Windows Analysis Report
RpcSsv.exe

Overview

General Information

Sample name:RpcSsv.exe
Analysis ID:1431645
MD5:523613a7b9dfa398cbd5ebd2dd0f4f38
SHA1:3e92f697d642d68bb766cc93e3130b36b2da2bab
SHA256:3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571

Detection

Netcat
Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Netcat
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • RpcSsv.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\RpcSsv.exe" MD5: 523613A7B9DFA398CBD5EBD2DD0F4F38)
    • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author
RpcSsv.exe | JoeSecurity_Netcat | Yara detected Netcat | Joe Security
00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Netcat | Yara detected Netcat | Joe Security
00000000.00000000.1611099098.0000000000409000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Netcat | Yara detected Netcat | Joe Security
Process Memory Space: RpcSsv.exe PID: 7592 | JoeSecurity_Netcat | Yara detected Netcat | Joe Security
          No Sigma rule has matched
          No Snort rule has matched

AV Detection

Source: RpcSsv.exe | ReversingLabs: Detection: 34%
Source: RpcSsv.exe | Virustotal: Detection: 39%
Source: RpcSsv.exe | Static PE information: certificate valid

Spreading

Source: Yara match | File source: RpcSsv.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1611099098.0000000000409000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RpcSsv.exe PID: 7592, type: MEMORYSTR
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: 0_2_0040425F _errno, listen, getsockname, inet_ntoa, htons, recvfrom, connect, accept, shutdown, closesocket, getsockname, inet_ntoa, htons, inet_ntoa, _errno, _errno, shutdown, closesocket
Source: RpcSsv.exe | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: RpcSsv.exe | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: RpcSsv.exe | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: RpcSsv.exe | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: RpcSsv.exe | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RpcSsv.exe | String found in binary or memory: http://eternallybored.org/misc/netcat/
Source: RpcSsv.exe | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: RpcSsv.exe | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: RpcSsv.exe | String found in binary or memory: http://www.globalsign.net/repository/0
Source: RpcSsv.exe | String found in binary or memory: http://www.globalsign.net/repository/03
Source: RpcSsv.exe | String found in binary or memory: http://www.globalsign.net/repository09
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: 0_2_004011B0
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: String function: 004034EB appears 186 times
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: String function: 004035DB appears 145 times
Source: classification engine | Classification label: mal52.spre.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: RpcSsv.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RpcSsv.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\RpcSsv.exe "C:\Users\user\Desktop\RpcSsv.exe"
Source: C:\Users\user\Desktop\RpcSsv.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RpcSsv.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RpcSsv.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\RpcSsv.exe | API coverage: 7.5 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: RpcSsv.exe, 00000000.00000002.2854248497.000000000073B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: 0_2_0040C554 RtlLookupFunctionEntry, SetUnhandledExceptionFilter, TlsGetValue, VirtualProtect
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: 0_2_00406C60 RtlCaptureContext, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: 0_2_00405FD1 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: 0_2_004011B0 Sleep, Sleep, SetUnhandledExceptionFilter, GetModuleHandleA, GetModuleHandleA, GetProcAddress, _acmdln, __initenv, GetStartupInfoA, GetModuleHandleA, GetModuleHandleA, LoadLibraryA, GetModuleHandleA
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: 0_2_00406B60 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
Source: C:\Users\user\Desktop\RpcSsv.exe | Code function: 0_2_00403EC7 _errno, WSASetLastError, socket, socket, _dup, setsockopt, htons, bind, _errno, inet_ntoa, _sleep, _errno, inet_ntoa, htons, connect, WSASetLastError, _errno, WSAGetLastError, shutdown, closesocket, _errno, WSASetLastError
MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook
Defense Evasion: 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 System Time Discovery; 1 Security Software Discovery; 2 System Information Discovery; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID: 1431645): Sample RpcSsv.exe, start date 25/04/2024, architecture WINDOWS, score 52. Graph nodes: Multi AV Scanner detection for submitted file; Yara detected Netcat; RpcSsv.exe (started); conhost.exe (started by RpcSsv.exe).

Source | Detection | Scanner | Label
RpcSsv.exe | 34% | ReversingLabs | Win32.Trojan.Generic
RpcSsv.exe | 39% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
http://www.globalsign.net/repository/03 | 0% | URL Reputation | safe
http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | Avira URL Cloud | safe
http://secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | Avira URL Cloud | safe
http://www.globalsign.net/repository09 | 0% | Avira URL Cloud | safe
http://www.globalsign.net/repository/0 | 0% | Avira URL Cloud | safe
http://www.globalsign.net/repository/0 | 0% | Virustotal |
http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | Virustotal |
http://www.globalsign.net/repository09 | 0% | Virustotal |
http://secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | Virustotal |
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://secure.globalsign.net/cacert/PrimObject.crt0 | RpcSsv.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://secure.globalsign.net/cacert/ObjectSign.crt09 | RpcSsv.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.globalsign.net/repository09 | RpcSsv.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://eternallybored.org/misc/netcat/ | RpcSsv.exe | false | | high
http://www.globalsign.net/repository/0 | RpcSsv.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.globalsign.net/repository/03 | RpcSsv.exe | false | URL Reputation: safe | unknown
            No contacted IP infos
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1431645
            Start date and time:2024-04-25 14:58:48 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 3m 49s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:RpcSsv.exe
            Detection:MAL
            Classification:mal52.spre.winEXE@2/1@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 3
            • Number of non-executed functions: 32
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
No simulations
No context
            Process:C:\Users\user\Desktop\RpcSsv.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):10
            Entropy (8bit):3.121928094887362
            Encrypted:false
            SSDEEP:3:umFn:D
            MD5:552430716D5ECD7EB607728C6AA6D750
            SHA1:343C92A87B4E6887E140DFA476AEBAD03C4ABFD5
            SHA-256:E58FE825DF1CD85145B06292195AA553F11577105BA848731FAF0C774EE56648
            SHA-512:8DC6C13551BFDB196595B1368A5B72A5D85FE22736466C6DD5127A4F62C7D1E73A004C8F86072EAC245BF905A5336F5E8DE913D6B5F5010F98AE03F1DE503C01
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:Cmd line:
            File type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
            Entropy (8bit):6.15395147872826
            TrID:
            • Win64 Executable (generic) (12005/4) 74.80%
            • Generic Win/DOS Executable (2004/3) 12.49%
            • DOS Executable Generic (2002/1) 12.47%
            • VXD Driver (31/22) 0.19%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
            File name:RpcSsv.exe
            File size:45'272 bytes
            MD5:523613a7b9dfa398cbd5ebd2dd0f4f38
            SHA1:3e92f697d642d68bb766cc93e3130b36b2da2bab
            SHA256:3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571
            SHA512:2ca42e21ebc26233c3822851d9fc82f950186820e10d3601c92b648415eb720f0e1a3a6d9d296497a3393a939a9424c47b1e5eaedfd864f96e3ab8986f6b35b5
            SSDEEP:768:gaGHu/aKUAvRCXA/e6PfVVCJrxg/KKjMozd6jSemG0nf2Fcc5C+qLaVp:CuSzAvRCxmNVCgi+IjNmDO15C+qLaVp
            TLSH:52134B7BF21684FED117C6BCA6D65871A4F4BC500A71606E63E68A373F39EB05BB8101
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....sN........../......f...,................@.....................................9......... ............................
            Icon Hash:90cececece8e8eb0
            Entrypoint:0x401710
            Entrypoint Section:.text
            Digitally signed:true
            Imagebase:0x400000
            Subsystem:windows cui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
            DLL Characteristics:
            Time Stamp:0x4E73D1B2 [Fri Sep 16 22:46:10 2011 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:567531f08180ab3963b70889578118a3
            Signature Valid:true
            Signature Issuer:CN=GlobalSign ObjectSign CA, OU=ObjectSign CA, O=GlobalSign nv-sa, C=BE
            Signature Validation Error:The operation completed successfully
            Error Number:0
            Not Before, Not After
            • 10/06/2011 15:37:33 10/06/2012 14:56:30
            Subject Chain
            • CN=Jernej Simoncic, C=SI
            Version:3
            Thumbprint MD5:3325943A6BCF2EB101C1CD5474EC7CB1
            Thumbprint SHA-1:ABAC542F13EE0FC3C70B1920FBAA7B3B592915AD
            Thumbprint SHA-256:D135329B2B4E5543CB847E6F0BD7168F137C47EDAD0AC09D0066D79824757F15
            Serial:010000000001307A27872D
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x1130 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9600 | 0x1ad8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc464 | 0x400 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6600 | 0x6600 | e2b1cd470ac63d157e4c65e232c07adf | False | 0.5197610294117647 | data | 5.901700911521572 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x8000 | 0xf0 | 0x200 | c5407141c3fdbdff8172a329e9384d18 | False | 0.25 | Matlab v4 mat-file (little endian) (UNKNOWN), text, rows 63, columns 0 | 1.6180650973966408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9000 | 0x1210 | 0x1400 | 57e82d7c7851e8632411901e03ba61be | False | 0.4279296875 | data | 5.0077462845443765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0xb000 | 0xc00 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc000 | 0x1130 | 0x1200 | d2a0f7d3008f5d537376c1a482dcb11e | False | 0.3092447916666667 | data | 3.9140315483096777 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xe000 | 0x68 | 0x200 | 58729826accb6b45d872788e51ad82c7 | False | 0.0703125 | data | 0.2592004782599745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xf000 | 0x48 | 0x200 | 87bd9ed859278120552d9cd12f0ab113 | False | 0.052734375 | data | 0.21776995545804623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.dll | CloseHandle, CreatePipe, CreateProcessA, CreateThread, DeleteCriticalSection, DisconnectNamedPipe, DuplicateHandle, EnterCriticalSection, ExitThread, FreeConsole, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetStdHandle, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, PeekNamedPipe, QueryPerformanceCounter, ReadFile, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TerminateThread, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WriteFile
msvcrt.dll | _close, _dup, _itoa, _kbhit, _open, _read, _strcmpi, _strnicmp, _write
msvcrt.dll | __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _fmode, _initterm, _isatty, _lock, _onexit, _setjmp, _setmode, _sleep, _time64, _unlock, abort, atoi, calloc, exit, fflush, fprintf, fputc, free, fwrite, getenv, gets, longjmp, malloc, memcmp, memcpy, memset, rand, signal, sprintf, srand, strcat, strchr, strcmp, strcpy, strlen, strncmp, strncpy, vfprintf
WSOCK32.dll | WSACleanup, WSAGetLastError, WSASetLastError, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, getservbyname, getservbyport, getsockname, htons, inet_addr, inet_ntoa, listen, ntohs, recv, recvfrom, select, send, setsockopt, shutdown, socket
            No network behavior found

            Target ID:0
            Start time:14:59:32
            Start date:25/04/2024
            Path:C:\Users\user\Desktop\RpcSsv.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\RpcSsv.exe"
            Imagebase:0x400000
            File size:45'272 bytes
            MD5 hash:523613A7B9DFA398CBD5EBD2DD0F4F38
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Netcat, Description: Yara detected Netcat, Source: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Netcat, Description: Yara detected Netcat, Source: 00000000.00000000.1611099098.0000000000409000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            Reputation:low
            Has exited:false

            Target ID:1
            Start time:14:59:32
            Start date:25/04/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false


              Execution Graph

              Execution Coverage:3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:10.2%
              Total number of Nodes:615
              Total number of Limit Nodes:20
6275 401ed3 6269->6275 6269->6282 6270->6282 6271->6256 6271->6266 6276 402150 6272->6276 6277 402185 6272->6277 6281 401ff9 6273->6281 6273->6282 6274->6282 6279 401ef5 6275->6279 6280 401f2a 6275->6280 6284 407458 fprintf 6276->6284 6285 407458 fprintf 6277->6285 6286 407458 fprintf 6278->6286 6287 407458 fprintf 6279->6287 6288 407458 fprintf 6280->6288 6289 407458 fprintf 6281->6289 6282->6169 6284->6274 6285->6282 6286->6282 6287->6274 6288->6282 6289->6282 6291 40c6cc 6290->6291 6293 407400 malloc 6292->6293 6294 403740 6293->6294 6295 4035db fprintf 6294->6295 6296 40374b 6294->6296 6295->6296 6296->6175 6298 4037f9 6297->6298 6299 403833 6298->6299 6300 4034eb fprintf 6298->6300 6299->6187 6300->6299 6416 4036ca 6417 4036dc 6416->6417 6419 4036e8 6416->6419 6418 4035db fprintf 6417->6418 6418->6419 6789 40568a 6790 405693 6789->6790 6826 405f60 6790->6826 6792 40569e 6793 4035db fprintf 6792->6793 6818 405397 6792->6818 6793->6818 6794 402422 fprintf 6794->6818 6795 4073a0 _time64 6795->6818 6796 405913 _close 6796->6818 6797 40593c _open 6797->6818 6798 403841 2 API calls 6798->6818 6799 40371e malloc fprintf 6799->6818 6800 40425f 3 API calls 6800->6818 6801 4035db fprintf 6801->6818 6802 4026fd 7 API calls 6802->6818 6803 404b7c 10 API calls 6803->6818 6804 4034eb fprintf 6804->6818 6805 403bc0 fprintf 6805->6818 6806 403e4e fprintf 6806->6818 6807 405f43 6808 4034eb fprintf 6807->6808 6809 405f7d 6808->6809 6810 4034eb fprintf 6809->6810 6812 405f89 6810->6812 6811 403ec7 2 API calls 6811->6818 6813 4034eb fprintf 6812->6813 6814 405f95 6813->6814 6815 4034eb fprintf 6814->6815 6817 405fa1 6815->6817 6816 405418 _read 6816->6818 6820 4034eb fprintf 6817->6820 6818->6794 6818->6795 6818->6796 6818->6797 6818->6798 6818->6799 6818->6800 6818->6801 6818->6802 6818->6803 6818->6804 6818->6805 6818->6806 6818->6807 6818->6811 6818->6816 6819 404773 2 API calls 6818->6819 6819->6818 6821 405fad 6820->6821 6822 4034eb fprintf 6821->6822 6823 405fb9 6822->6823 
6824 4035db fprintf 6823->6824 6825 405fc5 6824->6825 6827 4034eb fprintf 6826->6827 6828 405f7d 6827->6828 6829 4034eb fprintf 6828->6829 6830 405f89 6829->6830 6831 4034eb fprintf 6830->6831 6832 405f95 6831->6832 6833 4034eb fprintf 6832->6833 6834 405fa1 6833->6834 6835 4034eb fprintf 6834->6835 6836 405fad 6835->6836 6837 4034eb fprintf 6836->6837 6838 405fb9 6837->6838 6839 4035db fprintf 6838->6839 6840 405fc5 6839->6840 6840->6792 6845 401710 6846 406b60 5 API calls 6845->6846 6847 401723 6846->6847 6848 406190 6849 40619f 6848->6849 6850 407030 5 API calls 6849->6850 6851 4061b3 6849->6851 6850->6851 6852 406f90 6853 406fb0 EnterCriticalSection 6852->6853 6854 406fa1 6852->6854 6855 406fe3 LeaveCriticalSection 6853->6855 6858 406fc9 6853->6858 6856 406ff0 6855->6856 6857 406fcf 6859 40700d LeaveCriticalSection 6857->6859 6858->6855 6858->6857 6859->6856 6424 405fd1 SetUnhandledExceptionFilter 6860 402c97 6861 402cb3 6860->6861 6862 402dfa _itoa 6861->6862 6866 402e44 6861->6866 6863 4034eb fprintf 6862->6863 6863->6866 6864 402f51 6865 402e9f _strnicmp 6865->6866 6866->6864 6866->6865 6867 405797 6868 403841 2 API calls 6867->6868 6898 405397 6868->6898 6869 402422 fprintf 6869->6898 6870 4073a0 _time64 6870->6898 6871 405913 _close 6871->6898 6872 40593c _open 6872->6898 6873 4035db fprintf 6873->6898 6874 40371e malloc fprintf 6874->6898 6875 403841 2 API calls 6875->6898 6876 40425f 3 API calls 6876->6898 6877 4026fd 7 API calls 6877->6898 6878 404b7c 10 API calls 6878->6898 6879 4034eb fprintf 6879->6898 6880 403bc0 fprintf 6880->6898 6881 403e4e fprintf 6881->6898 6882 405f43 6883 4034eb fprintf 6882->6883 6884 405f7d 6883->6884 6885 4034eb fprintf 6884->6885 6887 405f89 6885->6887 6886 403ec7 2 API calls 6886->6898 6888 4034eb fprintf 6887->6888 6889 405f95 6888->6889 6890 4034eb fprintf 6889->6890 6892 405fa1 6890->6892 6891 405418 _read 6891->6898 6894 4034eb fprintf 6892->6894 6893 404773 2 API calls 6893->6898 6895 405fad 6894->6895 6896 4034eb 
fprintf 6895->6896 6897 405fb9 6896->6897 6899 4035db fprintf 6897->6899 6898->6869 6898->6870 6898->6871 6898->6872 6898->6873 6898->6874 6898->6875 6898->6876 6898->6877 6898->6878 6898->6879 6898->6880 6898->6881 6898->6882 6898->6886 6898->6891 6898->6893 6900 405fc5 6899->6900 6967 40581f 6968 40582e 6967->6968 6969 405854 6968->6969 6970 4035db fprintf 6968->6970 6971 40371e 2 API calls 6969->6971 6970->6969 6972 40585e 6971->6972 6973 40371e 2 API calls 6972->6973 6987 405397 6973->6987 6974 402422 fprintf 6974->6987 6975 4073a0 _time64 6975->6987 6976 405913 _close 6976->6987 6977 40593c _open 6977->6987 6978 40371e malloc fprintf 6978->6987 6979 403841 2 API calls 6979->6987 6980 40425f 3 API calls 6980->6987 6981 4035db fprintf 6981->6987 6982 404b7c 10 API calls 6982->6987 6983 4034eb fprintf 6983->6987 6984 403bc0 fprintf 6984->6987 6985 403e4e fprintf 6985->6987 6986 405f43 6988 4034eb fprintf 6986->6988 6987->6974 6987->6975 6987->6976 6987->6977 6987->6978 6987->6979 6987->6980 6987->6981 6987->6982 6987->6983 6987->6984 6987->6985 6987->6986 6991 403ec7 2 API calls 6987->6991 6996 405418 _read 6987->6996 6998 404773 2 API calls 6987->6998 7002 4026fd 7 API calls 6987->7002 6989 405f7d 6988->6989 6990 4034eb fprintf 6989->6990 6992 405f89 6990->6992 6991->6987 6993 4034eb fprintf 6992->6993 6994 405f95 6993->6994 6995 4034eb fprintf 6994->6995 6997 405fa1 6995->6997 6996->6987 6999 4034eb fprintf 6997->6999 6998->6987 7000 405fad 6999->7000 7001 4034eb fprintf 7000->7001 7003 405fb9 7001->7003 7002->6987 7004 4035db fprintf 7003->7004 7005 405fc5 7004->7005 6458 406c60 RtlCaptureContext 6460 406c90 6458->6460 6459 406cd1 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6459->6460 6460->6459 6461 406160 6462 406168 6461->6462 6463 40616d 6462->6463 6466 407030 6462->6466 6465 406185 6467 407080 6466->6467 6468 407039 6466->6468 6469 4070a0 InitializeCriticalSection 6467->6469 6470 40708a 6467->6470 6471 407050 
6468->6471 6472 40703b 6468->6472 6469->6470 6470->6465 6473 406e30 3 API calls 6471->6473 6474 407045 6472->6474 6478 406e30 6472->6478 6475 407055 6473->6475 6474->6465 6475->6474 6477 407060 DeleteCriticalSection 6475->6477 6477->6474 6479 406e70 EnterCriticalSection 6478->6479 6480 406e52 6478->6480 6481 406ec4 6479->6481 6483 406e89 6479->6483 6480->6474 6482 406ea0 TlsGetValue GetLastError 6482->6483 6483->6481 6483->6482 6484 401060 6485 40109d 6484->6485 6486 4010f9 6485->6486 6487 401110 __setusermatherr 6485->6487 7006 406320 7007 4063b0 7006->7007 7008 406342 7006->7008 7009 407458 fprintf 7008->7009 7010 40638a 7009->7010 6492 405fe1 GetProcAddress 6493 405563 6494 4035db fprintf 6493->6494 6522 405397 6494->6522 6495 402422 fprintf 6495->6522 6496 4073a0 _time64 6496->6522 6497 405913 _close 6497->6522 6498 40593c _open 6498->6522 6499 403841 2 API calls 6499->6522 6500 40371e malloc fprintf 6500->6522 6501 40425f 3 API calls 6501->6522 6502 4035db fprintf 6502->6522 6503 4026fd 7 API calls 6503->6522 6504 404b7c 10 API calls 6504->6522 6505 4034eb fprintf 6505->6522 6506 403bc0 fprintf 6506->6522 6507 403e4e fprintf 6507->6522 6508 405f43 6509 4034eb fprintf 6508->6509 6510 405f7d 6509->6510 6511 4034eb fprintf 6510->6511 6513 405f89 6511->6513 6512 403ec7 2 API calls 6512->6522 6514 4034eb fprintf 6513->6514 6515 405f95 6514->6515 6516 4034eb fprintf 6515->6516 6518 405fa1 6516->6518 6517 405418 _read 6517->6522 6520 4034eb fprintf 6518->6520 6519 404773 2 API calls 6519->6522 6521 405fad 6520->6521 6523 4034eb fprintf 6521->6523 6522->6495 6522->6496 6522->6497 6522->6498 6522->6499 6522->6500 6522->6501 6522->6502 6522->6503 6522->6504 6522->6505 6522->6506 6522->6507 6522->6508 6522->6512 6522->6517 6522->6519 6524 405fb9 6523->6524 6525 4035db fprintf 6524->6525 6526 405fc5 6525->6526 6046 4011b0 6047 4014a2 GetStartupInfoA 6046->6047 6048 4011df 6046->6048 6050 4014b0 6047->6050 6049 401234 6048->6049 6051 401206 6048->6051 6049->6050 6056 
401251 6049->6056 6052 407420 _initterm 6050->6052 6053 40121a Sleep 6051->6053 6055 401232 6051->6055 6054 4014cd 6052->6054 6053->6051 6053->6055 6059 4014d2 GetModuleHandleA 6054->6059 6055->6049 6055->6056 6057 40126a 6056->6057 6093 407420 _initterm 6056->6093 6076 4065d0 6057->6076 6061 4014e4 GetModuleHandleA 6059->6061 6062 4012c7 GetProcAddress 6059->6062 6061->6062 6065 4014f6 LoadLibraryA 6061->6065 6064 4012dc 6062->6064 6072 4012e5 6062->6072 6063 401295 SetUnhandledExceptionFilter 6087 406a20 6063->6087 6064->6072 6067 40150c 6065->6067 6065->6072 6067->6062 6091 407400 malloc 6072->6091 6078 406620 6076->6078 6085 4065f9 6076->6085 6077 40665e 6077->6085 6095 406490 6077->6095 6078->6077 6079 4066ce 6078->6079 6078->6085 6083 406490 6 API calls 6079->6083 6084 40685e 6079->6084 6079->6085 6114 406430 6079->6114 6080 406430 6 API calls 6086 406871 6080->6086 6083->6079 6084->6080 6085->6063 6086->6063 6088 406a47 6087->6088 6089 406b30 RtlAddFunctionTable 6088->6089 6090 4012ae GetModuleHandleA 6088->6090 6089->6090 6090->6059 6090->6062 6092 40c704 6091->6092 6094 40c65c 6093->6094 6096 406505 VirtualQuery 6095->6096 6100 4064d1 6095->6100 6097 4065b1 6096->6097 6098 40651f 6096->6098 6099 406430 3 API calls 6097->6099 6098->6100 6101 406545 VirtualProtect 6098->6101 6106 4065c5 6099->6106 6100->6077 6102 406586 6101->6102 6102->6100 6104 406598 VirtualProtect 6102->6104 6103 4065f9 6103->6077 6104->6100 6105 40665e 6105->6103 6109 406490 3 API calls 6105->6109 6106->6103 6106->6105 6111 4066ce 6106->6111 6107 40685e 6108 406430 3 API calls 6107->6108 6113 406871 6108->6113 6109->6105 6110 406430 3 API calls 6110->6111 6111->6103 6111->6107 6111->6110 6112 406490 VirtualQuery VirtualProtect VirtualProtect 6111->6112 6112->6111 6113->6077 6115 406457 6114->6115 6116 406505 VirtualQuery 6115->6116 6120 4064d1 6115->6120 6117 4065b1 6116->6117 6118 40651f 6116->6118 6119 406430 3 API calls 6117->6119 6118->6120 6121 406545 VirtualProtect 6118->6121 6126 
4065c5 6119->6126 6120->6079 6122 406586 6121->6122 6122->6120 6124 406598 VirtualProtect 6122->6124 6123 4065f9 6123->6079 6124->6120 6125 40665e 6125->6123 6129 406490 3 API calls 6125->6129 6126->6123 6126->6125 6131 4066ce 6126->6131 6127 40685e 6128 406430 3 API calls 6127->6128 6133 406871 6128->6133 6129->6125 6130 406430 3 API calls 6130->6131 6131->6123 6131->6127 6131->6130 6132 406490 VirtualQuery VirtualProtect VirtualProtect 6131->6132 6132->6131 6133->6079 6527 4016f0 6530 406b60 6527->6530 6531 406bc4 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 6530->6531 6532 401703 6530->6532 6531->6532 6537 406ef0 6538 406f30 6537->6538 6539 406f12 6537->6539 6538->6539 6540 406f4c EnterCriticalSection LeaveCriticalSection 6538->6540 6540->6539 6607 4055ff 6608 405616 6607->6608 6609 40560a 6607->6609 6610 40562c 6608->6610 6612 40371e 2 API calls 6608->6612 6611 4035db fprintf 6609->6611 6613 403841 2 API calls 6610->6613 6611->6608 6612->6610 6638 405397 6613->6638 6614 402422 fprintf 6614->6638 6615 4073a0 _time64 6615->6638 6616 405913 _close 6616->6638 6617 40593c _open 6617->6638 6618 4035db fprintf 6618->6638 6619 403841 2 API calls 6619->6638 6620 40371e malloc fprintf 6620->6638 6621 40425f 3 API calls 6621->6638 6622 4026fd 7 API calls 6622->6638 6623 404b7c 10 API calls 6623->6638 6624 4034eb fprintf 6624->6638 6625 403bc0 fprintf 6625->6638 6626 403e4e fprintf 6626->6638 6627 405f43 6628 4034eb fprintf 6627->6628 6629 405f7d 6628->6629 6630 4034eb fprintf 6629->6630 6632 405f89 6630->6632 6631 403ec7 2 API calls 6631->6638 6633 4034eb fprintf 6632->6633 6634 405f95 6633->6634 6635 4034eb fprintf 6634->6635 6637 405fa1 6635->6637 6636 405418 _read 6636->6638 6640 4034eb fprintf 6637->6640 6638->6614 6638->6615 6638->6616 6638->6617 6638->6618 6638->6619 6638->6620 6638->6621 6638->6622 6638->6623 6638->6624 6638->6625 6638->6626 6638->6627 6638->6631 6638->6636 6639 404773 2 API calls 6638->6639 
6639->6638 6641 405fad 6640->6641 6642 4034eb fprintf 6641->6642 6643 405fb9 6642->6643 6644 4035db fprintf 6643->6644 6645 405fc5 6644->6645

              Callgraph

              (Node/edge text of the rendered callgraph omitted. The rendering also distinguishes executed from not-executed functions, which the text does not preserve. What the text recovers:)
              • 004011B0 (start-up) calls 00406B50, 00407400, 00407420, 00406A20, 004065D0 and 00405282.
              • 00405282 calls 00402F70 (WSAStartup), 00406E00, 00407400 and the shared set below; its control-flow graph and the record following it carry the command-line strings.
              • 00405563, 00405585, 00405598, 004055B5, 004055C3, 004055FF, 0040568A, 004056F3, 00405709, 0040571F, 00405743, 00405781, 00405797, 004057C7, 004057DD, 004057F3, 00405809, 0040581F and 00405887 all call exactly the same set: 00403841, 00403E4E, 0040425F, 00404773, 0040377B, 00404B7C, 0040371E, 00402422, 00403BC0, 00403EC7, 00403DCA, 004035DB, 004034EB, 004026FD, 004073A0 (0040568A additionally calls 00405F60). They lie inside the address range of the 00405282 control-flow graph and share its callee set, so they are fragments of that one routine rather than independent functions.
              • 00404B7C calls 0040377B, 004048CC, 004034EB, 004073A0, 00404ABB; 0040425F and 00403EC7 both reach 004036FC and 00407380; 004026FD calls 00402470 and 004034EB; 00402470 calls 00407400, 00402AE4, 004034EB; 00402422 calls 004019AA, which calls 00407458, 00401769, 00401730, 004018FE.
              • 004034EB, 00405F60, 00406320, 004063C3, 004063D0, 004063E0, 004063F0, 00406400, 00406410 lead to 00407458 (fprintf); 004034EB also calls 00402FC9.
              • 00406A20 calls 00407150, 00407210, 00407290; 004065D0, 00406430 and 00406490 call 00406B50 and each other; 00401060 calls 00406240 and 00406420; 00406250 calls 00406240 and 00406230; 004016F0 and 00401710 call 00406B60; 00406160 and 00406190 call 00407030, which calls 00406E30; 004036CA calls 004035DB and 00407386; 00402C97 calls 004034EB.

              Control-flow Graph

              (Basic-block/edge text of the rendered graph for 405282 omitted. Blocks that make calls, in address order:)
              • 405282-405395: calls 406e00, 402f70 (WSAStartup), 40371e seven times and 407400 (malloc)
              • 4053a5-405439: calls 40371e twice, 4074e8, 407490 and _read
              • 405447-40545b: calls 40377b; 40547b-405497: 4073f8; 40549c-4054ba and 4054bf-4054dd: 4074f0
              • 4058bb-4058d6: calls 402422; 4058e8-405903: 4073a0 (_time64), 4074f8, 40371e
              • 405913-405926: _close; 40593c-405964: _open (its failure path 405966-405977 reports through 4035db); 40597c-405986: 40371e
              • 4059a5-4059ca: calls 403841
              • 405a45-405a6e: calls 403bc0; 405a92-405abe: 40425f; 405acc-405ad7: 4026fd; 405ae8-405af5: 404b7c
              • 405b04-405b1c: calls 4034eb; 405b2b-405b2d: 407428
              • 405ba7-405bdb: calls 4074f0; 405bdd-405bfa and 405c0b-405c34: 403bc0
              • 405c83-405caa: calls 403e4e and 403dca
              • 405ccf-405cde: calls 4074c0; 405ce6-405d26: 403bc0 and 403ec7
              • 405d40-405d51: calls 404773; 405d65-405dad: 4034eb; 405daf-405dba: 4026fd; 405ddb-405dea: 404b7c
              • 405e1a-405e4e: calls 4034eb; 405ea7-405eb7: 403dca
              • 405f13-405f2b: calls 4034eb; 405f4f-405f51: 407428; 405f56-405fcb: 407428, 4034eb six times, then 4035db
              • Blocks that only call 4035db (error reporting): 40543b, 40589a, 405a70, 405b32, 405b45, 405b69, 405bfc, 405c36
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: Startup_close_open_read
              • String ID: sent %d, rcvd %d$%s [%s] %d (%s)$%s [%s] %d (%s) open$Cmd line: $ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$nc -h for help$no connection$no destination$no port[s] to connect to$sent %d, rcvd %d$wrong
              • API String ID: 4055665335-2008981751
              • Opcode ID: 945ebf9ac20181d164727630f1f54f8069b7d551b4570e1053475a9ce1b1d09e
              • Instruction ID: aa6d466d49ba75014a6fd088382988284f4421623f444755cc5968d3db34c99a
              • Opcode Fuzzy Hash: 945ebf9ac20181d164727630f1f54f8069b7d551b4570e1053475a9ce1b1d09e
              • Instruction Fuzzy Hash: 0B425EA5B10B1089EB10DF66E89136A37A0FB44B88F44442AEF5D677E5EB3CC941C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (Block/edge text of the rendered graph for 406a20 omitted.) 406a20-406a53 calls 407290; 406a84-406aa5 calls 407150; 406b0f-406b1a calls 407210; 406b30-406b47 calls RtlAddFunctionTable. Together with the ".pdata" string in this record, this is start-up code registering the image's exception/unwind function table at run time.
              Strings
              Memory Dump Source
              • Same source file, associated dumps and IDA snapshot (hcaresult_0_2_400000_RpcSsv.jbxd) as listed for the first function above
              Yara matches
              Similarity
              • API ID:
              • String ID: .pdata
              • API String ID: 0-4177594709
              • Opcode ID: 848ff36b62a2b5aff3fa10d18bb057375645d8e1eef1ab0ae7ac3e9fe25b8922
              • Instruction ID: 45ff1e9a60c1157d607ad3e4c4e18b95299c8fe5b1e485a1b1b3035dc337f696
              • Opcode Fuzzy Hash: 848ff36b62a2b5aff3fa10d18bb057375645d8e1eef1ab0ae7ac3e9fe25b8922
              • Instruction Fuzzy Hash: 0221BF71715684CBDB10AF05E84034A77A1F348BC4F98803AEF8AA7B99DB3CD425CB48
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (Block/edge text of the rendered graph for 402f70 omitted.) 402f70-402f9e calls WSAStartup; its result is tested in 402fa0-402fa9 and 402fab-402fb8, and 402fba-402fc4 and 402fc6 converge on the return at 402fc7-402fc8. Winsock has to be initialised here before the socket calls in 403ec7, which is why 405282 calls this routine in its first block.
              APIs
              Memory Dump Source
              • Same source file, associated dumps and IDA snapshot (hcaresult_0_2_400000_RpcSsv.jbxd) as listed for the first function above
              Yara matches
              Similarity
              • API ID: Startup
              • String ID:
              • API String ID: 724789610-0
              • Opcode ID: fd50942647596e9adff19615f9acac6174bf98626788d581ad528cc4b900d8f1
              • Instruction ID: d979e13f101af2de71beeaa6dfad1e31789a9e17aa052920b34001e835b19141
              • Opcode Fuzzy Hash: fd50942647596e9adff19615f9acac6174bf98626788d581ad528cc4b900d8f1
              • Instruction Fuzzy Hash: A3F08261B11126DCF7115764D9453F83374A745748F5040A2EE88A67D8D67CCD86DB14
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Same source file, associated dumps and IDA snapshot (hcaresult_0_2_400000_RpcSsv.jbxd) as listed for the first function above
              Yara matches
              Similarity
              • API ID: AddressExceptionFilterHandleInfoModuleProcSleepStartupUnhandled
              • String ID: _set_invalid_parameter_handler$msvcr70.dll$msvcr80.dll$msvcrt.dll
              • API String ID: 2266094942-642542254
              • Opcode ID: 56095309bf7a8c3b66de1de47b6568b22e89348a84533b73710e95d38ee6dfee
              • Instruction ID: 5b6e076c5045b8a0079544a8a1ac6406c7196364995176b67122be39bdec3849
              • Opcode Fuzzy Hash: 56095309bf7a8c3b66de1de47b6568b22e89348a84533b73710e95d38ee6dfee
              • Instruction Fuzzy Hash: 8FC1A17160560086EB259B25AC9036A3361EB89798F88453BDF1DBB3F1DF3CD885878D
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Same source file, associated dumps and IDA snapshot (hcaresult_0_2_400000_RpcSsv.jbxd) as listed for the first function above
              Yara matches
              Similarity
              • API ID: _dup
              • String ID: UDP listen needs -p arg$] %d ...$any$connect to [%s] from %s [%s] %d$invalid connection to [%s] from %s [%s] %d$listening on [$local getsockname failed$local listen fuxored$post-rcv getsockname failed
              • API String ID: 4290338715-1417769188
              • Opcode ID: 9814f324597a2c128c250115492104a44e538bf979e0cc934165edc76680b334
              • Instruction ID: fae62bbe820c3f8e4ccf25578a5d57cd35fb67886a86de2ca3ddb9177e1a32ff
              • Opcode Fuzzy Hash: 9814f324597a2c128c250115492104a44e538bf979e0cc934165edc76680b334
              • Instruction Fuzzy Hash: B2D12EA571160489EB50DFA6E8913A937A0E788BC8F44812ADF1DA77A5EF3CC940C758
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • Can't grab %s:%d with bind, xrefs: 00404108
              • Can't get socket, xrefs: 00403F59
              • retrying local %s:%d, xrefs: 004040A8
              • Warning: source routing unavailable on this machine, ignoring, xrefs: 0040416C
              • nnetfd reuseaddr failed, xrefs: 00403FBA
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _dup
              • String ID: Can't get socket$Can't grab %s:%d with bind$Warning: source routing unavailable on this machine, ignoring$nnetfd reuseaddr failed$retrying local %s:%d
              • API String ID: 4290338715-1629468623
              • Opcode ID: 81195a13f2a274a7a8b28e53bd2533d14ed36ab7e99d3ebe814992cc2bb95606
              • Instruction ID: 796a5e7de7e8b4d4d34cb24cf692fcf8d0d9c0bba1063527440a6a88acc77b97
              • Opcode Fuzzy Hash: 81195a13f2a274a7a8b28e53bd2533d14ed36ab7e99d3ebe814992cc2bb95606
              • Instruction Fuzzy Hash: 4EA1ECA1710605CAEB509F6AEC8436937A0E788B98F14822ADF5DA77B4DF3DC941C74C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlCaptureContext.KERNEL32 ref: 00406C74
              • SetUnhandledExceptionFilter.KERNEL32 ref: 00406D12
              • UnhandledExceptionFilter.KERNEL32 ref: 00406D1F
              • GetCurrentProcess.KERNEL32 ref: 00406D25
              • TerminateProcess.KERNEL32 ref: 00406D33
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentTerminate
              • String ID:
              • API String ID: 4227532867-0
              • Opcode ID: dbc72f76830ff9da06bbf8b047b60c4ced8e52ebf8dc847f5436a09ace3722fe
              • Instruction ID: 806709c38d932ebe020d2be2581943bc65d06b3b3ce8ab5b5d62cd5fcd632005
              • Opcode Fuzzy Hash: dbc72f76830ff9da06bbf8b047b60c4ced8e52ebf8dc847f5436a09ace3722fe
              • Instruction Fuzzy Hash: C62104B5616F04E9EB009B61FC8039933A4F748788F54012ADB8E23B65EF3CD244878C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSystemTimeAsFileTime.KERNEL32 ref: 00406BC9
              • GetCurrentProcessId.KERNEL32 ref: 00406BD4
              • GetCurrentThreadId.KERNEL32 ref: 00406BDC
              • GetTickCount.KERNEL32 ref: 00406BE6
              • QueryPerformanceCounter.KERNEL32 ref: 00406BF5
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
              • String ID:
              • API String ID: 1445889803-0
              • Opcode ID: 67c04eecbba078a7038835ea3813aebdbee4ae9d6fcb65bb677d228f3e40501e
              • Instruction ID: 028d8ec5365a5601458f3b91cb52c4a4b563417e76bb7ab21696fc452bac0917
              • Opcode Fuzzy Hash: 67c04eecbba078a7038835ea3813aebdbee4ae9d6fcb65bb677d228f3e40501e
              • Instruction Fuzzy Hash: AD116A76218F5082E7109B11F94031AB3A4F789BA0F591229EFDE53BA8CF7CD414C704
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1076d771c2a51fa4f6bc76235493e04b32cae95c7138d50a69a54d5d520abb4f
              • Instruction ID: 3ef281a9a11953fac464a4376d4bbb0b98ddb9c8bb1d40f916b525e31b01085c
              • Opcode Fuzzy Hash: 1076d771c2a51fa4f6bc76235493e04b32cae95c7138d50a69a54d5d520abb4f
              • Instruction Fuzzy Hash: 9231128FE5EBE0EBD32357240CAD1992F61A5A3E2634D81AFCB40637D3E45D6C059319
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 408aaf348a2a9458c6a2207c94412e7a397df4fe8707b78f4b06967b6432009d
              • Instruction ID: dbe8914ba4c1b64724497f8881cb4b4c1494ccf6a1cfefe493af15d29377b386
              • Opcode Fuzzy Hash: 408aaf348a2a9458c6a2207c94412e7a397df4fe8707b78f4b06967b6432009d
              • Instruction Fuzzy Hash: 91A0025644AC14D8E3001B04DE513645229D306201F0521208214724558A3D90644148
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 387 4055ff-405608 388 405616-405620 387->388 389 40560a-405611 call 4035db 387->389 390 405622-40562c call 40371e 388->390 391 405633-405655 call 403841 388->391 389->388 390->391 397 405676-405685 391->397 398 405657-405673 391->398 399 4058bb-4058d6 call 402422 397->399 398->397 402 405533-405539 399->402 403 4058dc-4058e6 399->403 406 40589a-4058b5 call 4035db 402->406 407 40553f-40555d 402->407 404 405907-405911 403->404 405 4058e8-405903 call 4073a0 call 4074f8 call 40371e 403->405 409 405930-40593a 404->409 410 405913-405926 _close 404->410 405->404 406->399 407->406 413 40593c-405964 _open 409->413 414 40598d-4059a3 409->414 410->409 419 405966-405977 call 4035db 413->419 420 40597c-405986 call 40371e 413->420 416 4059a5-4059ca call 403841 414->416 417 4059ce-4059d3 414->417 416->417 425 4059f2-4059f7 417->425 426 4059d5-4059e2 417->426 419->420 420->414 432 405a08-405a21 425->432 433 4059f9-405a02 425->433 426->425 431 4059e4-4059ee 426->431 431->425 436 405a27-405a43 432->436 437 405b3e-405b43 432->437 433->432 440 405a92-405abe call 40425f 436->440 441 405a45-405a6e call 403bc0 436->441 438 405b51-405b67 437->438 439 405b45-405b4c call 4035db 437->439 445 405b75-405b8f 438->445 446 405b69-405b70 call 4035db 438->446 439->438 453 405ac0-405aca 440->453 454 405b32-405b39 call 4035db 440->454 441->440 452 405a70-405a8d call 4035db 441->452 450 405b91 445->450 451 405b9a-405ba2 445->451 446->445 450->451 455 405edb-405ef1 451->455 452->440 460 405adc-405ae6 453->460 461 405acc-405ad7 call 4026fd 453->461 454->437 456 405ba7-405bdb call 4074f0 455->456 457 405ef7-405f11 455->457 476 405c0b-405c34 call 403bc0 456->476 477 405bdd-405bfa call 403bc0 456->477 474 405f30-405f3d 457->474 475 405f13-405f2b call 4034eb 457->475 464 405af7-405b02 460->464 465 405ae8-405af5 call 404b7c 460->465 461->460 469 405b21-405b25 464->469 470 405b04-405b1c call 4034eb 464->470 465->464 472 405397-405398 469->472 473 405b2b-405b2d call 407428 
469->473 470->469 479 40539b-40539f 472->479 473->454 489 405f43-405f4d 474->489 490 40539a 474->490 475->474 492 405c36-405c53 call 4035db 476->492 493 405c58-405c60 476->493 477->476 491 405bfc-405c06 call 4035db 477->491 479->399 484 4053a5-4053d9 call 40371e * 2 479->484 517 4053e2-4053fe call 4074e8 484->517 497 405f56-405fcb call 407428 call 4034eb * 6 call 4035db 489->497 498 405f4f-405f51 call 407428 489->498 490->479 491->476 492->493 494 405c62-405c7d 493->494 495 405caf-405cb7 493->495 501 405c83-405caa call 403e4e call 403dca 494->501 502 405ebe-405ec6 494->502 495->502 498->497 501->502 507 405cbc-405cc1 502->507 508 405ecc-405ed5 502->508 512 405cc3-405ccd 507->512 513 405ce6-405d26 call 403bc0 call 403ec7 507->513 508->455 512->513 516 405ccf-405cde call 4074c0 512->516 532 405d57-405d5f 513->532 533 405d28-405d32 513->533 516->513 531 405ce0 516->531 528 405403-405413 call 407490 517->528 541 405418-405439 _read 528->541 531->513 539 405d65-405dad call 4034eb 532->539 540 405dec-405dfb 532->540 533->532 537 405d34-405d3e 533->537 537->532 544 405d40-405d51 call 404773 537->544 559 405dbf-405dc9 539->559 560 405daf-405dba call 4026fd 539->560 542 405e1a-405e4e call 4034eb 540->542 543 405dfd-405e08 540->543 547 405447-40545b call 40377b 541->547 548 40543b-405442 call 4035db 541->548 558 405e53-405e88 542->558 543->542 549 405e0a-405e18 543->549 544->532 567 405471-405479 547->567 568 40545d-40546b 547->568 548->547 549->542 549->558 581 405e8a-405e92 558->581 582 405e9b-405ea5 558->582 559->558 565 405dcf-405dd9 559->565 560->559 565->558 566 405ddb-405dea call 404b7c 565->566 566->558 572 40547b-405497 call 4073f8 567->572 573 40549c-4054ba call 4074f0 567->573 568->567 572->573 585 4054bc 573->585 586 4054bf-4054dd call 4074f0 573->586 581->582 583 405ea7-405eb7 call 403dca 582->583 584 405eb9 582->584 583->502 584->502 585->586 591 4054e2-4054f6 586->591 592 4054df 586->592 593 405524-405529 591->593 592->591 594 4054f8-4054fd 593->594 595 
40552b-40552e 593->595 596 405504-40550d 594->596 597 4054ff-405502 594->597 595->399 598 405520 596->598 599 40550f-40551d 596->599 597->598 598->593 599->598
              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              • too many -g hops, xrefs: 0040560A
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d$too many -g hops
              • API String ID: 3007559463-909044548
              • Opcode ID: 87ca6f6635c9188b87a7fbc92b53bcf131d77999c7084ea5157d1f83321a5bb5
              • Instruction ID: 8e437f1b80d787de8f8b3079899cb673138f008f2ce05e725b2ae541dc826503
              • Opcode Fuzzy Hash: 87ca6f6635c9188b87a7fbc92b53bcf131d77999c7084ea5157d1f83321a5bb5
              • Instruction Fuzzy Hash: 87B12BA1B00A0486EB10EF26E89136A37A0E744798F44442AEB5DA77E5EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 600 40568a-4056d2 call 405f60 call 4074b0 606 4058b7-4058b8 600->606 607 4056d8-4056ee call 4035db 600->607 609 4058bb-4058d6 call 402422 606->609 607->609 613 405533-405539 609->613 614 4058dc-4058e6 609->614 617 40589a-4058b5 call 4035db 613->617 618 40553f-40555d 613->618 615 405907-405911 614->615 616 4058e8-405903 call 4073a0 call 4074f8 call 40371e 614->616 620 405930-40593a 615->620 621 405913-405926 _close 615->621 616->615 617->609 618->617 624 40593c-405964 _open 620->624 625 40598d-4059a3 620->625 621->620 630 405966-405977 call 4035db 624->630 631 40597c-405986 call 40371e 624->631 627 4059a5-4059ca call 403841 625->627 628 4059ce-4059d3 625->628 627->628 636 4059f2-4059f7 628->636 637 4059d5-4059e2 628->637 630->631 631->625 643 405a08-405a21 636->643 644 4059f9-405a02 636->644 637->636 642 4059e4-4059ee 637->642 642->636 647 405a27-405a43 643->647 648 405b3e-405b43 643->648 644->643 651 405a92-405abe call 40425f 647->651 652 405a45-405a6e call 403bc0 647->652 649 405b51-405b67 648->649 650 405b45-405b4c call 4035db 648->650 656 405b75-405b8f 649->656 657 405b69-405b70 call 4035db 649->657 650->649 664 405ac0-405aca 651->664 665 405b32-405b39 call 4035db 651->665 652->651 663 405a70-405a8d call 4035db 652->663 661 405b91 656->661 662 405b9a-405ba2 656->662 657->656 661->662 666 405edb-405ef1 662->666 663->651 671 405adc-405ae6 664->671 672 405acc-405ad7 call 4026fd 664->672 665->648 667 405ba7-405bdb call 4074f0 666->667 668 405ef7-405f11 666->668 687 405c0b-405c34 call 403bc0 667->687 688 405bdd-405bfa call 403bc0 667->688 685 405f30-405f3d 668->685 686 405f13-405f2b call 4034eb 668->686 675 405af7-405b02 671->675 676 405ae8-405af5 call 404b7c 671->676 672->671 680 405b21-405b25 675->680 681 405b04-405b1c call 4034eb 675->681 676->675 683 405397-405398 680->683 684 405b2b-405b2d call 407428 680->684 681->680 690 40539b-40539f 683->690 684->665 700 405f43-405f4d 685->700 701 40539a 685->701 686->685 703 405c36-405c53 
call 4035db 687->703 704 405c58-405c60 687->704 688->687 702 405bfc-405c06 call 4035db 688->702 690->609 695 4053a5-4053d9 call 40371e * 2 690->695 728 4053e2-4053fe call 4074e8 695->728 708 405f56-405fcb call 407428 call 4034eb * 6 call 4035db 700->708 709 405f4f-405f51 call 407428 700->709 701->690 702->687 703->704 705 405c62-405c7d 704->705 706 405caf-405cb7 704->706 712 405c83-405caa call 403e4e call 403dca 705->712 713 405ebe-405ec6 705->713 706->713 709->708 712->713 718 405cbc-405cc1 713->718 719 405ecc-405ed5 713->719 723 405cc3-405ccd 718->723 724 405ce6-405d26 call 403bc0 call 403ec7 718->724 719->666 723->724 727 405ccf-405cde call 4074c0 723->727 743 405d57-405d5f 724->743 744 405d28-405d32 724->744 727->724 742 405ce0 727->742 739 405403-405413 call 407490 728->739 752 405418-405439 _read 739->752 742->724 750 405d65-405dad call 4034eb 743->750 751 405dec-405dfb 743->751 744->743 748 405d34-405d3e 744->748 748->743 755 405d40-405d51 call 404773 748->755 770 405dbf-405dc9 750->770 771 405daf-405dba call 4026fd 750->771 753 405e1a-405e4e call 4034eb 751->753 754 405dfd-405e08 751->754 758 405447-40545b call 40377b 752->758 759 40543b-405442 call 4035db 752->759 769 405e53-405e88 753->769 754->753 760 405e0a-405e18 754->760 755->743 778 405471-405479 758->778 779 40545d-40546b 758->779 759->758 760->753 760->769 792 405e8a-405e92 769->792 793 405e9b-405ea5 769->793 770->769 776 405dcf-405dd9 770->776 771->770 776->769 777 405ddb-405dea call 404b7c 776->777 777->769 783 40547b-405497 call 4073f8 778->783 784 40549c-4054ba call 4074f0 778->784 779->778 783->784 796 4054bc 784->796 797 4054bf-4054dd call 4074f0 784->797 792->793 794 405ea7-405eb7 call 403dca 793->794 795 405eb9 793->795 794->713 795->713 796->797 802 4054e2-4054f6 797->802 803 4054df 797->803 804 405524-405529 802->804 803->802 805 4054f8-4054fd 804->805 806 40552b-40552e 804->806 807 405504-40550d 805->807 808 4054ff-405502 805->808 806->609 809 405520 807->809 810 40550f-40551d 807->810 
808->809 809->804 810->809
              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • invalid interval time %s, xrefs: 004056E2
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid interval time %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 3007559463-4285341050
              • Opcode ID: 7db0b8ca37dfe16f10ebca187822d17eefff9d87851ab826b924773274c8b7cc
              • Instruction ID: fc8d50b5f30da4e9a3539b8203064f8c1c5d40110fba828f126db5dd2a13a262
              • Opcode Fuzzy Hash: 7db0b8ca37dfe16f10ebca187822d17eefff9d87851ab826b924773274c8b7cc
              • Instruction Fuzzy Hash: 09B121A1711A0486EB10DF26E89136A37A0FB44788F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 811 40581f-40583c call 4074b0 814 405854-405885 call 40371e * 2 811->814 815 40583e-40584f call 4035db 811->815 821 4058bb-4058d6 call 402422 814->821 815->814 824 405533-405539 821->824 825 4058dc-4058e6 821->825 828 40589a-4058b5 call 4035db 824->828 829 40553f-40555d 824->829 826 405907-405911 825->826 827 4058e8-405903 call 4073a0 call 4074f8 call 40371e 825->827 831 405930-40593a 826->831 832 405913-405926 _close 826->832 827->826 828->821 829->828 835 40593c-405964 _open 831->835 836 40598d-4059a3 831->836 832->831 841 405966-405977 call 4035db 835->841 842 40597c-405986 call 40371e 835->842 838 4059a5-4059ca call 403841 836->838 839 4059ce-4059d3 836->839 838->839 847 4059f2-4059f7 839->847 848 4059d5-4059e2 839->848 841->842 842->836 854 405a08-405a21 847->854 855 4059f9-405a02 847->855 848->847 853 4059e4-4059ee 848->853 853->847 858 405a27-405a43 854->858 859 405b3e-405b43 854->859 855->854 862 405a92-405abe call 40425f 858->862 863 405a45-405a6e call 403bc0 858->863 860 405b51-405b67 859->860 861 405b45-405b4c call 4035db 859->861 867 405b75-405b8f 860->867 868 405b69-405b70 call 4035db 860->868 861->860 875 405ac0-405aca 862->875 876 405b32-405b39 call 4035db 862->876 863->862 874 405a70-405a8d call 4035db 863->874 872 405b91 867->872 873 405b9a-405ba2 867->873 868->867 872->873 877 405edb-405ef1 873->877 874->862 882 405adc-405ae6 875->882 883 405acc-405ad7 call 4026fd 875->883 876->859 878 405ba7-405bdb call 4074f0 877->878 879 405ef7-405f11 877->879 898 405c0b-405c34 call 403bc0 878->898 899 405bdd-405bfa call 403bc0 878->899 896 405f30-405f3d 879->896 897 405f13-405f2b call 4034eb 879->897 886 405af7-405b02 882->886 887 405ae8-405af5 call 404b7c 882->887 883->882 891 405b21-405b25 886->891 892 405b04-405b1c call 4034eb 886->892 887->886 894 405397-405398 891->894 895 405b2b-405b2d call 407428 891->895 892->891 901 40539b-40539f 894->901 895->876 911 405f43-405f4d 896->911 912 40539a 896->912 897->896 914 
405c36-405c53 call 4035db 898->914 915 405c58-405c60 898->915 899->898 913 405bfc-405c06 call 4035db 899->913 901->821 906 4053a5-4053d9 call 40371e * 2 901->906 939 4053e2-4053fe call 4074e8 906->939 919 405f56-405fcb call 407428 call 4034eb * 6 call 4035db 911->919 920 405f4f-405f51 call 407428 911->920 912->901 913->898 914->915 916 405c62-405c7d 915->916 917 405caf-405cb7 915->917 923 405c83-405caa call 403e4e call 403dca 916->923 924 405ebe-405ec6 916->924 917->924 920->919 923->924 929 405cbc-405cc1 924->929 930 405ecc-405ed5 924->930 934 405cc3-405ccd 929->934 935 405ce6-405d26 call 403bc0 call 403ec7 929->935 930->877 934->935 938 405ccf-405cde call 4074c0 934->938 954 405d57-405d5f 935->954 955 405d28-405d32 935->955 938->935 953 405ce0 938->953 950 405403-405413 call 407490 939->950 963 405418-405439 _read 950->963 953->935 961 405d65-405dad call 4034eb 954->961 962 405dec-405dfb 954->962 955->954 959 405d34-405d3e 955->959 959->954 966 405d40-405d51 call 404773 959->966 981 405dbf-405dc9 961->981 982 405daf-405dba call 4026fd 961->982 964 405e1a-405e4e call 4034eb 962->964 965 405dfd-405e08 962->965 969 405447-40545b call 40377b 963->969 970 40543b-405442 call 4035db 963->970 980 405e53-405e88 964->980 965->964 971 405e0a-405e18 965->971 966->954 989 405471-405479 969->989 990 40545d-40546b 969->990 970->969 971->964 971->980 1003 405e8a-405e92 980->1003 1004 405e9b-405ea5 980->1004 981->980 987 405dcf-405dd9 981->987 982->981 987->980 988 405ddb-405dea call 404b7c 987->988 988->980 994 40547b-405497 call 4073f8 989->994 995 40549c-4054ba call 4074f0 989->995 990->989 994->995 1007 4054bc 995->1007 1008 4054bf-4054dd call 4074f0 995->1008 1003->1004 1005 405ea7-405eb7 call 403dca 1004->1005 1006 405eb9 1004->1006 1005->924 1006->924 1007->1008 1013 4054e2-4054f6 1008->1013 1014 4054df 1008->1014 1015 405524-405529 1013->1015 1014->1013 1016 4054f8-4054fd 1015->1016 1017 40552b-40552e 1015->1017 1018 405504-40550d 1016->1018 1019 4054ff-405502 1016->1019 
1017->821 1020 405520 1018->1020 1021 40550f-40551d 1018->1021 1019->1020 1020->1015 1021->1020
              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • invalid wait-time %s, xrefs: 00405848
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$invalid wait-time %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 3007559463-633440223
              • Opcode ID: 76f88a5d1358f924b7e8d9898098cb5b8bac9a8561e16428d76b4f049ea4efc6
              • Instruction ID: 05b4733661cf0231066567cd4c170bdb3769fcc207079a19a1e9e71d0c46e157
              • Opcode Fuzzy Hash: 76f88a5d1358f924b7e8d9898098cb5b8bac9a8561e16428d76b4f049ea4efc6
              • Instruction Fuzzy Hash: 4AB11DA1700A0486EB10EF26E89136A37A0F744798F44442AEB5DB77E5EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Rendered graph omitted. Entry block: 4055c3-4055d6 (call 4074b0); basic blocks span 405397-405fcb; imported APIs reached: _close (405913-405926), _open (40593c-405964), _read (405418-405439).
              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • invalid hop pointer %d, must be multiple of 4 <= 28, xrefs: 004055EE
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid hop pointer %d, must be multiple of 4 <= 28$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 3007559463-3941223175
              • Opcode ID: fe10ccebe754170c8a62fe9969b43f30d820fffeb18aaa36aa2d431ed5819ef3
              • Instruction ID: b395948c6c4bd3e0e78c5d0e51a79d20c3281f9b485f8eef4a6e79a4afb90c63
              • Opcode Fuzzy Hash: fe10ccebe754170c8a62fe9969b43f30d820fffeb18aaa36aa2d431ed5819ef3
              • Instruction Fuzzy Hash: ECB13EA1B00A1486EB10DF25E89136A37A0F744798F44442AEB5DB73E5EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Rendered graph omitted. Entry block: 405743-405760 (call 403bc0); basic blocks span 405397-405fcb; imported APIs reached: _close (405913-405926), _open (40593c-405964), _read (405418-405439).
              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • invalid local port %s, xrefs: 00405770
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid local port %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 3007559463-1475400292
              • Opcode ID: 6dc5251d790861df4746517fb317d590a2c5f166a036c983b1c2d4eae0398727
              • Instruction ID: 412349e23a80563349d223d5c2fc72623315a500cee4f8d9f13a9d5feb982282
              • Opcode Fuzzy Hash: 6dc5251d790861df4746517fb317d590a2c5f166a036c983b1c2d4eae0398727
              • Instruction Fuzzy Hash: AEB13DA1B10A0486EB10EF26E89136A37A0FB44788F44442AEB5D777E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Rendered graph omitted. Entry block: 405563-405580 (call 4035db); basic blocks span 405397-405fcb; imported APIs reached: _close (405913-405926), _open (40593c-405964), _read (405418-405439).
              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • all-A-records NIY, xrefs: 00405563
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$all-A-records NIY$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-2323755471
              • Opcode ID: 02a9b6737114b9787cf83e46bd712633344938b826b37088b88542a449b2d82e
              • Instruction ID: 7cabb3e495677b6ded4950639222f7885a430f654292a11837caf2832b9c2118
              • Opcode Fuzzy Hash: 02a9b6737114b9787cf83e46bd712633344938b826b37088b88542a449b2d82e
              • Instruction Fuzzy Hash: EEA13FA1B10A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Rendered graph omitted. Entry block: 405797-4057c2 (call 403841); basic blocks span 405397-405fcb; imported APIs reached: _close (405913-405926), _open (40593c-405964), _read (405418-405439).
              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: 7cb95d333917b75a1f19fc3b667313b740d961bb7bbd8feef2aa009acc712494
              • Instruction ID: 88e6ff62caf1252c4ffe0d9992e833e06b6c4ec77a96bdd4dfb1b046ccbd3f98
              • Opcode Fuzzy Hash: 7cb95d333917b75a1f19fc3b667313b740d961bb7bbd8feef2aa009acc712494
              • Instruction Fuzzy Hash: 96B13DA1B01A1486EB10DF26E89136A37A0FB44788F44442AEB5DB77E5EF3CD941C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: 11986d9d1fb2c3a380ec7fd46836451cb31239c5fdd6edc82d1f490680556fde
              • Instruction ID: 97f028e474ae15dea11a3c05a44dfeb8e1187850dccbedaa3eb4596c0e0c8f79
              • Opcode Fuzzy Hash: 11986d9d1fb2c3a380ec7fd46836451cb31239c5fdd6edc82d1f490680556fde
              • Instruction Fuzzy Hash: 2CA13DA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: bd0d8fd678dcd62ff55a949ca998d91e37a2f52ad729474c2222c5deef51e314
              • Instruction ID: 2ced718abb88147c80181c75dd8c69b75c195ba48d33959a02bd4597aa9895b3
              • Opcode Fuzzy Hash: bd0d8fd678dcd62ff55a949ca998d91e37a2f52ad729474c2222c5deef51e314
              • Instruction Fuzzy Hash: E5A13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB77E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: 72d83f644af1d587b92f490ff5e22cc670de32f493b5b5125b806490678883c0
              • Instruction ID: 13f9a44ee06a4180d9e4e87645fcb9b8c050e4a90a022d1ba9c8af33fe448c17
              • Opcode Fuzzy Hash: 72d83f644af1d587b92f490ff5e22cc670de32f493b5b5125b806490678883c0
              • Instruction Fuzzy Hash: ACA13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: 3f84420f88529ff46f892d28b501fa6cc0e7fbb3f46a61c356c1e814d1db33a9
              • Instruction ID: 5d22e836d81dc684cd68b93662e43c6f5f6a1c427a4cbc473dc87eea764dbb85
              • Opcode Fuzzy Hash: 3f84420f88529ff46f892d28b501fa6cc0e7fbb3f46a61c356c1e814d1db33a9
              • Instruction Fuzzy Hash: 05A13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: 10d93a76a723074bc1ea73b591166d6d6b116f23e5057b24e29fb4e6dd497874
              • Instruction ID: c99734c4faf20deb3e312f39af979299bc276a7bb6ddd07d05680851355301fe
              • Opcode Fuzzy Hash: 10d93a76a723074bc1ea73b591166d6d6b116f23e5057b24e29fb4e6dd497874
              • Instruction Fuzzy Hash: 52A13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB77E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: edcbcf9daa62a74caa35f4fc58f72260fe55109df5da429b4ccc0eb52b2585e9
              • Instruction ID: 2b9f7e0ba8bb8de98284cc66be26ed87c87f879519a41079b020130af3776ea8
              • Opcode Fuzzy Hash: edcbcf9daa62a74caa35f4fc58f72260fe55109df5da429b4ccc0eb52b2585e9
              • Instruction Fuzzy Hash: F0A13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              [Control-flow graph rendering spilled into text: the node/edge list for the function whose entry block is 4056f3-405704, with basic blocks in the 405397-405fcb range and calls to _close, _open and _read; the graph itself is not reproduced here.]
              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: a0cbd94ab833b5377a21c85ccb85a5987aa83267bc165d54f244e728c7fd89e3
              • Instruction ID: b209e171abd88e54e660072998be3d337a93ca3cf228b4de89aa67daf5c472ba
              • Opcode Fuzzy Hash: a0cbd94ab833b5377a21c85ccb85a5987aa83267bc165d54f244e728c7fd89e3
              • Instruction Fuzzy Hash: 44A13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: ca32ef9a596dc3f52f2dab401382c3e440302f7bb3ee0b3c3bd24f8a6a9251b7
              • Instruction ID: 8d424b4d7d049871720d3b4a90c17472bb77e7b16826db6d56e936f330c36256
              • Opcode Fuzzy Hash: ca32ef9a596dc3f52f2dab401382c3e440302f7bb3ee0b3c3bd24f8a6a9251b7
              • Instruction Fuzzy Hash: 5EA13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: d15327f1078ff533f86da4e6fbb4fdca3da6d0c53178bc817945293cc8ea8191
              • Instruction ID: df61f6ffd2cc24baa300273d20d97d9390fc97a82d4a82d33d6cd4f6ff161ba5
              • Opcode Fuzzy Hash: d15327f1078ff533f86da4e6fbb4fdca3da6d0c53178bc817945293cc8ea8191
              • Instruction Fuzzy Hash: 5FA13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: 64fe301c2b49228a59aea6c5be925c66a4848b408ced80f509f267529d06ab2c
              • Instruction ID: e70857ff56071e4686d2b734595b1809ffa81c2d574203557aa85be2d0f3298e
              • Opcode Fuzzy Hash: 64fe301c2b49228a59aea6c5be925c66a4848b408ced80f509f267529d06ab2c
              • Instruction Fuzzy Hash: 88A13EA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: 1669b2e5e66dc879dd0d20d4eb66c0b91ee9dd1b7078a8f24d9b467ac99b1e07
              • Instruction ID: 91497e83ffc2b0f5ee9b8eda1886ff08df82a04189f1f93d419c6693ae7b4ba2
              • Opcode Fuzzy Hash: 1669b2e5e66dc879dd0d20d4eb66c0b91ee9dd1b7078a8f24d9b467ac99b1e07
              • Instruction Fuzzy Hash: 39A13DA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5DB73E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • ade:g:G:hi:lLno:p:rs:tcuvw:z, xrefs: 004058BF
              • -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning], xrefs: 00405FAD
              • no port[s] to connect to, xrefs: 00405B69
              • -e proginbound program to exec [dangerous!!], xrefs: 00405F89
              • [v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:, xrefs: 00405F71
              • port numbers can be individual or ranges: m-n [inclusive], xrefs: 00405FB9
              • no destination, xrefs: 00405B45
              • -ddetach from console, background mode, xrefs: 00405F7D
              • sent %d, rcvd %d, xrefs: 00405F24
              • sent %d, rcvd %d, xrefs: 00405B15
              • -tanswer TELNET negotiation, xrefs: 00405FA1
              • invalid port %s, xrefs: 00405A86
              • can't open %s, xrefs: 00405970
              • no connection, xrefs: 00405B32
              • -g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum, xrefs: 00405F95
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close_itoa_open
              • String ID: -csend CRLF instead of just LF-uUDP mode-vverbose [use twice to be more verbose]-w secstimeout for connects and final net reads-zzero-I/O mode [used for scanning]$-ddetach from console, background mode$-e proginbound program to exec [dangerous!!]$-g gatewaysource-routing hop point[s], up to 8-G numsource-routing pointer: 4, 8, 12, ...-hthis cruft-i secsdelay interval for lines sent, ports scanned-llisten mode, for inbound connects-Llisten harder, re-listen on socket close-nnum$-tanswer TELNET negotiation$ sent %d, rcvd %d$[v1.12 NT http://eternallybored.org/misc/netcat/]connect to somewhere:nc [-options] hostname port[s] [ports] ... listen for inbound:nc -l -p port [options] [hostname] [port]options:$ade:g:G:hi:lLno:p:rs:tcuvw:z$can't open %s$invalid port %s$no connection$no destination$no port[s] to connect to$port numbers can be individual or ranges: m-n [inclusive]$sent %d, rcvd %d
              • API String ID: 357769857-3526283814
              • Opcode ID: 3a6a0462b61e22ec1e4e1e08eede510bdf388febeacd1c22725377d6b02288f0
              • Instruction ID: 32178a147c5a87466c29771b37e4f748e23c356c5c57a27f44acaaec0d940870
              • Opcode Fuzzy Hash: 3a6a0462b61e22ec1e4e1e08eede510bdf388febeacd1c22725377d6b02288f0
              • Instruction Fuzzy Hash: A6A13FA1B00A1486EB10DF26E89136A37A0FB44798F44442AEB5D773E1EF3CD945C79C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _close$_kbhit_read
              • String ID: Preposterous Pointers: %d, %d$net timeout$select fuxored$too many output retries
              • API String ID: 219334779-2498977472
              • Opcode ID: 82ed814d9ba9085e01aaf7aeeb0be3f3254f412ad1ed24ef9e9cb5b6d6c82bd0
              • Instruction ID: cf21e2d091fa6b690a5056ef3650b023c702295b07089b35a35e04ed77456dc2
              • Opcode Fuzzy Hash: 82ed814d9ba9085e01aaf7aeeb0be3f3254f412ad1ed24ef9e9cb5b6d6c82bd0
              • Instruction Fuzzy Hash: 0E121BB5B01604CAEB10DF6AE89075A33B1F788B88F54412ADF1DA77A4DB3DD941CB48
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _write
              • String ID: %8.8x $0123456789abcdef $ofd write err$oprint called with no open fd?!
              • API String ID: 4149450435-2525127170
              • Opcode ID: 5f0cacba8cb66720dad3cc8de6fe5842dc065c2c274e094dd3d56471bcba8317
              • Instruction ID: 753d877037e281a7939baf9683916c7999053b966fcdfa04dcdb03f4a0fd957e
              • Opcode Fuzzy Hash: 5f0cacba8cb66720dad3cc8de6fe5842dc065c2c274e094dd3d56471bcba8317
              • Instruction Fuzzy Hash: 7E518DB3B456A08AEB02CB39E84039E3BA1F354748F084126EF9967799D73CC901C799
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • Failed to create ReadShell session thread, error = %s, xrefs: 004027CB, 00402884
              • WaitForMultipleObjects error: %s, xrefs: 00402A05
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _itoa
              • String ID: Failed to create ReadShell session thread, error = %s$WaitForMultipleObjects error: %s
              • API String ID: 2976379300-1286572211
              • Opcode ID: 2a9cf43e09b0fceb8f74368e5b9e0c26564e1dcfd8b798480aaccd27c0ca2a2e
              • Instruction ID: 0cf69bf676a791dd5fa2397a66077d321a7da3f5f50b2f4c5f390b80d2b701dc
              • Opcode Fuzzy Hash: 2a9cf43e09b0fceb8f74368e5b9e0c26564e1dcfd8b798480aaccd27c0ca2a2e
              • Instruction Fuzzy Hash: 59A1E7B6B00B0889EB50DB6AE89135D2B70F388B98F104626CF5D677B8DF38C5458794
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • Failed to create shell stdin pipe, error = %s, xrefs: 004025D3
              • Failed to create shell stdout pipe, error = %s, xrefs: 0040254D
              • Failed to execute shell, xrefs: 00402655
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _itoa
              • String ID: Failed to create shell stdin pipe, error = %s$Failed to create shell stdout pipe, error = %s$Failed to execute shell
              • API String ID: 2976379300-2392963465
              • Opcode ID: b0f55332e28ff3cb3008e544f4763bc45c2f83d5e1f8347cbdb1f26d53328cae
              • Instruction ID: 99d4967df45a7bf232336e649b03466fdce5a92ee8dc76b57760f8b5f02a6509
              • Opcode Fuzzy Hash: b0f55332e28ff3cb3008e544f4763bc45c2f83d5e1f8347cbdb1f26d53328cae
              • Instruction Fuzzy Hash: DA61E532B11B0498EF10DBA6E8A479D2770B348B98F04422ADE5D6BBE8DF7DC645C744
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • VirtualQuery failed for %d bytes at address %p, xrefs: 004065B1
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: QueryVirtual
              • String ID: VirtualQuery failed for %d bytes at address %p
              • API String ID: 1804819252-2206166143
              • Opcode ID: 37bdc5911b218e1f3bbe607bee17ffe94384d2fcda080e89025a07e95b95bf67
              • Instruction ID: 0637fb309ef209699b267df1f0d1f578fe8f7498e289977fe83c24590cb80b55
              • Opcode Fuzzy Hash: 37bdc5911b218e1f3bbe607bee17ffe94384d2fcda080e89025a07e95b95bf67
              • Instruction Fuzzy Hash: CC314876618B9086E6209B16B84035BB774F789BC4F584026EF8A63B69CF3CD521CF08
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              • SessionReadShellThreadFn exitted, error = %s, xrefs: 00402E38
              • exit, xrefs: 00402EAC
              Memory Dump Source
              • Source File: 00000000.00000002.2854150652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2854135434.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854167578.0000000000408000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854204691.000000000040C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2854218942.000000000040D000.00000008.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_RpcSsv.jbxd
              Yara matches
              Similarity
              • API ID: _itoa_strnicmp
              • String ID: SessionReadShellThreadFn exitted, error = %s$exit
              • API String ID: 2283094285-2225757753
              • Opcode ID: 821976ffd4d3dd39a9abe39c8850d3ccbbf38a04894f7d84bae644aa84c5f3e6
              • Instruction ID: a910a5ee9e59e8e36ce5f91a2045ce4b3482010477b2b0533805864d1e806828
              • Opcode Fuzzy Hash: 821976ffd4d3dd39a9abe39c8850d3ccbbf38a04894f7d84bae644aa84c5f3e6
              • Instruction Fuzzy Hash: 27717872B04B5589EB10CBA9E9947AD37B0B30878CF044566DF4C67BA8DB78CA05CB58
              Uniqueness

              Uniqueness Score: -1.00%