclosesocketexitshutdown
          • String ID: 3
          • API String ID: 1965425864-1842515611
          • Opcode ID: f0a7008b52452b5db2457fb5b3bdcb433ce73af9d45da533742d5288b72da504
          • Instruction ID: 9e18031511e0b90bc96fffc2f7724399808eaf037f08a3e26671e6fc7f0f7b20
          • Opcode Fuzzy Hash: f0a7008b52452b5db2457fb5b3bdcb433ce73af9d45da533742d5288b72da504
          • Instruction Fuzzy Hash: C60117B0904308DFD700EFA9DA8465EBBF1EB54300F11893EE494BB291D7789950DF1A
          Uniqueness

          Uniqueness Score: -1.00%